All news with #supply-chain incident tag

UK backs Jaguar Land Rover with £1.5 billion loan guarantee

🔒 The UK Government has granted Jaguar Land Rover a £1.5 billion loan guarantee via UK Export Finance's Export Development Guarantee (EDG) to help the automaker recover after a severe cyberattack halted production and forced system shutdowns. The guarantee backs a commercial bank loan rather than direct state lending, reducing lender risk so JLR can secure larger, better-priced financing and immediate liquidity to pay suppliers. Repaid over five years, the measure is intended to stabilise the supply chain and protect thousands of jobs while JLR works with the NCSC, law enforcement and cybersecurity specialists during a phased return to manufacturing.

Harrods Breach Exposes 430,000 E-commerce Customer Records

🔒 Harrods has confirmed a new data breach after a compromise at a third-party supplier exposed 430,000 e-commerce customer records. The disclosed information primarily comprises names, contact details and internal marketing tags, while account passwords, payment information and order histories were not included. The retailer says this incident is separate from the May attack attributed to Scattered Spider and that the threat actor has contacted them, apparently seeking extortion. Harrods has notified affected customers and authorities and urges vigilance against phishing and social engineering.

September 2025 security roundup — key incidents and guidance

🔐 Tony Anscombe reviews the top cybersecurity stories for September 2025 and highlights their implications for defenders. Incidents include disruptions at major European airports after a ransomware attack on Collins Aerospace, a prolonged outage at Jaguar Land Rover following an IT breach, and a large npm supply‑chain compromise that drew a CISA alert. He also notes impersonation campaigns targeting macOS users with LastPass‑themed information‑stealers.

First Malicious MCP Server Found in NPM Postmark Package

🛡️ Cybersecurity researchers at Koi Security reported the first observed malicious Model Context Protocol (MCP) server embedded in an npm package, a trojanized copy of the postmark-mcp library. The malicious change, introduced in version 1.0.16 in September 2025 by developer "phanpak", added a one-line backdoor that BCCs every outgoing email to phan@giftshop[.]club. Users who installed the package should remove it immediately, rotate any potentially exposed credentials, and review email logs for unauthorized BCC activity.

Postmark MCP Connector Compromised via Malicious NPM

🔒 A malicious npm package named postmark-mcp was discovered inserting a hidden Bcc that forwarded copies of transactional emails to an attacker-controlled server. Koi Security identified the backdoor in version 1.0.16 after its risk engine flagged suspicious behavior, noting the package had been trusted across many prior releases. With roughly 1,500 weekly downloads, the single-line injection enabled broad exfiltration of password resets, invoices, and internal correspondence before the package was removed; Koi urges immediate removal, credential rotation, and audits of all MCP connectors.

JLR Begins Phased Restart After Major Cyber-Attack

🔁 JLR has begun a controlled, phased restart of digital and operational systems after the cyber-attack that halted production in early September. The company has increased IT processing capacity for invoicing and restored its financial wholesale system, allowing it to clear payment backlogs and resume sales and vehicle registrations. The Global Parts Logistics Centre is also returning to full operation as recovery work continues with support from the UK National Cyber Security Centre and law enforcement.

Malicious Rust crates on Crates.io exfiltrate crypto keys

🔒Two malicious Rust crates published to Crates.io scanned developer systems at runtime to harvest cryptocurrency private keys and other secrets. The packages, faster_log and async_println, mimicked a legitimate logging crate to avoid detection and contained a hidden payload that searched files and environment variables for Ethereum-style hex keys, Solana-style Base58 strings, and bracketed byte arrays. Discovered by Socket, both crates were removed and the publisher accounts suspended; affected developers are advised to clean systems and move assets to new wallets.

Threatsday Bulletin: Rootkits, Supply Chain, and Arrests

🛡️ SonicWall released firmware 10.2.2.2-92sv for SMA 100-series appliances to add file checks intended to remove an observed rootkit, and moved SMA 100 end-of-support to 31 October 2025. The bulletin also flags an unpatched OnePlus SMS permission bypass (CVE-2025-10184), a GeoServer RCE compromise affecting a U.S. federal agency, and ongoing npm supply-chain and RAT campaigns. Defenders are urged to apply patches, rotate credentials, and enforce phishing-resistant MFA.

Report: Many Indian Suppliers Pose Global Supply Risks

🔍 SecurityScorecard's assessment found that 53% of selected Indian vendors experienced at least one third-party breach in the past year, with outsourced IT operations and managed service providers representing 63% of those incidents. The study evaluated 15 prominent Indian suppliers across 10 industries using security ratings based on patching cadence, DNS health, IP reputation, and endpoint, network and app security, and concluded that 27% of vendors received an F while 25% earned an A. It recommends continuous monitoring of third- and fourth-party ecosystems, prioritizing certificate management and patching, and using cybersecurity ratings to inform procurement and ongoing vendor oversight.

NCA Arrests Man Linked to HardBit Ransomware Disruption

🔒 British investigators arrested a man in his forties in West Sussex in connection with a suspected ransomware outbreak that disrupted flights across Europe. The National Crime Agency said the suspect was released on conditional bail and the probe remains at an early stage. Security researchers have linked the incident to the HardBit variant, which affected ARINC vMUSE systems and forced airlines to revert to paper processes amid repeated reinfections.

