All news with #supply-chain incident tag

Ransomware Attack on Swedish Supplier Exposes Worker Data

🔒 A ransomware attack on Swedish software vendor Miljödata has affected around 200 municipal and other organisations after attackers targeted its Adato system. Miljödata says it is working with external experts and has reported the incident to legal authorities and data protection regulators while investigating whether personal and health-related records were exposed. Police say extortionists demanded 1.5 bitcoins (about SEK 1.5M / US$165,000) and national agencies are coordinating the response.

TransUnion Breach Exposes Data of 4.5 Million US Consumers

🔐 TransUnion has disclosed unauthorized access to a third-party application serving its US consumer support operations, affecting nearly 4.5 million Americans. The company says the incident exposed specific personal data elements but did not include credit reports or core credit information. Detected July 30 after an intrusion on July 28, TransUnion is offering free credit monitoring and proactive fraud assistance while it enhances security controls.

Gainesville Regional Utilities Tightens Vendor Risk Controls

🔒 Gainesville Regional Utilities (GRU) launched a Vendor Security Risk Assessment (VSRA) program in August 2023 to vet third-party suppliers that access its smart-grid, metering, and fiber-optic systems. The intake, triage, detailed questionnaire, technical review, and centralized recordkeeping ensure vendors meet rigorous security standards before onboarding. Automation and a vendor scoring system reduced manual work by 50% and accelerated decision-making while improving compliance.

VS Code Marketplace Flaw Lets Deleted Extensions Be Reused

🔍 Researchers at ReversingLabs found a loophole in the Visual Studio Code Marketplace that permits threat actors to republish removed extensions under the same visible names. The new malicious package, ahbanC.shiba, mirrors earlier flagged extensions and acts as a downloader for a PowerShell payload that encrypts files in a folder named "testShiba" and demands a Shiba Inu token ransom. Investigation revealed that extension uniqueness is enforced by the combination of publisher and name, not the visible name alone, enabling attackers to reuse names once an extension is removed. Organizations should audit extension IDs, enforce whitelists, and run automated supply-chain scanning to reduce exposure.

Supply-Chain Attacks on Nx and React Expose Dev Credentials

🔒 A coordinated supply-chain campaign compromised multiple npm packages — most notably the Nx build system — and used post-install scripts to harvest developer assets across enterprise environments. Wiz found the malware weaponized local AI CLI tools to exfiltrate filesystem contents, tokens, SSH keys, and environment variables. Separately, JFrog uncovered obfuscated malicious React packages designed to steal Chrome data. Vendors removed the packages and recommend rotating credentials, removing affected versions, and auditing developer and CI systems.

Salt Typhoon Exploits Router Flaws to Breach 600 Orgs

🔒Salt Typhoon, a China-linked APT, exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks edge devices to compromise and persistently control routers worldwide. The actors modified device configurations, created GRE tunnels, and used on-box Linux containers to stage tools and exfiltrate data. Agencies from 13 countries linked the campaign to three Chinese firms and warned of espionage impacting telecoms, government, transport, lodging, and military sectors.

VS Code Marketplace Name Reuse Enables Malware Campaign

🔍 ReversingLabs has exposed a campaign in which malicious Visual Studio Code extensions exploited a name-reuse loophole on the VS Code Marketplace. A downloader extension named ahbanC.shiba executed the command shiba.aowoo to fetch a second payload that encrypted files and demanded one Shiba Inu token, although no wallet address was provided. The vulnerability arises because removed extensions free their names for reuse, contrary to Marketplace guidance that names are unique. Researchers demonstrated the issue by republishing test extensions under previously used names and warned developers to exercise greater caution when installing Marketplace packages.

Nx Build Supply-Chain Attack: Trojanized Packages Detected

🔐 The Nx package ecosystem was trojanized via a malicious post-install script, telemetry.js, which exfiltrated developer secrets from macOS and *nix environments. Stolen items included npm and GitHub tokens, SSH keys, crypto wallets, API keys and .env contents, uploaded to public GitHub repositories. Immediate actions include auditing Nx package versions, removing affected node_modules, rotating all potentially exposed secrets and monitoring repositories and Actions for misuse.

Malicious Nx npm Packages in 's1ngularity' Supply Chain

🔒 The maintainers of nx warned of a supply-chain compromise that allowed attackers to publish malicious versions of the npm package and several supporting plugins that gathered credentials. Rogue postinstall scripts scanned file systems, harvested GitHub, cloud and AI credentials, and exfiltrated them as Base64 to public GitHub repositories named 's1ngularity-repository' under victim accounts. Security firms reported 2,349 distinct secrets leaked; maintainers rotated tokens, removed the malicious versions, and urged immediate credential rotation and system cleanup.

Google Named a Leader in IDC Incident Response 2025

🔒 Google has been named a Leader in the IDC MarketScape: Worldwide Incident Response 2025, recognizing Mandiant—now integrated into Google Cloud Security—for its decades of incident response expertise. The report praises Mandiant’s "team of teams" model, rapid crisis communications capability, and integration with Google's SecOps platform. Proprietary tools like FACT and Monocle and combined threat intelligence with VirusTotal enhance enterprise-scale investigations.

