Cybersecurity News — July 19, 2025
Table of Contents
- Hijacked JavaScript Libraries Spread Malware via NPM
- Co-op Data Breach Exposes 6.5 Million Members
- Chinese Hackers Breach US National Guard Networks
- FortiWeb Exploited in Mass Attacks Following PoC Release
- CitrixBleed 2 Lingers Despite Patching
- New Linux Boot Vulnerability Bypasses Secure Boot
- RingReaper: Novel Linux EDR Evasion Tool Leveraging io_uring
Hijacked JavaScript Libraries Spread Malware via NPM
Supply Chain Attack Targets Popular ESLint Config Packages
Researchers have uncovered a supply chain attack in which the popular JavaScript libraries eslint-config-prettier and eslint-plugin-prettier were hijacked to distribute malicious payloads. Attackers initiated the incident through highly targeted phishing and credential theft, gaining unauthorized access to the maintainers’ NPM accounts.
Technical Mechanism
After gaining control, the threat actors pushed trojanized versions of the packages. The malicious code was crafted to download and execute further malware on developer systems whenever these libraries were included as development dependencies. Because these tools are widely integrated into pipelines for code linting and formatting, the attack risked widespread downstream compromise across software teams, CI/CD environments, and end-user application deployments.
Detection and Remediation
Automated feeds flagged the anomalous commits, which exhibited code obfuscation and embedded payload URLs. NPM promptly removed the compromised versions and is conducting a credential audit with maintainers. Users are advised to check installed versions, reset developer tokens, and review build job environments for suspicious artifacts.
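One way to do the "check installed versions" step from a CI job, as an added example that is not code from the article or from the affected projects: it reads a package-lock.json (v2/v3 layout), finds every installed copy of the two named packages, and flags versions outside an allowlist, copies that declare an install script (npm's hasInstallScript field), and copies resolved from anywhere other than the public registry. The allowlist versions and the sample lockfile are placeholders, not the actual compromised releases.

```python
"""Added example, not code from the article: audit a package-lock.json (v2/v3
layout) for the two hijacked packages, flagging versions outside an allowlist,
copies that declare an install script (npm's hasInstallScript field) and copies
resolved from somewhere other than the public registry."""
import json

WATCHED = {"eslint-config-prettier", "eslint-plugin-prettier"}
# Placeholder allowlist: replace with the versions your team has reviewed.
KNOWN_GOOD = {"eslint-config-prettier": {"9.1.0"},
              "eslint-plugin-prettier": {"5.1.3"}}
REGISTRY = "https://registry.npmjs.org/"

def audit_lockfile(lock: dict) -> list:
    """Return one finding per installed copy of a watched package."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        # Keys look like "node_modules/<name>" or, for nested copies,
        # "node_modules/a/node_modules/<name>"; the package name is the tail.
        name = path.rsplit("node_modules/", 1)[-1]
        if name not in WATCHED:
            continue
        version, resolved = meta.get("version", ""), meta.get("resolved", "")
        reasons = []
        if version not in KNOWN_GOOD[name]:
            reasons.append("version not in allowlist")
        if meta.get("hasInstallScript"):
            reasons.append("declares an install script")
        if resolved and not resolved.startswith(REGISTRY):
            reasons.append("resolved outside the public registry")
        findings.append({"path": path, "name": name,
                         "version": version, "suspicious": reasons})
    return findings

# Constructed sample lockfile: version 5.9.9 and its install script are
# invented to exercise the checks, not a real compromised release.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "node_modules/eslint-config-prettier": {"version": "9.1.0",
      "resolved": "https://registry.npmjs.org/eslint-config-prettier/-/eslint-config-prettier-9.1.0.tgz"},
    "node_modules/eslint-plugin-prettier": {"version": "5.9.9",
      "resolved": "https://registry.npmjs.org/eslint-plugin-prettier/-/eslint-plugin-prettier-5.9.9.tgz",
      "hasInstallScript": true},
    "node_modules/prettier": {"version": "3.3.3"}
  }
}""")

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f["path"], f["version"], "; ".join(f["suspicious"]) or "ok")
```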
Co-op Data Breach Exposes 6.5 Million Members
Details of the Breach
The Co-op retail chain confirmed a major data breach after attackers exfiltrated sensitive data of approximately 6.5 million members. The compromised data reportedly includes names, account numbers, email addresses, and in some cases, partial financial details or transaction histories.
Attack Vector and Impact
Early investigation suggests a vulnerability in a customer service portal was exploited for unauthorized access. The incident went undetected for several days, allowing threat actors to conduct broad data scraping. Forensic teams are still assessing the extent of lateral movement and whether any privilege escalation occurred on backend infrastructure.
Response and Notification
Affected individuals will receive direct notifications and guidance on protective measures such as credential resets and ongoing account monitoring. Regulatory authorities have been informed and may initiate compliance reviews or penalties under data protection statutes.
Chinese Hackers Breach US National Guard Networks
State-Sponsored Intrusion Tactics
A China-linked APT group successfully infiltrated portions of the US National Guard’s internal networks. The attackers focused specifically on extracting configuration data, network diagrams, and administrator credentials, which can later aid in deeper operational or supply chain attacks.
Technical Details and Scope
The campaign leveraged weaponized CAPTCHAs, typo-squatted GitHub repositories, and AI-assisted malware loaders, indicating a high level of sophistication. The initial vector was a phishing email targeting IT staff, followed by lateral movement using compromised remote desktop credentials.
Response Efforts
Agencies rapidly contained the breach, but the incident underscores persistent vulnerabilities in complex, federated network environments. Ongoing monitoring and intelligence sharing are in place to detect follow-on activities or further exploitation attempts.
FortiWeb Exploited in Mass Attacks Following PoC Release
Critical FortiWeb Vulnerability Targeted in the Wild
Attackers have compromised dozens of FortiWeb web application firewall instances after a public Proof-of-Concept (PoC) exploit was shared. The vulnerability enables remote attackers to bypass authentication or even achieve remote code execution, depending on configuration.
Attack Patterns and Risk
Once the PoC became available, automated exploitation attempts spiked, predominantly scanning for accessible management interfaces and weak credentials. Exploited hosts are being used for data exfiltration, web shell deployment, and as pivot points into protected network segments.
Mitigations
Fortinet advises urgent patching and the disabling of management interfaces on Internet-facing systems. Organizations are urged to audit logs for suspicious access and to consider threat hunting for unauthorized changes.
CitrixBleed 2 Lingers Despite Patching
Re-exploitation Possible After Patching
A new report warns that the CitrixBleed 2 vulnerability in NetScaler devices may still expose organizations even after patches are applied. The flaw can allow information disclosure or unauthorized access if prior exploitation occurred before hotfixes were installed.
Underlying Issue and Persistence
This residual risk exists because earlier exploitation may have created rogue administrator accounts or left backdoors on affected systems, so attackers can retain persistence on a device that appears patched and secure.
Mitigation Strategies
Security teams must conduct thorough post-patch reviews, including enumeration of all privileged accounts, malware scans, and integrity verification of NetScaler device firmware.
New Linux Boot Vulnerability Bypasses Secure Boot
Vulnerability Overview
A critical vulnerability discovered in the Linux boot process allows attackers with brief physical access to bypass Secure Boot protections by manipulating the initramfs during system initialization. This bypass enables the execution of unsigned or malicious code before kernel lockdown.
Exploitation Requirements
The attack vector typically requires access to system consoles or removable media during the boot phase. In some environments less physical control is needed, for example where unattended servers are not tightly monitored. The exploit has been demonstrated on multiple distributions.
Remediation
Linux maintainers are releasing updates to harden the boot chain, and administrators should review physical security policies, disable unused boot options, and adopt encrypted boot loaders where possible.
RingReaper: Novel Linux EDR Evasion Tool Leveraging io_uring
Introduction and Mechanism
RingReaper is a newly identified Linux evasion tool exploiting the legitimate io_uring kernel interface to bypass advanced Endpoint Detection and Response (EDR) products. This interface allows for high-performance I/O and is increasingly present in modern kernel versions.
Techniques Used
The malware abuses io_uring for stealthy injection and execution of malicious payloads, evading conventional monitoring hooks and signature-based detections implemented by security agents. It dynamically loads payloads, masking memory access patterns and process activity from EDR.
Detection and Defense
Responders are urged to update threat intelligence feeds to include new indicators related to io_uring misuse, consider restricting or auditing its use in high-security environments, and integrate low-level kernel telemetry into EDR solutions.
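A concrete form of the "audit its use" advice, as an added example that is not code from the article or from any EDR vendor: it pulls io_uring syscalls out of raw auditd SYSCALL records and lists which executables issued them against a host allowlist. It assumes an audit rule such as `-a always,exit -F arch=b64 -S io_uring_setup,io_uring_enter,io_uring_register -k io_uring` is loaded, that the host is x86_64 (syscall numbers 425 to 427), and that the allowlisted postgres path is just a placeholder; the sample records are constructed.

```python
"""Added example, not code from the article: pull io_uring syscalls out of raw
auditd SYSCALL records and list the executables that issued them against a
hypothetical allowlist.  Raw audit logs carry syscall numbers, so the x86_64
numbers are mapped to names here; the sample records below are constructed."""
import re
from collections import Counter

IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter",
                     427: "io_uring_register"}
# Hypothetical allowlist of executables expected to use io_uring on this host.
EXPECTED_EXES = {"/usr/lib/postgresql/16/bin/postgres"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> dict:
    """Turn 'key=value key="quoted"' audit fields into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def io_uring_events(lines):
    """Yield one event per SYSCALL record whose syscall is io_uring-related."""
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or not rec.get("syscall", "").isdigit():
            continue
        nr = int(rec["syscall"])
        if nr in IO_URING_SYSCALLS:
            yield {"syscall": IO_URING_SYSCALLS[nr], "pid": rec.get("pid"),
                   "comm": rec.get("comm"), "exe": rec.get("exe"),
                   "success": rec.get("success") == "yes"}

def summarise(lines) -> dict:
    """Count (exe, syscall) pairs and list executables not on the allowlist."""
    counts, unexpected = Counter(), set()
    for ev in io_uring_events(lines):
        counts[(ev["exe"], ev["syscall"])] += 1
        if ev["exe"] not in EXPECTED_EXES:
            unexpected.add(ev["exe"])
    return {"counts": dict(counts), "unexpected_exes": sorted(unexpected)}

SAMPLE_LOG = [  # constructed records; pids, paths and timestamps are invented
    'type=SYSCALL msg=audit(1752900000.101:301): arch=c000003e syscall=425 '
    'success=yes exit=3 pid=2231 uid=110 comm="postgres" '
    'exe="/usr/lib/postgresql/16/bin/postgres" key="io_uring"',
    'type=SYSCALL msg=audit(1752900000.205:302): arch=c000003e syscall=425 '
    'success=yes exit=4 pid=4102 uid=1000 comm="rr" exe="/tmp/.cache/rr" key="io_uring"',
    'type=SYSCALL msg=audit(1752900000.206:303): arch=c000003e syscall=426 '
    'success=yes exit=1 pid=4102 uid=1000 comm="rr" exe="/tmp/.cache/rr" key="io_uring"',
    'type=PROCTITLE msg=audit(1752900000.206:303): proctitle=2F746D702F2E63616368652F7272',
]

if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

For the "restricting" half of the advice, kernels 6.6 and newer expose the sysctl kernel.io_uring_disabled: 2 turns the interface off for everyone, while 1 limits new rings to privileged processes and members of the group named in kernel.io_uring_group.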