CyberNews: 10/10/2025 Edition
Today’s roundup
Summary
Cybersecurity researchers have identified 175 malicious npm packages, collectively downloaded 26,000 times. These packages were used in a credential harvesting phishing campaign, codenamed Beamglea, targeting over 135 industrial, technology, and energy organizations.
An unpatched zero-day vulnerability (CVE-2025-11371, CVSS 6.1) affecting Gladinet CentreStack and TrioFox products is under active exploitation. The flaw is an unauthenticated local file inclusion bug, allowing access to system files, which can escalate to remote code execution.
The CL0P ransomware group has been linked to zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS), with intrusions affecting dozens of organizations and dating back to at least August 9, 2025. Google Threat Intelligence Group (GTIG) and Mandiant reported the widespread breach.
A China-aligned threat actor tracked as UTA0388 is deploying the Go-based GOVERSHELL espionage implant through spear-phishing campaigns targeting North America, Asia, and Europe. The phishing lures started as carefully tailored messages and evolved over the course of the campaign.
A new, rapidly evolving Android spyware campaign named ClayRat is targeting users in Russia. Attackers distribute the spyware via Telegram channels and phishing sites impersonating popular apps like WhatsApp and TikTok, exfiltrating sensitive device data and communications.
A proof-of-concept attack, dubbed 'CamoLeak', has demonstrated the ability to exfiltrate code and secrets from GitHub Copilot. This highlights a significant vulnerability in AI-powered development tools that can lead to data exposure.
The U.S. CISA has added a Grafana directory traversal vulnerability (CVE-2021-43798, CVSS 7.5) to its Known Exploited Vulnerabilities catalog. The flaw affects self-hosted instances and allows an unauthenticated attacker to read arbitrary local files on the server. Federal agencies must patch by October 30, 2025.
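The following is an added example written for this roundup, not code from Grafana, CISA, or any of the reports above. It scans web-server access logs for path traversal attempts of the kind the Grafana item describes, handling single and double percent-encoding, and reports which requests escape the expected directory. The log lines are constructed for illustration, and the `/public/plugins/<plugin-id>/` prefix is an assumption about where the vulnerable handler lives; point `prefix` at whatever path your own deployment serves.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). The plugin path
# layout /public/plugins/<id>/ is assumed for the sake of the example.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2025:10:01:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1532
10.0.0.9 - - [09/Oct/2025:10:01:07 +0000] "GET /public/plugins/alertlist/../../../../../../etc/passwd HTTP/1.1" 200 1892
10.0.0.9 - - [09/Oct/2025:10:01:09 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2f..%2fvar/lib/grafana/grafana.db HTTP/1.1" 200 3211
10.0.0.9 - - [09/Oct/2025:10:01:11 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/etc/grafana/grafana.ini HTTP/1.1" 200 889
10.0.0.7 - - [09/Oct/2025:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 21
"""

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so %2e%2e and %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the decoded path contains a '..' segment (forward or back slash)."""
    decoded = decode_fully(path.split("?", 1)[0]).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_attempts(log_text, prefix="/public/plugins/"):
    """Return requests under `prefix` whose path traverses upward.

    Each hit records the source IP, status code, the normalized target the
    request resolves to, and whether that target lies outside `prefix`.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if not path.startswith(prefix) or not is_traversal(path):
            continue
        decoded = decode_fully(path.split("?", 1)[0]).replace("\\", "/")
        target = posixpath.normpath(decoded)  # collapse the '..' segments
        hits.append({
            "ip": m["ip"],
            "status": int(m["status"]),
            "raw_path": path,
            "target": target,
            "escapes_plugin_dir": not (target + "/").startswith(prefix),
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        flag = "ESCAPES" if hit["escapes_plugin_dir"] else "inside"
        print(f'{hit["ip"]} {hit["status"]} {flag} -> {hit["target"]}')
```

A 200 response on a flagged line means the server handed the file back, so treat those hosts as compromised rather than merely probed; 4xx responses on the same paths still identify scanning sources worth blocking.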
Apple has announced an expanded bug bounty program, offering up to $2 million for the most dangerous exploits, with potential bonuses bringing the total reward for iPhone exploits to $5 million. This initiative aims to counter the booming mercenary spyware industry.
Microsoft has reported a phishing campaign in which "payroll pirate" attackers gain access to third-party HR and payroll platforms used by universities. Once inside, they redirect employees' salary payments to accounts under their control, stealing directly from university staff.
Discord has confirmed a third-party breach that exposed government identification documents for approximately 70,000 users. This incident involves highly sensitive Personally Identifiable Information being compromised by cybercriminals.
Vulnerabilities
CVE | Severity | Affected product | Notes
CVE-2025-11371 | Medium (CVSS 6.1) | Gladinet CentreStack and TrioFox | Unauthenticated local file inclusion; unpatched and under active exploitation
CVE-2021-43798 | High (CVSS 7.5) | Grafana (self-hosted) | Directory traversal allowing local file reads; added to CISA KEV, federal patch deadline October 30, 2025