Daily Digest

Supply Chain Attacks Surge as North Korean Hackers Flood NPM; CISA Issues Urgent Mobile & ICS Alerts

Supply Chain Attacks Surge as North Korean Hackers Flood NPM; CISA Issues Urgent Mobile & ICS Alerts

November 28, 2025
8 articles (8 new)
24 min read

Summary

This cybersecurity advisory for November 27-28, 2025, highlights a significant escalation in software supply chain attacks, underscored by a North Korean campaign that flooded the NPM registry with nearly 200 malicious packages. Concurrently, CISA has issued critical warnings, adding an exploited ICS vulnerability (CVE-2021-26829) to its KEV catalog and releasing urgent guidance for mobile device security against commercial spyware. Other major incidents include a data breach at the French Football Federation exposing player information, a massive leak of over 17,000 secrets on public GitLab repositories, and evolving tactics from APT groups like Bloody Wolf and Tomiris targeting government entities across Central Asia.

Filter by Category

New Articles (8)

French Football Federation Data Breach Exposes Player Info Via Single Compromised Account

HIGH

French Football Federation Discloses Major Data Breach Affecting 2.3 Million Licensees After Attacker Used Compromised Privileged Account

The French Football Federation (FFF) announced a significant data breach on November 28, 2025, after an attacker gained access to a centralized administrative software platform using a single compromised user account. The breach exposed the personally identifiable information (PII) of a large number of its 2.3 million members, including names, contact details, and birth dates. The attackers did not exploit a software vulnerability but rather leveraged stolen credentials to gain administrative control. In response, the FFF disabled the account, forced a password reset for all users, and notified both the French data protection authority (CNIL) and the national cybersecurity agency (ANSSI). This incident highlights the critical risk posed by credential compromise and the trend of cyberattacks targeting sports organizations.

November 28, 2025
6 min read
Data BreachCredential CompromisePIIGDPRPhishing +1 more
French Football Federation Data Breach Exposes Player Info Via Single Compromised Account
Data Breach
Cyberattack
Phishing

IT Professional Jailed for 7 Years in Australia for 'Evil Twin' Wi-Fi Attacks on Flights

HIGH

Australian IT Guru Michael Clapsis Sentenced to Over 7 Years for Using Wi-Fi Pineapple to Steal Credentials and Intimate Images

An Australian IT professional, Michael Clapsis, has been sentenced to seven years and four months in prison for conducting sophisticated 'evil twin' Wi-Fi attacks. Using a Wi-Fi Pineapple device, he created rogue Wi-Fi hotspots at airports and on flights to trick travelers into entering their credentials into a phishing portal. Clapsis then used this access to infiltrate the online accounts of multiple women, stealing thousands of private images and videos. The Australian Federal Police (AFP) investigation began after airline staff reported a suspicious network. Clapsis also attempted to obstruct the investigation by deleting evidence and abusing his IT privileges at work to spy on meetings between his employer and the AFP.

November 28, 2025
5 min read
Evil TwinWi-Fi PineappleMan-in-the-MiddlePhishingCybercrime +1 more
IT Professional Jailed for 7 Years in Australia for 'Evil Twin' Wi-Fi Attacks on Flights
Cyberattack
Phishing
Threat Intelligence

Massive Scan of Public GitLab Repositories Uncovers Over 17,000 Live Secrets

HIGH

Security Researcher Finds 17,430 Verified Secrets, Including GCP Keys and GitLab Tokens, in 5.6 Million Public GitLab Repositories

A security engineer, Luke Marshall, conducted a large-scale scan of all 5.6 million public repositories on GitLab Cloud, uncovering 17,430 verified, live secrets. The exposed credentials include thousands of API keys and access tokens for over 2,800 unique domains, with Google Cloud Platform (GCP) keys being the most common. The scan, performed using the open-source tool TruffleHog, highlights the pervasive issue of developers hardcoding secrets in public code. Alarmingly, 406 valid GitLab access tokens were found within GitLab's own repositories. The research also uncovered 'zombie secrets' that have remained valid for over a decade, posing a long-term risk. Marshall's responsible disclosure efforts led to multiple bug bounty payouts.

November 28, 2025
6 min read
GitLabSecrets ManagementHardcoded SecretsDevSecOpsCloud Security +2 more
Massive Scan of Public GitLab Repositories Uncovers Over 17,000 Live Secrets
Cloud Security
Security Operations
Supply Chain Attack

Legacy Python Scripts Create Dormant Supply Chain Risk via Abandoned Domain

HIGH

ReversingLabs Uncovers Latent Domain-Takeover Risk in PyPI Packages Using Legacy 'zc.buildout' Scripts

Security researchers at ReversingLabs have identified a long-dormant supply chain vulnerability within the Python ecosystem affecting packages that use the legacy 'zc.buildout' tool. Outdated bootstrap scripts (`bootstrap.py`) found in several PyPI packages contain hardcoded references to an abandoned domain, `python-distribute.org`. This domain, once used for a fork of the Setuptools project, is now for sale. An attacker could purchase the domain, host malicious code, and automatically compromise any developer or build system that runs one of these legacy scripts. This creates a direct vector for malware injection, exposing an unknown number of projects to a decade-old risk.

