All news with #supply-chain incident tag

Shai-Hulud v2 Supply-Chain Campaign Hits Maven Central

⚠️ The second wave of the Shai-Hulud supply-chain attack has moved from npm into the Maven ecosystem after researchers found org.mvnpm:posthog-node:4.18.1 embedding the same setup_bun.js loader and bun_environment.js payload. The artifact was rebundled via an automated mvnpm process and was not published by PostHog; mirrored copies were purged from Maven Central on Nov 25, 2025. The campaign steals API keys, cloud credentials and npm/GitHub tokens by backdooring developer environments and injecting malicious GitHub workflows, affecting thousands of repositories.

Multiple London councils' IT systems hit by cyberattack

🔒 The Royal Borough of Kensington and Chelsea and Westminster City Council are experiencing widespread service disruptions after a cybersecurity incident that also affected the London Borough of Hammersmith and Fulham. Several systems including phone lines were taken offline and councils activated emergency plans to preserve critical services. Officials say they shut down affected systems as a precaution while working with specialist incident responders and the National Cyber Security Centre. Security researchers indicate the outage stems from a ransomware attack on a shared services provider; investigations and efforts to restore services are ongoing.

Care That You Share: Holiday Risks and Mitigations

🛡️ This edition of Talos Threat Source urges a simple behavioral shift: practice care in what, how, and why you share information during the holiday season and beyond. The briefing highlights operational pressures as teams run lean and attackers intensify phishing and supply‑chain campaigns, and it outlines practical changes such as retiring obsolete ClamAV signatures and encouraging feature‑release container tags for better security maintenance. Thoughtful, timely sharing of tips, IOCs, and status updates can materially improve collective resilience when resources are constrained.

Qilin Ransomware Targets South Korean MSP, Hits Finance

🛡️ South Korea's financial sector was struck by a coordinated supply-chain campaign that deployed Qilin ransomware via a compromised MSP, Bitdefender reports. The operation, self-styled as 'Korean Leaks', unfolded in three publication waves in September–October 2025 and resulted in the theft of over 1 million files (about 2 TB) from 28 victims. Analysis ties the clustered intrusions to a single upstream MSP compromise and notes possible involvement by North Korean-affiliated actors alongside Qilin affiliates operating under a RaaS model.

Gainsight Breach Impacts More Salesforce Customers

🔒Gainsight has confirmed the cyber‑attack tied to Salesforce affected more customers than initially reported, though the vendor says the number remains limited and affected customers were notified. As a precaution Gainsight temporarily disabled Salesforce read/write access for several products, including Customer Success (CS), Community (CC), Northpass (CE), Skilljar (SJ) and Staircase (ST). Other vendors such as Gong.io, Zendesk and HubSpot have also disabled their connectors. Gainsight engaged Mandiant for an independent forensic investigation and is advising customers to rotate credentials and S3 keys, reset NXT passwords where appropriate, re-authorize integrations, and follow proactive hardening guidance while the investigation continues.

Webinar: Safely Patching Systems Using Community Tools

🔒 Community-driven package managers like Chocolatey and Winget speed deployments but can introduce supply-chain risks when packages are added or updated without rigorous vetting. Gene Moody, Field CTO at Action1, will lead a free webinar that tests these tools in practice, highlights common weak points, and demonstrates pragmatic safeguards such as source pinning, allow-lists, and hash/signature verification. The session focuses on actionable steps to help teams prioritize updates using known-exploited vulnerability data (KEV) and to choose whether to rely on community repos, vendor sources, or a hybrid approach while maintaining operational velocity.

SLSH Resurgence: ShinySp1d3r RaaS Ahead of Holidays

⚠️ Unit 42 documents a renewed campaign by the Scattered LAPSUS$ Hunters (SLSH) that combines a supply-chain driven data theft affecting Gainsight/Salesforce integrations with the emergence of a new Windows-focused ransomware-as-a-service, ShinySp1d3r. The actors publicly threatened mass ransomware deployment and set a leak deadline while also actively recruiting insiders and claiming hundreds of additional victim accesses. Organizations should prioritize rotating exposed tokens, enforcing strong insider controls, and engaging incident response if they suspect compromise.

