Category: Cybersecurity

Nov 30, 2025Ravie LakshmananHacktivism / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation.

The vulnerability in question is CVE-2021-26829 (CVSS score: 5.4), a cross-site scripting (XSS) flaw that affects Windows and Linux versions of the software via system_settings.shtm. It impacts the following versions –

• OpenPLC ScadaBR through 1.12.4 on Windows
• OpenPLC ScadaBR through 0.9.1 on Linux

The addition of the security defect to the KEV catalog comes a little over a month after Forescout said it caught a pro-Russian hacktivist group known as TwoNet targeting its honeypot in September 2025, mistaking it for a water treatment facility.

In the compromise aimed at the decoy plant, the threat actor is said to have moved from initial access to disruptive action in about 26 hours, using default credentials to obtain initial access, followed by carrying out reconnaissance and persistence activities by creating a new user account named “BARLATI.”

The attackers then proceeded to exploit CVE-2021-26829 to deface the HMI login page description to display a pop-up message “Hacked by Barlati,” and modify system settings to disable logs and alarms unaware that they were breaching a honeypot system.

TwoNet Attack Chain

“The attacker did not attempt privilege escalation or exploitation of the underlying host, focusing exclusively on the web application layer of the HMI,” Forescout said.

TwoNet began its operations on Telegram earlier this January, initially focusing on distributed denial-of-service (DDoS) attacks, before pivoting to a broader set of activities, including the targeting of industrial systems, doxxing, and commercial offerings like ransomware-as-a-service (RaaS), hack-for-hire, and initial access brokerage.

It has also claimed to be affiliated with other hacktivist brands such as CyberTroops and OverFlame. “TwoNet now mixes legacy web tactics with attention-grabbing claims around industrial systems,” the cybersecurity company added.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by December 19, 2025, for optimal protection.

OAST Service Fuels Exploit Operation

The development comes as VulnCheck said it observed a “long-running” Out-of-Band Application Security Testing (OAST) endpoint on Google Cloud driving a regionally-focused exploit operation. Data from internet sensors deployed by the firm shows that the activity is aimed at Brazil.

“We observed roughly 1,400 exploit attempts spanning more than 200 CVEs linked to this infrastructure,” Jacob Baines, VulnCheck CTO, said. “While most of the activity resembled standard Nuclei templates, the attacker’s hosting choices, payloads, and regional targeting did not align with typical OAST use.”

The activity entails exploiting a flaw, and if it is successful, issue an HTTP request to one of the attacker’s OAST subdomains (“*.i-sh.detectors-testing[.]com”). The OAST callbacks associated with the domain date back to at least November 2024, suggesting it has been ongoing for about a year.

The attempts have been found to emanate from U.S.-based Google Cloud infrastructure, illustrating how bad actors are weaponizing legitimate internet services to evade detection and blend in with normal network traffic.

VulnCheck said it also identified a Java class file (“TouchFile.class”) hosted on the IP address (“34.136.22[.]26”) linked to the OAST domain that expands on a publicly available exploit for a Fastjson remote code execution flaw to accept commands and URL parameters, and execute those commands and make outbound HTTP requests to the URLs passed as input.

“The long-lived OAST infrastructure and the consistent regional focus suggest an actor that is running a sustained scanning effort rather than short-lived opportunistic probes,” Baines said. “Attackers continue to take off-the-shelf tooling like Nuclei and spray exploits across the internet to quickly identify and compromise vulnerable assets.”

Nov 28, 2025Ravie LakshmananSupply Chain Attack / Malware

The North Korean threat actors behind the Contagious Interview campaign have continued to flood the npm registry with 197 more malicious packages since last month.

According to Socket, these packages have been downloaded over 31,000 times, and are designed to deliver a variant of OtterCookie that brings together the features of BeaverTail and prior versions of OtterCookie.

Some of the identified “loader” packages are listed below –

• bcryptjs-node
• cross-sessions
• json-oauth
• node-tailwind
• react-adparser
• session-keeper
• tailwind-magic
• tailwindcss-forms
• webpack-loadcss

The malware, once launched, attempts to evade sandboxes and virtual machines, profiles the machine, and then establishes a command-and-control (C2) channel to provide the attackers with a remote shell, along with capabilities to steal clipboard contents, log keystrokes, capture screenshots, and gather browser credentials, documents, cryptocurrency wallet data, and seed phrases.

