All news with #lapsus tag

🔒 Checkmarx confirmed that the LAPSUS$ group published data taken from its private GitHub repository after a March 23 supply-chain compromise tied to the Trivy incident. Investigators say credentials harvested from that earlier intrusion enabled repository access and the insertion of malicious code. On April 22 attackers published malicious Docker images and VSCode/Open VSX extensions for Checkmarx’s KICS scanner that collected credentials, keys, tokens, and config files. Checkmarx states the 96GB leak originated from its GitHub, contains no customer data, and is under forensic review while the repository remains locked.

🔐 Researchers at Wiz report that TeamPCP has been harvesting, validating, encrypting and exfiltrating cloud credentials, SSH keys, Kubernetes configs and other development secrets from compromised supply chain components to attacker-controlled domains. The group used typosquatting on PyPI to push credential-stealing malware into packages affecting Trivy, KICS, LiteLLM and Telnyx. Wiz warns this activity appears linked to, or at least shared with, extortion-focused actors such as Lapsus$, and vendors report claims of partnerships with ransomware affiliates, raising the risk of follow-on ransomware campaigns.

🔐 A supply-chain compromise of Trivy has escalated into an extortion campaign linked to Lapsus$, with Mandiant reporting over 1,000 impacted enterprise SaaS environments and the potential for many more. Initial access by cloud-native actor TeamPCP led to stolen credentials that were used to backdoor packages and extend control to projects such as LiteLLM. Security firms Wiz and Socket describe malicious Docker and npm artifacts, a self-replicating worm, and manipulated CI/CD tags, while Aqua Security and partners work to rotate credentials and contain the incident.

🔒 Coinbase confirmed that a contractor improperly accessed data for approximately 30 customers in a December incident, and the individual no longer performs services for the company. Impacted users were notified, provided identity theft protection services, and Coinbase disclosed the incident to relevant regulators. Screenshots of an internal support panel briefly appeared on Telegram and were associated with the 'Shiny Lapsus Hunters' posts, showing customer PII, KYC details, and wallet balances, though attribution remains unclear.

🔒 A prolific English-language extortion gang calling itself Scattered Lapsus Shiny Hunters (SLSH) combines data theft with coordinated harassment — swatting, DDoS, and call- and email-flooding — to pressure victims into paying. Allison Nixon of Unit 221B and forensic analysis from Mandiant trace recent incidents to early–mid January 2026, when attackers used phone-based phishing to harvest SSO and MFA codes. Nixon warns SLSH is fractious and untrustworthy, and advises organizations that negotiating beyond a firm refusal generally escalates harm and provides attackers information useful for later fraud.

⚠️ The European Space Agency (ESA) has suffered a further significant cybersecurity breach after a December incident, with the Scattered Lapsus$ Hunters group claiming to exfiltrate roughly 500GB of additional data. The stolen material reportedly includes operational procedures, spacecraft and mission documentation, and proprietary contractor data from partners such as SpaceX, Airbus Group, and Thales Alenia Space. ESA has confirmed a criminal investigation is underway amid concerns about systemic security weaknesses.

⚠️ On November 20, customer support platform provider Gainsight reported connection failures after Salesforce revoked active access for the Gainsight SFDC Connector following detection of unusual activity. Salesforce temporarily removed all Gainsight-published apps from its AppExchange, citing potential unauthorized access via the app's external connection rather than a Salesforce platform vulnerability. Gainsight also disabled integrations with HubSpot and Zendesk, and engaged Mandiant to support forensic work. A criminal collective claiming affiliation with Lapsus$/Scattered Spider said it was responsible and threatened wider data leaks and a RaaS offering.

🕸 The nascent Scattered LAPSUS$ Hunters (SLH) collective — a merging of Scattered Spider, LAPSUS$, and ShinyHunters — has repeatedly recreated its Telegram presence, cycling channels at least 16 times since August 8, 2025. The group markets an extortion-as-a-service offering to affiliates, targets organizations including those using Salesforce, and has teased a custom ransomware family called Sh1nySp1d3r. Trustwave SpiderLabs assesses SLH as blending financially motivated crime with attention-seeking hacktivism and sophisticated brand management.

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.

🔍 Palo Alto Networks' Unit 42 reports monitoring a Scattered LAPSUS$ Hunters Telegram channel since early October 2025, noting a tactical shift toward an extortion-as-a-service (EaaS) offering that omits file encryption. Researchers also observed posts mentioning a potential new ransomware, SHINYSP1D3R, though its development and the profitability of EaaS remain uncertain. Unit 42 found the group's data leak site apparently defaced and confirmed leaked records tied to at least six firms; the actors had set an Oct 10 ransom deadline but later stated on Oct 11 that "nothing else will be leaked."