Shai-Hulud 2.0: Inside a Major npm Supply-Chain Attack

🧨 Check Point Research details the Shai-Hulud 2.0 campaign, a rapid and extensive npm supply-chain attack observed in November 2025. Between 21–23 November attackers compromised hundreds of npm packages and over 25,000 GitHub repositories by abusing the npm preinstall lifecycle script to execute payloads before installation completed. The report outlines techniques, scale, and practical mitigations to help organizations protect development pipelines.

Blender .blend Files Weaponized to Deliver StealC V2

🛡️ Cybersecurity researchers disclosed a campaign that leverages Blender .blend files hosted on public asset sites to deliver the information stealer StealC V2. Malicious .blend assets contain embedded Python scripts that execute when Blender's Auto Run is enabled, fetching PowerShell code and two ZIP archives — one deploying StealC V2 and the other a secondary Python stealer. Vendors advise keeping Auto Run disabled and verifying asset sources.

Shai-Hulud 2.0 Worm Spreads Through npm and GitHub

⚠️ Researchers at Wiz, JFrog and others are tracking a renewed campaign of the Shai‑Hulud credentials‑stealing worm spreading through the npm registry and GitHub. The new Shai‑Hulud 2.0 executes during the preinstall phase, exfiltrates developer and CI/CD secrets to randomized repositories, and injects malicious payloads into other packages. Widely used modules, including @asyncapi/specs, Zapier, Postman and others, have been compromised, prompting immediate remediation steps for affected developers and organizations.

What Keeps CISOs Awake - Zurich's Approach to Resilience

😴 At the Global Cyber Conference 2025 in Zurich, CISOs openly confronted a profession-wide exhaustion tied to escalating cyber risk. Tim Brown distilled the anxiety into five core threats: shrinking exploit windows, persistent adversaries, third-party risk, an AI arms race, and staff burnout. The Swiss Cyber Institute's vendor-free format created a trust-based forum where peers share IOCs, run joint table-tops and adopt risk-based patching and UEBA to speed response and restore resilience.

Major US Banks Assess Impact of SitusAMC Data Breach

🔒 Major US banks including JPMorgan Chase, Citi and Morgan Stanley are assessing potential customer data exposure after third-party mortgage servicer SitusAMC disclosed a breach discovered on Nov. 12 and confirmed on Nov. 22. SitusAMC says corporate records and 'certain data' related to clients' customers may have been accessed; the company reports services remain operational and the incident is contained. The FBI is investigating, has found no operational impact to banking services so far, and the company has implemented credential resets, disabled remote access tools, updated firewall rules and engaged third-party advisors while forensic analysis continues.

Fortinet, Chrome 0-days and Supply-Chain Attacks Recap

⚠️ This week’s recap spotlights multiple actively exploited vulnerabilities, supply‑chain compromises, and a record cloud DDoS that forced rapid vendor responses. Fortinet disclosed a FortiWeb OS command injection (CVE-2025-58034) that was observed chained with a recent critical fix, raising concerns about silent patching and disclosure timing. Google patched an actively exploited Chrome V8 0‑day (CVE-2025-13223), and attackers continued to abuse browser notifications, malicious updates, and SaaS integrations to phish and persist. The incidents underscore urgent priorities: patch quickly, scrutinize integrations, and strengthen monitoring and response.

Iberia Alerts Customers After Supplier-Related Data Breach

⚠️ Iberia has notified customers that personal data was exposed after unauthorized access to a supplier's systems, potentially including names, email addresses and Iberia Club loyalty numbers. The carrier says no login credentials or payment card details were taken and that it has implemented additional verification checks and mitigation measures. Customers are urged to watch for phishing and suspicious communications. The airline is investigating and has informed authorities.