It’s worth noting that the blurring distinction between OtterCookie and BeaverTail was documented by Cisco Talos last month in connection with an infection that impacted a system associated with an organization headquartered in Sri Lanka after a user was likely deceived into running a Node.js application as part of a fake job interview process.

Further analysis has determined that the packages are designed to connect to a hard-coded Vercel URL (“tetrismic.vercel[.]app”), which then proceeds to fetch the cross-platform OtterCookie payload from a threat actor-controlled GitHub repository. The GitHub account that serves as the delivery vehicle, stardev0914, is no longer accessible.

“This sustained tempo makes Contagious Interview one of the most prolific campaigns exploiting npm, and it shows how thoroughly North Korean threat actors have adapted their tooling to modern JavaScript and crypto-centric development workflows,” security researcher Kirill Boychenko said.

The development comes as fake assessment-themed websites created by the threat actors have leveraged ClickFix-style instructions to deliver malware referred to as GolangGhost (aka FlexibleFerret or WeaselStore) under the pretext of fixing camera or microphone issues. The activity is tracked under the moniker ClickFake Interview.

Written in Go, the malware contacts a hard-coded C2 server and enters into a persistent command-processing loop to collect system information, upload/download files, run operating system commands, and harvest information from Google Chrome. Persistence is achieved by writing a macOS LaunchAgent that triggers its execution by means of a shell script automatically upon user login.

Also installed as part of the attack chain is a decoy application that displays a bogus Chrome camera access prompt to keep up the ruse. Subsequently, it presents a Chrome-style password prompt that captures the content entered by the user and sends it to a Dropbox account.

“Although there is some overlap, this campaign is distinct from other DPRK IT Worker schemes that focus on embedding actors within legitimate businesses under false identities,” Validin said. “Contagious Interview, by contrast, is designed to compromise individuals through staged recruiting pipelines, malicious coding exercises, and fraudulent hiring platforms, weaponizing the job application process itself.”

Nov 28, 2025Ravie LakshmananMalware / Vulnerability

Cybersecurity researchers have discovered vulnerable code in legacy Python packages that could potentially pave the way for a supply chain compromise on the Python Package Index (PyPI) via a domain takeover attack.

Software supply chain security company ReversingLabs said it found the “vulnerability” in bootstrap files provided by a build and deployment automation tool named “zc.buildout.”

“The scripts automate the process of downloading, building, and installing the required libraries and tools,” security researcher Vladimir Pezo said. “Specifically, when the bootstrap script is executed, it fetches and executes an installation script for the package Distribute from python-distribute[.]org – a legacy domain that is now available for sale in the premium price range while being managed to drive ad revenue.”

The PyPI packages that include a bootstrap script that accesses the domain in question include tornado, pypiserver, slapos.core, roman, xlutils, and testfixtures.

The crux of the problem concerns an old bootstrap script (“bootstrap.py“) that was used along with the zc.buildout tool to initialize the Buildout environment. The Python script also supported the ability to install a packaging utility called “Distribute,” a short-lived fork of the Setuptools project, into the local environment.

To achieve this, the Distribute installation script (“distribute_setup.py”) is fetched from the python-distribute[.]org, a domain that has been up for sale since 2014. In adding the option, the idea was to instruct the bootstrap script to download and install the Distribute package instead of the older Setuptools package to manage eggs and dependencies for the buildout.

It’s important to note that the Distribute fork came into being due to the lack of active development of Setuptools, the main package management tool used at that time. However, the features from Distribute were integrated back into Setuptools in 2013, rendering Distribute obsolete.

The issue identified by ReversingLabs concerns the fact that many packages have continued to ship the bootstrap script that either attempts to install Distribute by default or when the command-line option (“-d” or “–distribute”) is specified. This, coupled with the fact that the domain in question is up for grabs, puts users at latent risk as an attacker could weaponize this setup to serve malicious code when the bootstrap script is inadvertently run and potentially steal sensitive data.

While some of the affected packages have taken steps to remove the bootstrap script, the slapos.core package still continues to ship the vulnerable code. It’s also included in the development and maintenance version of Tornado.

