Iberia Airlines Customer Data Compromised via Supplier Breach

Security Alert: Iberia Airlines Reports Customer Data Breach
Iberia Airlines, part of the International Airlines Group (IAG) along with British Airways and Aer Lingus, has notified its customers about a security incident that compromised personal information. The data breach originated through an Iberia supplier, underscoring the inherent risks to supply chain security. The airline began sending notifications to customers over the weekend, revealing that the incident involved unauthorized access to a supplier’s systems. ...

November 24, 2025 · Comfidentia

Sha1-Hulud: Second Wave of npm Supply Chain Attacks Reveals Sabotage Tactics

Multiple security companies have warned of a second wave of attacks affecting the npm registry, reminiscent of the Shai-Hulud attack of September 2025. This new campaign, called Sha1-Hulud, compromised hundreds of npm packages between November 21 and 23, 2025. According to Wiz researchers, the new variant of the attack executes malicious code during the preinstall phase, significantly increasing exposure in build and runtime environments.
The Evolution of the Sha1-Hulud Attack
The Sha1-Hulud attack shares similarities with the previous wave, which also posted stolen secrets on GitHub under the description “Sha1-Hulud: The Second Coming.” The previous wave was characterized by compromising legitimate packages to search for secrets on developer machines using the TruffleHog credential scanner and propagate in a self-replicating manner. ...

November 24, 2025 · Comfidentia

Cybercriminals Use Browser Notifications to Distribute Malware Through the Matrix Push C2 Platform

A new command and control (C2) platform called Matrix Push C2 is being used by cybercriminals to distribute malware, taking advantage of a legitimate feature of web browsers: push notifications. According to a report by BlackFog, this malicious platform tricks users with fake system notifications, redirects them to malicious websites, monitors victims in real time, and scans for cryptocurrency wallets.
How Does the Matrix Push C2 Attack Work?
Matrix Push C2 abuses the browser’s push notification system to create a C2 communication channel. The attack process takes place in several stages: ...

November 21, 2025 · Comfidentia

Salesforce Alert on Unauthorized Access via Third Party Applications

Security Alert for Unusual Activity in Gainsight Apps
Salesforce has issued a warning about detecting “unusual activity” related to apps published by Gainsight and connected to its platform. The company’s investigation suggests that this activity may have allowed unauthorized access to data of certain Salesforce customers through the third-party application connection. In response to the incident, Salesforce has taken preventive measures:
- Token Revocation: All active access and refresh tokens associated with Gainsight applications have been revoked.
- Platform Removal: Gainsight apps have been temporarily removed from the AppExchange while the investigation continues.
Salesforce has notified affected customers, although it has not revealed the total number of victims. The company emphasized that “there is no indication that this issue resulted from any vulnerability in the Salesforce platform,” stating that the activity appears to be related to the “external application connection” to Salesforce. ...

November 21, 2025 · Comfidentia

State of Supply Chain Defense: Annual Global Perspectives Report 2025

Alarming Increase in Supply Chain Gaps
According to BlueVoyant’s annual State of Supply Chain Defense: Annual Global Insights Report 2025, an overwhelming majority of organizations (97%) have been negatively impacted by a supply chain breach. This is a significant increase compared to the 81% recorded in 2024 and points to the growing vulnerability of companies to third-party risks.
Increasing Maturity in Third Party Risk Management (TPRM)
Despite the worrying outlook, the report highlights that organizations are intensifying their efforts to prevent, mitigate and resolve supply chain incidents more effectively. ...

November 21, 2025 · Comfidentia

WhatsApp Exposes 3.5 Billion Phone Numbers Due to Enumeration Vulnerability

Potentially Historic Massive Data Leak
Austrian researchers have revealed a mass enumeration vulnerability in WhatsApp that allowed the extraction of 3.5 billion user phone numbers. This finding highlights a security flaw in the app’s “contact discovery” feature, which, lacking strict rate limiting, allowed researchers to scrape a large portion of WhatsApp’s user base. The method exploited by the researchers is based on how WhatsApp makes it easy to add contacts: when you enter a phone number, the platform instantly checks whether that number is registered and often displays the profile photo and associated name. By repeating this process billions of times using the browser-based WhatsApp app, researchers were able to collect phone numbers of almost all WhatsApp users in the world. ...

November 21, 2025 · Comfidentia

HackOnChat: WhatsApp Hacking Fraud Explained

CTM360 has identified a rapidly expanding WhatsApp account hacking campaign, internally called HackOnChat. This campaign uses a network of deceptive authentication portals and phishing pages to target users around the world. Attackers exploit WhatsApp’s familiar web interface and employ social engineering tactics to trick users into compromising their accounts. CTM360’s research revealed thousands of malicious URLs hosted on low-cost domains and generated quickly by modern website building platforms, allowing attackers to deploy new pages at scale. A notable increase in incidents has been observed in recent weeks, especially in the Middle East and Asia. ...

November 20, 2025 · Comfidentia

7-Zip vulnerability under active exploitation

A newly disclosed security vulnerability affecting 7-Zip is being actively exploited in the wild, according to an advisory issued by the United Kingdom’s NHS England Digital. The vulnerability allows remote attackers to execute arbitrary code on affected systems.
Vulnerability Details (CVE-2025-11001)
The primary vulnerability, identified as CVE-2025-11001 (with a CVSS score of 7.0), lies in the handling of symbolic links within ZIP files.
- Exploitation Mechanism: Attackers can create crafted data within a ZIP archive that forces the decompression process to traverse unintended directories.
- Impact: Allows remote code execution (RCE) in the context of the affected user or service account.
- Discovery: The flaw was discovered and reported by Ryota Shiga of GMO Flatt Security Inc., with the help of the AI-powered AppSec Auditor Takumi audit tool.
Related Vulnerability (CVE-2025-11002)
The 7-Zip version 25.00 update also addresses another similar flaw, CVE-2025-11002 (CVSS score of 7.0). This vulnerability also exploits improper handling of symbolic links in ZIP files to achieve directory traversal and RCE. Both flaws were introduced in 7-Zip version 21.02. ...

November 19, 2025 · Comfidentia

Dragon Breath and Phishing Campaigns Distribute Gh0st RAT to Chinese Users

The cyber threat landscape targeting Chinese-speaking users has intensified with the detection of multiple malware campaigns. Two recent reports highlight the sophistication of threat actors using the Gh0st RAT remote access trojan, a malware known for its versatility. One of the campaigns involves the threat actor known as Dragon Breath (also APT-Q-27 or Golden Eye), which uses a multi-phase loader called RONINGLOADER to deliver a modified variant of Gh0st RAT. Simultaneously, another series of large-scale phishing campaigns has been distributing the same malware. ...

November 19, 2025 · Comfidentia

Dragon Breath Campaign Deploys Gh0st RAT Using Sophisticated Evasion Techniques

The threat group known as Dragon Breath, also tracked as APT-Q-27 and Golden Eye, has been detected using a multi-stage loader called RONINGLOADER to deliver a modified variant of the Gh0st RAT remote access Trojan. This campaign primarily targets Chinese-speaking users and uses Trojanized NSIS installers that impersonate legitimate software such as Google Chrome and Microsoft Teams. According to researchers at Elastic Security Labs, the infection chain employs a multi-stage delivery mechanism that incorporates advanced evasion techniques. These techniques are specifically designed to neutralize popular endpoint security products in the Chinese market. ...

November 19, 2025 · Comfidentia