Iberia Notifies Customers of Vendor-Related Data Leak

🔔 Iberia has informed customers of a security incident after unauthorized access to a supplier's systems exposed limited customer information. The airline says affected fields may include full name, email address, and Iberia Club loyalty identification numbers, while login credentials and payment card data were not accessed. Iberia says it activated its security protocol, added verification codes for email changes, is monitoring systems, and has notified authorities as it works with the third-party vendor. Customers are urged to watch for suspicious messages and report anomalies to the airline.

OAuth Token Compromise Hits Salesforce Ecosystem Again

🔐 Salesforce disclosed unauthorized access tied to Gainsight-published apps using OAuth integrations, saying it revoked all active access and refresh tokens and temporarily removed those apps from the AppExchange while investigators continue their work. Gainsight confirmed the incident, has engaged Mandiant for forensics, and revoked related connector access across other marketplaces. Google Threat Intelligence linked the activity to actors associated with ShinyHunters, echoing prior token-abuse campaigns against Salesloft and Drift. The incident highlights supply-chain risks in SaaS OAuth integrations and reinforces urgent recommendations to audit and revoke suspicious tokens.

APT24 Deploys BADAUDIO in Multi-Year Espionage Campaign

🛡️ APT24 has deployed a previously undocumented downloader called BADAUDIO to maintain persistent remote access in a nearly three-year campaign beginning November 2022. The highly obfuscated C++ downloader uses control-flow flattening and DLL search-order hijacking to fetch AES-encrypted payloads from hard-coded C2s; analysts observed Cobalt Strike delivered in at least one case. Operators distributed BADAUDIO via watering holes, supply-chain compromises, typosquatted CDNs and targeted phishing, employing FingerprintJS and encrypted cloud-hosted archives to selectively target victims and evade detection.

Gainsight Supply-Chain Hack Disrupts Salesforce Apps

⚠️ On November 20, customer support platform provider Gainsight reported connection failures after Salesforce revoked active access for the Gainsight SFDC Connector following detection of unusual activity. Salesforce temporarily removed all Gainsight-published apps from its AppExchange, citing potential unauthorized access via the app's external connection rather than a Salesforce platform vulnerability. Gainsight also disabled integrations with HubSpot and Zendesk, and engaged Mandiant to support forensic work. A criminal collective claiming affiliation with Lapsus$/Scattered Spider said it was responsible and threatened wider data leaks and a RaaS offering.

SEC Drops Lawsuit Against SolarWinds After Years-long Probe

📰The U.S. Securities and Exchange Commission has voluntarily dismissed its lawsuit against SolarWinds and CISO Timothy G. Brown, filing a joint motion to dismiss on November 20, 2025. The October 2023 complaint alleged fraud, internal control failures, and misleading disclosures tied to the late-2020 supply-chain compromise attributed to APT29. Many allegations were rejected by the SDNY in July 2024 as relying on hindsight. SolarWinds' CEO said the company emerges stronger, more secure, and better prepared.

ShadowRay 2.0 Worm Uses Ray Flaw to Build Global Botnet

🪲 Oligo Security warns of an active campaign, codenamed ShadowRay 2.0, that exploits a two-year-old authentication flaw in the Ray AI framework (CVE-2023-48022, CVSS 9.8) to convert exposed clusters with NVIDIA GPUs into a self-replicating cryptomining botnet using XMRig. Operators submit malicious jobs to the unauthenticated Job Submission API (/api/jobs/), stage payloads on GitLab and GitHub, and abuse Ray’s orchestration to pivot laterally, establish persistence via cron jobs, and propagate to other dashboards. Oligo recommends restricting access, enabling authentication on the Ray Dashboard (default port 8265) and using Anyscale’s Ray Open Ports Checker plus firewall rules to reduce accidental exposure.