Daily Digest

Massive 'Sha1-Hulud' Supply Chain Attack Compromises 25,000+ GitHub Repos; CISA Warns of Multiple Actively Exploited Zero-Days

Massive 'Sha1-Hulud' Supply Chain Attack Compromises 25,000+ GitHub Repos; CISA Warns of Multiple Actively Exploited Zero-Days

November 25, 2025
2 articles (1 new, 1 updated)
10 min read

Summary

This intelligence briefing for November 25, 2025, covers a massive software supply chain attack named 'Sha1-Hulud' that has compromised over 25,000 GitHub repositories via malicious npm packages. Additionally, CISA has issued directives for actively exploited zero-day vulnerabilities in Oracle Identity Manager, Google Chrome, and Fortinet's FortiWeb. Other major threats include the Akira ransomware group targeting M&A activities, a surge in Black Friday phishing scams, and a data breach at a major banking vendor, SitusAMC.

Filter by Category

New Articles (1)

Akira Ransomware Targets M&A Blind Spots, Breaching Firms via Inherited SonicWall Devices

HIGH

Akira Ransomware Exploits M&A Security Gaps by Infiltrating Networks Through Unpatched SonicWall Appliances

The Akira ransomware group is exploiting security blind spots created during corporate mergers and acquisitions (M&A). According to research by ReliaQuest, Akira affiliates are gaining initial access to acquiring companies by compromising vulnerable SonicWall SSL VPN appliances inherited from smaller, acquired firms. Attackers leverage the fact that the acquiring organizations are often unaware of these unpatched, legacy devices on their new network. Once inside, they use zombie credentials and move laterally, with the time from lateral movement to ransomware deployment averaging less than one hour, highlighting a rapid and effective attack chain.

November 25, 2025
5 min read
AkiraransomwareM&ASonicWallsupply chain +2 more
Akira Ransomware Targets M&A Blind Spots, Breaching Firms via Inherited SonicWall Devices
Ransomware
Threat Actor
Cyberattack

Updated Articles (1)

URGENT: CISA Orders 7-Day Patch for Actively Exploited FortiWeb Zero-Day

CRITICAL

Fortinet Discloses Critical FortiWeb Zero-Day (CVE-2025-58034) Under Active Attack; CISA Issues Emergency Directive

Update:

Fortinet has provided critical updates regarding the actively exploited FortiWeb zero-day, CVE-2025-58034. While rated medium severity (CVSS 6.7) in isolation, it can be chained with the previously disclosed path-traversal vulnerability, CVE-2025-64446, to achieve unauthenticated remote code execution. This chain allows attackers to bypass authentication, create an admin account, and then exploit CVE-2025-58034 for full system takeover. Fortinet has released specific patched versions, including 7.0.12, 7.2.12, 7.4.11, 7.6.6, and 8.0.2, urging immediate upgrades. Widespread scanning for CVE-2025-64446 has been detected, indicating active targeting. New detection methods include monitoring for unauthorized admin account creation and web server processes spawning shells.

November 20, 2025
Updated: November 25, 2025
5 min read
Zero-DayWAFCommand InjectionCISAKEV +2 more
URGENT: CISA Orders 7-Day Patch for Actively Exploited FortiWeb Zero-Day
Vulnerability
Patch Management
Cyberattack

📢 Share This Publication

Help others stay informed about cybersecurity threats