Hook Android Trojan Evolves with Ransomware Features

🛡️Researchers at Zimperium zLabs have detected a new variant of the Hook Android banking Trojan that expands beyond banking fraud to include ransomware-style overlays and advanced surveillance tools. The sample supports 107 remote commands, 38 of which are newly introduced, enabling fake NFC prompts, lock-screen bypasses, transparent gesture-capturing overlays and real-time screen streaming. Operators are distributing malicious APKs via GitHub repositories and continue to exploit Android Accessibility Services for automated fraud and persistent control. Industry observers warn the campaign is global and rapidly escalating, increasing risks to both enterprises and individual users.

Cloudflare Introduces MCP Server Portals for Zero Trust

🔒 Cloudflare has launched MCP Server Portals in Open Beta to centralize and secure Model Context Protocol (MCP) connections between large language models and application backends. The Portals provide a single gateway where administrators register MCP servers and enforce identity-driven policies such as MFA, device posture checks, and geographic restrictions. They deliver unified visibility and logging, curated least-privilege user experiences, and simplified client configuration to reduce the risk of prompt injection, supply chain attacks, and data leakage.

MixShell Malware Targets U.S. Supply Chain via Contact Forms

⚠️ Cybersecurity researchers warn of a targeted social‑engineering campaign delivering an in‑memory implant called MixShell to supply‑chain manufacturers through corporate 'Contact Us' forms. The activity, tracked as ZipLine by Check Point, uses weeks of credible exchanges, fake NDAs and weaponized ZIPs containing LNK files that trigger PowerShell loaders. MixShell runs primarily in memory, uses DNS tunneling for C2 with HTTP fallback, and enables remote commands, file access, reverse proxying, persistence and lateral movement. Malicious archives are staged on abused Heroku subdomains, illustrating use of legitimate PaaS for tailored delivery.

ZipLine: Advanced Social Engineering Against U.S. Industry

🔒 ZipLine is a highly sophisticated social-engineering phishing campaign identified by Check Point Research that reverses the typical attack flow by initiating contact through corporate “Contact Us” forms. Attackers cultivate multi-week, professional email exchanges and often request NDAs before delivering a malicious ZIP containing the in-memory backdoor MixShell. MixShell maintains covert command-and-control via DNS tunneling with HTTP fallback and executes in memory to reduce forensic traces. The campaign primarily targets U.S. manufacturing and supply-chain–critical organizations and has evolved a second wave that uses an AI transformation pretext to increase legitimacy.

Ransomware Disrupts Operations at Data I/O Manufacturer

🔒 Data I/O, a US-based provider of programming solutions for Flash devices, disclosed a ransomware incident on 16 August that forced it to take platforms offline and deploy mitigations. The company said operations including communications, shipping, manufacturing and support functions were temporarily impacted while it restores systems. Costs for remediation and contractor fees are reasonably likely to affect finances. Major customers include Tesla, Panasonic, Amazon, Google and Microsoft.

Code Insight Expands to Cover Software Supply Chain Risks

🛡️ VirusTotal’s Code Insight now analyzes a broader set of software supply chain formats — including CRX, XPI, VSIX, Python WHL, NPM packages, and MCP protocol integrations. The tool inspects code logic to detect obfuscation, dynamic code fetching, credential theft, and remote command execution in extensions and packages. Recent findings include malicious Chrome and Firefox extensions, a deceptive VS Code extension, and compromised Python and NPM packages. This capability complements traditional signature- and ML-based classification by surfacing behavior-based risks.

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

Threat Actors Abuse SDKs to Sell Victim Bandwidth Stealthily

🔍 Unit 42 observed a campaign exploiting CVE-2024-36401 in GeoServer to remotely deploy legitimate SDKs or apps that sell victims' internet bandwidth. The attackers leverage JXPath evaluation to achieve RCE across multiple GeoServer endpoints, then install lightweight binaries that operate quietly to monetize unused network capacity. This approach often uses unmodified vendor SDKs to maximize stealth and persistence while avoiding traditional malware indicators.

Dissecting PipeMagic: Architecture of a Modular Backdoor

🔍 Microsoft Threat Intelligence details PipeMagic, a modular backdoor used by Storm-2460 that masquerades as an open-source ChatGPT Desktop Application. The malware is deployed via an in-memory MSBuild dropper and leverages named pipes and doubly linked lists to stage, self-update, and execute encrypted payload modules delivered from a TCP C2. Analysts observed exploitation of CVE-2025-29824 for privilege escalation followed by ransomware deployment, with victims across IT, finance, and real estate in multiple regions. The report includes selected IoCs, Defender detections, and mitigation guidance to help defenders detect and respond.

Muddled Libra Strike Teams: Collaborative Cybercrime

🧩 Muddled Libra is not a single organized group but a fluid collaboration of personas that form distinct strike teams with varying objectives and tradecraft. Unit 42 has identified patterns across at least seven teams, from crypto theft and extortion to IP theft and mass data harvesting. Defenders should prioritize protecting high-value data, tighten access controls, and assume evolving tactics rather than a fixed adversary profile.