Today’s roundup

• Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication
• Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign
• Click Studios Patches Passwordstate Authentication Bypass Vulnerability in Emergency Access Page
• FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available
• Google Warns Salesloft OAuth Breach Extends Beyond Salesforce, Impacting All Integrations
• TamperedChef Malware Disguised as Fake PDF Editors Steals Credentials and Cookies
• North Korean Hackers Weaponize Seoul Intelligence Files to Target South Koreans
• Npm Package Hijacked to Steal Data and Crypto via AI-Powered Malware
• TransUnion Data Breach Impacts 4.5 Million US Customers
• Experts warn of actively exploited FreePBX zero-day

Summary

Amazon disrupted APT29's watering hole campaign abusing Microsoft Device Code Auth to redirect users to malicious infrastructure. Threat actors hijacked an abandoned Sogou Zhuyin update server to deploy C6DOOR and GTELAM malware targeting Eastern Asia. Click Studios patched an authentication bypass in Passwordstate's emergency access page, releasing build 9972 on August 28. FreePBX zero-day (CVE-2025-57819) allowed RCE via exposed admin panels, prompting emergency patches for versions 15-17. Google confirmed Salesloft Drift OAuth token compromises impacted all integrations, advising immediate credential rotation. TamperedChef malware distributed fake PDF editors via hijacked ads to steal credentials and cookies. North Korean APT37 leveraged stolen South Korean intelligence documents in spear-phishing campaigns. npm 'Nx' package compromised via AI-powered supply chain attack to deploy crypto-stealing malware. TransUnion breach exposed 4.5 million US customer records through a third-party application on July 28. Sitecore disclosed HTML cache poisoning (CVE-2025-53693) and deserialization RCE (CVE-2025-53691) vulnerabilities patched in June/July 2025.