Cyber Security Weekly Briefing, 13-19 September
Shai-Hulud: malware campaign compromises more than 180 packages on npm
Security researchers have detected a supply chain attack that has compromised at least 187 packages in the npm repository, including the popular @ctrl/tinycolor, with over two million weekly downloads.
The campaign, dubbed Shai-Hulud, is characterized by its ability to spread automatically: the malware modifies and republishes packages from the same maintainer, spreading the infection on a large scale. The malicious code incorporates a script that uses TruffleHog, a legitimate secret search tool, to steal credentials from developers and CI/CD environments, create unauthorized workflows on GitHub, and exfiltrate the information to a remote server.
Among those affected are packages under CrowdStrike's official namespace, although the company assures that its Falcon platform has not been compromised.
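The install-time behaviour described above (lifecycle hooks that run a secret scanner and push data out) is something a defender can audit for locally. The following Python script is an added example, not code from the briefing or from any of the researchers cited; the package names, the hook commands and the indicator regex are constructed assumptions for illustration.

```python
"""Audit an npm install tree for the traits the Shai-Hulud write-up describes:
lifecycle hooks that execute at install time and hooks that invoke a secret
scanner or a download/exfiltration tool. Sample tree is constructed, not real."""
import json
import os
import re
import tempfile

HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Indicators: TruffleHog use and GitHub workflow creation come from the campaign
# description; the download utilities are an assumption about how a hook reaches out.
SUSPECT = re.compile(r"trufflehog|curl\s|wget\s|\.github[\\/]workflows", re.I)


def scan_node_modules(root):
    """Return [(package, version, hook, command)] for every lifecycle hook found."""
    found = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the audit
        scripts = pkg.get("scripts") or {}
        for hook in HOOKS:
            if hook in scripts:
                found.append((pkg.get("name", "?"), pkg.get("version", "?"), hook, scripts[hook]))
    return found


def flag_suspicious(hooks):
    """Keep only hooks whose command matches a campaign indicator."""
    return [h for h in hooks if SUSPECT.search(h[3])]


def build_sample_tree():
    """Constructed fixture: one benign package and one mimicking the worm's postinstall."""
    root = tempfile.mkdtemp()
    samples = {
        "pad-util": {"name": "pad-util", "version": "1.0.0", "scripts": {"test": "node test.js"}},
        "@example/colorlib": {"name": "@example/colorlib", "version": "4.1.1",
                              "scripts": {"postinstall": "node bundle.js && trufflehog filesystem / --json"}},
    }
    for name, pkg in samples.items():
        path = os.path.join(root, "node_modules", *name.split("/"))
        os.makedirs(path)
        with open(os.path.join(path, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root


if __name__ == "__main__":
    for name, ver, hook, cmd in flag_suspicious(scan_node_modules(build_sample_tree())):
        print(f"{name}@{ver}: {hook} -> {cmd}")
```

Pointing `scan_node_modules` at a real project root lists every install-time hook so the unexpected ones can be reviewed before the next CI run.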
FBI warns of data theft in Salesforce by UNC6040 and UNC6395
The FBI issued a FLASH alert warning that two clusters, UNC6040 and UNC6395, are compromising Salesforce environments to steal data and extort victims. UNC6040 used social engineering and vishing campaigns to trick employees into installing malicious OAuth applications, allowing the mass exfiltration of tables such as Accounts and Contacts.
The extracted data was exploited by extortion groups such as ShinyHunters. UNC6395, meanwhile, abused OAuth tokens and refresh tokens stolen from Salesloft/Drift to access customer instances between August 8 and 18, focusing the search on support cases containing secrets and credentials. The Salesloft-related campaign originated after the compromise of GitHub repositories, from which Drift tokens were stolen.
Victims include large technology and consumer companies, including Cloudflare, Google, Cisco, Adidas, Palo Alto Networks, and many more. Salesloft and Salesforce revoked tokens and required affected customers to reauthenticate.
HybridPetya: UEFI ransomware that bypasses Secure Boot
ESET researchers have identified a new ransomware sample called HybridPetya capable of installing a malicious bootkit on the EFI partition and bypassing Secure Boot protection. The malware, found on VirusTotal, combines visual elements and the Petya/NotPetya attack chain with new functionalities: it replaces the boot loader with a vulnerable “reloader.efi” and deposits several files in \EFI\Microsoft\Boot.
Upon reboot, it causes a fake BSOD, and during boot, the bootkit encrypts MFT clusters using Salsa20 while displaying a fake CHKDSK message, preventing Windows from booting. After completing the encryption, a ransom note is displayed demanding $1,000 in Bitcoin and offering a 32-character key to restore the original loader and decrypt the data.
HybridPetya exploits the CVE-2024-7344 (CVSSv3 8.2) vulnerability to bypass Secure Boot; Microsoft fixed this flaw in the January 2025 Patch Tuesday.
New FileFix attack uses steganography to deploy StealC malware
Acronis researchers have detected the first active campaign of FileFix, a technique derived from ClickFix, which moves beyond proof-of-concept and uses steganography to hide malicious code in JPG images. The attack begins with a multilingual phishing site that pretends to be Facebook security, prompting the user to paste commands into the file explorer address bar, which triggers a multi-stage infection chain.
This includes obfuscated PowerShell scripts that extract encrypted payloads from images, culminating in the execution of the StealC infostealer, capable of compromising credentials from browsers, messaging apps, cryptocurrencies, and cloud services. The global infrastructure, multiple languages, and variants observed in two weeks suggest a rapidly evolving campaign with victims in countries such as the US, Germany, China, and Peru.
It is recommended to strengthen the detection of obfuscated scripts, monitor for the use of steganography, and educate users about attacks that abuse everyday system features (such as pasting into the file explorer address bar).
New Phoenix attack bypasses Rowhammer defenses in DDR5 memory
Researchers at ETH Zurich and Google have developed Phoenix, an advanced Rowhammer attack technique capable of compromising DDR5 memory.
Phoenix manages to synchronize extremely long access patterns with thousands of internal refresh commands, overcoming TRR (Target Row Refresh) defenses through self-correcting synchronization. In tests, Phoenix caused bit flips in all 15 DDR5 devices evaluated, allowing privilege escalation to root access on systems with default configurations and compromising RSA-2048 keys on virtual machines.
The attack is registered as CVE-2025-6202 and affects DDR5 modules manufactured between January 2021 and December 2024, so any system fitted with such memory is potentially at risk.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us.