Another important aspect to consider here is that the bootstrap script is not executed automatically during the package installation and is written in Python 2. This means the script cannot be executed with Python 3 without modifications. But the mere presence of the file leaves an “unnecessary attack surface” that attackers can exploit if developers are tricked into running code that triggers the execution of the bootstrap script.

The threat of a domain takeover is not theoretical. In 2023, it came to light that the npm package fsevents was compromised by a bad actor who seized control of an unclaimed cloud resource hosted at fsevents-binaries.s3-us-west-2.amazonaws[.]com to push malicious executables to users installing certain versions of the package (CVE-2023-45311, CVSS score: 9.8).

“The issue lies in the programming pattern that includes fetching and executing a payload from a hard-coded domain, which is a pattern commonly observed in malware exhibiting downloader behavior,” Pezo said. “The failure to formally decommission the Distribute module allowed vulnerable bootstrap scripts to linger and left unknown numbers of projects exposed to a potential attack.”

The disclosure comes as HelixGuard discovered a malicious package in PyPI named “spellcheckers” that claims to be a tool for checking spelling errors using OpenAI Vision, but contains malicious code that’s designed to connect to an external server and download a next-stage payload, which then executes a remote access trojan (RAT).

The package, first uploaded to PyPI on November 15, 2025, by a user named leo636722, has been downloaded 955 times. It’s no longer available for download.

“This RAT can receive remote commands and execute attacker-controlled Python code via exec(), enabling full remote control over the victim’s host,” HelixGuard said. “When the user installs and runs the malicious package, the backdoor becomes active, allowing the attacker to remotely control the user’s computer.”

Nov 28, 2025The Hacker NewsEnterprise Security / Threat Detection

As IT environments become increasingly distributed and organizations adopt hybrid and remote work at scale, traditional perimeter-based security models and on-premises Privileged Access Management (PAM) solutions no longer suffice. IT administrators, contractors and third-party vendors now require secure access to critical systems from any location and on any device, without compromising compliance or increasing security risks. To keep up with modern demands, many organizations are turning to Remote Privileged Access Management (RPAM) for a cloud-based approach to securing privileged access that extends protection beyond on-prem environments to wherever privileged users connect.

Continue reading to learn more about RPAM, how it differs from traditional PAM and why RPAM adoption is growing across all industries.

What is RPAM?

Remote Privileged Access Management (RPAM) allows organizations to securely monitor and manage privileged access for remote and third-party users. Unlike traditional PAM solutions, RPAM extends granular access controls beyond the corporate perimeter, enabling administrators, contractors and vendors to connect securely from any location.

RPAM enforces least-privilege access, verifies user identities and monitors every privileged session, all without exposing credentials or depending on Virtual Private Networks (VPNs). Each privileged session is recorded in detail, giving security teams full visibility into who accessed what and when.

How does PAM differ from RPAM?

Both PAM and RPAM help organizations secure privileged access, but they were built for different operational environments. Traditional PAM solutions are designed to monitor and manage privileged accounts within an organization’s internal network. Since they were designed for on-prem environments, legacy PAM solutions struggle to keep up with today’s distributed, cloud-based infrastructures.

RPAM, on the other hand, extends PAM capabilities to modern hybrid and remote environments, providing secure privileged access regardless of a user’s location. In contrast to traditional PAM solutions, RPAM offers secure remote access without requiring VPNs or agent-based deployments, improving scalability and reducing attack surfaces. By supporting zero-trust principles and cloud-native architectures, RPAM gives organizations the control and flexibility needed to protect privileged accounts across modern environments.

Why RPAM adoption is accelerating

Technology is advancing at such a rapid pace that organizations must accelerate the adoption of RPAM to keep up with the growing need for secure and flexible remote access. Here are the main reasons why RPAM adoption is accelerating so quickly.

Remote work demands strong access controls

With the steady rise of hybrid and remote work, organizations face increased access challenges beyond their corporate networks. Since employees, contractors and vendors require privileged access to critical systems from various locations and devices, organizations need RPAM to provide policy-based, Just-in-Time (JIT) access to eliminate standing privileges across distributed environments. RPAM ensures that every connection, whether from an internal IT admin or an external vendor, is authorized and monitored to maintain security and transparency.

