Heroes, it's Monday. Let's get at it. C-level Heroes might be interested in the CyberSaint article, which details how cybersecurity is a CEO problem. MikeGPT hopes to be a part of the solution.
Here's a detailed look at the current cybersecurity landscape for September 29, 2025.
Date & Time: 2025-09-29T14:09:14
A significant software supply chain attack has compromised over 500 packages in the NPM registry. The attack utilizes a self-propagating malware variant, dubbed Shai-Hu..., which steals credentials to spread to further packages, posing a severe risk to development environments and production applications that ingest these dependencies.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: CERT/CC
Date & Time: 2025-09-29T12:36:00
This week's threat landscape is marked by several high-impact events, including the active exploitation of a Cisco zero-day vulnerability, the release of a new LockBit 5.0 ransomware variant, and a record-breaking DDoS attack. These concurrent threats require organizations to prioritize patching, review ransomware defenses, and ensure DDoS mitigation strategies are in place.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: The Hacker News
Date & Time: 2025-09-29T09:32:34
The Akira ransomware group is actively exploiting a known SonicWall vulnerability to gain initial access to target networks. The threat actors are leveraging legitimate tools, including the Datto RMM utility, on domain controllers to move laterally and deploy their payload while evading detection by security solutions.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: SecurityWeek
Date & Time: 2025-09-29T08:52:00
A sophisticated phishing campaign is leveraging large language models (LLMs) to generate malicious SVG files that bypass traditional email security filters. This technique represents a significant evolution in phishing, as the AI-generated payloads are highly obfuscated and effectively trick both automated defenses and end-users.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: The Hacker News
Date & Time: 2025-09-28T16:32:55
A new Linux post-exploitation agent named RingReaper has been identified that uses the `io_uring` interface to execute system calls, effectively bypassing EDR and other monitoring tools that hook traditional syscall methods. This technique allows attackers to operate with a high degree of stealth on compromised Linux systems, challenging existing detection strategies.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: GitHub
Date & Time: 2025-09-29T14:09:23
A September cyberattack has forced a complete halt in production and sales for Jaguar Land Rover, necessitating a £1.5 billion government-backed loan to manage the fallout. This incident underscores the severe financial and operational impact that cyberattacks can have on major manufacturing and critical infrastructure sectors.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: GovInfoSecurity
Date & Time: 2025-09-28T15:42:45
A recent breach impacting both Salesloft and Drift exposes the deeply interconnected nature of modern SaaS platforms and the associated supply chain risks. The incident serves as a critical reminder for organizations to scrutinize the security posture of their third-party vendors, particularly those integrated with core platforms like Google Workspace.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: Guardz
Date & Time: 2025-09-29T05:19:40
Dutch police have arrested two 17-year-olds for allegedly conducting espionage activities for a pro-Russian hacking group. This event highlights the ongoing recruitment of insiders and sympathizers by nation-state-aligned threat actors and the complex challenge of countering insider threats, regardless of age.
CVE Details: n/a
Compliance Realm: General Enterprise
Source: Security Affairs
Date & Time: 2025-09-29T12:30:00
The November 10 deadline for Cybersecurity Maturity Model Certification (CMMC) is rapidly approaching for organizations within the defense industrial base. CISOs and compliance leaders must ensure their security controls and documentation are finalized to meet this critical regulatory milestone for securing government contracts.
Source: CyberSaint Security
Date & Time: 2025-09-29T12:00:02
The sheer volume of security alerts is leading to significant analyst fatigue, increasing the risk of missed critical incidents. This analysis frames alert overload as a strategic business problem for CEOs, advocating for better tooling, automation, and risk-based prioritization to improve security operations effectiveness.
Source: CyberSaint Security
Spotlight Rationale: Socket is selected for this spotlight because its security research was instrumental in uncovering today's top critical threat: the [NPM supply chain compromise](https://kb.cert.org/vuls/id/534320) affecting over 500 packages. This demonstrates the critical need for specialized tooling that can detect malicious code and behavior within open-source dependencies before they are integrated into an organization's software.
Threat Context: VU#534320: NPM supply chain compromise exposes challenges to securing the ecosystem
Platform Focus: Socket's Software Supply Chain Security Platform
Socket's platform addresses the core of the NPM supply chain threat by proactively analyzing open-source packages for potential risks before they are installed. Unlike traditional scanners that focus on known vulnerabilities, Socket inspects package metadata, author history, and code for suspicious indicators like obfuscation, excessive permissions, or the presence of post-install scripts—hallmarks of malware like the Shai-Hu... variant. This provides a vital defense layer in the CI/CD pipeline, preventing malicious code from ever reaching production environments.