🚨 Unit 42 observed renewed activity from Scattered LAPSUS$ Hunters in early October 2025, including leaked data claims, a defaced clearnet leak site, and announcements of an extortion-as-a-service offering. The actors set a self-imposed ransom deadline of Oct. 10, 2025 and claimed to have released data allegedly from six victim companies across aviation, energy and retail. Unit 42 recommends organizations prepare EaaS incident playbooks and engage third-party responders.

🔒 Police seized several domains tied to the Scattered Lapsus$ Hunters extortion network, but one dark‑web mirror remained briefly accessible and was used to publish alleged data on October 10. The site listed victims including Qantas, Vietnam Airlines, Albertsons, GAP, Fujifilm, and Engie Resources, with claimed volumes from millions to hundreds of thousands of records. Authorities caution that domain seizures are tactical wins: actors often resurrect forums from backups or migrate to platforms such as Telegram, and the group has even promised a 2026 return with a subscription-based extortion-as-a-service model.

🔒 Scattered Lapsus$ Hunters, with core actors such as Bling Libra, claim responsibility for large-scale theft of Salesforce customer data and launched a public data leak site in early October 2025. The group operates an extortion-as-a-service model, recruiting affiliates to send targeted executive extortion messages and taking revenue shares from payments. Recent activity included a Clearnet domain seizure by law enforcement and threatening deadlines for victim disclosures. Retail and hospitality organizations face heightened risks of identity theft, account takeover, returns and loyalty fraud; Unit 42 recommends secrets scanning, zero trust controls, least privilege and participation in industry ISACs.

🔒 The FBI, US Department of Justice and French authorities seized the BreachForums domain and parts of its backend on Oct. 9, disrupting infrastructure tied to an alliance of threat actors including ShinyHunters, Scattered Spider and LAPSUS$. The action followed threats to publish alleged Salesforce customer data unless a ransom was paid by Oct. 10. Although the primary forum domain now displays a takedown notice, a separate leak site remains active and the extortion campaign appears to be continuing. Experts advise organizations to audit Salesforce configurations, enable OAuth app governance, and enforce token and session hygiene immediately.

🚨 Law enforcement in the United States and France have seized domains tied to the BreachForums hacking forum, and the seized site now displays an official takedown banner pointing victims to an IC3 subdomain. Observers caution the action may be largely symbolic because a dark‑web instance remains active and no public arrests of administrators were confirmed. A collective calling itself Scattered LAPSUS$ Hunters says it will still release one billion records allegedly taken from Salesforce customers on 10 October 2025, while Salesforce has reportedly told clients it will not pay a ransom.

🔓 The Scattered Lapsus$ Hunters gang opened a public data-leak site claiming it stole Salesforce data from dozens of global companies, including Salesforce, Toyota, FedEx, Disney/Hulu, Marriott and Google. The group set an Oct. 10 deadline for ransom payments and threatened to publish or even use stolen documents in legal actions if demands are not met. Salesforce says its investigation found no indication the platform itself was compromised and attributes the incidents to past or unsubstantiated claims. Researchers link many breaches to vishing that installs malicious connected apps and to compromised OAuth tokens in Salesloft Drift, underscoring a broader SaaS supply-chain risk.

🔓 An extortion group claiming affiliation with ShinyHunters, Scattered Spider, and Lapsus$ has launched a public data leak site listing 39 companies allegedly compromised via Salesforce breaches. The site publishes sample records and urges victims to pay before an October 10 deadline, while also demanding that Salesforce pay to prevent disclosure of roughly 1 billion records. The attackers say they used OAuth-based voice-phishing and stolen tokens to access customer data. Victims named include FedEx, Disney/Hulu, Google, Cisco, and many other major brands.

🔒 Fifteen prominent ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, posted a collective statement on BreachForums announcing they are ceasing operations and entering a period of “silence.” The announcement framed their activity as exposing systemic vulnerabilities rather than pure extortion and said some members intend to retire on accumulated funds while others will continue studying systems quietly. Analysts and threat intelligence experts cautioned this could be a temporary PR move, noting past groups have rebranded or spawned successors rather than vanishing permanently.

🔒 Jaguar Land Rover (JLR) has extended its production pause until at least 24 September after a cyber-attack earlier this month. The outage is causing cascading disruption across its supply chain, with some third-party workers reportedly laid off while JLR employees are not facing job losses. Unite has called for government-backed furloughs for affected contractors. A group using the name Scattered Lapsus$ Hunters has claimed responsibility and JLR confirmed some data were affected and regulators have been informed.

🔒 Google confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) portal and has been disabled. The company said no requests were made with the account and no data was accessed. The claim follows posts by a group calling itself "Scattered Lapsus$ Hunters", which also asserted access to the FBI's eCheck system. The actors have previously targeted Salesforce-related infrastructure and taunted security teams.