Cybercriminals target weak remote access points

Traditional remote access methods, including VPNs and Remote Desktop Protocol (RDP) sessions, are commonly targeted attack vectors. Once they have access to stolen credentials or remote systems, cybercriminals can deploy ransomware, steal data or move laterally within an organization’s network. RPAM mitigates these risks by enforcing Multi-Factor Authentication (MFA), recording privileged sessions and supporting zero-trust security. RPAM eliminates the use of shared credentials, ensuring that only continuously verified users can access sensitive data.

Compliance requirements drive automation

Organizations must comply with a variety of regulatory frameworks, such as ISO 27001 and HIPAA, which require full visibility into privileged activities. RPAM improves security and compliance by automating session logging and recording detailed audit trails. Not only does RPAM streamline audits, but it also provides organizations with valuable insight into privileged activity, helping ensure they align with compliance requirements.

The future of privileged access management

As remote work and cloud environments continue to modernize enterprises, traditional PAM solutions must evolve to meet the demands of remote access. The future of PAM lies in RPAM solutions that deliver secure, cloud-native control over privileged access across distributed networks. RPAM capabilities, such as agentic AI threat detection, can help organizations identify suspicious activity and proactively prevent potential data breaches before they happen. Modern organizations must shift toward solutions that offer zero-trust architectures, ensuring each access request is authenticated and continuously validated. KeeperPAM® offers a scalable, cloud-native RPAM solution that enables enterprises to secure privileged access and maintain compliance, regardless of where their users are located.

Nov 28, 2025Ravie LakshmananEmail Security / Enterprise Security

Cybersecurity researchers have shed light on a cross-tenant blind spot that allows attackers to bypass Microsoft Defender for Office 365 protections via the guest access feature in Teams.

“When users operate as guests in another tenant, their protections are determined entirely by that hosting environment, not by their home organization,” Ontinue security researcher Rhys Downing said in a report.

“These advancements increase collaboration opportunities, but they also widen the responsibility for ensuring those external environments are trustworthy and properly secured.”

The development comes as Microsoft has begun rolling out a new feature in Teams that allows users to chat with anyone via email, including those who don’t use the enterprise communications platform, starting this month. The change is expected to be globally available by January 2026.

“The recipient will receive an email invitation to join the chat session as a guest, enabling seamless communication and collaboration,” Microsoft said in its announcement. “This update simplifies external engagement and supports flexible work scenarios.”

In the event the recipient already uses Teams, they are notified via the app directly in the form of an external message request. The feature is enabled by default, but organizations can turn it off using the TeamsMessagingPolicy by setting the “UseB2BInvitesToAddExternalUsers” parameter to “false.”

At this stage, it’s worth mentioning that guest access is different from external access, which allows users to find, call, and chat with people who have Teams but are outside of their organizations.

The “fundamental architectural gap” highlighted by Ontinue stems from the fact that Microsoft Defender for Office 365 protections for Teams may not apply when a user accepts a guest invitation to an external tenant. In other words, by entering the other tenant’s security boundary, the user is subjected to security policies where the conversation is hosted and not where the user’s account lives.

What’s more, it opens the door to a scenario where the user can become an unprotected guest in a malicious environment that’s dictated by the attacker’s security policies.

In a hypothetical attack scenario, a threat actor can create “protection-free zones” by disabling all safeguards in their tenants or avail licenses that lack certain options by default. For instance, the attacker can spin up a malicious Microsoft 365 tenant using a low-cost license such as Teams Essentials or Business Basic that doesn’t come with Microsoft Defender for Office 365 out of the box.

Once the unprotected tenant is set up, the attacker can then conduct reconnaissance of the target organization to gather more information and initiate contact via Teams by entering a victim’s email address, causing Teams to send an automated invitation to join the chat as a guest.

Perhaps the most concerning aspect of the attack chain is that the email lands on the victim’s mailbox, given that the message originates from Microsoft’s own infrastructure, effectively bypassing SPF, DKIM, and DMARC checks. Email security solutions are unlikely to flag the email as malicious, as it’s legitimately from Microsoft.

Should the victim end up accepting the invitation, they are granted guest access in the attacker’s tenant, where all subsequent communication takes place. The threat actor can send phishing links or distribute malware-laced attachments by taking advantage of the lack of Safe Links and Safe Attachments scans.

“The victim’s organization remains completely unaware,” Downing said. “Their security controls never triggered because the attack occurred outside their security boundary.”