Actionable Platform Guidance: Organizations should configure Socket (or a similar tool) to automatically block packages that exhibit high-risk characteristics. A baseline policy should include blocking packages with install scripts, obfuscated code, new or unverified authors, or those that attempt to access environment variables and network resources during installation. Alerts should be configured to notify security and development teams immediately when a developer attempts to add a dependency that violates these policies.
Source: CERT/CC
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Socket
```
# Example Policy Configuration for a Software Supply Chain Security Platform like Socket
# Goal: Block dependencies similar to the malicious NPM packages reported in VU#534320
policy "Block Malicious NPM Package Indicators" {
    # Block packages that execute code upon installation
    deny on issue.type == "install-scripts";

    # Block packages containing obfuscated or minified code, which hides malicious logic
    deny on issue.type == "obfuscated-code";

    # Block packages that attempt to read sensitive environment variables
    deny on issue.type == "env-variable-access" and issue.details.variable matches "(TOKEN|SECRET|KEY|PASS)";

    # Alert on packages from new authors or with low reputation scores
    warn on issue.type == "author-reputation" and issue.details.score < 0.5;

    # Block packages that make network calls during the install phase
    deny on issue.type == "network-access" and issue.details.phase == "install";
}
```
2. YARA Rule for NPM Supply Chain Malware (Shai-Hu... Variant)
```yara
rule NPM_SupplyChain_ShaiHulud_Variant {
    meta:
        description = "Detects indicators associated with malicious NPM packages involved in credential theft and self-propagation, similar to the Shai-Hu... malware."
        author = "Threat Rundown"
        date = "2025-09-29"
        reference = "https://kb.cert.org/vuls/id/534320"
        severity = "high"
        tlp = "white"
    strings:
        $s1 = "postinstall" ascii wide
        $s2 = "process.env.NPM_TOKEN" ascii wide
        $s3 = "npm publish" ascii wide
        $s4 = "require('fs').readFileSync" ascii wide
        $s5 = "/home/runner/.npmrc" ascii wide // Common in CI/CD environments
    condition:
        // No shebang gate (uint16(0) == 0x2123, i.e. "#!"): package.json and most JS modules do not start with one.
        // Require two indicators, since "postinstall" alone appears in many legitimate packages.
        filesize < 500KB and 2 of them
}
```
3. SIEM Query — Detecting Akira Ransomware Living-off-the-Land (Datto RMM)
```spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ComputerName IN (DomainControllerList)
    ParentImage="*\\RMM\\rmmagent.exe"
    Image IN ("*\\powershell.exe", "*\\cmd.exe", "*\\net.exe", "*\\net1.exe", "*\\vssadmin.exe")
| eval risk_score=case(
    match(Image, "(?i)vssadmin\.exe$") AND match(CommandLine, "(?i)delete\s+shadows"), 100,
    match(ParentImage, "(?i)rmmagent\.exe$") AND NOT match(user, "(?i)SYSTEM$"), 90,
    1==1, 50)
| where risk_score >= 90
| table _time, user, ComputerName, ParentImage, Image, CommandLine, risk_score
| sort -_time
```
4. PowerShell Script — Hunt for Suspicious SVG Files (AI Phishing)
```powershell
# This script hunts for recently created SVG files in user profiles that may be related to the AI-driven phishing campaign.
$lookbackDays = 7
$cutoff = (Get-Date).AddDays(-$lookbackDays)
$userFolders = Get-ChildItem -Path C:\Users -Directory | Where-Object { $_.Name -ne "Public" -and $_.Name -ne "Default" }
foreach ($folder in $userFolders) {
    # Each Join-Path call is parenthesized; otherwise the comma is parsed as part of the -ChildPath argument
    $searchPaths = @(
        (Join-Path -Path $folder.FullName -ChildPath "Downloads"),
        (Join-Path -Path $folder.FullName -ChildPath "AppData\Local\Temp")
    )
    foreach ($path in $searchPaths) {
        if (Test-Path $path) {
            Write-Host "[*] Checking for suspicious SVG files in $path..."
            Get-ChildItem -Path $path -Filter "*.svg" -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
                if ($_.CreationTime -gt $cutoff) {
                    # Further checks could include looking for embedded scripts or large file sizes
                    if ($_.Length -gt 100KB) { # Large SVGs can hide obfuscated scripts
                        Write-Warning "[!] Potential malicious SVG found: $($_.FullName) | Size: $($_.Length) bytes | Created: $($_.CreationTime)"
                    }
                }
            }
        }
    }
}
```
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!