Malicious npm Package Mimics Nodemailer to Hijack Crypto Transactions
A major supply chain attack was identified in the JavaScript ecosystem involving a malicious npm package imitating the popular Nodemailer library. The compromised package was downloaded 3.9 million times weekly before discovery and was designed to steal cryptocurrency by altering digital asset transfer mechanisms in victim applications.
Attack Vector and Distribution
Attackers published a rogue npm module under a name nearly identical to Nodemailer, leveraging typographical errors (“typosquatting”) to trick developers. Integrating this package into applications led to the inclusion of malicious scripts designed to monitor and intercept blockchain-related activities within the developer environment.
Technical Payload Analysis
The malicious code included obfuscated scripts that replaced wallet addresses in transaction workflows with those controlled by the attacker. Various anti-analysis techniques were present—such as dynamic code loading and environmental detection—to evade security checks and sandboxes often deployed by CI pipelines or endpoint protection solutions.
Impact and Response
With millions of downloads per week, the package had broad potential reach in fintech, web3, and general backend development. Immediate removal from the npm registry followed coordinated alerts, and platform maintainers are urging all organizations to validate package hashes and implement stronger supply chain defense practices.
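A dependency audit for the typosquatting vector described above, as an added example that is not part of the original report: it flags names in a package.json that sit within a small edit distance of a trusted package name. The trusted list, the distance threshold and the sample manifest (including the look-alike names) are constructed assumptions.

```javascript
// Added example: flag dependency names that are near-misses of trusted package names.
// TRUSTED, the threshold and the sample manifest are constructed for illustration.
const TRUSTED = ["nodemailer", "express", "lodash", "ethers", "web3"];

// Collapse case and separators so "node-mailer" and "node_mailer" compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Optimal string alignment distance: insert, delete, substitute, adjacent transposition.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Return one finding per dependency that resembles, but is not, a trusted name.
function findTyposquats(manifest, trusted = TRUSTED, maxDistance = 2) {
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    if (trusted.includes(dep)) continue; // exact match is the trusted package itself
    for (const good of trusted) {
      const dist = editDistance(normalize(dep), normalize(good));
      // Distance 0 here means the names differ only by case or separators.
      if (dist <= maxDistance) findings.push({ dependency: dep, resembles: good, distance: dist });
    }
  }
  return findings;
}

// Constructed package.json content; the look-alike names are made up for this example.
const sampleManifest = {
  dependencies: { nodemailer: "^6.9.0", nodemailler: "^1.0.0", "node-mailer": "^0.1.1", express: "^4.19.2" },
  devDependencies: { lodahs: "^4.17.21", jest: "^29.7.0" },
};
console.log(findTyposquats(sampleManifest));
```

Short trusted names produce more near-miss collisions, so tune the threshold per name length before wiring a check like this into CI.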
Microsoft Confirms Security Update KB5063709 Breaks Windows 11 Reset and Recovery
Microsoft officially acknowledged a critical issue in its August 2025 security patch (KB5063709), which rendered system reset and recovery functions nonoperational on the latest Windows 11 versions (22H2, 23H2, and select enterprise builds). This impacts the reliability of disaster recovery and device reimaging strategies across enterprises.
Discovery and Issue Scope
After widespread reports from users and IT teams who were unable to reset devices or resume from recovery partitions, Microsoft’s investigation traced the failure to the logic changes introduced in the cumulative update’s system restore modules.
Remediation Guidance
Companies are instructed to hold off on applying the update where feasible and have been provided with rollback scripts for affected builds, though some recovery features may require additional manual intervention or full device reinstallation pending a permanent fix expected by September’s Patch Tuesday release.
Pirated Games Used to Evade Defender SmartScreen and Adblockers for Malware Delivery
A persistent campaign has weaponized torrent-distributed pirated games to spread advanced malware, circumventing signature-based defenses, including Microsoft Defender SmartScreen and commonly used browser ad blockers. The attack illustrates the combined use of social engineering and security evasion to compromise end-user devices.
Threat Tactics
Malicious installers, distributed via cracks or repackaged games, leverage polyglot code and runtime obfuscators to bypass static analysis and gain execution on Windows endpoints. Payloads include information stealers and remote access trojans, often loaded in memory without touching disk to avoid antivirus heuristics.
Countermeasures
Security teams are advised to enforce policy restrictions on executable downloads from untrusted sources and increase analytic coverage on unsanctioned software installs. End users are further warned about the considerable risk posed by torrenting commercial software.
Sni5Gect: Real-Time 5G Interception and Payload Injection
Researchers have revealed a new framework, Sni5Gect, that demonstrates in-the-wild interception and manipulation of 5G cellular data streams. The tool exposes weaknesses in how message protection is applied within current carrier networks, enabling adversaries to inject arbitrary payloads or eavesdrop on communications.
Technical Details
Sni5Gect leverages vulnerabilities in weakly authenticated 5G control plane messages, employing active man-in-the-middle (MITM) strategies at the radio and core network level. The proof-of-concept includes mechanisms for session hijacking, tracking device identities, and downgrade attacks against mutual authentication routines.
Implications
Although primarily demonstrated for red-team and research purposes by university teams, the technique raises new concerns for 5G infrastructure providers and application operators, especially in critical IoT and national infrastructure settings, due to its capacity for stealthy interception and data manipulation.
Blue Locker Ransomware Targets Pakistani Oil & Gas Sector
Pakistan’s National Cyber Emergency Response Team (NCERT) issued an alert following an orchestrated cyberattack campaign against government ministries, attributing new attacks to Blue Locker ransomware with a focus on the national oil and gas sector.
Infection Chain
NCERT’s advisory details initial infection vectors via phishing emails containing weaponized attachments, which exploit unpatched vulnerabilities in office productivity software to establish persistence and facilitate lateral movement across segmented OT and IT environments.
Operational Impact
Blue Locker encrypts critical data files and threatens public shaming or data leaks upon nonpayment of ransom, disrupting industrial SCADA and ERP systems essential to operations. Emergency response teams are engaging in threat hunting to preempt additional government sector intrusions and reinforce backup and segmentation protocols.
Salesloft Drift OAuth Breach: Widespread Integration Compromise
Recent disclosures reveal the OAuth breach at Salesloft-Drift is broader than originally reported, impacting all third-party integrations—not only Salesforce—due to mass exfiltration of OAuth and refresh tokens. Security analysts recommend that all connected services be assumed compromised across affected environments.
Incident Analysis
Attackers, reportedly linked to UNC6395, used sophisticated phishing and token harvesting techniques via compromised Drift chat integrations. This enabled lateral movement into downstream SaaS applications connected to the same credentials, expanding the breach scope considerably.
Mitigation Steps
Google and other security vendors advise immediate revocation of all OAuth tokens issued to Drift and Salesloft integrations and a comprehensive audit of connected SaaS access. Organizations are cautioned to watch for similar attack patterns across their automation and chat platforms.
Critical Citrix NetScaler ADC/Gateway RCE Vulnerability Under Exploitation
Over 28,200 instances of Citrix NetScaler ADC/Gateway remain exposed to a severe remote code execution (RCE) flaw (CVE-2025-7775), which has been publicly confirmed as under active exploitation. This vulnerability is now in the CISA Known Exploited Vulnerabilities catalog.
Exploit Behavior
Attackers can execute arbitrary code on unpatched appliances via malformed HTTP requests due to input sanitization errors. Exploits seen in the wild involve privilege escalation, planting webshells, and using compromised appliances for further propagation or data exfiltration activities.
Patch Imperative
Citrix and federal authorities instruct all organizations to apply the published patch without delay, review access logs for potential indicators of compromise, and remove or reimage any appliance showing signs of post-exploit persistence.
Pudu Robotics Food Delivery Robots Exposed to Order Manipulation Attacks
Security researchers uncovered vulnerabilities in the customer API management systems of Pudu Robotics’s food delivery robots, allowing attackers to take unauthorized control of active robots, redirecting delivery missions or accessing order data without authentication.
Attack Mechanism
The critical flaw stems from insufficient verification in backend management endpoints, enabling attackers to inject commands or alter delivery routes. Some API requests lacked even basic token-based authentication, making them vulnerable to common web exploitation tools.
Risk Assessment
Unchecked, attackers could conduct denial-of-service (robot rerouting) or data theft operations in environments such as hospitals and hotels, highlighting the urgent need for access controls and session validation in robotics fleet management.
Email Phishing Targets Hotel Property Management Platforms via Malvertising
A sophisticated phishing campaign was discovered exploiting online advertising (malvertising) to impersonate well-known hospitality service providers, targeting property management system (PMS) users within hotels and vacation rentals.
Technique and Impact
Threat actors placed fraudulent search ads leading to cloned PMS login pages, collecting credentials and delivering stealer malware, then leveraging compromised backends for secondary fraud and data theft. The malvertising infrastructure used proxying and domain shadowing to hide linkage to criminal operations.
Preventive Actions
Security vendors recommend web content filtering, DNS security controls, and routine staff awareness training to mitigate the risk of similar campaigns targeting credential-rich environments in vertical markets.
Google Web Designer RCE Exposes Windows Systems to Full Compromise
A critical remote code execution vulnerability affecting Google Web Designer was uncovered, enabling attackers to take full control of Windows systems through a crafted project file. The bug was rated high severity because of its ability to elevate attacker privileges with minimal user interaction.
Exploit Analysis
The vulnerability is triggered by opening a malicious GWD project, leading to arbitrary code execution in the context of the logged-in user. Attackers can abuse this vector to drop and run second-stage payloads, install persistence mechanisms, and evade endpoint monitoring.
Mitigation Guidance
Google has released an urgent patch; users and organizations are advised to update immediately and restrict file acceptance from unverified sources.
SUSE Fleet Vulnerability: Plain Text Storage of Exploit Values
Security research disclosed a high-severity flaw in the SUSE Fleet GitOps Kubernetes deployment tool, exposing vulnerability exploit Helm values in plain text. This issue creates risk for Kubernetes administrators managing sensitive cluster configuration.
Technical Finding
Helm value files—which often contain credentials, token secrets, and exploit parameter definitions—were found stored unencrypted in default Fleet repositories, accessible to any account with read-level privileges. The flaw enables automated extraction and subsequent lateral movement or privilege escalation within affected clusters.
Remediation
SUSE has issued updated security advisories and recommends immediate rotation of cluster secrets alongside application of the fixed version, as well as an audit of all Fleet repositories for untracked exposure.