To safeguard against this line of attack, organizations are recommended to restrict B2B collaboration settings to only allow guest invitations from trusted domains, implement cross-tenant access controls, restrict external Teams communication if not required, and train users to watch out for unsolicited Teams invites from external sources.

The Hacker News has reached out to Microsoft for comment, and we will update the story if we hear back.

Nov 27, 2025Ravie LakshmananMalware / Social Engineering

The threat actor known as Bloody Wolf has been attributed to a cyber attack campaign that has targeted Kyrgyzstan since at least June 2025 with the goal of delivering NetSupport RAT.

As of October 2025, the activity has expanded to also single out Uzbekistan, Group-IB researchers Amirbek Kurbanov and Volen Kayo said in a report published in collaboration with Ukuk, a state enterprise under the Prosecutor General’s office of the Kyrgyz Republic. The attacks have targeted finance, government, and information technology (IT) sectors.

“Those threat actors would impersonate the [Kyrgyzstan’s] Ministry of Justice through official looking PDF documents and domain names, which in turn hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT,” the Singapore-headquartered company said.

“This combination of social engineering and accessible tooling allows Bloody Wolf to remain effective while keeping a low operational profile.”

Bloody Wolf is the name assigned to a hacking group of unknown provenance that has used spear-phishing attacks to target entities in Kazakhstan and Russia using tools like STRRAT and NetSupport. The group is assessed to be active since at least late 2023.

The targeting of Kyrgyzstan and Uzbekistan using similar initial access techniques marks an expansion of the threat actor’s operations in Central Asia, primarily impersonating trusted government ministries in phishing emails to distribute weaponized links or attachments.

The attack chains more or less follow the same approach in that the message recipients are tricked into clicking on links that download malicious Java archive (JAR) loader files along with instructions to install Java Runtime.

While the email claims the installation is necessary to view the documents, the reality is that it’s used to execute the loader. Once launched, the loader then proceeds to fetch the next-stage payload (i.e., NetSupport RAT) from infrastructure that’s under the attacker’s control and set up persistence in three ways –

• Creating a scheduled task
• Adding a Windows Registry value
• Dropping a batch script to the folder “%APPDATA%MicrosoftWindowsStart MenuProgramsStartup”

The Uzbekistan phase of the campaign is notable for incorporating geofencing restrictions, thereby causing requests originating outside of the country to be redirected to the legitimate data.egov[.]uz website. Requests from within Uzbekistan have been found to trigger the download of the JAR file from an embedded link within the PDF attachment.

Group-IB said the JAR loaders observed in the campaigns are built with Java 8, which was released in March 2014. It’s believed that the attackers are using a bespoke JAR generator or template to spawn these artifacts. The NetSupport RAT payload is a old version of NetSupport Manager from October 2013.

“Bloody Wolf has demonstrated how low-cost, commercially available tools can be weaponized into sophisticated, regionally targeted cyber operations,” it said. “By exploiting trust in government institutions and leveraging simple JAR-based loaders, the group continues to maintain a strong foothold across the Central Asian threat landscape.”

Nov 27, 2025Ravie LakshmananWeb Security / Zero Trust

Microsoft has announced plans to improve the security of Entra ID authentication by blocking unauthorized script injection attacks starting a year from now.

The update to its Content Security Policy (CSP) aims to enhance the Entra ID sign-in experience at “login.microsoftonline[.]com” by only letting scripts from trusted Microsoft domains run.

“This update strengthens security and adds an extra layer of protection by allowing only scripts from trusted Microsoft domains to run during authentication, blocking unauthorized or injected code from executing during the sign-in experience,” the Windows maker said.

Specifically, it only allows script downloads from Microsoft trusted CDN domains and inline script execution from a Microsoft trusted source. The updated policy is limited to browser-based sign-in experiences for URLs beginning with login.microsoftonline.com. Microsoft Entra External ID will not be affected.

The change, which has been described as a proactive measure, is part of Microsoft’s Secure Future Initiative (SFI) and is designed to safeguard users against cross-site scripting (XSS) attacks that make it possible to inject malicious code into websites. It’s expected to be rolled out globally starting mid-to-late October 2026.

Microsoft is urging organizations to test their sign-in flows thoroughly ahead of time to ensure that there are no issues and the sign-in experience has no friction.

It’s also advising customers to refrain from using browser extensions or tools that inject code or script into the Microsoft Entra sign-in experience. Those who follow this approach are recommended to switch to other tools that don’t inject code.

