WEEKLY TOP TEN: July 28, 2025, 16:00 GMT
- npm ‘is’ Package Hijacked in Expanding Supply Chain Attack
Threat actors hijacked the widely used npm ‘is’ package and six others with stolen maintainer credentials, publishing versions that embed cross-platform JavaScript malware with a live command-and-control channel. The implant collects system information and environment variables, then executes operator commands received over a WebSocket connection; some variants additionally drop Windows DLLs carrying the “Scavenger” infostealer. Socket researchers confirmed the malicious versions were pulled in through ordinary dependency resolution, with no action by downstream developers, into projects that together account for millions of weekly downloads. Because the implant reads environment variables, any CI runner or developer machine that installed an affected version should have its exposed tokens rotated, not just its lockfile corrected.

- Credential Theft and Remote Access Surge as AllaKore, PureRAT, and Hijack Loader Proliferate
Arctic Wolf Labs tracked the Greedy Sponge group’s continued campaign against Mexican organizations, which uses a modified AllaKore RAT built to harvest banking credentials. In mid-2024 the actors refined their tradecraft by moving their geofencing check from the client to the server, so the targeting logic is no longer visible in the dropper, and by deploying SystemBC to turn infected hosts into SOCKS5 proxies. Separate campaigns were observed delivering PureRAT through the Ghost Crypt crypter and Neptune RAT through malicious Inno Setup installers.

- CryptoJacking is Dead: Long Live CryptoJacking
Researchers identified a new generation of cryptojacking malware that uses web workers for the mining work and a WebSocket channel for tasking, throttled so that CPU use stays below what users and monitoring notice. The campaign infected 3,500+ websites with obfuscated JavaScript that spawns the mining tasks in the background without the obvious performance degradation that exposed earlier cryptojackers. This “stay low, mine slow” approach turns cryptojacking into persistent, silent resource theft. Since workers and WebSockets are ordinary browser features, the detection point is the injected script and the path by which it reached the site, not the mining itself; a Content-Security-Policy that restricts worker-src and connect-src to known origins blocks this pattern on sites that can deploy one.

- Amazon AI Coding Agent Hacked to Inject Data-Wiping Commands
A threat actor planted data-wiping instructions in Amazon’s Q Developer Extension for VS Code by submitting an unapproved pull request that was nonetheless shipped as version 1.84.0. The injected text directed the agent to “clear systems to near-factory state”; AWS confirmed it was incorrectly formatted and would not have executed. Amazon released version 1.85.0 to remove the code and revoked the associated credentials. The payload failed on its own error, so the lasting finding is the review gap that let an unapproved pull request reach a published release.

- AI-Generated Malware in Panda Image Hides Persistent Linux Threat
Aqua Nautilus uncovered Koske, a sophisticated Linux cryptominer showing clear signs of AI-assisted development, whose payloads ride in weaponized JPEG panda images (valid pictures with the payload appended, extracted and run in memory). The malware sets up several persistence mechanisms and installs a userland rootkit via LD_PRELOAD to hide its processes and files from monitoring tools. Koske also shows adaptive behaviour: connectivity checks, proxy discovery, and support for 18 cryptocurrencies. An LD_PRELOAD rootkit only blinds programs that go through the dynamic loader, so a statically linked tool or a direct read of /proc still sees what it hides, and /etc/ld.so.preload is the first thing to inspect on a suspect host.

- CISA Warns of Hackers Exploiting SysAid Vulnerabilities in Attacks
CISA added two critical unauthenticated XXE vulnerabilities in SysAid’s on-premises IT service management software to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The flaws, patched by SysAid in March 2025, are trivial to trigger and let an attacker read sensitive files from the server. Federal agencies have until August 12, 2025 to patch; CISA urges all organizations to prioritize the update, and any still-unpatched instance reachable from the internet should be assumed to have been probed.

- Cisco: Maximum-Severity ISE RCE Flaws Now Exploited in Attacks
Cisco confirmed that three maximum-severity remote code execution vulnerabilities in Identity Services Engine are being exploited in attacks. All three carry a CVSS score of 10.0 and give an unauthenticated attacker root-level command execution through crafted API requests. There are no workarounds: ISE 3.3 deployments must move to Patch 7 and ISE 3.4 deployments to Patch 2, and because ISE sits at the centre of network access control, an exposed node should be checked for signs of exploitation rather than simply patched.

- Coyote in the Wild: First-Ever Malware That Abuses UI Automation
Akamai researchers documented the first confirmed malicious use of Microsoft’s UI Automation (UIA) accessibility framework, in a new variant of the Coyote banking trojan. The malware targets Brazilian users and matches the active window against 75 banking institutions; when the window title alone does not identify a target, it falls back to UIA to walk the window’s child elements, such as browser tabs and address bars, and read the destination from them. This is a meaningful evolution because UIA gives the malware a supported, documented way to parse another application’s interface without reverse engineering its internals, and the API calls involved are easy to mistake for legitimate accessibility or automation tooling.

- SharePoint Under Siege: ToolShell Mass Exploitation
Eye Security identified active mass exploitation of the ToolShell SharePoint RCE chain, first demonstrated at Pwn2Own Berlin in May, shortly after Microsoft’s July patches for the original bugs, which the in-the-wild variant bypasses. The attack lets an unauthenticated request extract the server’s ASP.NET machine keys, which the attacker then uses to sign ViewState payloads that the server deserializes, yielding full remote code execution. Researchers found dozens of compromised on-premises servers worldwide, with attackers planting small, stealthy web shells whose only job is to dump those keys. Because the stolen keys remain valid after the update, patching alone is not enough: exposed servers also need their machine keys rotated and the shells removed, or the attacker keeps code execution on a patched host.

- NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods
Proofpoint identified a widespread RFQ scam in which threat actors impersonate real companies to obtain net-terms financing for high-value goods they never intend to pay for. The scammers use stolen business credentials to open credit lines for electronics and medical devices, which are shipped to freight forwarders and residential mules. Proofpoint disrupted the operation by taking down 19 domains and coordinating with shipping companies to stop fraudulent deliveries.
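For the npm ‘is’ hijack above, the practical first check is whether any project’s lockfile ever resolved a hijacked version, including copies nested under other dependencies that a casual `npm ls` tends to miss. The audit script below is an added example written for this digest, not Socket’s tooling; the version strings in its indicator table are placeholders that must be replaced with the versions from the vendor advisory, and the lockfile it parses inline is constructed for the demo.

```python
"""Audit an npm lockfile for known-bad package versions.

Added example for the npm 'is' hijack item; not Socket's tooling.
BAD_VERSIONS is a placeholder table: the version strings are invented
for the demo and must be replaced from the vendor advisory.
"""
import json
import sys
from typing import Dict, Iterator, List, Set, Tuple

# Placeholder indicator table: package name -> set of hijacked versions.
# These version strings are made up for the example, not real IOCs.
BAD_VERSIONS: Dict[str, Set[str]] = {
    "is": {"0.0.0-hijacked"},
    "example-pkg": {"1.2.3"},
}


def iter_lock_entries(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (path, name, version) for every resolved package in a lockfile.

    Handles lockfileVersion 2/3 (a "packages" map keyed by node_modules
    path, which also covers scoped names like node_modules/@scope/pkg)
    and the older v1 layout (a nested "dependencies" tree).
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # The package name is everything after the last "node_modules/"
            name = path.rsplit("node_modules/", 1)[-1]
            if "version" in meta:  # link: entries carry no version
                yield path, name, meta["version"]
        return

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield path, name, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_bad_packages(lock: dict,
                      bad: Dict[str, Set[str]] = BAD_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return every (path, name, version) in the lockfile that matches the table."""
    return [
        (path, name, version)
        for path, name, version in iter_lock_entries(lock)
        if version in bad.get(name, set())
    ]


# Constructed sample lockfile (v3 layout): the top-level 'is' is clean, but a
# nested copy under another dependency resolved to the placeholder bad version.
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/is": {"version": "3.3.0"},
    "node_modules/some-tool": {"version": "2.0.0", "dependencies": {"is": "*"}},
    "node_modules/some-tool/node_modules/is": {"version": "0.0.0-hijacked"}
  }
}
""")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK_V3
    hits = find_bad_packages(lock)
    for path, name, version in hits:
        print(f"HIT {name}@{version} at {path}")
    sys.exit(1 if hits else 0)  # non-zero exit makes this usable as a CI gate
```

Run it as `python audit_lock.py package-lock.json`. A lockfile only records what was resolved on that checkout, so CI caches and developer machines that ran an install during the exposure window need the same check, and a hit means rotating whatever secrets were in that environment.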
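For the Koske item, the host audit below is an added example written for this digest, not Aqua Nautilus’s tooling, and it assumes nothing about Koske’s own file names (the paths in its sample data are made up). It inspects the two places an LD_PRELOAD rootkit has to live to affect every process, /etc/ld.so.preload and the LD_PRELOAD variable in running processes’ environments, and then cross-checks the process list by stat()-ing every possible /proc PID, which a readdir() hook alone cannot hide.

```python
"""Audit a Linux host for LD_PRELOAD-style userland rootkit footholds.

Added example for the Koske item; not Aqua Nautilus's tooling and not
tied to Koske's file names (sample paths below are constructed).
"""
import os
import re
from typing import Dict, List, Optional, Set

# Directories from which no legitimate preload library should be loaded.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def parse_preload_file(text: str) -> List[str]:
    """Return the shared-object paths listed in ld.so.preload text.

    The loader tokenizes the file on whitespace and ':' characters; '#' to
    end of line is treated here as a comment (a conservative assumption,
    so a commented-out entry is not reported as active)."""
    paths: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        paths.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return paths


def classify_preload(paths: List[str], allowlist: Optional[Set[str]] = None,
                     exists=os.path.exists) -> Dict[str, str]:
    """Map each preload path to a verdict: 'allowlisted', 'suspicious-dir',
    'missing' (file already removed, typical of a self-cleaning dropper) or
    'unexpected' (present but unapproved). `exists` is injectable so the
    logic can be tested without touching the real filesystem."""
    allowlist = allowlist or set()
    verdicts: Dict[str, str] = {}
    for p in paths:
        if p in allowlist:
            verdicts[p] = "allowlisted"
        elif p.startswith(SUSPICIOUS_DIRS):
            verdicts[p] = "suspicious-dir"
        elif not exists(p):
            verdicts[p] = "missing"
        else:
            verdicts[p] = "unexpected"
    return verdicts


def ld_preload_from_environ(blob: bytes) -> Optional[str]:
    """Extract LD_PRELOAD from a /proc/<pid>/environ blob (NUL-separated KEY=VALUE)."""
    for entry in blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None


def processes_with_ld_preload() -> Dict[int, str]:
    """Live check: PIDs whose environment carries LD_PRELOAD (root needed for other users)."""
    found: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/environ", "rb") as fh:
                value = ld_preload_from_environ(fh.read())
        except OSError:
            continue  # process exited or permission denied
        if value:
            found[int(name)] = value
    return found


def hidden_pids() -> List[int]:
    """Live check: PIDs reachable by stat() that readdir() on /proc did not list.

    A rootkit that only hooks readdir()/readdir64() leaves these visible; one
    that also hooks stat()/open() will not, so an empty result means 'nothing
    found by this method', not a clean host. Walking pid_max entries takes
    seconds to a minute."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return [pid for pid in range(1, pid_max + 1)
            if pid not in listed and os.path.exists(f"/proc/{pid}/status")]


# Constructed sample data for the demo; none of these paths is a real indicator.
SAMPLE_PRELOAD = "# approved by ops\n/usr/lib/libapproved.so\n/dev/shm/.x/libhide.so:/opt/gone.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/dev/shm/.x/libhide.so\0HOME=/root\0"


if __name__ == "__main__":
    try:
        with open("/etc/ld.so.preload") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""  # absence is the normal state on most hosts
    print("ld.so.preload:", classify_preload(parse_preload_file(text)) or "empty")
    print("processes with LD_PRELOAD:", processes_with_ld_preload() or "none")
    print("PIDs hidden from readdir:", hidden_pids() or "none")
```

Run it as root so every process’s environ file is readable. The brute-force walk is what separates a readdir-only hook from a clean host; a rootkit that also hooks stat() or open() defeats it, and for that case the comparison has to be made with a statically linked process lister copied onto the host.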
Our Threat Operations and Intelligence team compiles a daily digest of the most significant current cybersecurity risks. The ten stories above were selected from the 40+ we tracked during the week, ranked by risk and checked against multiple sources where available.