🕵🏻‍♂️ [InfoSec MASHUP] 37/2025

🔓 BREACHES & SECURITY INCIDENTS

🗓️ Salesloft says the Drift supply-chain attack began when attackers gained undetected access to its GitHub account as far back as March. The group stole OAuth tokens and data from hundreds of organizations in a mid‑August campaign. Salesloft has taken Drift offline, rotated keys, and is still investigating amid criticism for limited transparency.

🎣 😱 Attackers phished a maintainer and pushed malicious updates to 20 popular npm packages with over 2 billion weekly downloads. The injected malware intercepts browser crypto transactions and swaps wallet addresses to steal funds.

As of yet, the effective impact of this attack as measured by its success in stealing cryptocurrency has been reportedly minimal, especially when considering the high prevalence of the compromised packages. —Wiz.io

🇺🇸 Lovesac confirmed a data breach after hackers accessed its internal systems between Feb 12 and Mar 3, 2025. The attackers stole personal data, but the company has not said how many people were affected and is offering 24 months of Experian credit monitoring. The RansomHub gang claimed the attack and threatened to publish the stolen data.

📺 Plex says an unauthorized party accessed some customer data, including emails, usernames, hashed passwords and authentication info. Plex asks everyone to reset their password now and choose to sign out connected devices so attackers are kicked out. The company says it blocked the intrusion, is reviewing security, and warns users about phishing, but it did not say who attacked or how many accounts were affected.

🇨🇦 Wealthsimple says a supply-chain attack on a trusted third-party software package caused a data breach discovered on August 30. Less than 1% of customers had personal data exposed, including IDs, Social Insurance Numbers, birth dates, contact info, and account numbers. The intrusion was contained within hours, no funds or passwords were stolen, and affected customers are being notified and offered free credit monitoring.

→ More breaches:

• 160,000 Impacted by Wayne Memorial Hospital Data Breach

• Jaguar Land Rover says data stolen in disruptive cyberattack

• 100,000 Impacted by Cornwell Quality Tools Data Breach

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇨🇳 🇵🇭 A China-linked APT used a new fileless malware called EggStreme to breach a Philippine military company — EggStreme runs only in memory, uses DLL sideloading, and contacts attackers via gRPC command-and-control servers. Its main backdoor includes a keylogger, dozens of commands for discovery, lateral movement and data theft, and tools to stay hidden and resilient.

🇨🇳 🇺🇸 A House committee warns China-linked hackers (APT41) are targeting U.S. trade officials and groups during 2025 trade talks. They impersonated Rep. Moolenaar in phishing emails that delivered malware to steal data and gain covert access. The committee says this is state-backed espionage to influence negotiations, and China denies the claim.

🇨🇳 🇺🇸 China’s ‘Typhoons’ changing the way FBI hunts sophisticated threats — Chinese groups Salt Typhoon and Volt Typhoon use stealthy, patient "living off the land" tactics. They target cloud systems and edge devices to preposition for disruption, not just steal data. The FBI and CISA now hunt as if attackers are already inside networks and must change how they share indicators.

🇺🇸 ⚖️ 🇺🇦 The U.S. filed charges against Ukrainian Volodymyr Tymoshchuk for a global ransomware campaign that hit hundreds of companies. Prosecutors say he built and ran malware like Nefilim, LockerGoga, and MegaCortex, causing tens of millions in damage to big firms, hospitals, and factories. The State Department offered up to $10 million for tips, but Tymoshchuk is still a fugitive.

🇺🇸 🇲🇲 🇰🇭 The U.S. Treasury sanctioned 19 people and groups tied to big online scam hubs in Burma and Cambodia — Officials say the scams stole at least $10 billion from Americans in 2024, a 66% jump from the year before. Authorities say the criminal groups use forced labor, violence, and sex trafficking to run the scams.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 Senator Ron Wyden asked the FTC to investigate Microsoft for gross cybersecurity negligence after ransomware hit hospitals and other critical groups. He says weak default settings and support for old RC4 crypto let attackers use Kerberoasting to spread ransomware and steal data. Wyden warns Microsoft’s dominance and insecure defaults are a national security threat and wants the company held accountable.

