WEEKLY TOP TEN: December 01, 2025, 16:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk, and drawing on multiple sources where available:

- Dartmouth College Confirms Data Theft in Oracle EBS Hack
Dartmouth College discloses that attackers exploiting Oracle E-Business Suite stole roughly 226 GB of files from its systems. The Ivy League institution uses Oracle EBS for operations, and the compromise is part of the larger Cl0p-linked Oracle campaign that also hit other universities and enterprises. Dartmouth reports that personal and financial information — including Social Security numbers — for tens of thousands of people in New Hampshire and Maine was exposed, with the total victim count still under review. Data posted on the extortion site appears consistent with Dartmouth’s systems, raising long-term privacy and identity-theft concerns for faculty, staff, students, and alumni.

- Over 17,000 Secrets Exposed in Public GitLab Projects
A large-scale scan of public GitLab repositories uncovers more than 17,000 exposed secrets, including credentials, API tokens, private keys, and database connection strings. The analysis shows that individuals and organizations widely commit sensitive configuration data directly into code, leaving it freely accessible to anyone. Some of the exposed secrets belong to cloud service accounts and production databases, opening the door to data theft, cryptomining abuse, and supply-chain attacks. The findings emphasize that secret-scanning and pre-commit controls are still not standard practice for many GitLab users, and that old repositories can remain a long-term source of exploitable access even after active development has moved elsewhere.

- ClickFix Phishing Pages Masquerade as Windows Update
A new wave of ClickFix browser-based attacks lures victims to full-screen phishing pages that mimic the Windows Update interface, then pushes them to “fix” bogus issues. Once a user clicks through, the campaign triggers infostealer or remote-access malware downloads instead of legitimate patches. The technique preys on users’ muscle memory around system updates, particularly in corporate environments where patch prompts are common. Organizations whose staff interact with productivity and collaboration sites targeted by malvertising and SEO-poisoning campaigns are at higher risk. Since the attack runs inside the browser, endpoint protections tuned only for traditional installers may miss the early stages of compromise.

- OpenAI Customer Data Exposed in Mixpanel Analytics Hack
OpenAI is notifying some customers after a compromise at analytics vendor Mixpanel exposed limited user profile and telemetry data associated with the platform.openai.com environment. Mixpanel detected a smishing-driven intrusion on November 8 and says only a subset of accounts were affected. OpenAI reports that attackers accessed a dataset containing names, email addresses, approximate locations, browser and OS details, and organization or user IDs.
There is no evidence of access to ChatGPT chats, API keys, payment data, account passwords, or government IDs, and core infrastructure was not breached. However, the exposed profiles could help adversaries craft more convincing phishing or social-engineering campaigns against OpenAI’s developer and enterprise user base.

- Ransomware Attack Cripples OnSolve CodeRED Emergency Alerts
A ransomware intrusion against the OnSolve CodeRED emergency alert platform, operated by Crisis24, disrupts local alerting capabilities across numerous US cities and counties. The Inc Ransom group claims responsibility, stating it accessed systems on November 1, deployed ransomware on November 10, and later leaked stolen data. Municipalities in states including Massachusetts, Colorado, Texas, and Florida report being unable to send emergency notifications to residents. Stolen data includes names, email addresses, physical addresses, phone numbers, and passwords for users of a legacy CodeRED environment. Local agencies are scrambling to switch platforms while Crisis24 coordinates containment and investigation.

- JSONFormatter and CodeBeautify Leaks Expose Thousands of Secrets
WatchTowr researchers find that users of the popular online tools JSONFormatter and CodeBeautify have inadvertently exposed thousands of secrets via saved code snippets. By harvesting publicly visible “recent links,” the team uncovered credentials, API keys, SSH session data, configuration files, and personally identifiable information belonging to organizations in government, finance, healthcare, critical infrastructure, and tech.
In one extreme example, someone pasted a full export from AWS Secrets Manager. Other threat actors are already scraping these sites and using exposed secrets within days. The incident highlights how casually pasting production code into public web utilities can quietly compromise entire environments.

- Harvard University Data Breach Hits Alumni and Donors
Harvard University confirms a breach affecting alumni and donors after unauthorized access to systems linked to previous extortion activity exploiting Oracle software. The university reports that personal information, including contact details and some financial-related data associated with fundraising operations, was compromised. Investigators tie this incident to a broader campaign that already involved Harvard in an Oracle E-Business Suite exploit spree. While Harvard stresses that core academic and student systems remain unaffected, the exposure of high-value donor data creates reputational pressure and additional risk of follow-on phishing targeting alumni communities and philanthropic networks.

- SitusAMC Breach Ripples Across Major US Banks
Real-estate finance services provider SitusAMC reveals a breach that exposed client-related corporate data and some customer information for major financial institutions. The vendor supports banks such as JPMorgan Chase, Citi, and Morgan Stanley with mortgage and real-estate lifecycle services, so compromised records include sensitive loan and portfolio data. The intrusion, detected after a November 12 alert, appears to be straight data theft rather than ransomware, but the scale raises significant third-party risk concerns for Wall Street. Financial firms are now assessing downstream impact, while SitusAMC works with law enforcement and forensics teams to understand what was accessed and exfiltrated.

- Shai-Hulud Malware Poisons 500+ npm Packages
A large supply-chain campaign is abusing Shai-Hulud malware to trojanize hundreds of npm packages and steal developer and CI/CD secrets. The operation compromises maintainer accounts, publishes backdoored versions of popular libraries used by firms like Zapier, ENS Domains, PostHog, and Postman, and then scans infected systems for credentials and tokens. Stolen data is exfiltrated and even pushed back into victims’ own GitHub repositories. The malware also attempts destructive cleanup if persistence fails, including deleting files in the user’s home directory. Organizations relying on npm in build pipelines face theft of secrets, code tampering, and potential lateral movement.

- Everest Ransomware Claims Breach at Iberia and Air Miles España
Everest ransomware operators publicly claim they breached Spain’s flag carrier airline Iberia and the coalition loyalty program Air Miles España, allegedly stealing around 596 GB of data. The group says the haul includes customer records, internal documents, and operational data from both the airline and the loyalty platform, potentially placing millions of travelers at risk. Early reporting indicates the attackers gained deep access to backend systems before exfiltrating archives for extortion. If the claims are accurate, Iberia and Air Miles España could be facing regulatory exposure in multiple jurisdictions as well as reputational damage in the competitive travel sector.