CyberNews: 27/11/2025 Edition

Published by Dunateo on 2025-11-27

Today’s roundup

  • Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’
  • Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim 'Korean Leaks' Data Heist
  • Shai-Hulud v2 Spreads From npm to Maven, as Campaign Exposes Thousands of Secrets
  • Popular Forge library gets fix for signature verification bypass flaw
  • How Malware Authors Are Incorporating LLMs to Evade Detection
  • OpenAI discloses API customer data breach via Mixpanel vendor hack
  • London councils enact emergency plans after three hit by cyber-attack
  • FBI Warns of $262M Losses from Account Takeover Fraud in 2025
  • Gainsight Expands Impacted Customer List Following Salesforce Security Alert
  • At least 35,000 impacted by Dartmouth College breach through Oracle EBS campaign

Summary

    Brian Krebs unmasked "Rey," identified as Saif Al-Din Khader, a 15-year-old from Jordan, as the technical operator and public face of the Scattered LAPSUS$ Hunters cybercrime group. This group has been involved in data theft and extortion of major corporations, and Khader also launched the ShinySp1d3r ransomware-as-a-service. He is reportedly cooperating with European law enforcement.

    South Korea's financial sector was targeted in a supply chain attack that deployed Qilin ransomware. The operation, potentially linked to the North Korean state-affiliated actor Moonstone Sleet, went through a compromised Managed Service Provider (MSP) and fed the "Korean Leaks" data heist, which affected 28 victims.

    The Shai-Hulud supply chain attack has escalated, with its second wave spreading from the npm registry to the Maven ecosystem. This campaign has reportedly compromised over 830 packages in npm and exposed thousands of secrets.

    A critical vulnerability was patched in 'node-forge', a widely used JavaScript cryptography library. The flaw allowed signature verification to be bypassed with crafted data that the library accepted as valid, undermining any authentication or integrity check built on its signature verification.

    Malware authors are increasingly integrating large language models (LLMs) into their malware. Instead of shipping fixed code, the malware queries an LLM at runtime to generate or rewrite parts of itself, so that the code seen on a victim machine varies and static detection signatures stop matching.

    OpenAI disclosed a data breach affecting some ChatGPT API customers due to a compromise at its third-party analytics provider, Mixpanel. Limited identifying information of these customers was exposed.

    Three London councils, Kensington and Chelsea, Westminster, and Hammersmith and Fulham, were hit by a cyberattack that disrupted IT systems and led them to activate emergency plans. The National Crime Agency is involved in the ongoing investigation into whether data was compromised.

    The FBI reported that account takeover (ATO) fraud schemes have resulted in over $262 million in losses since January 2025. Cybercriminals impersonate financial institutions to steal data and funds, highlighting a significant financial threat.

    Gainsight announced an expansion of its impacted customer list following a Salesforce security alert. Initially, three customers were identified, but the scale of those affected by suspicious activity targeting Gainsight applications has significantly increased as of November 21, 2025.

    A data breach at Dartmouth College impacted at least 35,000 individuals across multiple states. The incident was part of a broader campaign in which attackers targeted Oracle E-Business Suite (EBS) installations.

    Want to dig deeper?

    Cyber Groups

      • Moonstone Sleet (also tracked as Storm-1789; a North Korea-attributed "Sleet" actor)

    Malware Families

      • Shai-Hulud