Svoboda Cybersecurity Brief November 26, 2025


OnSolve CodeRED Cyberattack Disrupts Emergency Alerts Nationwide

Risk management company Crisis24 confirmed a cyberattack on its OnSolve CodeRED platform, disrupting emergency notification systems used by state/local governments and public safety agencies. The INC Ransom gang claimed responsibility, leaking stolen data including names, addresses, emails, phone numbers, and cleartext passwords. Systems are being rebuilt from a March 2025 backup.
Impact: Nationwide disruption of emergency alert systems and exposure of sensitive user data.
Mitigation: Reset reused CodeRED passwords, monitor for credential misuse, and transition to the rebuilt CodeRED by Crisis24 platform.
Source: BleepingComputer

Shai-Hulud Worm Returns, Infects 640+ NPM Packages in Supply Chain Attack

A new variant of the self-replicating Shai-Hulud worm infected ~640 NPM packages, targeting preinstall scripts to spread faster across dev environments and CI/CD pipelines. The malware steals GitHub/NPM tokens, hijacks DNS, and wipes files if no tokens are found. Over 25,000 malicious repositories were created.
Impact: Compromise of developer secrets, potential ecosystem-wide supply chain contamination.
Mitigation: Rotate all tokens, audit CI/CD pipelines, and enforce MFA for repository access.
Source: SecurityWeek
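The worm spreads through install-time lifecycle scripts, so one concrete step in "audit CI/CD pipelines" is to enumerate which installed packages declare them. The following is an added example, not code from the brief or from any of the projects it mentions: it walks a node_modules tree, reads each package.json, and reports packages with preinstall, install or postinstall hooks. The package names and script commands in the sample tree are constructed for the demo.

```python
"""Audit an installed npm dependency tree for install-time lifecycle scripts.

Added example, not part of the original brief. It walks a node_modules tree,
reads each package.json, and reports packages that declare preinstall,
install or postinstall hooks, the mechanism the brief says the worm abuses.
Package names and commands below are constructed for the demo.
"""
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules):
    """Return {package_name: {hook: command}} for packages declaring install hooks."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        path = os.path.join(root, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            # Fall back to the directory path when the manifest has no name
            name = manifest.get("name") or os.path.relpath(root, node_modules)
            findings[name] = hooks
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree for the demo; returns its path."""
    base = tempfile.mkdtemp()
    nm = os.path.join(base, "node_modules")
    packages = {
        # clean package: no lifecycle scripts at all
        "left-pad-demo": {"name": "left-pad-demo", "version": "1.0.0"},
        # package with a preinstall hook (constructed; the command is a placeholder)
        "suspicious-demo": {
            "name": "suspicious-demo",
            "version": "2.3.1",
            "scripts": {"preinstall": "node install-hook.js", "test": "jest"},
        },
        # scoped package with a legitimate-looking native build step
        "@scope/native-demo": {
            "name": "@scope/native-demo",
            "scripts": {"install": "node-gyp rebuild"},
        },
    }
    for folder, manifest in packages.items():
        d = os.path.join(nm, *folder.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return nm


if __name__ == "__main__":
    tree = build_sample_tree()
    for pkg, hooks in sorted(find_install_hooks(tree).items()):
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
```

Run it against a real checkout by passing the project's node_modules path to find_install_hooks; every hit is a package that executes code at install time and deserves a look, with native builds (node-gyp) being the usual benign case. Pair this with `npm install --ignore-scripts` in CI where the build does not need hooks.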

Fluent Bit Vulnerabilities Expose Cloud Services to RCE

Five flaws (CVE-2025-12972 to CVE-2025-12969) in Fluent Bit allow arbitrary file overwrites, stack overflows, and authentication bypass. The most critical (CVE-2025-12972) enables RCE via malicious tag values in file outputs.
Impact: Cloud infrastructure takeover via log tampering or code execution.
Mitigation: Update to Fluent Bit 4.1.1/4.0.12; audit configurations for missing ‘File’ keys in outputs.
Source: SecurityWeek
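The mitigation above asks for a configuration audit of file outputs that lack a File key. As an added example (not from the brief or from the Fluent Bit project), the script below parses the classic section-based Fluent Bit config format, treating keys case-insensitively as Fluent Bit does, and lists every [OUTPUT] using the file plugin that has no File key. The sample configuration is constructed for the demo; the assumption that keys are case-insensitive and that the file plugin's parameters are Path and File reflects the documented classic format.

```python
"""Flag Fluent Bit 'file' outputs that omit the File key.

Added example, not part of the original brief or of the Fluent Bit project.
Parses the classic [SECTION]-style config (keys case-insensitive) and reports
[OUTPUT] sections using the file plugin without a File key, i.e. outputs whose
destination filename is not pinned in the config. SAMPLE_CONFIG is constructed.
"""

SAMPLE_CONFIG = """\
[SERVICE]
    Flush        1

[INPUT]
    Name   tail
    Path   /var/log/app/*.log
    Tag    app.*

[OUTPUT]
    Name   file
    Match  app.*
    Path   /var/log/fluent-out

[OUTPUT]
    Name   file
    Match  audit.*
    Path   /var/log/fluent-out
    File   audit.log

[OUTPUT]
    Name   stdout
    Match  *
"""


def parse_sections(text):
    """Parse classic Fluent Bit config into a list of (SECTION, {key: value})."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip().upper(), {})
            sections.append(current)
            continue
        if current is None:
            continue  # key/value before any section header: ignore
        parts = line.split(None, 1)
        key = parts[0].lower()  # Fluent Bit treats keys case-insensitively
        value = parts[1].strip() if len(parts) > 1 else ""
        current[1][key] = value
    return sections


def find_file_outputs_without_file_key(text):
    """Return the Match patterns of file-plugin outputs that have no File key."""
    flagged = []
    for section, keys in parse_sections(text):
        if section != "OUTPUT":
            continue
        if keys.get("name", "").lower() != "file":
            continue
        if "file" not in keys:
            flagged.append(keys.get("match", "<no match>"))
    return flagged


if __name__ == "__main__":
    for match in find_file_outputs_without_file_key(SAMPLE_CONFIG):
        print(f"file output for Match '{match}' has no File key")
```

Point the checker at each fluent-bit.conf in your fleet; any hit should get an explicit File value in addition to the version upgrade, since the upgrade is the fix and the audit only finds the configurations most exposed before it lands.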

Dartmouth College Confirms Data Breach After Clop Extortion Attack

Dartmouth disclosed a breach linked to Clop’s Oracle EBS zero-day exploit (CVE-2025-61882), exposing SSNs and financial data of 1,494 individuals. Clop leaked data from Harvard, Envoy Air, and others in the same campaign.
Impact: Theft of sensitive personal and financial records.
Mitigation: Monitor for credential misuse; apply Oracle EBS patches promptly.
Source: BleepingComputer

FBI Warns of $262M Lost to Bank Impersonation Scams

Since January 2025, 5,100+ complaints involved criminals impersonating bank support to steal credentials via phishing or fraudulent sites. Attacks used SEO-poisoned ads and fake law enforcement claims to trick victims.
Impact: Account takeovers and irreversible wire transfers to crypto wallets.
Mitigation: Enable MFA, use bookmarked banking sites, and verify support requests.
Source: BleepingComputer

JSONFormatter and CodeBeautify Leak Thousands of Credentials

Over 80,000 pastes (5GB) from government, finance, and critical infrastructure organizations exposed AWS keys, AD credentials, and KYC data via the public “Recent Links” feature of these code-formatting tools. Attackers actively scraped the data.
Impact: Exposure of high-risk credentials and PII.
Mitigation: Revoke exposed keys, monitor for anomalous access, and disable auto-save features.
Source: TheHackerNews

JackFix Malware Uses Fake Windows Updates on Adult Sites

A campaign lures users on fake adult sites (e.g., PornHub clones) with full-screen fake Windows updates, forcing PowerShell execution to deliver StealC V2/Rhadamanthys. Techniques include disabling Escape/F11 keys and obfuscating C2 domains.
Impact: Credential theft and secondary payload deployments.
Mitigation: Disable AutoRun, block malicious PowerShell commands, and educate users on update legitimacy.
Source: TheHackerNews

CISA Warns of Spyware Targeting Signal and WhatsApp Users

Threat actors exploit device-linking QR codes and zero-days (e.g., CVE-2025-43300 in WhatsApp) to deploy ClayRat/ProSpy spyware, focusing on high-value targets like government officials.
Impact: Unauthorized access to private communications.
Mitigation: Enable Lockdown Mode (iOS), use E2EE, and restrict app permissions.
Source: SecurityWeek

ToddyCat Deploys TCSectorCopy to Steal Outlook Emails

The APT group uses TCSectorCopy (“xCopy.exe”) to extract OST files and SharpTokenFinder to harvest Microsoft 365 tokens from memory. A PowerShell variant of TomBerBil now targets Firefox via SMB.
Source: TheHackerNews

Blender 3D Assets Deliver StealC V2 Malware

Malicious .blend files on platforms like CGTrader execute Python scripts when opened, fetching PowerShell payloads. StealC V2 steals crypto wallets, browser data, and messaging apps.
Impact: Silent malware execution via trusted 3D modeling tools.
Mitigation: Disable AutoRun in Blender; verify asset sources.
Source: TheHackerNews

SitusAMC Hack Impacts Major US Banks

A November 12 breach at the real-estate lender exposed accounting records and legal agreements tied to JPMorgan Chase, Citi, and Morgan Stanley. No ransomware was deployed.
Source: SecurityWeek

WormGPT 4 and KawaiiGPT Democratize Cybercrime

Dark LLMs like WormGPT 4 ($50/month) and KawaiiGPT (free) automate phishing, malware creation, and reconnaissance. WormGPT 4 generates polymorphic ransomware, while KawaiiGPT has 500+ weekly users.
Source: SecurityWeek

Harvard University Breached Via Phone Phishing

Unauthorized access to Alumni Affairs systems exposed donor/student data (emails, addresses, donation details). No SSNs or passwords were compromised.
Source: SecurityWeek

Russia Arrests Cybersecurity Entrepreneur for Treason

Timur Kilin, 21, was detained for criticizing state-owned app Max and its vulnerabilities. He previously reported flaws exposing Russian data to “unfriendly countries.”
Source: DataBreaches

UK MPs Demand Software Vendor Liability for Cyber Incidents

A report calls for holding software developers liable for security flaws, citing attacks on Jaguar Land Rover and retailers. Proposals include mandatory breach reporting.
Source: DataBreaches
