Highlights: npm Packages Breach, FBI Fraud Alert, CISO Dismissal at Campbell’s

ISMG compiles weekly cybersecurity incidents and breaches globally. This week highlights a critical vulnerability in Oracle that is being actively exploited, Shelly Pro 4PM’s denial-of-service issues, the discovery of a major npm attack dubbed “Shai-Hulud 2.0” that leaked sensitive information, and the FBI’s warning regarding escalating bank account takeover fraud. Notably, regulators have fined Comcast following a vendor breach, and Campbell’s has dismissed its CISO amid legal troubles and leaked audio tapes.
Critical Oracle Identity Manager Flaw Under Attack
A severe vulnerability within Oracle Identity Manager, which has been recently patched, is now being actively targeted by cyber adversaries, as flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
This vulnerability, designated CVE-2025-61757 and scoring 9.8 on the CVSS scale, affects versions 12.2.1.4.0 and 14.1.2.1.0. It allows unauthenticated attackers to execute remote code via the Oracle REST Web Services component.
Research from Searchlight Cyber indicates attackers can circumvent the authentication checks of OIM by appending specific strings like ?WSDL or ;.wadl to certain REST endpoints, misleading the system into permitting access to restricted interfaces.
This enables the attacker to reach a Groovy script validation endpoint designed solely for syntax checks, where, by exploiting Groovy’s annotation processing framework, they can execute arbitrary code, taking control of the server without the need for credentials.
CISA has added the flaw to its Known Exploited Vulnerabilities Catalog, urging federal agencies to patch urgently.
The corresponding fix released by Oracle is included in their October Critical Patch Update that remedies several other remotely exploitable vulnerabilities.
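As a defender's check for the bypass pattern described above, here is an added example (not code from the article, Searchlight Cyber, or Oracle) that scans web server access logs for REST requests carrying a bare ?WSDL query or a ;.wadl path suffix. The log lines and the /iam/rest/... path are constructed placeholders; the real endpoint paths are not given here.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines in combined log format; the /iam/rest/... path is a
# placeholder and does not name a real Oracle Identity Manager endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Nov/2025:10:01:02 +0000] "GET /iam/rest/example/op HTTP/1.1" 401 0
10.0.0.7 - - [21/Nov/2025:10:01:05 +0000] "GET /iam/rest/example/op?WSDL HTTP/1.1" 200 5120
10.0.0.7 - - [21/Nov/2025:10:01:09 +0000] "POST /iam/rest/example/op;.wadl HTTP/1.1" 200 88
10.0.0.9 - - [21/Nov/2025:10:02:00 +0000] "GET /static/app.js?v=WSDL HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_bypass_suffix(target: str) -> bool:
    """True when the request target ends in one of the two suffixes named in the advisory."""
    parts = urlsplit(target)
    # A bare ?WSDL query (not a key=value pair), compared case-insensitively.
    if parts.query.upper() == "WSDL":
        return True
    # A ;.wadl matrix parameter on the final path segment, e.g. /op;.wadl
    last = parts.path.rsplit("/", 1)[-1]
    return ";" in last and last.split(";", 1)[1].lower() == ".wadl"


def find_bypass_attempts(log_text: str) -> list[dict]:
    """One record per request carrying a bypass suffix. A 2xx on such a request is the
    strongest signal: the same path without the suffix should yield 401 for anonymous callers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_suffix(m["target"]):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "target": m["target"],
                "status": status,
                "succeeded": 200 <= status < 300,
            })
    return hits


if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```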
High-Severity DoS Vulnerabilities Found in Shelly Pro 4PM
Nozomi Networks has reported a high-severity vulnerability in the Shelly Pro 4PM smart power relay, which is used in both residential and commercial settings. A single oversized request is enough to take the device offline.
Tracked as CVE-2025-11243, this vulnerability is a result of improper JSON-RPC input handling, which triggers an immediate reboot upon receiving a payload of excessive size, as stated by the researchers.
The vulnerability affects approximately 30 API methods, providing multiple avenues for a potential denial-of-service condition. Although it does not allow for code execution or unauthorized data access, it can hinder essential connected automation functionalities until manually restored.
CISA has not logged any public exploitation of this vulnerability, and it is not remotely exploitable under default settings.
Shelly Group has rolled out firmware version 1.6.0 to address the issue, advising administrators to update their devices, restrict network exposure of control APIs, and isolate automation devices behind virtual private networks or firewalls.
Comcast Fined for Vendor Data Breach
The U.S. Federal Communications Commission has sanctioned Comcast Cable Communications with a $1.5 million civil fine following a vendor data breach that exposed personally identifiable information (PII) of over 237,000 cable subscribers, as detailed in a recent consent decree.
The FCC Enforcement Bureau reported that the breach occurred between February 14 and 26, 2024, when a hacker compromised Financial Business and Consumer Solutions, a former debt-collection vendor. Despite the cessation of their business relationship in 2022, the vendor retained Comcast subscriber data at the time of the breach.
Exposed information included subscriber names, physical addresses, birth dates, account numbers, as well as internal Comcast and vendor identifiers, and segments of Social Security numbers.
The FCC found that Comcast contravened Sections 631(c) and 631(e) of the Cable Communications Policy Act, which require cable operators to prevent unauthorized access to subscriber data and to destroy it once it is no longer needed.
Under the settlement, Comcast must establish a three-year compliance initiative managed by a designated officer, developing a comprehensive vendor-management framework to mitigate future breaches.
Shai-Hulud 2.0: A Major npm Supply Chain Attack
A recently discovered supply chain attack, termed “Shai-Hulud 2.0,” has targeted npm (Node Package Manager), compelling developers and organizations to engage in emergency remediation efforts.
The malicious payload, concealed in files such as setup_bun.js, employs the under-the-radar Bun runtime to evade detection mechanisms that look for Node.js activity. Upon execution, the malware seeks out sensitive credentials, including npm tokens and other secrets, and exfiltrates them to locations controlled by the attackers.
Initial analyses reveal worm-like characteristics that facilitate automatic infections of other packages managed by affected developers. Alarmingly, the malware also has a ‘dead man’s switch’ mechanism threatening data loss if its infection or exfiltration pathways are disrupted.
In total, 621 npm packages were compromised, affecting 25,000 GitHub repositories, with 14,000 secrets leaked. This incident follows the original Shai-Hulud breach, which marked one of the most severe JavaScript supply chain attacks on record.
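The two indicators the write-up names, the setup_bun.js dropper and install-time use of the Bun runtime, can be checked for in a local dependency tree. This is an added example, not code from the article or from any of the cited analyses; the package names and scripts in the fixture are constructed, and treating any install hook that calls bun as suspicious is a heuristic assumption.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators from the write-up: a dropper named setup_bun.js and install-time hooks that
# hand off to Bun. Matching every hook that mentions bun is a heuristic and will also flag legitimate Bun users.
DROPPER_NAME = "setup_bun.js"
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
BUN_RE = re.compile(r"\bbunx?\b|setup_bun\.js", re.IGNORECASE)


def scan_package(pkg_dir: Path) -> list[str]:
    """Check one package directory for the dropper file and suspicious install hooks."""
    findings = []
    if (pkg_dir / DROPPER_NAME).is_file():
        findings.append(f"{pkg_dir.name}: contains {DROPPER_NAME}")
    manifest = pkg_dir / "package.json"
    try:
        scripts = json.loads(manifest.read_text(encoding="utf-8")).get("scripts", {})
    except (OSError, ValueError, AttributeError):
        return findings  # missing or malformed manifest: nothing more to check
    for hook in LIFECYCLE_HOOKS:
        cmd = str(scripts.get(hook, ""))
        if BUN_RE.search(cmd):
            findings.append(f"{pkg_dir.name}: {hook} runs '{cmd}'")
    return findings


def scan_tree(root: Path) -> list[str]:
    """Scan every package.json below root (e.g. a project's node_modules)."""
    findings = []
    for manifest in sorted(root.rglob("package.json")):
        findings.extend(scan_package(manifest.parent))
    return findings


def demo() -> list[str]:
    """Constructed fixture: one benign package and one mimicking the described dropper."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp) / "node_modules"
        benign = mods / "harmless-lib"
        benign.mkdir(parents=True)
        (benign / "package.json").write_text(json.dumps(
            {"name": "harmless-lib", "scripts": {"test": "node test.js"}}))
        bad = mods / "trojanized-lib"
        bad.mkdir()
        (bad / "package.json").write_text(json.dumps(
            {"name": "trojanized-lib", "scripts": {"preinstall": "node setup_bun.js"}}))
        (bad / DROPPER_NAME).write_text("// stand-in for the dropper; contains no payload\n")
        return scan_tree(mods)
```

Run `scan_tree(Path("node_modules"))` against a real checkout to list packages that match either indicator; `demo()` shows the expected output on the constructed tree.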
Account Takeover Fraud Tactics Generate $262 Million in Losses
The FBI has issued a warning regarding escalating account takeover (ATO) schemes that have resulted in over $262 million in losses this year, with attackers adopting tactics that mimic bank representatives.
The FBI’s Internet Crime Complaint Center (IC3) noted that it has received over 5,100 reports related to schemes where attackers communicate with victims via phone, email, or text, masquerading as financial institution staff.
These ATO scams typically leverage social engineering to funnel victims towards phishing sites designed to mirror legitimate banking portals, prompting victims to unknowingly provide critical access credentials or multi-factor authentication codes.
Once access is gained, attackers can execute unauthorized transactions, including fund transfers to cryptocurrency accounts, while often altering login details to lock victims out.
The FBI reports that criminals frequently utilize spoofed customer service numbers and misleading digital communications to reach potential victims.
Iberia Investigates External Vendor Breach
Iberia, Spain’s flagship airline, is currently conducting an investigation into a security incident involving one of its external service providers.
An email sent to customers indicated that unauthorized access to the vendor’s systems may have compromised customer names, email addresses, and Iberia Club loyalty numbers. Fortunately, there are no signs suggesting that account passwords or full payment card information was affected.
However, Russian-linked extortion group Everest has claimed responsibility, asserting they accessed Iberia’s systems, stealing an extensive amount of data and presenting it for sale.
This follows alerts that suggested a threat actor was promoting the sale of internal Iberia data, implying potential long-term access to the airline’s systems.
Five Vulnerabilities Identified in Fluent Bit
Researchers have disclosed critical vulnerabilities in Fluent Bit, a log processing tool widely used across cloud and container environments, exposing key elements of observability pipelines to potential manipulation.
According to Oligo Security’s findings, the five vulnerabilities present significant risks, potentially allowing adversaries to overwrite logs, reroute them to unintended destinations, and, in specific configurations, achieve remote code execution.
Because of Fluent Bit’s widespread adoption by major cloud providers, the vulnerabilities pose a high-impact threat. The maintainers have released a fix in version 4.1.1.
Amazon Web Services has announced it has updated its systems reliant on Fluent Bit and urged customers to upgrade to the latest version to ensure their environments are secured.
Campbell’s Dismisses CISO Following Controversy
The Campbell Company has terminated its Chief Information Security Officer, Martin Bally, after an audio recording surfaced containing derogatory remarks regarding the company’s products and personnel.
The food conglomerate condemned the statements as inappropriate, emphasizing that Bally’s conduct fell short of the company’s values. His departure coincides with a lawsuit filed by a former analyst alleging a hostile work environment stemming from remarks made during a salary meeting.
The lawsuit outlines a series of troubling allegations, including racial insensitivity and substance use while at work. The plaintiff reports retaliatory termination following attempts to report the issues.
Report by Information Security Media Group’s Anviksha More in Mumbai and Mathew Schwartz in Scotland.