#supply-chain-attack

Malicious npm packages targeted Ethereum developers by stealing wallet keys. A GitHub supply chain attack compromised over 2,000 accounts. Kazakhstan’s energy sector faced phishing from Noisy Bear. Malware was hidden in SVG files impersonating Colombia’s judiciary. The Czech cyber agency warned against Chinese technology in infrastructure. iCloud Calendar abuse enabled phishing emails to bypass spam filters.

A worm-style supply chain attack hit over 180 npm packages, spreading through stolen developer credentials. Apple rolled out major security patches for iOS and macOS, addressing dozens of vulnerabilities and an actively exploited zero-day. Jaguar Land Rover extended factory shutdowns for a fourth week due to an ongoing cyberattack. Microsoft and Cloudflare disrupted the RaccoonO365 phishing kit, seizing hundreds of domains. Fashion giant Kering confirmed a data breach exposing customer data from Gucci, Balenciaga, and Alexander McQueen brands.

Major supply chain attacks dominated headlines, with Salesloft’s GitHub compromise leading to widespread Salesforce data breaches and GhostAction exposing thousands of secrets on GitHub. Attackers also hijacked popular npm packages, injecting malware into billions of downloads. Wealthsimple confirmed a vendor breach affecting 30,000 customers, while SAP S/4HANA users were urged to patch a critical flaw under active exploitation. The US sanctioned operators of cyber scam centres in Myanmar and Cambodia, expanding international enforcement against fraud. Other reports included a ransomware breach at Lovesac and disruption at Jaguar Land Rover.