Date: 2025-12-01

Hackers aren't kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and "trusted" partners — and turn them against us.

One bad download can leak your keys. One weak vendor can expose many customers at once. One guest invite, one link on a phone, one bug in a common tool, and suddenly your mail, chats, repos, and servers are in play.

Every story below is a reminder that your "safe" tools might be the real weak spot.

⚡ Threat of the Week

Shai-Hulud Returns with More Aggression — The npm registry was hit a second time by a self-replicating worm, this one going by the moniker "Sha1-Hulud: The Second Coming," which affected over 800 packages and 27,000 GitHub repositories. As in the previous iteration, the main objective was to steal sensitive data such as API keys, cloud credentials, and npm and GitHub authentication tokens, and to use them for deeper supply chain compromise in a worm-like fashion. The malware also created GitHub Actions workflows to serve as a command-and-control (C2) channel and injected workflows that steal repository secrets. In addition, it backdoored every npm package maintained by the victim, republishing them with malicious payloads that run during package installation. "Rather than relying solely on Node.js, which is more heavily monitored, the malware dynamically installs Bun during package installation, benefiting from its high performance and self-contained architecture to execute large payloads with improved stealth," Endor Labs said. "This shift likely helps the malware evade traditional defenses tuned specifically to observe Node.js behavior." GitGuardian's analysis revealed a total of 294,842 secret occurrences, corresponding to 33,185 unique secrets. Of these, 3,760 were still valid as of November 27, 2025. They included GitHub access tokens, Slack webhook URLs, GitHub OAuth tokens, AWS IAM keys, OpenAI Project API keys, Slack bot tokens, Claude API keys, Google API keys, and GitLab tokens. Trigger.dev, one of whose engineers installed a compromised package on a development machine, said the incident led to credential theft and unauthorized access to its GitHub organization. The Python Package Index (PyPI) said it was not impacted by the incident. Because the payload runs from an install-time hook with the installing user's privileges, any developer or CI machine that installed an affected version should be treated as compromised, and every credential reachable from that environment, not just the npm token, should be rotated.

🔔 Top News

ToddyCat Steals Outlook Emails and Microsoft 365 Access Tokens — The threat actor behind the ToddyCat advanced persistent threat (APT) toolkit has moved on to stealing Outlook mail data and Microsoft 365 access tokens. The group refined its toolkit in late 2024 and early 2025 to capture not only browser credentials, as seen previously, but also victims' actual email archives and access tokens. The activity marks the second major shift in ToddyCat's tooling this year, following an April 2025 campaign in which the group abused a vulnerability in ESET's security scanner to deliver a previously undocumented malware codenamed TCESB. A stolen access token lets an attacker read mailbox data through Microsoft 365 APIs without the user's password or an MFA prompt for as long as the token remains valid, so token revocation and a sign-in review belong in the response alongside password resets.

🔥 Trending CVEs

Attackers move fast and can weaponize a new bug within hours, so a single missed update can turn into a major breach. Here are this week's most serious security flaws. Check them, fix what matters first, and stay protected.

This week's list includes — CVE-2025-12972, CVE-2025-12970, CVE-2025-12978, CVE-2025-12977, CVE-2025-12969 (Fluent Bit), CVE-2025-13207, CVE-2024-24481 (Tenda), CVE-2025-62164 (vLLM), CVE-2025-12816 (Forge), CVE-2025-59373 (ASUS MyASUS), CVE-2025-59366 (ASUS routers), CVE-2025-65998 (Apache Syncope), CVE-2025-13357 (HashiCorp Vault Terraform Provider), CVE-2025-33183, CVE-2025-33184 (NVIDIA Isaac-GR00T), CVE-2025-33187 (NVIDIA DGX Spark), CVE-2025-12571, CVE-2024-9183 (GitLab CE/EE), CVE-2025-66035 (Angular HttpClient), and an unauthenticated DoS vulnerability in Next.js (no CVE).

📰 Around the Cyber World

Poland Detains Russian Citizen Over Hack — Polish authorities detained a Russian citizen suspected of hacking into the IT systems of local companies, the latest case that Warsaw has linked to Moscow's sabotage and espionage efforts. The suspect allegedly broke into an online retailer's systems without authorization and tampered with its databases in a way that could have disrupted operations. The suspect's identity has not been disclosed.

🔧 Cybersecurity Tools

LUMEN — A browser-based Windows Event Log analyzer that runs entirely on your machine. Analysts can upload multiple EVTX files, run SIGMA detections, correlate events into storylines, extract IOCs, and export findings, all without data leaving the device. Designed for offline investigations, it supports curated and custom SIGMA rules, dashboards, and local session storage for privacy-focused log analysis. Before loading sensitive logs, confirm the no-egress claim yourself by watching the browser's network activity while a file is processed.

Pi-hole — A network-wide DNS sinkhole that blocks ads, trackers, and unwanted domains at resolution time, before your devices ever connect to them. Installed on local hardware or a server and set as the network's DNS resolver, it needs no client software and provides a dashboard and CLI for monitoring, custom blocklists, and DNS control. Note that it filters DNS lookups rather than traffic in general: clients with hard-coded resolvers or DNS-over-HTTPS bypass it unless outbound DNS is forced through it at the firewall.

Disclaimer: These tools are for learning and research only. They haven't been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws.

Conclusion

If there's one theme this week, it's this: nobody is "too small" or "too boring" to be a target anymore. The weak link is usually something simple — a package no one checked, a vendor no one questioned, a "temporary" token that never got revoked, a guest account nobody owns. Attackers love that stuff because it works.

So don't just close this tab and move on. Pick one thing from this recap you can act on today — rotate a set of keys, tighten access for one vendor, review guest accounts, lock down an update path, or fix one high-risk bug. Then share this with the people who can break things and fix things with you. The gap between "we should do this" and "we actually did" is where most breaches live.