To identify any CSP violations, users can go through a sign-in flow with the dev console open and access the browser’s Console tool within the developer tools to check for errors that say “Refused to load the script” for going against the “script-src” and “nonce” directives.

Microsoft’s SFI is a multi-year effort that seeks to put security above all else when designing new products and better prepare for the growing sophistication of cyber threats.

It was first launched in November 2023 and expanded in May 2024 following a report from the U.S. Cyber Safety Review Board (CSRB), which concluded that the company’s “security culture was inadequate and requires an overhaul.”

In its third progress report published this month, the tech giant said it has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures, and that the adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%.

Other notable changes enacted by Microsoft are as follows –

• Enforced Mandatory MFA across all services, including for all Azure service users
• Introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust
• Migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK)
• Discontinued the use of Active Directory Federation Services (ADFS) in our productivity environment
• Decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments
• Advanced threat hunting by centrally tracking 98% of production infrastructure
• Achieved complete network device inventory and mature asset lifecycle management
• Almost entirely locked code signing to production identities
• Published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties

“To align with Zero Trust principles, organizations should automate vulnerability detection, response, and remediation using integrated security tools and threat intelligence,” Microsoft said. “Maintaining real-time visibility into security incidents across hybrid and cloud environments enables faster containment and recovery.”

Nov 27, 2025Ravie LakshmananCybersecurity / Hacking News

Hackers have been busy again this week. From fake voice calls and AI-powered malware to huge money-laundering busts and new scams, there’s a lot happening in the cyber world.

Criminals are getting creative — using smart tricks to steal data, sound real, and hide in plain sight. But they’re not the only ones moving fast. Governments and security teams are fighting back, shutting down fake networks, banning risky projects, and tightening digital defenses.

Here’s a quick look at what’s making waves this week — the biggest hacks, the new threats, and the wins worth knowing about.

That’s a wrap for this week’s ThreatsDay. The big picture? Cybercrime is getting faster, smarter, and harder to spot — but awareness still beats panic. Keep your software updated, stay alert for anything that feels off, and don’t click in a hurry. The more we all stay sharp, the harder it gets for attackers to win.

Nov 27, 2025Ravie LakshmananRansomware / Cloud Security

Gainsight has disclosed that the recent suspicious activity targeting its applications has affected more customers than previously thought.

The company said Salesforce initially provided a list of 3 impacted customers and that it has “expanded to a larger list” as of November 21, 2025. It did not reveal the exact number of customers who were impacted, but its CEO, Chuck Ganapathi, said “we presently know of only a handful of customers who had their data affected.”

The development comes as Salesforce warned of detected “unusual activity” related to Gainsight-published applications connected to the platform, prompting the company to revoke all access and refresh tokens associated with them. The breach has been claimed by a notorious cybercrime group known as ShinyHunters (aka Bling Libra).

A number of other precautionary steps have been enacted to contain the incident. This includes Zendesk, Gong.io, and HubSpot temporarily suspending their Gainsight integrations, and Google disabling OAuth clients with callback URIs like gainsightcloud[.]com. HubSpot, in its own advisory, said it found no evidence to suggest any compromise of its own infrastructure or customers.

In an FAQ, Gainsight has also listed the products for which the ability to read and write from Salesforce has been temporarily unavailable –

• Customer Success (CS)
• Community (CC)
• Northpass – Customer Education (CE)
• Skilljar (SJ)
• Staircase (ST)

The company, however, emphasized that Staircase is not affected by the incident and that Salesforce removed the Staircase connection out of caution in response to an ongoing investigation.

According to information from Salesforce, reconnaissance efforts against customers with compromised Gainsight access tokens were first recorded from the IP address “3.239.45[.]43” on October 23, 2025, followed by subsequent waves of reconnaissance and unauthorized access starting November 8.

To further secure their environments, customers are asked to follow the steps below –

• Rotate the S3 bucket access keys and other connectors like BigQuery, Zuora, Snowflake etc., used for connections with Gainsight
• Log in to Gainsight NXT directly, rather than through Salesforce, until the integration is fully restored
• Reset NXT user passwords for any users who do not authenticate via SSO.
• Re-authorize any connected applications or integrations that rely on user credentials or tokens

“These steps are preventative in nature and are designed to ensure your environment remains secure while the investigation continues,” Gainsight said.