⚖️ 🇺🇸 Former Meta security chief sues company — A former Meta security chief sued the company, saying it ignored his warnings about serious WhatsApp security and privacy flaws. He alleges thousands of engineers could access user data without logging or oversight, violating an FTC privacy order. He says Meta retaliated against him and fired him for speaking up; the suit names Meta, Mark Zuckerberg and other executives.

➡️ 🗓️ CISA pushed the final cyber incident reporting rule back to May 2026 — The rule would make critical infrastructure report major cyberattacks in 72 hours and ransom payments in 24 hours. CISA says the delay lets it consider industry comments, reduce burden, and better align rules.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🔙 🚪 Researchers found CHILLYHELL, a modular macOS backdoor that profiles hosts, persists via LaunchAgents/LaunchDaemons or shell profiles, and talks to hard-coded C2 servers. CHILLYHELL was notarized, tied to suspected espionage group UNC4487, and uses timestomping and password-cracking. They also found ZynorRAT, a Go-based RAT for Linux and Windows that uses a Telegram bot for C2 to exfiltrate data and run commands.

🎠 RatOn is a new Android trojan that combines NFC relay attacks with remote access and automated bank-transfer (ATS) features. It uses fake Play Store droppers and abusive permissions to steal PINs, seed phrases, and take over crypto wallets and a Czech bank app. The malware can lock phones with fake ransom screens, record keystrokes, exfiltrate data, and likely use local money mules in the Czech Republic and Slovakia.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

👀 Meredith Whittaker Sounds Alarm on AI Agents: “They’re Coming for Your Privacy”

🔓 UAE's K2 Think AI was jailbroken by exploiting its own transparency features. Attackers read the model's explanations to learn and disable each safety rule until harmful prompts worked. This shows a core conflict: explainable AI can be required by regulators but also makes systems hackable.

🇨🇳 Anthropic will stop selling its AI services to companies with majority Chinese ownership — The company says it wants to limit Beijing’s ability to use the AI for military and intelligence purposes. Anthropic expects the move to cut its revenue by a few hundred million dollars.

💬 🔐 Signal now offers secure chat backups with free and paid options. Free backups include 100MB for texts and the last 45 days of media. For $1.99/month you get 100GB; backups are zero-knowledge and the feature is in Android beta.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

• Microsoft Patch Tuesday addresses 81 vulnerabilities, none actively exploited

• Adobe Patches Critical ColdFusion and Commerce Vulnerabilities

• SAP fixes maximum severity NetWeaver command execution flaw

🚗 Researchers disclosed a remote CarPlay hack that can spy on or distract drivers — Attackers can pair over Bluetooth or Wi‑Fi, abuse iAP2 and an AirPlay SDK flaw to run code and control the car screen and audio. Apple patched the bug, but many automakers and devices remain unpatched, leaving millions of cars exposed.

💰 Critical Chrome Vulnerability Earns Researcher $43,000 — Google released a Chrome update that fixes two serious security bugs, including a critical ServiceWorker use-after-free (CVE-2025-10200). Looben Yang was paid $43,000 for the critical bug, and Sahan Fernando and an anonymous researcher earned $30,000 for the Mojo flaw (CVE-2025-10201). Google says there is no evidence the bugs were exploited in the wild, but users should update Chrome now.

🛰️ ICS, OT & IoT

🐛 🩹 ICS Patch Tuesday — Several industrial control system vendors released Patch Tuesday security advisories, led by Rockwell Automation. Rockwell published eight high-severity fixes for data exposure, DoS, and remote code execution, and Siemens issued seven advisories including a CVSS 9.3 data-access flaw and an unauthenticated RCE. Schneider, Phoenix Contact, Honeywell and agencies like CISA and CERT@VDE also published advisories for other vulnerabilities.

🇯🇵 🤝🏼 🇺🇸 Mitsubishi Electric will buy Nozomi Networks for $883 million, valuing it near $1 billion. Nozomi will become a wholly owned but independently run subsidiary, keeping its San Francisco HQ and Swiss R&D. Nozomi makes OT/IoT cybersecurity tools, and Mitsubishi says the deal will help build AI-powered industrial security solutions.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.