
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 19:30 30/11/2025 UTC
  • CISA Adds **Actively Exploited XSS Flaw** in OpenPLC ScadaBR to KEV Catalog: CISA has urgently added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, affecting both Windows and Linux versions, has been weaponized by the pro-Russian hacktivist group TwoNet in recent attacks. Federal agencies must patch by December 19, 2025; exploitation activity is driven by a long-running OAST service targeting Brazilian systems.
Last updated: 17:30 30/11/2025 UTC
  • **Shai-Hulud 2.0** supply chain attack escalates to **Maven ecosystem** after compromising 830+ npm packages: The second wave of Shai-Hulud has now spilled into the Maven ecosystem, with a trojanized package (org.mvnpm:posthog-node:4.18.1) embedding the same Bun-based loader and malicious payload (bun_environment.js). Over 28,000 repositories are now affected, with attackers stealing API keys, cloud credentials, and GitHub tokens via self-hosted GitHub runners. The latest variant destroys home directories if persistence fails and uses randomly named public repos for exfiltration, evading detection. CISA warns this is one of the most aggressive supply chain attacks of 2025, exploiting CI/CD misconfigurations such as pull_request_target triggers.
  • **Scattered Lapsus$ Hunters (SLSH)** launches **Zendesk phishing blitz**, breaches **Discord**: The SLSH alliance has deployed 40+ typosquatted domains (e.g., znedesk[.]com) in a new phishing campaign targeting Zendesk users, mirroring its August 2025 Salesforce attacks. Discord confirmed a breach via its Zendesk support system, exposing user names, emails, billing details, and government IDs. The group uses deceptive SSO portals and malicious helpdesk tickets to harvest credentials and drop remote access trojans (RATs), signaling a shift to high-value SaaS platforms for downstream data access. Organizations are urged to audit ticket submissions and monitor for typosquatted domains.
  • **Clop extortion spree** exploits **Oracle EBS zero-day (CVE-2025-61882)**, hits **Harvard, Washington Post, Logitech**: The Clop ransomware gang is actively exploiting a patched but widely unapplied Oracle E-Business Suite zero-day, stealing data from 100+ organizations including Harvard University, The Washington Post, and Logitech. GlobalLogic confirmed 10,471 employees had SSNs, bank details, and passport info exfiltrated, while Dartmouth College disclosed 1,494 individuals affected. The gang's extortion emails demand ransom under threat of public data leaks, with 29 new victims listed this week alone. Oracle's emergency patch remains unapplied in many enterprises, leaving them exposed to lateral movement and data theft.
  • **CVE-2025-59287 (WSUS RCE)** now distributing **ShadowPad malware** via **Chinese APT groups**: Threat actors are exploiting the critical WSUS RCE flaw (CVE-2025-59287) to deploy ShadowPad, a modular backdoor linked to Chinese state-sponsored groups. Attackers use PowerCat, certutil, and curl to gain system shells, then side-load ShadowPad with anti-detection and persistence techniques. Sophos reports 50+ U.S. victims across industries, with data exfiltration to webhook[.]site endpoints. The flaw, patched by Microsoft in October, remains a high-priority target because it is potentially wormable between WSUS servers.
  • **ASUS routers under fire**: Critical **auth bypass flaws (CVE-2025-59366, CVE-2025-59367)** enable **remote takeover**: ASUS has urgently patched two critical authentication bypass vulnerabilities in DSL and AiCloud routers, including models such as the DSL-AC51 and DSL-N16. The flaws allow unauthenticated attackers to gain full control of exposed devices via path traversal and OS command injection. Users are advised to disable internet-facing services and apply firmware updates immediately, as in-the-wild exploits are expected to emerge. The vulnerabilities stem from side effects of Samba functionality and AiCloud misconfigurations.
  • **ShadowV2 botnet** evolves: **DDoS-for-hire** now targets **IoT devices** and **misconfigured AWS Docker**: The ShadowV2 botnet has expanded its DDoS-for-hire operations, now targeting IoT devices (D-Link, TP-Link) alongside misconfigured AWS Docker containers. Operators use Go-based malware and a Python C2 framework hosted on GitHub Codespaces to evade detection, deploying HTTP/2 Rapid Reset attacks that bypass Cloudflare's Under Attack mode. The botnet scans 24,000+ hosts with port 2375 exposed, with active campaigns observed during the October AWS outage. Its modular design supports UDP, TCP, and HTTP floods, with new IoT variants emerging.
  • **UK Cyber Resilience Bill** introduces **mandatory incident reporting**, **fines for non-compliance**: The UK's new Cyber Security and Resilience Bill overhauls the 2018 NIS Regulations, introducing stricter security mandates for critical infrastructure, expanded incident reporting, and tougher penalties for failures. The legislation grants the Technology Secretary emergency powers to direct actions during national security threats and targets managed service providers as a key risk vector. With cyber damages costing £15B annually, the bill also proposes tax relief for cybersecurity investments and liability for software developers over avoidable vulnerabilities. The NCSC reports a 130% spike in "nationally significant" incidents in 2025.

Latest updates


CISA Adds Actively Exploited XSS Bug in OpenPLC ScadaBR to KEV

Updated: · First: 30.11.2025 11:23 · 📰 1 src / 1 articles

CISA has added CVE-2021-26829, a cross-site scripting (XSS) flaw in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. The vulnerability affects Windows and Linux versions of the software and has been exploited by the pro-Russian hacktivist group TwoNet in a recent attack. Federal agencies are required to apply fixes by December 19, 2025. Additionally, VulnCheck observed a long-running OAST service driving exploit operations targeting Brazil.

Qilin ransomware group targets multiple organizations, including South Korean financial sector

Updated: 29.11.2025 17:17 · First: 19.08.2025 17:25 · 📰 16 src / 20 articles

The Qilin ransomware group has been targeting multiple organizations, including Inotiv, a U.S.-based pharmaceutical company; Creative Box Inc. (CBI), a subsidiary of Nissan; Mecklenburg County Public Schools (MCPS); Asahi Group; and Synnovis, a UK pathology services provider. The latest attack hit the South Korean financial sector, where Qilin claims to have stolen over 1 million files and 2 TB of data from 28 victims. The attack on Asahi caused significant operational disruption, including a beer shortage in Japan; the group has also targeted other Japanese companies, including Shinko Plastics and Osaki Medical. Qilin operates as a ransomware-as-a-service (RaaS) network, leasing its tools and infrastructure to affiliates since 2023 and taking a 15–20% share of ransom payments. Its malware is custom-built in Rust and C for cross-platform attacks on Windows, Linux, and ESXi systems, and it uses the Windows Subsystem for Linux (WSL) to execute Linux encryptors on Windows systems, evading traditional security tools. The operation was first launched as "Agenda" in August 2022 and rebranded to Qilin by September 2022. In 2025 it has attacked more than 700 victims across 62 countries and has published over 40 new victims per month in the second half of the year. The group has been observed exploiting unpatched VPN appliances and the lack of multi-factor authentication (MFA) to gain initial access to corporate networks; targeting small-to-medium-sized businesses in the construction, healthcare, and financial sectors; using new extortion channels, including Telegram and public sites such as WikiLeaksV2; collaborating with affiliates of the Scattered Spider group; and publishing victims' data on dark-web leak sites if no ransom is paid.
Asahi Group Holdings confirmed that the personal data of approximately 1.914 million individuals, including 1.525 million customers, was or may have been exposed in the cyber-attack, for which the Qilin ransomware group claimed responsibility. The exposed data includes names, genders, dates of birth, postal addresses, email addresses, and phone numbers. Asahi temporarily suspended its operations in Japan in late September following a system failure caused by the ransomware attack; the disruptions included order and shipment operations, call centers, and customer service desks, and the company postponed the launch of a new product that had been scheduled for October. On October 7, Qilin listed Asahi on its data leak site, claiming to have stolen 27 GB of files from the company. Asahi spent two months investigating the breach, conducting root cause analysis and integrity checks, containing the ransomware, restoring systems, and strengthening security. Atsushi Katsuki, President and Group CEO of Asahi Group Holdings, publicly apologized for the difficulties caused by the disruptions, and the company is reviewing the potential impact of the incident on its financial results for fiscal year 2025.

OpenAI considers memory-based ads for ChatGPT

Updated: 29.11.2025 13:31 · First: 01.11.2025 22:00 · 📰 2 src / 3 articles

OpenAI, valued at $500 billion, is exploring the introduction of ads on ChatGPT to address revenue challenges. The company, which has 800 million users, relies heavily on a small percentage of paying customers for its $13 billion revenue. OpenAI is debating this move ahead of a potential public offering, as it seeks to diversify its revenue streams. OpenAI has also expanded the availability of its cheaper 'Go' subscription plan to more countries and introduced purchasable credits for Codex and Sora. OpenAI is now internally testing ads inside ChatGPT, with references to an 'ads feature' in the ChatGPT Android app 1.2025.329 beta. The ads could be highly personalized as the AI knows everything about the user unless the feature is disabled.

Australian Man Sentenced for In-Flight Evil Twin WiFi Attacks

Updated: · First: 28.11.2025 20:25 · 📰 1 src / 1 articles

A 44-year-old Australian man was sentenced to seven years and four months in prison for operating an "evil twin" WiFi network to steal data from travelers during flights and at airports across Australia. The man used a WiFi Pineapple device to create rogue access points with the same SSID as legitimate networks, directing users to phishing pages to steal credentials and private media. The man pleaded guilty to multiple charges, including unauthorized access, theft, and evidence tampering. Authorities seized thousands of intimate images, personal credentials, and records of fraudulent WiFi pages. The Australian Federal Police (AFP) warned the public about the risks of free WiFi, advising the use of VPNs, strong passwords, and disabling automatic WiFi connectivity.

Windows 11 Updates Hide Password Login Option on Lock Screen

Updated: · First: 28.11.2025 20:07 · 📰 1 src / 1 articles

Recent Windows 11 updates since August 2025 have caused the password login option to become invisible on the lock screen, though the button remains functional. This issue affects systems with multiple sign-in options enabled, including those updated with KB5064081 or later updates on Windows 11 24H2 and 25H2. Microsoft has acknowledged the problem and is working on a fix, but no timeline has been provided. Users can still access the password login by hovering over the area where the icon should appear.

Exposed Secrets in Public GitLab Repositories

Updated: · First: 28.11.2025 19:43 · 📰 1 src / 1 articles

A security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains in public GitLab repositories. The scan, conducted using the TruffleHog tool, revealed a significant number of valid credentials, including API keys, passwords, and tokens. The findings highlight the ongoing risk of sensitive data exposure in public code repositories. The researcher also found that many of these secrets were relatively new, with some dating back to 2009 but still valid. The most common leaked secrets were Google Cloud Platform (GCP) credentials, followed by MongoDB keys, Telegram bot tokens, and OpenAI keys.

Legacy Python Bootstrap Scripts Pose Domain-Takeover Risk in PyPI Packages

Updated: · First: 28.11.2025 18:27 · 📰 1 src / 1 articles

Researchers discovered vulnerable legacy Python bootstrap scripts in multiple PyPI packages that could enable domain-takeover attacks. The scripts fetch installation files from a defunct domain (python-distribute.org), now available for purchase, potentially allowing attackers to serve malicious code. Affected packages include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures. While some packages have removed the vulnerable scripts, others like slapos.core still include them, posing a latent risk to users who might execute the scripts.

French Football Federation Data Breach Exposes Amateur Player Information

Updated: 28.11.2025 18:12 · First: 28.11.2025 12:06 · 📰 2 src / 2 articles

The French Football Federation (FFF) suffered a data breach on November 20, 2025, exposing personal details of millions of amateur football players. The breach involved unauthorized access to a software platform used by licensed football clubs for administrative tasks. The exposed data includes names, genders, dates of birth, birth locations, nationalities, postal addresses, email addresses, phone numbers, and football license ID numbers. The FFF took immediate steps to secure the platform by deactivating the compromised account and resetting all user account passwords. The federation also notified relevant authorities and warned players to be vigilant against phishing scams. This incident follows a similar breach at the French Shooting Federation three weeks prior.

Threat Actors Exploit Calendar Subscriptions for Phishing and Malware Delivery

Updated: · First: 28.11.2025 17:05 · 📰 1 src / 1 articles

Threat actors are manipulating digital calendar subscription infrastructure to deliver phishing and malware. They exploit expired or hijacked domains to set up deceptive infrastructures, tricking users into subscribing to malicious notifications. Once subscribed, attackers can deliver harmful content, including URLs or attachments, leading to phishing, malware distribution, and even JavaScript execution. BitSight's research uncovered 347 suspicious calendar domains, with approximately four million unique IP addresses per day interacting with these domains, primarily in the US.

Darktrace Observes Surge in Black Friday-Themed Phishing Campaigns

Updated: · First: 28.11.2025 15:35 · 📰 1 src / 1 articles

Darktrace reported a 620% spike in Black Friday-themed phishing campaigns leading up to Black Friday and Cyber Monday. The firm anticipates an additional 20% to 30% increase during the Black Friday week. Three main scam tactics were highlighted: brand impersonation, fake marketing domains, and generative AI-powered fake advertisements. Amazon was the most impersonated brand, with 80% of phishing attempts mimicking it. Fake domains and AI-generated emails are also being used to trick users into revealing sensitive data.

Organizations Adopting Remote Privileged Access Management (RPAM) for Secure Remote Work

Updated: · First: 28.11.2025 13:09 · 📰 1 src / 1 articles

Organizations are increasingly adopting Remote Privileged Access Management (RPAM) to secure privileged access for remote and third-party users. RPAM extends traditional PAM capabilities to cloud-based and hybrid environments, providing secure, monitored access without relying on VPNs. This shift is driven by the rise of remote work, the need for strong access controls, and the targeting of weak remote access points by cybercriminals. RPAM solutions enforce least-privilege access, verify user identities, and record privileged sessions, enhancing security and compliance.

Microsoft Teams Guest Access Bypasses Defender for Office 365 Protections

Updated: · First: 28.11.2025 10:33 · 📰 1 src / 1 articles

Researchers discovered a security blind spot in Microsoft Teams guest access that allows attackers to bypass Microsoft Defender for Office 365 protections. When a user accepts a guest invitation to an external tenant, the Defender for Office 365 protections of their home organization no longer apply; the user is instead subject to the security policies of the hosting tenant. This lets attackers create 'protection-free zones' by setting up malicious tenants with minimal security policies and inviting targets to join as guests, bypassing email security checks and delivering phishing or malware-laden content. Organizations are advised to restrict B2B collaboration settings, implement cross-tenant access controls, and train users to be cautious of unsolicited Teams invites.

Bloody Wolf APT Expands Operations in Central Asia Using NetSupport RAT

Updated: 27.11.2025 20:13 · First: 27.11.2025 18:00 · 📰 2 src / 2 articles

The Bloody Wolf APT group has expanded its cyber campaign across Central Asia, targeting government entities in Kyrgyzstan and Uzbekistan. The group has shifted from traditional malware to using legitimate remote-access software, specifically NetSupport RAT, deployed via Java-based delivery methods. The campaign involves sophisticated social engineering tactics, including impersonating government ministries and using geofenced infrastructure to deliver malicious payloads. The group's activities have been ongoing since at least June 2025, with a notable increase in operations by October 2025. The infection chain involves downloading a JAR file that fetches additional components, installs NetSupport RAT, and adds persistence mechanisms. The group uses custom JAR generators to produce varied samples, reducing the likelihood of detection. The campaign has also targeted finance and IT sectors. The shift to legitimate remote-administration tools indicates an evolution in the group's tactics to evade detection and blend into normal IT activity.

Malicious LLMs enable low-skilled attackers to execute advanced cyberattacks

Updated: · First: 27.11.2025 19:15 · 📰 1 src / 1 articles

Researchers at Palo Alto Networks Unit42 have identified two large language models (LLMs), WormGPT 4 and KawaiiGPT, that are being used by cybercriminals to generate malicious code and phishing messages. These tools are empowering inexperienced hackers to conduct sophisticated attacks, including ransomware encryption and lateral movement. WormGPT 4, available for a subscription fee, can create ransomware scripts and convincing ransom notes. KawaiiGPT, a free alternative, can generate phishing messages and scripts for lateral movement and data exfiltration. Both tools have active communities on Telegram where users share tips and advice.

Hackers Hijack US Radio Equipment to Broadcast False Alerts and Offensive Content

Updated: · First: 27.11.2025 18:45 · 📰 1 src / 1 articles

Hackers have hijacked US radio transmission equipment, particularly Barix network audio devices, to broadcast false emergency alerts and offensive material. The incidents involved unauthorized access to the Emergency Alert System (EAS) and affected stations in Texas and Virginia. The Federal Communications Commission (FCC) issued a notice urging broadcasters to enhance security measures to prevent such intrusions.

Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks

Updated: 27.11.2025 17:37 · First: 26.11.2025 15:26 · 📰 2 src / 2 articles

Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. 
The company has also introduced automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved a complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.

GreyNoise IP Check Tool Detects Botnet Participation

Updated: · First: 27.11.2025 17:11 · 📰 1 src / 1 articles

GreyNoise Labs has launched a free tool called GreyNoise IP Check to help users determine if their IP address has been involved in malicious scanning activities, such as botnet or residential proxy networks. The tool provides a simple way to check for malicious activity without requiring deep technical analysis. The tool offers three possible results: Clean, Malicious/Suspicious, and Common Business Service. For suspicious activity, it provides a 90-day historical timeline to help identify potential infection points. Users are advised to investigate their devices, run malware scans, update firmware, and secure network settings if suspicious activity is detected.

Mixpanel Data Breach Exposes OpenAI API User Information

Updated: 27.11.2025 13:27 · First: 27.11.2025 13:15 · 📰 2 src / 3 articles

OpenAI has disclosed that a data breach at Mixpanel, a third-party analytics provider, exposed limited customer identifiable information and analytics data of some OpenAI API users. The breach occurred between November 9 and 25, 2025, and resulted from a smishing (SMS phishing) campaign detected on November 8, 2025. Affected data includes names, email addresses, approximate locations, operating systems, browsers, referring websites, and organization or user IDs associated with API accounts. OpenAI has removed Mixpanel from its services and is conducting additional security reviews across its vendor ecosystem. The company is notifying potentially affected users and advising them to be vigilant against phishing and social engineering attacks. OpenAI emphasized that no chat content, API usage data, passwords, credentials, API keys, payment details, or government IDs were compromised. CoinTracker, a cryptocurrency portfolio tracker and tax platform, has also been impacted, with exposed data including device metadata and limited transaction count.

ShinyHunters and Scattered Spider Collaboration

Updated: 27.11.2025 11:30 · First: 12.08.2025 15:00 · 📰 22 src / 69 articles

The **Gainsight cyber-attack** has expanded significantly, with Salesforce initially identifying **three impacted customers** but later confirming a **larger, unspecified number of victims** by **November 21, 2025**. Meanwhile, the **Scattered Lapsus$ Hunters (SLSH) alliance** has launched a **new phishing campaign targeting Zendesk users**, deploying over **40 typosquatted domains** (e.g., *znedesk[.]com*) and **malicious helpdesk tickets** to harvest credentials and deploy remote access trojans (RATs). The group’s tactics mirror those used in the **August 2025 Salesforce attacks**, with **deceptive SSO portals** and **social engineering lures** aimed at support staff. **Discord** has already confirmed a breach via its Zendesk-based support system, exposing user data including **names, emails, billing details, and government-issued IDs**. Gainsight’s breach involved **unauthorized access via an AT&T IP address on November 8**, preceded by reconnaissance from **3.239.45[.]43 on October 23** and approximately **20 suspicious intrusions between November 16–23** using **VPN services (Mullvad, Surfshark)** and the **Salesforce-Multi-Org-Fetcher/1.0 technique**—a method tied to the **Salesloft Drift breach**. Salesforce revoked all access tokens associated with Gainsight applications, while third-party vendors like **Gong.io, Zendesk, and HubSpot** severed integrations as a precaution. HubSpot confirmed no compromise of its infrastructure. Forensic investigations by **Mandiant** and Salesforce revealed the attackers exploited **compromised multifactor credentials** for VPN and system access. Customers were advised to **rotate S3 keys, reset NXT passwords, and re-authorize integrations** while adopting **Google Threat Intelligence Group (GTIG) mitigations**. 
The SLSH alliance has also unveiled a new **ransomware-as-a-service (RaaS) platform, ShinySp1d3r**, featuring **advanced anti-forensic capabilities**, network propagation tools, and **AI-enhanced modifications** of the **HellCat ransomware**. The platform is administered by **Saif Al-Din Khader (aka Rey)**, a core SLSH member who claims cooperation with law enforcement since June 2025. The group has been linked to **51 cyberattacks in the past year**, combining RaaS with extortion-as-a-service (EaaS) and insider recruitment to maximize impact. This attack follows a year-long pattern of **high-impact breaches** by ShinyHunters and Scattered Spider, including the **$107 million loss at the Co-operative Group (U.K.)**, **Jaguar Land Rover’s operational shutdown**, and breaches at **Allianz Life, Farmers Insurance, and Workday**, all exploiting **Salesforce platform vulnerabilities**. Despite arrests (e.g., **Scattered Spider members Owen Flowers and Thalha Jubair**) and shutdown claims, the threat persists, with **new victims emerging in critical sectors like rail transport (Almaviva/FS Italiane Group)** and now **Zendesk users**. Authorities, including the **FBI and U.K. NCA**, continue issuing alerts as the groups adapt tactics, leveraging **third-party IT providers, cloud-based CRM systems, and AI-enhanced tooling** to evade detection and scale operations.

UK Introduces Cyber Security and Resilience Bill to Strengthen National Defenses

Updated: 27.11.2025 11:00 · First: 12.11.2025 11:40 · 📰 5 src / 7 articles

The UK government has introduced the Cyber Security and Resilience Bill, aiming to upgrade the 2018 NIS Regulations and bolster national cyber defenses. The bill proposes stricter security requirements for essential services, expanded incident reporting, and enhanced regulatory powers. It also includes new regulations for managed service providers and critical suppliers, with tougher penalties for serious offenses. The legislation follows multiple high-profile breaches and aims to address growing cyber threats, including those from AI and unsupported equipment. The bill aims to address annual damages of nearly £15 billion ($19.6 billion) from cyberattacks, with the average significant cyberattack costing over £190,000, totaling roughly £14.7 billion each year. The National Cyber Security Centre (NCSC) reported a 130% increase in "nationally significant" cyber incidents in 2025 compared to 2024. The Technology Secretary will have the authority to direct regulators and organizations to take actions when national security is threatened. Additionally, the House of Commons Business and Trade Committee has called for legislation to mandate the Software Security Code of Practice and proposed tax relief for businesses investing in cybersecurity measures. The Committee's report argues for making software developers liable for avoidable vulnerabilities and introducing mandatory cyber-incident reporting to build a clearer national threat picture.

ShadowV2 Botnet Targets Misconfigured AWS Docker Containers and IoT Devices for DDoS Attacks

Updated: 27.11.2025 00:24 · First: 23.09.2025 14:26 · 📰 3 src / 4 articles

The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website. Additionally, the ShadowV2 botnet has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities. The botnet was active during the major AWS outage in October, possibly as a test run. The malware identifies itself as 'ShadowV2 Build v1.0.0 IoT version' and is similar to the Mirai LZRD variant. The botnet supports DDoS attacks on UDP, TCP, and HTTP protocols, with various flood types for each.

NordVPN Black Friday 2025 Discounts

Updated: · First: 26.11.2025 22:00 · 📰 1 src / 1 articles

NordVPN is offering significant discounts on its VPN plans during the Black Friday 2025 sale. The promotion includes up to 77% off on various subscription plans, including Basic, Plus, and Ultimate bundles. The deal runs from October 16 to December 10, 2025. NordVPN's offerings include enhanced security features, fast speeds, and access to streaming services. The discounts make it a competitive option for users seeking comprehensive online privacy and security solutions.

Signature Verification Bypass in node-forge Library (CVE-2025-12816)

Updated: · First: 26.11.2025 21:32 · 📰 1 src / 1 articles

A high-severity vulnerability (CVE-2025-12816) in the popular node-forge JavaScript cryptography library allows attackers to bypass signature verification by crafting malformed ASN.1 data. The flaw affects versions 1.3.1 and earlier and could lead to authentication bypass, data tampering, and misuse of certificate functions. A patch (version 1.3.2) has been released to address the issue.

Comcast Fined $1.5M for Vendor Breach Exposing 270K Customers

Updated: · First: 26.11.2025 20:30 · 📰 1 src / 1 articles

Comcast will pay a $1.5 million fine to settle an FCC investigation into a 2024 vendor data breach that exposed personal and financial information of 273,703 customers. The breach occurred at Financial Business and Consumer Solutions (FBCS), a debt collector Comcast had stopped using two years prior. The breach was initially underreported, with the total number of affected individuals rising from 1.9 million to 4.2 million over several months. Comcast has agreed to enhance vendor oversight and implement a compliance plan, including appointing a compliance officer and conducting regular risk assessments. The company denies wrongdoing, stating its network was not breached and that FBCS was contractually required to comply with security requirements.

Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack

Updated: 26.11.2025 20:08 · First: 28.08.2025 13:36 · 📰 11 src / 16 articles

The Shai-Hulud attack, driven by self-replicating malware, has compromised at least 187 npm packages across multiple maintainers. The malware propagates to other packages owned by the same maintainer by modifying package.json, injecting a bundle.js script, repacking the archive, and republishing it. It uses TruffleHog to search the host for tokens and cloud credentials, creates unauthorized GitHub Actions workflows within repositories, and exfiltrates sensitive data to a hardcoded webhook endpoint. The attack is named 'Shai-Hulud' after the shai-hulud.yaml workflow files the malware drops, and it follows the 's1ngularity' attack, potentially orchestrated by the same attackers. The attack unfolded in three phases, impacting 2,180 accounts and 7,200 repositories. The first phase, between August 26 and 27, directly impacted 1,700 users, leaking over 2,000 unique secrets and exposing 20,000 files. The second phase, between August 28 and 29, compromised an additional 480 accounts, mostly organizations, and exposed 6,700 private repositories. The third phase, beginning on August 31, targeted a single victim organization, publishing an additional 500 private repositories. The attackers used AI-powered CLI tools such as Claude, Q, and Gemini to dynamically scan for high-value secrets, tuning the prompts for better results. A second wave of attacks, dubbed Sha1-Hulud, has compromised hundreds of npm packages. This campaign introduces a variant that executes malicious code during the preinstall phase, increasing potential exposure in build and runtime environments. The attackers add a preinstall script (setup_bun.js) to the package.json file, which installs or locates the Bun runtime and runs a bundled malicious script (bun_environment.js). The malicious payload registers the infected machine as a self-hosted runner named SHA1HULUD and adds a workflow called .github/workflows/discussion.yaml.
The malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as npm tokens, AWS/GCP/Azure credentials, and environment variables. Wiz researchers identified over 25,000 affected repositories across about 350 unique users, with roughly 1,000 new repositories being added every 30 minutes at the time of their analysis. The second wave is more aggressive: the malware attempts to destroy the victim's entire home directory if it fails to authenticate or establish persistence. This wiper-like behaviour is triggered only if the malware cannot authenticate to GitHub, create a GitHub repository, fetch a GitHub token, or find an npm token. Organizations are urged to scan all endpoints for impacted packages, remove compromised versions, rotate all credentials, and audit repositories for persistence mechanisms. The new Shai-Hulud worm targets popular projects such as Zapier and PostHog, and can infect up to 100 npm packages per victim, compared to 20 in the previous version. The malware has an unusual structure, split into two files to evade detection: the first file checks for and installs the less common Bun JavaScript runtime, while the second is a massive malicious source file that publishes stolen data to .json files in a randomly named GitHub repository. The size and structure of that file confuse AI analysis tools, causing inconsistent analysis results. The worm poses a significant risk to the software industry and end users, potentially leading to data breaches, ransomware footholds, and a loss of trust in the npm ecosystem. The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry.
A Maven Central package named org.mvnpm:posthog-node:4.18.1 was found to embed the same two components associated with Sha1-Hulud: the 'setup_bun.js' loader and the main payload 'bun_environment.js'. The Maven Central package is not published by PostHog itself but is generated by an automated mvnpm process that rebuilds npm packages as Maven artifacts. This 'second coming' of the supply chain incident has targeted developers globally to steal sensitive data such as API keys, cloud credentials, and npm and GitHub tokens, and the latest iteration is more stealthy, aggressive, scalable, and destructive. The attack gives threat actors unauthorized access to npm maintainer accounts, which they use to publish trojanized versions of those maintainers' packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their machines, scans for secrets, and exfiltrates them to GitHub repositories using the stolen tokens. It does this by injecting two rogue workflows: one registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened, and the other systematically harvests all secrets. Over 28,000 repositories have been affected by the incident. This version significantly enhances stealth by using the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages. It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single hard-coded one. The attacks illustrate how easily attackers can abuse trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers.
The self-replicating nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time. Further analysis by Aikido has found that the threat actors exploited CI misconfigurations in existing GitHub Actions workflows, specifically in pull_request_target and workflow_run workflows, to pull off the attack. The affected workflows used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run. A single misconfiguration can turn a repository into patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through the automated pipelines organizations rely on every day. The activity is assessed to be the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm. As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behaviour, making it one of the most impactful supply chain attacks of the year. It shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation. Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files containing exfiltrated secrets were uploaded to GitHub. GitGuardian's analysis of 4,645 GitHub repositories identified 11,858 unique secrets, of which 2,298 remained valid and publicly exposed as of November 24, 2025.
Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement. Sha1-Hulud is another reminder that the modern software supply chain is still far too easy to break: a single compromised maintainer and a malicious install script are all it takes to ripple through thousands of downstream projects in a matter of hours. The techniques attackers use are constantly evolving, and most of these attacks do not rely on zero-days; they exploit gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed.
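Two of the checks the summary calls for can be scripted: scanning endpoints for packages that carry the campaign's preinstall loader and payload, and auditing repositories for the persistence workflow and the pull_request_target misconfiguration. The following Python scanner is an added example, not code from any of the cited vendors. It matches on the file names and trigger named above (setup_bun.js, bun_environment.js, .github/workflows/discussion.yaml, pull_request_target) and goes one step beyond the text by matching the specific unsafe pattern inside a pull_request_target workflow: a checkout of the pull request's head commit, which runs contributor-supplied code with the repository's write token. The project tree it scans is constructed inside a temporary directory so the example runs offline; none of the packages or workflows in it are real.

```python
from __future__ import annotations

import json
import os
import re
import tempfile
from pathlib import Path

# File names reported for the Sha1-Hulud wave (from the summary above).
PREINSTALL_LOADER = "setup_bun.js"
PAYLOAD_FILE = "bun_environment.js"
RUNNER_WORKFLOW = "discussion.yaml"

# A pull_request_target job that checks out the PR head runs the contributor's
# code with the repository's write token: the misconfiguration the text names.
HEAD_CHECKOUT_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def scan_package_json(path: Path) -> list[str]:
    """Flag a package whose preinstall hook runs the loader or that ships the payload."""
    findings: list[str] = []
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return findings  # unreadable or not JSON: nothing to assess
    scripts = data.get("scripts") or {}
    if PREINSTALL_LOADER in str(scripts.get("preinstall", "")):
        findings.append(f"{path}: preinstall script runs {PREINSTALL_LOADER}")
    if (path.parent / PAYLOAD_FILE).is_file():
        findings.append(f"{path.parent}: contains {PAYLOAD_FILE}")
    return findings


def scan_workflow(path: Path) -> list[str]:
    """Flag the persistence workflow name and the unsafe pull_request_target pattern."""
    findings: list[str] = []
    text = path.read_text(encoding="utf-8", errors="replace")
    if path.name == RUNNER_WORKFLOW:
        findings.append(f"{path}: workflow name matches the campaign's persistence workflow")
    if "pull_request_target" in text and HEAD_CHECKOUT_RE.search(text):
        findings.append(f"{path}: pull_request_target job checks out the PR head")
    return findings


def scan_tree(root: Path) -> list[str]:
    """Walk a checkout or node_modules tree and collect all findings."""
    findings: list[str] = []
    for dirpath, _dirs, files in os.walk(root):
        base = Path(dirpath)
        in_workflows = base.name == "workflows" and base.parent.name == ".github"
        for name in files:
            if name == "package.json":
                findings.extend(scan_package_json(base / name))
            elif in_workflows and name.endswith((".yml", ".yaml")):
                findings.extend(scan_workflow(base / name))
    return findings


def build_sample_tree(root: Path) -> None:
    """Create a constructed sample tree (fake packages and workflows) for the demo."""
    bad = root / "node_modules" / "evil-pkg"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "evil-pkg", "version": "1.0.0",
        "scripts": {"preinstall": "node setup_bun.js"}}))
    (bad / PREINSTALL_LOADER).write_text("// loader stub (constructed)\n")
    (bad / PAYLOAD_FILE).write_text("// payload stub (constructed)\n")
    good = root / "node_modules" / "clean-pkg"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"name": "clean-pkg", "version": "2.0.0"}))
    wf = root / ".github" / "workflows"
    wf.mkdir(parents=True)
    (wf / "ci.yml").write_text(  # unsafe: untrusted head checked out under pull_request_target
        "on:\n  pull_request_target:\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n"
        "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n"
        "      - run: npm install\n")
    (wf / "safe.yml").write_text(  # plain pull_request trigger, default checkout
        "on:\n  pull_request:\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n      - run: npm ci\n")
    (wf / RUNNER_WORKFLOW).write_text(
        "on:\n  discussion:\njobs:\n  run:\n    runs-on: self-hosted\n"
        "    steps:\n      - run: echo hi\n")


def demo() -> list[str]:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real checkout with scan_tree(Path(".")) after the project has been installed, so that node_modules is populated. Hits on the file names are only indicators of this campaign; the pull_request_target check is the durable one, since it catches the misconfiguration that let the worm into repositories in the first place.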

Scattered Spider, ShinyHunters, and LAPSUS$ Form Unified Cyber Extortion Collective

Updated: 26.11.2025 19:22 · First: 04.11.2025 16:15 · 📰 3 src / 4 articles

A new cyber extortion collective, Scattered LAPSUS$ Hunters (SLH), has emerged as a unified alliance combining Scattered Spider, ShinyHunters, and LAPSUS$. The group is leveraging the reputational capital of these three high-profile criminal brands to create a consolidated threat identity. SLH is using Telegram as a command hub and brand engine, cycling through public channels to maintain a persistent presence. The alliance aims to fill the void left by the collapse of BreachForums and to attract displaced operators with an affiliate-driven extortion model. SLH has created 16 Telegram channels since August 8, 2025, and offers an extortion-as-a-service (EaaS) model. The group is part of a larger cybercriminal enterprise known as The Com and has associations with other threat clusters, including CryptoChameleon and Crimson Collective. SLH's activities blend financially motivated cybercrime and attention-driven hacktivism, with a mature grasp of perception and legitimacy within the cybercriminal ecosystem. The group has hinted at developing a custom ransomware family named Sh1nySp1d3r and is aligned with DragonForce, functioning as an affiliate that breaks into targets through social engineering. The admin of SLH, known as Rey, a 16-year-old named Saif Al-Din Khader from Amman, Jordan, has reportedly been cooperating with law enforcement since June 2025. Rey was involved in releasing SLH's new ShinySp1d3r ransomware-as-a-service offering, which is a rehash of Hellcat ransomware modified with AI tools.

INC Ransom Gang Disrupts OnSolve CodeRED Emergency Alert Platform

Updated: 26.11.2025 18:15 · First: 25.11.2025 23:48 · 📰 2 src / 2 articles

The INC Ransom gang has disrupted the OnSolve CodeRED emergency alert platform, stealing sensitive user data and forcing Crisis24 to decommission the legacy environment. The attack affected emergency notification systems used by state and local governments, police departments, and fire agencies across the United States. Data stolen includes names, addresses, email addresses, phone numbers, and passwords. The gang claims to have breached the system on November 1, 2025, and encrypted files on November 10, 2025. Crisis24 is rebuilding the service using backups from March 31, 2025, which may result in missing accounts. The incident highlights the critical impact of cyberattacks on emergency services and the importance of robust cybersecurity measures. The INC Ransom group has published screenshots of stolen data and is selling samples of the stolen data, escalating concerns among affected agencies.

Growing Concerns Over Non-Human Identity Security in Enterprises

Updated: · First: 26.11.2025 17:00 · 📰 1 src / 1 articles

Enterprises are increasingly concerned about their ability to secure non-human identities (NHIs), which are critical to modern digital infrastructure. A recent survey reveals that 60% of organizations lack confidence in their NHI security measures, highlighting a significant gap in governance and protection frameworks. NHIs, including service accounts and machine identities, require sophisticated management to prevent unauthorized access and lateral movement; left unmanaged, they pose critical security risks.

Windows 11 FIDO2 Security Key PIN Prompt Introduced in Recent Updates

Updated: · First: 26.11.2025 16:43 · 📰 1 src / 1 articles

Microsoft has introduced a change in Windows 11 versions 24H2 and 25H2 under which FIDO2 security keys may prompt users to enter a PIN during sign-in after installing updates released since the September 2025 preview update. The change is intended to comply with the WebAuthn specification, which expects user verification (such as a PIN) to be performed when the relying party's user verification setting is 'preferred'. The behaviour began rolling out with the KB5065789 preview update and was fully deployed with the November KB5068861 update. Organizations can configure WebAuthn settings to discourage PIN usage if desired. FIDO2 security keys provide passwordless authentication, strengthening defenses against phishing and credential theft.

FBI Warns of $262M Stolen in Account Takeover Fraud Schemes

Updated: 26.11.2025 16:15 · First: 25.11.2025 19:23 · 📰 3 src / 3 articles

Since January 2025, cybercriminals impersonating bank support teams have stolen over $262 million through account takeover (ATO) fraud schemes. The FBI's Internet Crime Complaint Center (IC3) has received over 5,100 complaints, affecting individuals and businesses across various sectors. Criminals gain unauthorized access to online financial accounts using social engineering techniques or fraudulent websites. Once in control, they wire funds to crypto wallets and often change account passwords, making recovery difficult. The FBI advises monitoring financial accounts, using strong passwords, enabling MFA, and navigating to banking websites directly rather than through search results. Victims are urged to contact their financial institutions immediately and file complaints with the IC3. Recent reports highlight the growing use of AI-powered phishing campaigns, SEO poisoning, and exploitation of e-commerce vulnerabilities, particularly ahead of the holiday season. Purchase scams and mobile phishing (mishing) sites have also increased significantly, leveraging trusted brand names to deceive users. Cybercriminals have been found to alert account holders to alleged fraudulent purchases of high-risk items such as firearms, and to use SEO poisoning by purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites.