#data-breaches

Dutch authorities dismantled a 17-million-device botnet and seized Russian-linked infrastructure, while ShinyHunters breaches impacted Canvas LMS and Carnival Corporation, Lazarus deployed the RemotePE RAT against financial targets, Glassworm targeted developers through poisoned software repositories, and SymJack exposed remote code execution risks across leading AI coding agents.

Data exposure at Asahi and the Mixpanel incident affecting OpenAI API users feature prominently. The FCC reported unauthorised radio alerts, while researchers described expanding activity by Bloody Wolf and a new Shai-Hulud supply chain wave. These developments reflect several active intrusion and disruption events across multiple sectors.

Highlights of the day:

Gainsight expands scope of customer impact: unauthorised access to Salesforce-connected applications affected more organisations than first reported, prompting some partners to suspend integrations while investigations continue.

Scattered Lapsus$ Hunters spoof Zendesk in phishing wave: over 40 typosquatted domains and malicious support tickets were used to steal credentials and attempt malware delivery to legitimate portals.

OpenAI details Mixpanel data exposure: an intrusion into Mixpanel systems revealed limited analytics data for some API users, with no access to OpenAI infrastructure or sensitive credentials.

Asahi confirms 1.9m records exposed in ransomware attack: the September incident compromised customer and employee information across Japan-based systems, though no leaked data has been found online.

Bloody Wolf broadens NetSupport RAT operations: new campaigns in Kyrgyzstan and Uzbekistan used government-themed lures and customised loaders to deploy the remote-administration tool via geo-fenced infrastructure.

Today's cybersecurity briefing outlines a broad set of developments, including arrests in Korea, large-scale data exposure from compromised developer packages, and the discovery of long-running spyware extensions. It also details targeted activity by Iran-linked actors against organisations in Israel and Egypt. These incidents reflect sustained pressure from criminal and state-linked groups across multiple sectors.

Today’s cybersecurity update outlines major data breaches, coordinated law enforcement operations, and renewed malware activity across multiple regions.

Authorities confirmed a large breach at Coupang, the takedown of the Cryptomixer laundering service, and reports of widespread malicious browser extensions and Android malware campaigns.

Today’s cybersecurity briefing also details the Coupang customer data exposure, the European action against Cryptomixer, and new findings on ShadyPanda extensions and Albiriox malware circulating on dark-web markets.

Highlights of the day:

Tomiris expands toolkit with multi-language implants: new modules use Telegram and Discord for command-and-control and support broader post-exploitation workflows, with operations focused on diplomatic and governmental targets.

New Android RAT targets global banking and crypto apps: Albiriox combines remote control, accessibility abuse, and overlays, with over 400 hardcoded financial targets and early campaigns delivered through fake retail apps and phishing sites.

Police dismantle Cryptomixer laundering service: Swiss and German authorities seized infrastructure linked to over €1.3 billion in Bitcoin laundering, disrupting a mixer used by ransomware groups and wider criminal networks.

Coupang breach exposes data of millions in South Korea: 33.7 million accounts were compromised, and investigators are examining server logs pointing to a former employee amid renewed scrutiny of national data-protection controls.

Codex CLI bug allowed silent command execution via local config: CVE-2025-61260 let attackers embed malicious MCP entries in project repositories to trigger unprompted command execution, patched in version 0.23.0.

Seven-year browser extension campaign hits 4.3 million users: ShadyPanda-linked Chrome and Edge extensions deployed backdoors and surveillance modules, with some activated after years of legitimate behaviour.

SmartTube breach pushes malicious Android TV update: stolen signing keys enabled a tampered release containing a hidden library that fingerprinted devices and communicated with a remote backend.

Fake developer extensions deliver malware in ongoing campaign: at least 23 cloned or manipulated code-editor extensions used inflated statistics and evolving implants to deliver malware across major marketplaces.

Today’s cybersecurity briefing covers new data breaches, supply-chain compromises and malicious package activity across multiple software registries.

A ransomware incident at Asahi, a breach at the French Football Federation and claims involving Brsk shaped the day’s reporting. Researchers also described widespread exposed secrets on GitLab, updated OtterCookie activity linked to North Korean actors and newly identified risks in Python and npm ecosystems.

Highlights of the day:

French Football Federation reports major data breach: a compromised account exposed personal details of millions of licensed players, prompting notification of national authorities and system remediation.

Calendar subscription abuse affects millions of Apple devices: more than 4 million iOS and macOS systems continue syncing to abandoned or hijacked calendar domains used to deliver unsolicited events with links or attachments.

North Korean npm campaign expands with nearly 200 new packages: malicious uploads distribute an updated OtterCookie variant through typosquatted tools and cloned crypto projects targeting Web3 developers.

Scan of public GitLab repositories uncovers 17,000 live secrets: analysis of 5.6 million repositories revealed widespread exposure of active credentials, including Google Cloud Platform keys and GitLab tokens.

WA man jailed for airport ‘evil twin’ WiFi attacks: a Perth court sentenced him to more than seven years for deploying fake WiFi networks, harvesting credentials, and accessing victims’ online accounts.

Today’s update covers malware distribution campaigns, compromised software packages, significant cloud vulnerabilities, and multiple confirmed breaches.

Fresh activity included deceptive update screens in ClickFix attacks, a large-scale npm supply-chain compromise, major flaws in a widely deployed logging agent, and new breach disclosures from several organisations.

A week marked by severe vulnerabilities, large-scale breaches and intensified nation-state activity.

React-based server vulnerabilities saw active remote code execution, with exploitation of React2Shell and related RSC flaws affecting major frameworks and prompting emergency mitigations across cloud environments.

Chinese-linked intrusion campaigns escalated, deploying BRICKSTORM, new Golang implants and expanded persistence tooling across VMware, ESXi and Microsoft 365 ecosystems.

Criminal operations suffered major disruption, as authorities dismantled Cryptomixer, while Aisuru-powered DDoS attacks reached record hyper-volumetric levels.

Large-scale data breaches impacted global users, including Coupang’s exposure of 33.7 million accounts and widespread compromise through malicious browser extensions and tampered developer packages.

Supply-chain and software ecosystem flaws expanded, with Shai-Hulud 2.0 infecting hundreds of npm packages, malicious Rust crates and IDEsaster vulnerabilities affecting AI-powered development environments.

Privacy and surveillance concerns intensified, driven by Intellexa spyware leaks, unsecured AI image datasets and legal developments in Europe.

Multiple organisations disclosed data breaches, including US financial institutions, Canadian carrier Freedom Mobile, Leroy Merlin, and several universities. Critical vulnerabilities in React, Next.js, and WordPress King Addons faced active exploitation. Microsoft patched a long-exploited Windows LNK flaw without prior disclosure. Researchers reported a record 29.7 Tbps DDoS attack by the Aisuru botnet and renewed activity from large-scale malware infrastructures.