Today’s intelligence digest is dominated by a widespread software supply chain compromise targeting the npm ecosystem, with CISA issuing a critical alert. Concurrently, CISA has detailed a federal agency breach stemming from an unpatched GeoServer vulnerability, highlighting significant detection delays. Other major events include ongoing operational shutdowns at Jaguar Land Rover and European airports due to cyberattacks, and the discovery of a nation-state linked SIM farm threatening New York’s cellular network.
Top 5 Critical Security Alerts
- Widespread Supply Chain Compromise Impacting npm Ecosystem: CISA warns of a self-replicating worm, ‘Shai-Hulud,’ that has compromised over 500 npm packages to steal developer credentials and API keys.
- CISA says hackers breached federal agency using GeoServer exploit: CISA confirms threat actors breached a federal agency by exploiting a known GeoServer vulnerability (CVE-2024-36401), moving laterally and remaining undetected for three weeks.
- Libraesva ESG issues emergency fix for bug exploited by state hackers: An emergency patch has been released for the Libraesva Email Security Gateway to fix a critical vulnerability actively exploited by state-sponsored threat actors.
- SolarWinds releases third patch to fix Web Help Desk RCE bug: SolarWinds has issued another hotfix for a critical remote code execution (RCE) vulnerability in its Web Help Desk software.
- US uncovers 100,000 SIM cards that could have “shut down” NYC cell network: The Secret Service disrupted a massive, nation-state-linked network of 100,000 SIM cards and 300 servers capable of launching attacks against NYC’s cellular infrastructure.
Threat Intelligence
- How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking: Talos Intelligence details how a new PlugX malware variant overlaps with the RainyDay and Turian backdoors, using DLL search order hijacking for execution.
- NPM package caught using QR Code to fetch cookie-stealing malware: Researchers discovered the ‘fezbox’ npm package using QR codes to conceal and deliver a second-stage payload designed to steal browser cookies.
- ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service: A new DDoS-for-hire botnet, ShadowV2, is actively compromising misconfigured Docker containers on AWS to build its attack infrastructure.
Security Breaches & Incidents
- European airports still dealing with disruptions days after ransomware attack: A ransomware attack on Collins Aerospace continues to cause flight delays and check-in system disruptions at major airports in Berlin, Brussels, Dublin, and London.
- Jaguar Land Rover extends shutdown again following cyberattack: The production halt at Jaguar Land Rover, caused by a cyberattack, has been extended into October, marking at least four weeks of disruption.
- South Korea probes credit card company data breach affecting 3 million customers: A major South Korean credit card processor is investigating a data breach that has impacted approximately 3 million customers, requiring card reissuances.
- Boyd Gaming discloses data breach after suffering a cyberattack: The US casino operator confirmed a cyberattack in which threat actors accessed its systems and exfiltrated employee and customer data.
Security Tools & Best Practices
- GitHub tightens npm security with mandatory 2FA, access tokens: In response to recent supply chain attacks, GitHub is strengthening npm security by enforcing 2FA and introducing short-lived access tokens for publishing packages.
- SonicWall releases SMA100 firmware update to wipe rootkit malware: SonicWall has issued a firmware update for its SMA 100 series appliances designed to detect and remove persistent rootkit malware from compromised devices.
Cloud & Network Security
- Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack: Cloudflare successfully defended against a massive DDoS attack that peaked at 22.2 Tbps, setting a new record for mitigated attack volume.
Security Standards & Frameworks
- CISA Adds One Known Exploited Vulnerability to Catalog: CISA has added CVE-2025-10585, a type confusion vulnerability in Google Chromium’s V8 engine, to its Known Exploited Vulnerabilities (KEV) catalog.
- CISA Releases Six Industrial Control Systems Advisories: CISA has published six new advisories detailing vulnerabilities in ICS products from vendors including AutomationDirect, Mitsubishi Electric, and Schneider Electric.
Emerging Security Technologies
- AI models are using material from retracted scientific papers: Recent studies reveal that some AI chatbots are sourcing information from flawed, retracted scientific papers, raising concerns about the reliability of AI-generated research.
