Svoboda Cybersecurity Brief November 05, 2025
Critical React Native CLI Vulnerability Exposes Developers to RCE
A critical flaw (CVE-2025-11953, CVSS 9.8) in @react-native-community/cli-server-api (versions 4.8.0–20.0.0-alpha.2) allows unauthenticated attackers to execute arbitrary OS commands via Metro development server’s /open-url endpoint. The npm package, maintained by Meta, sees ~2M weekly downloads.
Impact: Remote code execution with attacker-controlled parameters on Windows (full control) or Linux/macOS (limited control).
Mitigation: Upgrade to version 20.0.0+. Disable Metro server if unused.
Source: BleepingComputer
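The affected version range above is inclusive of a prerelease (20.0.0-alpha.2), which naive string comparison gets wrong. The following checker is an added example, not code from the brief or from the React Native CLI project: it parses a package-lock.json (lockfileVersion 2/3 "packages" map), compares installed versions of @react-native-community/cli-server-api against the reported range using semver prerelease ordering, and reports every nested install. The sample lock file is constructed for the example.

```python
import json
import re

# Affected range as reported in the brief (inclusive on both ends).
AFFECTED_PACKAGE = "@react-native-community/cli-server-api"
AFFECTED_MIN = "4.8.0"
AFFECTED_MAX = "20.0.0-alpha.2"

# major.minor.patch, optional -prerelease, optional +build (ignored for ordering)
_SEMVER_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(version):
    """Return (major, minor, patch, prerelease_identifiers) for a semver string."""
    m = _SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    return (major, minor, patch, tuple(pre.split(".")) if pre else ())


def _prerelease_key(identifiers):
    # semver rule: a plain release sorts after every prerelease of the same core,
    # numeric identifiers sort before alphanumeric ones, shorter prefix sorts first.
    if not identifiers:
        return (1,)
    key = [0]
    for ident in identifiers:
        if ident.isdigit():
            key.append((0, int(ident), ""))
        else:
            key.append((1, 0, ident))
    return tuple(key)


def compare(a, b):
    """Return -1, 0 or 1 comparing semver strings a and b."""
    pa, pb = parse_semver(a), parse_semver(b)
    if pa[:3] != pb[:3]:
        return -1 if pa[:3] < pb[:3] else 1
    ka, kb = _prerelease_key(pa[3]), _prerelease_key(pb[3])
    if ka == kb:
        return 0
    return -1 if ka < kb else 1


def is_affected(version):
    """True if version lies inside [AFFECTED_MIN, AFFECTED_MAX]."""
    return compare(AFFECTED_MIN, version) <= 0 and compare(version, AFFECTED_MAX) <= 0


def find_vulnerable_installs(lockfile_text):
    """Return (path, version) pairs for every affected install in a package-lock.json.

    Only lockfileVersion 2/3 files (with a top-level "packages" map) are handled;
    nested copies under other packages' node_modules are reported too.
    """
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + AFFECTED_PACKAGE):
            version = meta.get("version", "")
            if version and is_affected(version):
                hits.append((path, version))
    return hits


# Constructed sample lock file: one vulnerable top-level install and one
# already-fixed nested copy.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@react-native-community/cli-server-api": {"version": "13.6.9"},
        "node_modules/some-tool/node_modules/@react-native-community/cli-server-api": {
            "version": "20.0.0"
        },
    },
})

if __name__ == "__main__":
    for path, version in find_vulnerable_installs(SAMPLE_LOCK):
        print(f"affected: {path} ({version}); upgrade to 20.0.0 or later")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents; a monorepo can carry several copies of the package, which is why every path ending in the package name is checked rather than only the top-level one.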
Malicious Android Apps Downloaded 42M Times from Google Play
239 malicious Android apps were downloaded 42M+ times from June 2024–May 2025, per Zscaler. Adware dominates (69% of detections), followed by Joker infostealer (23%) and spyware (220% YoY increase). High-risk malware includes Anatsa (banking trojan targeting 831 financial orgs) and Android Void (backdoor infecting 1.6M outdated Android TV devices).
Source: BleepingComputer
Apache OpenOffice Denies Akira Ransomware’s Data Breach Claims
Akira ransomware gang claimed to steal 23GB of Apache OpenOffice data (employee/financial records), but Apache disputes this, stating the open-source project holds no such data. No evidence of compromise found.
Source: BleepingComputer
Swedish IT Supplier Miljödata Breach Impacts 1.5M People
Miljödata, serving 80% of Sweden’s municipalities, suffered a cyberattack in August 2025, exposing data of 1.5M individuals. Threat actors demanded 1.5 BTC and leaked data (names, emails, govt IDs) via Datacarry ransomware group’s dark web portal.
Source: BleepingComputer
Operation SkyCloak Targets Defense Sectors with Tor-Enabled Backdoor
Phishing emails deliver malware (OpenSSH plus Tor with obfs4) to Russian and Belarusian defense entities. Attackers use PowerShell stagers with anti-sandbox checks, create scheduled tasks (githubdesktopMaintenance), and exfiltrate data via .onion domains. The tactics overlap with UAC-0125.
Source: TheHackerNews
Scattered Spider, LAPSUS$, ShinyHunters Form Cybercrime Alliance
Dubbed Scattered LAPSUS$ Hunters (SLH), the group has launched 16 Telegram channels since August 2025, offering extortion-as-a-service. Members include UNC5537 (Snowflake attacks) and UNC3944 (Scattered Spider). The group has hinted at plans for a Sh1nySp1d3r ransomware.
Source: TheHackerNews
Microsoft Uncovers SesameOp Backdoor Abusing OpenAI API
SesameOp uses OpenAI Assistants API for C2, relaying encrypted commands via Netapi64.dll (loaded via AppDomainManager injection). Results are sent back as OpenAI messages labeled “Result”. Microsoft notified OpenAI, which disabled the abused API key.
Source: TheHackerNews
Google’s AI “Big Sleep” Finds 5 Safari WebKit Vulnerabilities
Apple patched 5 flaws (e.g., CVE-2025-43429, a buffer overflow) in WebKit via iOS/iPadOS 26.1, macOS Tahoe 26.1, and Safari 26.1. The flaws were discovered by Google’s Big Sleep AI agent; none were exploited in the wild.
Source: TheHackerNews
JobMonster WordPress Theme Exploited for Admin Takeover
Critical auth bypass (CVE-2025-5397, CVSS 9.8) in the JobMonster theme (≤v4.8.1) lets attackers hijack admin accounts if social login is enabled. The theme has over 5,500 sales on Envato.
Impact: Full site compromise via unauthenticated admin access.
Mitigation: Update to v4.8.2 or disable social login.
Source: BleepingComputer
Transportation Firms Hacked to Divert Shipments
Attackers compromise broker load boards and deploy RMM tools (ScreenConnect, AnyDesk) to hijack cargo. Targets include freight brokers; stolen goods are likely sold online or overseas.
Source: SecurityWeek