The development comes against the backdrop of a new ransomware-as-a-service (RaaS) platform called ShinySp1d3r (also spelled Sh1nySp1d3r) that’s being developed by Scattered Spider, LAPSUS$, and ShinyHunters (SLSH). Data from ZeroFox has revealed that the cybercriminal alliance has been responsible for at least 51 cyberattacks over the past year.

“While the ShinySp1d3r encryptor has some features common to other encryptors, it also boasts features that have never been seen before in the RaaS space,” the company said.

“These include: Hooking the EtwEventWrite function to prevent Windows Event Viewer logging, terminating processes that keep files open – which would normally prevent encryption – by iterating over processes before killing them, [and] filling free space in a drive by writing random data contained in a .tmp file, likely to overwrite any deleted files.”

ShinySp1d3r also comes with the ability to search for open network shares and encrypt them, as well as propagate to other devices on the local network through deployViaSCM, deployViaWMI, and attemptGPODeployment.

In a report published Wednesday, independent cybersecurity journalist Brian Krebs said the individual responsible for releasing the ransomware is a core SLSH member named “Rey” (aka @ReyXBF), who is also one of the three administrators of the group’s Telegram channel. Rey was previously an administrator of BreachForums and the data leak website for HellCat ransomware.

Rey, whose identity has been unmasked as Saif Al-Din Khader, told Krebs that ShinySp1d3r is a rehash of HellCat that has been modified with artificial intelligence (AI) tools and that he has been cooperating with law enforcement since at least June 2025.

“The emergence of a RaaS program, in conjunction with an EaaS [extortion-as-a-service] offering, makes SLSH a formidable adversary in terms of the wide net they can cast against organizations using multiple methods to monetize their intrusion operations,” Palo Alto Networks Unit 42 researcher Matt Brady said. “Additionally, the insider recruitment element adds yet another layer for organizations to defend against.”

The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry.

The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the “setup_bun.js” loader and the main payload “bun_environment.js.” The company told The Hacker News that org.mvnpm:posthog-node:4.18.1 was the only Java package identified so far.

“This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload,” the cybersecurity company said in a Tuesday update.

It’s worth noting that the Maven Central package is not published by PostHog itself. Rather, the “org.mvnpm” coordinates are generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. The Maven Central said they are working to implement extra protections to prevent already known compromised npm components from being rebundled. As of November 25, 2025, 22:44 UTC, all mirrored copies have been purged.

The development comes as the “second coming” of the supply chain incident has targeted developers globally with an aim to steal sensitive data like API keys, cloud credentials, and npm and GitHub tokens, and facilitate deeper supply chain compromise in a worm-like fashion. The latest iteration has also evolved to be more stealthy, aggressive, scalable, and destructive.

Besides borrowing the overall infection chain of the initial September variant, the attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their own machines and scans for secrets and exfiltrates them to GitHub repositories using the stolen tokens.

The attack accomplishes this by injecting two rogue workflows, one of which registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened. A second workflow is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident.

“This version significantly enhances stealth by utilizing the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages,” Cycode’s Ronen Slavin and Roni Kuznicki said. “It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one.”

The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers. What’s more, the self-replication nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time.

Further analysis by Aikido has uncovered that the threat actors exploited vulnerabilities, specifically focusing on CI misconfigurations in pull_request_target and workflow_run workflows, in existing GitHub Actions workflows to pull off the attack and compromise projects associated with AsyncAPI, PostHog, and Postman.

The vulnerability “used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run,” security researcher Ilyas Makari said. “A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day.”

It’s assessed that the activity is the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm.

“As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behavior, making it one of the most impactful supply chain attacks of the year,” Nadav Sharkazy, a product manager at Apiiro, said in a statement.

“This malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation.”

Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files were uploaded to GitHub with the exfiltrated secrets. GitGuardian’s analysis of 4,645 GitHub repositories has identified 11,858 unique secrets, out of which 2,298 remained valid and publicly exposed as of November 24, 2025.

Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement.

“Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break,” Dan Lorenc, co-founder and CEO of Chainguard, said. “A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours.”

“The techniques attackers are using are constantly evolving. Most of these attacks don’t rely on zero-days. They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed.”