
Lab-Dookhtegan Disables Communications on Iranian Maritime Vessels

1 unique source, 1 article

Summary


A hacktivist group called Lab-Dookhtegan has disabled communications on dozens of Iranian maritime vessels by compromising their satellite systems. The attack affected 25 cargo ships and 39 tankers operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). The attackers gained access to the ships' Linux systems, disabled the Falcon software, and destroyed critical data, rendering the vessels' communication systems inoperable. The incident highlights the vulnerability of maritime communications and the potential for supply chain attacks in critical infrastructure. The attackers had been inside the systems since May, demonstrating persistent access and the potential for more extensive damage. The attack coincides with recent US sanctions against Iranian companies, suggesting a possible geopolitical motive.

Timeline

  1. 26.08.2025 00:10 · 1 article

    Lab-Dookhtegan Disables Communications on Iranian Maritime Vessels

    A hacktivist group called Lab-Dookhtegan has disabled communications on dozens of Iranian maritime vessels by compromising their satellite systems. The attack affected 25 cargo ships and 39 tankers operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). The attackers gained admin-level access to the Linux systems running the ships' satellite terminals, disabled the Falcon software, and destroyed critical data, rendering the vessels' communication systems inoperable. The attackers had been inside the systems since May, demonstrating persistent access and the potential for more extensive damage. The attack coincides with recent US sanctions against Iranian companies, suggesting a possible geopolitical motive.


Information Snippets

  • Lab-Dookhtegan compromised the satellite communication systems of 25 cargo ships and 39 tankers operated by NITC and IRISL.

    First reported: 26.08.2025 00:10 · 1 source, 1 article
  • The attackers gained admin-level access to the Linux systems running the ships' satellite terminals.

    First reported: 26.08.2025 00:10 · 1 source, 1 article
  • The Falcon software, which maintains communication between the ships and shore, was disabled.

    First reported: 26.08.2025 00:10 · 1 source, 1 article
  • The attack rendered the automatic identification system (AIS) tracking and satellite links inoperable.

    First reported: 26.08.2025 00:10 · 1 source, 1 article
  • The attackers gained access through a compromise of Fanava Group, an Iranian IT vendor providing satellite services.

    First reported: 26.08.2025 00:10 · 1 source, 1 article
  • The attackers overwrote six different storage partitions with zeros, destroying navigation logs, message archives, system configurations, and recovery partitions.

    First reported: 26.08.2025 00:10 · 1 source, 1 article
  • The attackers had access to the systems since May, demonstrating persistent access and the potential for more extensive damage.

    First reported: 26.08.2025 00:10 · 1 source, 1 article
  • The attack coincides with recent US sanctions against Iranian companies, suggesting a possible geopolitical motive.

    First reported: 26.08.2025 00:10 · 1 source, 1 article

Similar Happenings

Supply Chain Attack on npm Packages with Billions of Weekly Downloads

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker’s wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.

Noisy Bear Phishing Campaign Against KazMunaiGas Identified as Planned Test

A phishing campaign targeting KazMunaiGas employees was initially attributed to the Noisy Bear threat actor. The campaign, codenamed Operation BarrelFire, involved phishing emails with malicious attachments. KazMunaiGas later clarified that the activity was part of a planned phishing test conducted in May 2025. The campaign used a ZIP file containing a Windows shortcut (LNK) downloader, a decoy document, and instructions in Russian and Kazakh. The LNK file dropped additional payloads, including a PowerShell loader and a DLL-based implant. The infrastructure was hosted on a Russia-based bulletproof hosting service. The campaign was initially reported in September 2025, with KazMunaiGas confirming it was a test in response to the report. The Noisy Bear threat actor has been active since at least April 2025, with the campaign involving sophisticated techniques such as anti-analysis measures and CreateRemoteThread Injection. The activity has geopolitical implications, potentially aiming to sustain information advantage in Central Asia.

Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials

A supply chain attack on the nx build system allowed attackers to publish malicious versions of the popular npm package and auxiliary plugins. These versions contained data-gathering capabilities that exfiltrated 2,349 credentials from GitHub, cloud, and AI services. The attack occurred on August 26, 2025, affecting multiple versions of the nx package and related plugins. The compromised packages were removed from the npm registry, and users were advised to rotate credentials and check for malicious modifications in their systems. The malicious packages scanned file systems, collected credentials, and posted them to GitHub repositories under the users' accounts. The attack exploited a vulnerable workflow introduced on August 21, 2025, which allowed for arbitrary command execution and elevated permissions. The attack took approximately four hours from start to finish, resulting in the exfiltration of around 20,000 sensitive files. The attackers used AI-powered CLI tools to dynamically scan for high-value secrets and modified shell startup files to crash the system upon terminal session opening. A second attack wave was identified on August 28, 2025, affecting over 190 users/organizations and over 3000 repositories. The second wave involved making private repositories public and creating forks to preserve data. The attack unfolded in three distinct phases affecting 2,180 accounts and 7,200 repositories. The first phase impacted 1,700 users and leaked over 2,000 unique secrets. The second phase compromised 480 accounts and exposed 6,700 private repositories. The third phase targeted a single organization, publishing an additional 500 private repositories.

Chinese State-Sponsored Actors Targeting Global Critical Infrastructure

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and Sonicwall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices. 
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift from Chinese state-sponsored activity from being purely espionage to gaining long-term access for potential disruption. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.

CISA and partners respond to cyber attack on Nevada state services

On August 24, 2025, a ransomware attack targeted the state of Nevada, impacting essential services and leading to data theft. The Cybersecurity and Infrastructure Security Agency (CISA) and its partners are providing real-time incident response to assist in restoring critical services and rebuilding systems. The attack's origins are under investigation. CISA's Threat Hunting teams are actively examining state networks to identify the full scope of the situation and mitigate threats. The Federal Bureau of Investigation (FBI) is assisting in the investigation, and the Federal Emergency Management Agency (FEMA) is advising on emergency response grants and other available assistance. The attack on Nevada is part of a broader trend of ransomware attacks on local governments, exacerbated by federal budget and staffing cuts.