Issues

OpenAI Discloses API Customer Data Breach Via Mixpanel Vendor Hack

OpenAI reported a data breach affecting some API customers due to a Mixpanel hack, disclosing limited identifying information such as names and email addresses. No sensitive data like passwords or payment details were compromised. OpenAI has removed Mixpanel from its services and is investigating the incident, advising affected users to be cautious of potential phishing attempts.

https://www.bleepingcomputer.com/news/security/openai-discloses-api-customer-data-breach-via-mixpanel-vendor-hack/

As Space Becomes Warfare Domain, Cyber Is on the Frontlines

Space has become an active domain of warfare, with cyberattacks now considered the primary threat. Ground stations are identified as the most significant vulnerability for satellite operators, making them central targets. Countries like Russia and China are already engaged in hybrid warfare in space, such as satellite jamming. As satellite systems become more interconnected, their cyberattack surface grows. Although most attacks so far are basic, more advanced threats are expected. Security experts recommend supply chain control and a ‘security by design’ approach throughout missions.

https://www.govinfosecurity.com/as-space-becomes-warfare-domain-cyber-on-frontlines-a-30148

Hottest Cybersecurity Open-source Tools of the Month: November 2025

November 2025 highlights notable open-source cybersecurity tools:

  1. Heisenberg – checks software supply chain health.
  2. VulnRisk – vulnerability assessment platform.
  3. sqlmap – automates SQL injection testing.
  4. ProxyBridge – routes Windows app traffic through proxies.
  5. Sprout – fast, secure bootloader.
  6. Strix – AI agents for penetration testing.
  7. Metis – AI-driven code security review tool.
  8. cnspec – manages security for cloud-native setups.

Explore these tools for robust security strategies.

https://www.helpnetsecurity.com/2025/11/27/hottest-cybersecurity-open-source-tools-of-the-month-november-2025/

Fake LinkedIn Jobs Trick Mac Users Into Downloading Flexible Ferret Malware

Mac users are being targeted with fake LinkedIn job offers that lead them to download Flexible Ferret malware disguised as a software update. Attackers impersonate recruiters to steal passwords and gain covert access through a backdoor. Individuals are advised to keep software updated, avoid running unverified commands, use real-time anti-malware, and verify sender authenticity to stay safe.

https://www.malwarebytes.com/blog/news/2025/11/fake-linkedin-jobs-trick-mac-users-into-downloading-flexible-ferret-malware

Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

Leaks from JSONFormatter and CodeBeautify expose thousands of sensitive records, including passwords and API keys. Research identified over 80,000 files revealing credentials from sectors such as government and finance. Both tools allowed users to store and share links to pasted content, making sensitive data accessible to malicious actors. The affected functionality has been temporarily disabled amid security concerns, and organizations are warned against using such platforms for sensitive information.

https://thehackernews.com/2025/11/years-of-jsonformatter-and-codebeautify.html

New ClickFix Wave Infects Users With Hidden Malware in Images and Fake Windows Updates

A new ClickFix campaign mimics Windows updates to distribute malware. Attackers display fake update screens that prompt users to run commands, and the resulting infection uses steganography to hide the malicious payload inside image files. Users are urged to be cautious with commands from untrusted sources, limit copy-pasting, and use antivirus software for protection.

https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-users-with-hidden-malware-in-images-and-fake-windows-updates

The Golden Scale: ‘Tis the Season for Unwanted Gifts

SLSH (Scattered LAPSUS$ Hunters) has resumed activity, claiming to have accessed Salesforce data through a Gainsight breach and threatening to leak the information unless a ransom is paid before a self-imposed deadline. Their new ransomware, “ShinySp1d3r,” currently targets Windows, with plans for broader compatibility. There are also reports of insider recruitment attempts and involvement in large-scale data theft. With a volatile holiday season approaching, cybersecurity vigilance is critical as SLSH escalates its threats against a range of organizations.

https://unit42.paloaltonetworks.com/new-shinysp1d3r-ransomware/

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

Rey, admin of the notorious cybercriminal group “Scattered LAPSUS$ Hunters” (SLSH), has been identified following an interview in which he confirmed his real identity. SLSH, comprising three hacking groups, has extorted major corporations through social engineering, including companies like Toyota and FedEx. Rey previously managed data leak operations for other ransomware groups and recently launched a new ransomware service called ShinySp1d3r. Despite his earlier involvement in cybercrime, Rey, now 15, claims to be trying to distance himself from criminal activity and has communicated with law enforcement about his role. His digital footprints, however, led to his identification.

