November 30, 2025

Cyber OSINT Overview, Nov 24 - Nov 30, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • A resurgence of the “Shai-Hulud” npm worm, dubbed “The Second Coming”, has compromised hundreds of packages and exposed tens of thousands of GitHub repositories. This automated supply chain attack targets developer environments during the pre-install phase to steal secrets and credentials from CI/CD pipelines. It utilizes the Bun runtime to execute payloads and exfiltrates data to public GitHub repositories created by the malware. Major packages including those from Zapier, ENS Domains, and Postman were impacted.
  • A supply chain attack involving the Salesforce-integrated platform Gainsight has led to data exposure for multiple organizations. Threat actors, linked to the ‘Scattered LAPSUS$ Hunters’ alliance, utilized compromised tokens to access Salesforce instances via connected apps. Salesforce revoked tokens associated with Gainsight applications as a precaution, while Gainsight confirmed a breach of its own support systems. The incident highlights the risks of persistent access tokens in SaaS integrations.
  • Cybercriminals are aggressively targeting the holiday shopping season with sophisticated phishing and malvertising campaigns. Attackers have registered over 18,000 holiday-themed domains and are utilizing ‘fake gift’ surveys impersonating major brands like Lego and Louis Vuitton to steal banking details. There is also a noted surge in account takeover (ATO) fraud and the use of ‘ClickFix’ tactics to deliver malware via fake browser updates. Consumers are urged to be vigilant against brand impersonation and unsolicited offers.
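As an added example (not code from any of the cited sources), a small Python audit that flags the install-time lifecycle hooks the Shai-Hulud worm abuses, escalating any hook that invokes the Bun runtime or a download-and-execute chain; the sample manifests and their script contents are constructed for illustration.

```python
# Flag npm install-time lifecycle hooks (the phase the worm abuses).
# Added example; heuristics only, findings need a human look.
import json
import os
import re

# Scripts npm runs automatically during `npm install`, with no user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Bun runtime (used by the worm to run its payload) or a fetch-then-run chain.
SUSPICIOUS = re.compile(r"\bbun\b|\bcurl\b.*\|\s*(sh|bash)|\bwget\b|\bnode\s+-e\b")

def audit_manifest(name, manifest):
    """Return (level, package, hook, command) findings for one package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        level = "HIGH" if SUSPICIOUS.search(cmd) else "INFO"
        findings.append((level, name, hook, cmd))
    return findings

def audit_tree(root):
    """Walk node_modules (or any checkout) and audit every package.json."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest, skip it
        findings.extend(audit_manifest(manifest.get("name", path), manifest))
    return findings

# Constructed sample manifests (not real packages).
SAMPLES = {
    "benign-lib": {"scripts": {"test": "jest", "build": "tsc"}},
    "native-addon": {"scripts": {"install": "node-gyp rebuild"}},
    "dropper-lookalike": {"scripts": {"preinstall": "bun ./example_payload.js"}},
}

if __name__ == "__main__":
    for pkg, manifest in SAMPLES.items():
        for level, name, hook, cmd in audit_manifest(pkg, manifest):
            print(f"[{level}] {name}: {hook} -> {cmd}")
```

Pair this with `npm config set ignore-scripts true` on CI runners so lifecycle hooks never run unreviewed, then whitelist the few packages (native addons) that genuinely need an install script.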

Critical Vulnerabilities

  • A critical authentication bypass vulnerability (CVE-2025-61757) in Oracle Identity Manager is being actively exploited in the wild. The flaw, which has a CVSS score of 9.8, allows pre-authenticated remote code execution via improperly protected REST API endpoints. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
  • Fluent Bit is affected by five vulnerabilities, including a critical stack buffer overflow and authentication bypass issues. These flaws (CVE-2025-12970, CVE-2025-12969, and others) could allow attackers with network access to execute remote code or cause a denial of service. The vulnerabilities stem from improper sanitization of tags and plugin inputs.
  • A security flaw in Microsoft Teams B2B Guest Access allows attackers to bypass Microsoft Defender for Office 365 protections. When a user accepts a guest invite to an external tenant, security controls are dictated by the hosting environment, potentially creating a ‘protection-free zone’ for delivering malware. This configuration issue can be exploited with a single invite.
  • CISA added a cross-site scripting vulnerability (CVE-2021-26829) in OpenPLC ScadaBR to its KEV catalog, confirming active exploitation. The flaw in the system settings component allows remote attackers to inject malicious scripts, potentially hijacking sessions or modifying critical industrial control configurations. Federal agencies are required to remediate this by mid-December.
  • GeoServer has issued a security advisory for critical vulnerabilities in versions prior to 2.28.1, including CVE-2025-58360, which is reportedly being exploited in the wild. This flaw is an XML External Entity (XXE) vulnerability that can lead to information disclosure or server-side request forgery. Users are urged to update immediately.

Major Incidents

  • The CodeRED emergency notification system, used by US law enforcement and municipalities, has been permanently shut down following a ransomware attack. The vendor, Crisis24, decommissioned the legacy platform after data including PII and passwords was stolen. Agencies are scrambling to switch to a new platform or alternative services.
  • Three West London councils (Kensington and Chelsea, Westminster, Hammersmith and Fulham) are suffering significant IT disruptions due to a cyberattack on a shared services provider. The incident has affected online services and phone lines, prompting the involvement of the National Crime Agency and NCSC.
  • Japanese beverage giant Asahi Group Holdings disclosed that a ransomware attack in September likely exposed personal data of approximately 2 million customers and employees. While operations in Japan were severely disrupted, no data has been confirmed leaked online yet. The attack involved the Qilin ransomware group.
  • OpenAI confirmed a data breach involving its third-party analytics provider, Mixpanel. The incident exposed limited metadata of API users, including emails and names, but did not compromise OpenAI’s core systems or ChatGPT user data. Mixpanel was removed from OpenAI’s production environment following the breach.
  • The French Football Federation (FFF) suffered a data breach where attackers accessed centralized administrative software via a compromised account. Sensitive PII of club members and licensees, including passport details and addresses, was stolen. This is the second significant cyber incident for the FFF in two years.

Emerging Threats

  • The ‘ClickFix’ social engineering technique is evolving, now using fake ‘Windows Update’ splash screens and ‘Google Meet’ errors to trick users into pasting malicious PowerShell commands. These attacks increasingly use steganography to hide malware within image files, bypassing traditional detection methods. This technique is being used to deliver infostealers like LummaC2 and Rhadamanthys.
  • Malicious Large Language Models (LLMs) like ‘WormGPT 4’ and ‘KawaiiGPT’ are being commercialized on the underground market. These tools are specifically designed for cybercrime, offering capabilities to generate phishing lures, write polymorphic malware, and automate reconnaissance without ethical guardrails. They lower the barrier to entry for less skilled attackers.
  • A new Mirai-based botnet variant named ‘ShadowV2’ was observed targeting IoT devices during a recent AWS outage. It exploits vulnerabilities in devices from vendors like D-Link and TP-Link to launch DDoS attacks. Its activity suggests it may have been a test run for broader future campaigns.
  • Threat actors are exposing massive amounts of sensitive secrets by pasting them into public code formatting sites like JSONFormatter and CodeBeautify. Researchers scraped these sites and found thousands of credentials, API keys, and private keys, impacting critical sectors. This highlights a persistent user behavior issue leading to data leakage.
  • A new Android malware-as-a-service named ‘Albiriox’ has emerged, offering advanced remote access features like VNC streaming for on-device fraud. It targets over 400 financial and crypto applications, allowing attackers to bypass 2FA and device fingerprinting by manually operating the victim’s device.

Regulatory and Policy Updates

  • California has enacted a new law requiring web browsers to offer a ‘universal opt-out’ mechanism for data sharing, effective 2027. Experts believe this will likely force browsers to implement the feature nationally to avoid fragmentation, significantly impacting the data broker industry. The law applies to California residents even when traveling.
  • New US legislation, the ‘AI Fraud Deterrence Act’, has been introduced to increase criminal penalties for fraud committed using AI. The bill proposes significant fines and prison sentences for using AI to generate fake audio/video for scams or impersonating government officials, following a rash of AI-assisted incidents.
  • The US House Homeland Security Committee has called on the CEO of Anthropic to testify regarding a Chinese espionage campaign that utilized their AI tool, Claude. The hearing aims to address the national security implications of AI-facilitated cyber attacks and how policymakers should respond.
  • EU member states have agreed on a negotiating mandate for the Child Sexual Abuse Regulation, which would permanently extend voluntary scanning for abuse material by online platforms and establish a new EU center for child protection. The agreement moves the controversial law closer to implementation despite privacy concerns.

Security Operations

  • Microsoft will enforce a new Content Security Policy for Entra ID sign-ins starting in late 2026, blocking the execution of external scripts. This move aims to mitigate XSS attacks and prevent unauthorized code execution during the authentication process. Admins are advised to audit their environments for tools that inject scripts into sign-in pages.
  • Integrating threat intelligence with vulnerability management is increasingly vital to prioritize risks effectively. By enriching vulnerability data with real-time intelligence on active exploitation and attacker interest, organizations can move from reactive patching to proactive risk reduction, focusing on the vulnerabilities that actually matter.
  • Managing ‘Shadow AI’ has become a priority for CIOs as employees use unapproved AI tools. Strategies include establishing clear guardrails (approved, restricted, forbidden lists), maintaining continuous inventory and visibility of AI usage, and potentially using secure API proxies to allow safe experimentation.
  • The concept of ‘Defense Against Configurations’ is highlighted as a critical challenge, where default or misconfigured settings in operating systems and applications create pervasive vulnerabilities. Addressing these configuration drifts is as important as patching software vulnerabilities.

Wins

  • Polish authorities detained a Russian citizen suspected of hacking Polish companies and e-commerce platforms. The suspect, who entered the country illegally, is accused of breaching security systems to access and manipulate databases. This arrest is part of a broader crackdown on Russian-linked sabotage and espionage in the region.
  • Comcast agreed to pay a $1.5 million fine to the FCC to settle an investigation into a data breach at a third-party vendor (FBCS). The settlement includes a compliance plan to strengthen vendor oversight, demonstrating regulatory enforcement holding companies accountable for their supply chain security.
  • Google has filed a lawsuit under the RICO Act against the ‘Smishing Triad’ cybercrime group to dismantle their ‘Lighthouse’ phishing-as-a-service platform. This legal action aims to disrupt the infrastructure used to defraud millions of victims via SMS scams.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.