November 28, 2025
6 min read
PythonPyPISupply Chain AttackDomain TakeoverReversingLabs +1 more
Legacy Python Scripts Create Dormant Supply Chain Risk via Abandoned Domain
Supply Chain Attack
Vulnerability
Security Operations

'Adversarial Poetry' Emerges as Universal Jailbreak for Major LLMs

HIGH

Researchers Discover 'Adversarial Poetry' Can Universally Bypass Safety Guardrails on 25 Major Large Language Models

A new research paper has unveiled a simple yet powerful technique, dubbed 'adversarial poetry,' that can consistently bypass the safety guardrails of major Large Language Models (LLMs). By reformulating harmful prompts into verse, researchers were able to achieve jailbreak success rates up to 18 times higher than with plain text. The technique proved effective as a 'universal single-turn jailbreak' across 25 different AI models, including both proprietary and open-source ones. It successfully generated content related to dangerous topics like CBRN threats and cyber-offenses, revealing a fundamental weakness in current AI alignment strategies that appear overly sensitive to a prompt's style rather than its semantic content.

November 28, 2025
6 min read
LLMAI SecurityJailbreakPrompt InjectionAdversarial AI +1 more
'Adversarial Poetry' Emerges as Universal Jailbreak for Major LLMs
Other
Threat Intelligence

Bloody Wolf APT Shifts Tactics, Using Legitimate RATs to Target Central Asian Governments

HIGH

Bloody Wolf APT Expands Cyber-Espionage Campaign to Kyrgyzstan and Uzbekistan, Leveraging NetSupport RAT

The cyber-espionage group 'Bloody Wolf' has expanded its campaign, now targeting government entities in Kyrgyzstan and Uzbekistan. According to research from Group-IB, the APT group has evolved its tactics, moving away from custom malware to a more streamlined, Java-based delivery method. The new attack chain tricks victims into installing the legitimate NetSupport Manager remote administration tool (RAT). By using a widely recognized commercial tool, Bloody Wolf aims to evade detection by blending its malicious activities with normal administrative network traffic, sustaining its long-term espionage and data exfiltration goals.

November 28, 2025
6 min read
Bloody WolfAPTCyber EspionageNetSupportRAT +2 more
Bloody Wolf APT Shifts Tactics, Using Legitimate RATs to Target Central Asian Governments
Threat Actor
Cyberattack
Threat Intelligence

CISA Adds Actively Exploited OpenPLC XSS Flaw to KEV Catalog After Hacktivist Attacks

CRITICAL

CISA Orders Federal Agencies to Patch OpenPLC ScadaBR XSS Flaw (CVE-2021-26829) Following Active Exploitation by Pro-Russian Group TwoNet

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, CVE-2021-26829, to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on November 28, 2025, follows confirmed reports of active exploitation by the pro-Russian hacktivist group TwoNet. The group was observed using the flaw to deface the HMI of an industrial control system honeypot. The medium-severity vulnerability allows an attacker with access to the system to inject malicious scripts. Federal agencies are now required to patch the flaw by December 19, 2025, to protect against this confirmed threat to ICS/OT environments.

November 28, 2025
7 min read
CISAKEVCVE-2021-26829OpenPLCICS +4 more
CISA Adds Actively Exploited OpenPLC XSS Flaw to KEV Catalog After Hacktivist Attacks
Vulnerability
Industrial Control Systems
Threat Actor

Tomiris APT Refines Toolkit, Using Discord and Telegram for C2 in Diplomatic Attacks

HIGH

Tomiris APT Enhances Espionage Campaign Against Diplomatic Targets in Russia and Central Asia with New Tools

The cyber-espionage group 'Tomiris' has upgraded its tactical arsenal in a new wave of attacks targeting diplomatic and government organizations in Russia and Commonwealth of Independent States (CIS) countries. According to a new report from Kaspersky, the APT group is now using public services like Discord and Telegram for command-and-control (C2) communications to better evade detection. The group uses tailored spear-phishing emails to deliver a variety of payloads, including reverse shells and custom backdoors, and deploys specialized 'FileGrabber' malware to steal documents, demonstrating a focus on long-term intelligence gathering.

November 28, 2025
6 min read
TomirisAPTCyber EspionageDiscordTelegram +3 more
Tomiris APT Refines Toolkit, Using Discord and Telegram for C2 in Diplomatic Attacks
Threat Actor
Cyberattack
Threat Intelligence

📢 Share This Publication

Help others stay informed about cybersecurity threats