https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/

Lifetime Access to WormGPT 4 Costs Just $220

WormGPT 4, a malicious AI tool, costs $220 for lifetime access, allowing cybercriminals to easily generate malware and phishing attempts without requiring extensive technical knowledge. This AI can create ransomware scripts and other malicious code, significantly lowering entry barriers for attackers. Another model, KawaiiGPT, is free and also capable of producing harmful scripts, exemplifying the growing accessibility of malicious AI tools.

https://www.theregister.com/2025/11/25/wormgpt_4_evil_ai_lifetime_cost_220_dollars/

Botnet Takes Advantage of AWS Outage to Smack 28 Countries

Mirai-based botnet ShadowV2 emerged during an AWS outage, infecting IoT devices globally and potentially testing for future attacks, as reported by Fortinet. It exploited device vulnerabilities to orchestrate DDoS attacks, affecting 28 countries across various sectors. Although its activity was limited to the outage period, it highlights ongoing IoT security weaknesses, prompting calls for better device protection and monitoring.

https://www.theregister.com/2025/11/26/miraibased_botnet_shadowv2/

The Letter — Stop Hacklore!

CISOs and security experts debunk common cybersecurity myths affecting everyday individuals and small businesses, advocating for updated, fact-based guidance. They criticize outdated advice such as avoiding public Wi-Fi and regularly changing passwords, instead recommending practical measures such as keeping devices updated, using multi-factor authentication, and employing password managers. They call on software manufacturers to make systems secure by design and to support better security practices, and urge communicators to promote realistic, effective cybersecurity strategies.

https://www.hacklore.org/letter

Advanced Security Isn’t Stopping Old Phishing Tactics

Phishing attacks consistently evade modern enterprise security, according to Okta’s multi-organization study. Even mature companies with advanced defenses remain vulnerable, especially since many do not regularly use phishing-resistant authentication. Attackers rely on widely available proxy tools, and breaches often go undetected until system alerts are triggered. U.S. companies and Office 365 accounts are prime targets. Increased cross-company information sharing shows promise as a defense, but evolving phishing techniques keep the threat persistent.

https://www.darkreading.com/cyberattacks-data-breaches/advanced-security-phishing-tactics

CISA Warns of Active Spyware Campaigns Hijacking High-Value Signal and WhatsApp Users

CISA warns of active spyware campaigns targeting Signal and WhatsApp users, using social engineering and commercial spyware to gain unauthorized access. High-value individuals, including government officials, are the primary targets. Notable campaigns abuse app features and security flaws to deploy malware. Users are advised to use encrypted communications, avoid SMS-based MFA, keep software updated, and lock down app permissions.

https://thehackernews.com/2025/11/cisa-warns-of-active-spyware-campaigns.html

Stop Putting Your Passwords Into Random Websites (Yes, Seriously, You Are The Problem)

TL;DR: watchTowr researchers discovered over 80,000 exposed credentials and sensitive data inadvertently shared on online code formatters like JSONFormatter and CodeBeautify, affecting numerous critical sectors. The mishaps illustrate the risks of sharing sensitive information online, demonstrating a lack of understanding of confidentiality practices. Organizations must cease using random platforms for credential storage to mitigate potential threats.

https://labs.watchtowr.com/stop-putting-your-passwords-into-random-websites-yes-seriously-you-are-the-problem/

Live Updates: Sha1-Hulud, The Second Coming

TL;DR: A major resurgence of the Shai-Hulud malware, now called “Sha1-Hulud: The Second Coming,” has compromised over 800 npm packages and tens of thousands of GitHub repos. It embeds credential-stealing payloads and can delete users' home directories if its payload fails. It abuses GitHub Actions for remote code execution, allowing attackers to run commands through victim accounts. Organizations should scan endpoints, remove affected packages, rotate credentials, and audit workflows to mitigate the risk.

https://www.koi.ai/incident/live-updates-sha1-hulud-the-second-coming-hundred-npm-packages-compromised
