
Weekly Top 10: 09.01.2025: Attackers Abuse Velociraptor IR Tool; npm ‘Nx’ Supply-Chain Attack Leaks ~20K Sensitive Files; TransUnion Breach Hits 4.4M People, and More.

WEEKLY TOP TEN: September 01, 2025, 16:00 GMT

  1. npm ‘Nx’ Supply-Chain Attack Leaks ~20K Sensitive Files

    Attackers compromised the popular Nx npm framework and seven plugins, pushing trojanized versions that installed a telemetry.js stealer. In just over four hours on August 26–27, more than 1,000 developers were infected, and roughly 20,000 sensitive files leaked publicly.

    The malware took advantage of AI command-line tools—Claude Code, Gemini, and Amazon Q—to search for tokens, SSH keys, cloud credentials, and crypto wallets, and then automatically created “s1ngularity” GitHub repositories in the victims’ accounts. GitHub disabled those repositories, but many stolen GitHub tokens remained active. Researchers at Socket and Wiz tracked the campaign and urged credential rotation.

  2. Ransomware Crew Gains Full Azure Control via Hybrid-Cloud Gaps

    Microsoft explains how Storm-0501 exploited hybrid identity gaps to seize the Global Administrator role in Entra ID and then escalated to Azure Owner across subscriptions from a hybrid-joined device. Using AzureHound reconnaissance, AzCopy, and storage-key theft, the group exfiltrated data, exposed private storage to the internet, mass-deleted backups, and leveraged cloud-native encryption—achieving cloud-based ransomware impact without endpoint lockers.

    The intrusion affected multiple Active Directory domains and Entra Connect Sync servers by exploiting a synced non-human identity that lacked MFA, allowing the attackers to reset passwords and register their own MFA. Microsoft warns Storm-0501 hunts unmanaged devices and hybrid-cloud misconfigurations, then uses cloud-native commands for discovery, escalation, exfiltration, deletion, and extortion.

  3. TransUnion Breach Hits 4.4M People

    TransUnion confirmed a breach affecting over 4.4 million U.S. individuals after attackers accessed data via a Salesforce account tied to consumer support operations. ShinyHunters and UNC6395 claimed responsibility, asserting 13 million records were stolen, including 4.4 million U.S. profiles.

    Names, billing addresses, phone numbers, email addresses, dates of birth, unredacted Social Security numbers, and support tickets and messages are among the exposed data. The breach occurred July 28 and was discovered July 30, per a Maine AG filing. TransUnion says credit reports weren’t exposed and is offering 24 months of identity protection. BleepingComputer links this incident to a broader Salesforce data-theft wave.

  4. FreePBX Zero-Day Actively Exploited

    Sangoma’s FreePBX team warns of an actively exploited zero-day targeting servers whose Administrator Control Panel is exposed to the internet. Exploitation began around August 21, leading to an emergency EDGE module fix for the Endpoint module, with a standard security release to follow.

    The fix protects new installs but will not clean compromised systems. Reported intrusions affected 3,000 SIP extensions and 500 trunks. Key indicators include missing or altered /etc/freepbx.conf, presence of /var/www/html/.clean.sh, Apache logs referencing modular.php, unusual calls to extension 9998, and unauthorized “ampuser” entries. Admins should isolate systems, restore from pre-August-21 backups, rotate credentials, and restrict ACP access.

  5. CISA & Allies Publish Joint CSA on PRC APT Activity

    CISA, NSA, FBI, and international partners released a joint advisory on People’s Republic of China (PRC)-nexus APT actors compromising networks worldwide, especially in telecom, government, transportation, lodging, and defense. They target provider-edge and customer-edge routers with low visibility, modifying firmware and configurations to evade detection and maintain persistent access to feed espionage systems.

    Built from investigations through July 2025, the guidance emphasizes behavior over naming, noting overlaps with Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. Defenders are urged to hunt for router-level abuse and apply mitigations in the advisory. The alert highlights critical infrastructure risks and links to a full technical CSA for actions and detection.

  6. Hackers Exploit CrushFTP Zero-Day to Take Over Servers

    Researchers warn that hackers are actively exploiting a zero-day vulnerability in CrushFTP to take over servers. Tracked as CVE-2025-54309 and listed in CISA’s Known Exploited Vulnerabilities catalog, the flaw lets attackers execute arbitrary code and upload arbitrary files, giving them a foothold into networks.

    Discovery and exploitation evidence are credited to WatchTowr Labs; threat actors have since adopted the exploit. Admins should update immediately, review access logs for suspicious uploads or admin actions, rotate credentials and keys, and isolate instances. Given CrushFTP’s widespread use across enterprises and government, exploitation poses serious risks of data theft, ransomware deployment, and lateral movement.

  7. CISA: Git RCE (CVE-2025-48384) Is Being Exploited

    CISA added Git CVE-2025-48384 to the Known Exploited Vulnerabilities catalog. The flaw stems from inconsistent handling of carriage-return characters in configuration files, causing submodule path misresolution. Attackers can publish repositories with submodule paths ending in \r, plus a crafted symlink and a malicious hook, to achieve arbitrary code execution on machines that clone them.

    Patches are available in Git 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. If updating isn’t possible, avoid recursive submodule clones from untrusted sources, disable hooks via core.hooksPath, and allow only audited submodules. Federal agencies face a September 15 deadline to patch or cease use immediately.

  8. WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices

    WhatsApp issued an emergency update for CVE-2025-55177, a zero-click flaw affecting iOS and macOS clients that stems from insufficient authorization of linked-device synchronization messages. The bug could let an unrelated user trigger processing of content from an arbitrary URL on a target device and was likely chained with Apple’s CVE-2025-43300 (ImageIO out-of-bounds write) in highly targeted spyware attacks.

    Patches landed in WhatsApp for iOS 2.25.21.73 (July 28) and WhatsApp Business/Mac 2.25.21.78 (August 4). WhatsApp sent in-app threat notifications to fewer than 200 users and advised factory resets and prompt updating. Organizations should verify versions and monitor for suspicious device-linking activity.

  9. Attackers Abuse Velociraptor IR Tool

    Sophos reports threat actors installed the open-source Velociraptor incident-response tool via msiexec from a Cloudflare Workers domain, then used it to fetch Visual Studio Code with tunneling enabled for command-and-control. The chain also deployed a Cloudflare tunnel and Radmin, living off legitimate tools to evade detections.

    At the same time, attackers posed as IT staff on Microsoft Teams to trick users into installing remote-access tools and running PowerShell scripts that steal passwords and maintain persistence, methods commonly used by ransomware groups. Security teams should watch for any unauthorized use of Velociraptor, as it may be an early warning sign of ransomware. They should also check audit logs for tunneling and MSI installations, and prioritize EDR coverage for IDEs alongside user training.

  10. Anthropic Flags ‘GTG-2002’: AI Agent Drives End-to-End Data-Extortion Spree

    Anthropic’s threat report details GTG-2002, a cybercriminal operation that abused its Claude Code agent to automate data-extortion attacks against 17 organizations globally. The actor fed a “CLAUDE.md” playbook, then used the agent for reconnaissance (scanning thousands of VPN endpoints), intrusion, privilege escalation, lateral movement, credential harvesting, and exfiltration.

    Claude Code generated obfuscated Chisel variants and TCP proxy code to evade detection, calculated ransom amounts from stolen financials, and built HTML ransom notes shown at boot. The campaign stole personal, healthcare, financial, and government data but didn’t encrypt systems. Anthropic banned the accounts involved and is developing tailored classifiers to curb similar abuse.
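The FreePBX item (story 4) lists concrete indicators. The following added example, not from the advisory or the FreePBX project, turns them into a small triage script: it scans Apache access lines for modular.php, CDR rows for calls to extension 9998, compares the ampusers table against an allowlist, and checks the two file paths. The log lines, the CDR column layout, and the allowlist are constructed assumptions; an altered (rather than missing) freepbx.conf still needs a diff against a known-good copy.

```python
import csv
from pathlib import Path

# Indicators named in the FreePBX summary above; paths are relative to the PBX host root.
MUST_EXIST = ["etc/freepbx.conf"]
MUST_NOT_EXIST = ["var/www/html/.clean.sh"]
SUSPECT_EXTENSION = "9998"

# Constructed sample lines. Apache combined-log format; the CDR rows follow an
# assumed Asterisk-style CSV layout with the dialed destination in column 3.
SAMPLE_APACHE = [
    '203.0.113.7 - - [22/Aug/2025:03:14:07 +0000] "GET /admin/config.php HTTP/1.1" 200 4120',
    '203.0.113.7 - - [22/Aug/2025:03:14:09 +0000] "POST /admin/modular.php HTTP/1.1" 200 31',
]
SAMPLE_CDR = [
    '"2025-08-22 03:15:01","201","9998","from-internal","ANSWERED"',
    '"2025-08-22 03:16:44","201","1005","from-internal","ANSWERED"',
]
KNOWN_ADMINS = {"admin", "helpdesk"}               # constructed allowlist of expected ampusers
SAMPLE_AMPUSERS = ["admin", "helpdesk", "svc_x"]  # constructed rows from the ampusers table


def scan_apache(lines):
    """Line numbers of Apache requests that reference modular.php."""
    return [n for n, line in enumerate(lines, 1) if "modular.php" in line]


def scan_cdr(rows, dst_col=2):
    """Row numbers of CDR entries whose destination is the suspect extension."""
    return [n for n, row in enumerate(csv.reader(rows), 1)
            if len(row) > dst_col and row[dst_col].strip() == SUSPECT_EXTENSION]


def unauthorized_ampusers(usernames, allowlist=KNOWN_ADMINS):
    """Admin accounts present on the box that the allowlist does not vouch for."""
    return sorted(set(usernames) - set(allowlist))


def check_files(root="/"):
    """Findings for the file-based indicators, evaluated under the given root."""
    root = Path(root)
    return ([f"missing {p}" for p in MUST_EXIST if not (root / p).is_file()]
            + [f"unexpected {p}" for p in MUST_NOT_EXIST if (root / p).exists()])


def triage(apache_lines, cdr_rows, ampusers, root="/"):
    """Collect every indicator hit; an empty dict means none of the listed IOCs fired."""
    findings = {
        "apache_modular_php": scan_apache(apache_lines),
        "calls_to_9998": scan_cdr(cdr_rows),
        "unauthorized_ampusers": unauthorized_ampusers(ampusers),
        "files": check_files(root),
    }
    return {k: v for k, v in findings.items() if v}
```

Run `triage()` with the host's real access log, CDR export, and ampusers rows; any non-empty result warrants isolating the box and restoring from a pre-August-21 backup, as the advisory recommends.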

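For the Git item (story 7), an added example that is not Git's own code and not from the advisory: a pre-clone audit that parses a repository's .gitmodules without letting the line splitter swallow carriage returns, flags any submodule whose name or path carries a \r (or climbs out with ..), and checks a `git --version` string against the fixed releases listed above. The sample .gitmodules is constructed; the assumption that lines newer than 2.50 carry the fix is marked in the code.

```python
import re

# Constructed sample .gitmodules; the second entry carries the trailing carriage
# return (\r) that the CVE-2025-48384 summary above describes.
SAMPLE_GITMODULES = (
    '[submodule "vendor/libfoo"]\n'
    '\tpath = vendor/libfoo\n'
    '\turl = https://example.invalid/libfoo.git\n'
    '[submodule "vendor/libbar"]\n'
    '\tpath = vendor/libbar\r\n'
    '\turl = https://example.invalid/libbar.git\n'
)

# Fixed releases listed above, keyed by minor line: 2.43.7, 2.44.4, ..., 2.50.1.
FIXED = {43: 7, 44: 4, 45: 4, 46: 4, 47: 3, 48: 2, 49: 1, 50: 1}

SECTION = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]')
KEY = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')


def parse_gitmodules(text):
    """Parse .gitmodules by hand, splitting on LF only, so a trailing CR survives."""
    modules, current = {}, None
    for line in text.split("\n"):
        if (m := SECTION.match(line)):
            current = modules.setdefault(m.group(1), {})
        elif current is not None and (m := KEY.match(line)):
            current[m.group(1)] = m.group(2)  # value kept verbatim, CR included
    return modules


def suspicious_submodules(text):
    """Names of submodules whose name or path carries a CR or climbs out via '..'."""
    bad = []
    for name, cfg in parse_gitmodules(text).items():
        path = cfg.get("path", name)
        if "\r" in name or "\r" in path or ".." in path.split("/"):
            bad.append(name)
    return bad


def git_is_patched(version_string):
    """True when a 'git version X.Y.Z' string is at or past the fixed release of its line."""
    major, minor, patch = (int(x) for x in
                           re.search(r"(\d+)\.(\d+)\.(\d+)", version_string).groups())
    if major > 2 or (major == 2 and minor > max(FIXED)):
        return True   # assumption: lines newer than 2.50 carry the fix
    if major < 2 or minor < min(FIXED):
        return False  # lines older than 2.43 are not listed as fixed: upgrade
    return patch >= FIXED[minor]
```

Feed `suspicious_submodules()` the raw bytes of .gitmodules decoded without newline translation (for example `open(path, newline="")`), since a text-mode read would strip the very CR being hunted.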
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. These top 10 stories were selected from the 40+ we tracked this week as the most significant, ranked by risk, with multiple sources used where available.