Malicious Rust crates stole Solana and Ethereum keys

🛡️ Security researchers discovered two malicious Rust crates impersonating the legitimate fast_log library that covertly scanned source files for Solana and Ethereum private keys and exfiltrated matches to a hardcoded command-and-control endpoint. Published on May 25, 2025 under the aliases rustguruman and dumbnbased, the packages — faster_log and async_println — accumulated 8,424 downloads before crates.io maintainers removed them following responsible disclosure. Socket and crates.io preserved logs and artifacts for analysis, and maintainers noted the payload executed at runtime when projects were run or tested rather than at build time.

Ransomware-Enabled Heist and npm Worm Supply-Chain Threats

🔒 Ransomware can do more than encrypt files — it can disable alarms and create physical security vulnerabilities. In a recent episode of the Smashing Security podcast, hosts discuss how a ransomware-related outage at the Natural History Museum in Paris preceded a late-night theft of €600,000 in gold. The show also covers a new npm supply-chain worm dubbed Shai Hulud that has infected over 180 packages and quietly exfiltrated secrets, plus odd stories about ads appearing on consumer appliances.

Malicious npm Package Uses QR Code to Steal Cookies

🔍 A malicious npm package named Fezbox was discovered using QR-code steganography to conceal and deliver a credential-stealing payload. The package fetched a QR image from a remote URL, waited roughly 120 seconds, decoded embedded code and executed it to extract usernames and passwords from browser cookies. Socket's AI-based scanner flagged the behavior; the package, which had at least 327 downloads, was removed after a takedown request to the npm security team.

Extending Zero Trust to the Storage Layer: Resilience

🔒 Applying zero trust to the storage layer is no longer theoretical — it is now essential to ensure recovery. The author describes ransomware incidents, including Change Healthcare in February 2024, where attackers deliberately targeted backups and recovery points, exposing storage as a primary attack surface. He recommends three operational principles — control where data is touched, control who and when, and make critical backups immutable — and ties those measures to governance, policy-as-code, and executive outcomes.

Iframe Security Exposed — Payment Checkout Blind Spot

🔒Payment iframes are no longer a guaranteed sandbox: attackers have adopted pixel-perfect overlays and other injection techniques to steal card data from checkout pages. The article dissects the August 2024 Stripe skimmer campaign that compromised dozens of merchants and used a deprecated API to validate stolen cards in real time. It explains why legacy controls like X-Frame-Options and basic CSP fail when the host page is compromised and outlines a practical six-step defense combining strict CSP, real-time DOM monitoring, secure postMessage handling, and tooling changes required by PCI DSS 4.0.1.

GitHub Tightens npm Security: Mandatory 2FA, Token Limits

🔒 GitHub is implementing stronger defenses for the npm ecosystem after recent supply-chain attacks that compromised repositories and spread to package registries. The platform will require 2FA for local publishing, shorten token lifetimes to seven days, deprecate classic tokens and TOTP in favor of FIDO/WebAuth, and promote trusted publishing. Changes will roll out gradually with documentation and migration guides to reduce disruption.

npm Supply-Chain Worm 'Shai-Hulud' Compromises Packages

🛡️ CISA released an alert about a widespread software supply chain compromise affecting the npm registry: a self-replicating worm called 'Shai-Hulud' has compromised over 500 packages. The actor harvested GitHub Personal Access Tokens and cloud API keys for AWS, Google Cloud, and Azure, exfiltrating them to a public repository and using them to publish malicious package updates. CISA recommends immediate dependency reviews, credential rotation, enforcing phishing-resistant MFA, pinning package versions to releases before Sept. 16, 2025, hardening GitHub settings, and monitoring for anomalous outbound connections.

Lean Security Teams Elevate Risk from Hardcoded Secrets

🔒 As organizations shrink and security teams tighten, hardcoded secrets have become a critical, costly blind spot that manual processes can no longer manage. The article cites rising credential-driven breaches, a 292‑day average containment window, and steep financial impacts when secrets are exposed. It contends that precision remediation — contextual ownership, integrated workflows, and automated rotation — is essential to reduce remediation from weeks to hours and to curb analyst overhead. GitGuardian is presented as an example of this targeted remediation approach.

NPM package uses QR code to fetch cookie-stealing malware

🔒 A malicious npm package named fezbox was recently discovered using a QR code embedded in an image to retrieve a second-stage, cookie-stealing payload from the attacker's server. The package's minified code (notably in dist/fezbox.cjs) delays execution, avoids development environments, then decodes a reversed URL to fetch a dense JPG QR image containing obfuscated JavaScript. When the payload finds credentials in document.cookie it extracts username and password and exfiltrates them via an HTTPS POST; the package accrued at least 327 downloads before registry removal.

Stellantis Confirms Third-Party Cybersecurity Breach

🔒 Stellantis has confirmed unauthorized access to a third‑party service provider platform that supports its North American customer service operations. The group said affected customer information was potentially exposed but limited to contact details and did not include stored financial or other sensitive data. Stellantis activated incident response protocols, notified authorities and began informing impacted customers while warning them to expect phishing attempts. Security researchers and outlets linked the incident to claims by ShinyHunters and a recent series of Salesforce-related data breaches.