
This week, we briefed our clients on two major supply chain attacks targeting npm (Node Package Manager) maintainers and next month's Microsoft end-of-support (EOS) deadlines.
KEY TAKEAWAYS
- Two massive npm supply chain attacks over the last two weeks. Learn about the fallout and how to protect your organization.
- End of support for Windows 10 and Exchange Server 2016 and 2019.
- Critical and high-severity vulnerabilities in Fortra, SAP, Google Chrome, and Windows SMB, plus updates to CISA KEV, patch now!
npm Supply Chain Attacks
Over the last two weeks, there were two major supply chain attacks targeting npm maintainers, affecting hundreds of npm packages. The first attack occurred on September 10, when npm maintainer 'Qix' was successfully phished by a targeted social engineering attack. Once threat actors had access to the account, they published malicious versions of 20 npm packages. The potential impact of this attack was very large, as these packages average a total of 2 billion weekly downloads. The aim of this attack was to steal cryptocurrency assets. However, due to poor implementation of the malicious code, the attack was caught within 2 hours and remediated shortly thereafter with minimal fallout.
A week later, an even larger attack was announced as more npm maintainers were successfully phished. This time, the attack was much more sophisticated, as attackers created a self-replicating worm dubbed "Shai-Hulud". Due to the self-replicating nature of the malware, the spread went from a handful of compromised packages to at least 477 packages within 72 hours. Instead of trying to steal cryptocurrency assets, these malicious packages contained credential-stealing capabilities. The threat actors repurposed a legitimate secret-scanning tool known as "TruffleHog" to look for sensitive information on systems, including npm authentication tokens, GitHub personal access tokens, Amazon Web Services (AWS) access keys, Google Cloud Platform (GCP) service credentials, and Microsoft Azure credentials.
Mitigation
Check all projects for the presence of any of the known compromised packages. A full list of the packages and their versions can be found here. If found, they should be removed or downgraded to a safe version immediately. Also, if found, administrators should rotate any potentially exposed secrets, such as any of the secret keys or access tokens mentioned above. Lastly, one of the tell-tale signs of compromise in a repository is the existence of 'shai-hulud-workflow.yml'.
Organizations need to be aware of these supply chain threats as the attacks are becoming more frequent and more sophisticated. While many of the security changes need to happen with package maintainers, organizations must have plans in place for when these attacks occur. One key component of this is knowing what software packages are used in the first place. Having an up-to-date software bill of materials (SBOM) is the most effective way to accomplish this.
Resources:
- https://thehackernews.com/2025/09/20-popular-npm-packages-with-2-billion.html
- https://cybersecuritynews.com/shai-hulud-npm-supply-chain-attack/
- https://cybersecuritynews.com/npm-supply-chain-ctrl-tinycolor/
- https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages
- https://www.cisa.gov/sbom
The End is Near! (Redux)
Next month is the end of support for several Microsoft products used widely by enterprises across the globe. Once this support deadline comes to pass, Microsoft will no longer issue security updates for them, increasing risk to the organization's security posture. Administrators must ensure these systems are upgraded before the deadline to keep them secure.
Microsoft Windows 10
Per Microsoft Support, Windows 10 will reach the end of support on October 14, 2025. There are two ways to ensure continued support and security updates: upgrade systems to Windows 11 or enroll in Microsoft's Extended Security Update program for Windows 10. Note that some devices do not meet the hardware requirements for Windows 11, so replacing the device may be required.
Microsoft Exchange 2016 and 2019
Much like Windows 10, both Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019 will reach end of support on October 14, 2025. This means Microsoft will no longer provide security updates for these products after this date. As Microsoft Exchange vulnerabilities are frequently targeted by threat actors, it is critically important to migrate off these systems before the deadline. Microsoft recommends fully migrating email services to either Exchange Online or Microsoft 365.
Resources:
- https://support.microsoft.com/en-us/windows/windows-10-support-ends-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281
- https://learn.microsoft.com/en-us/windows/whats-new/extended-security-updates
- https://techcommunity.microsoft.com/blog/exchange/t-6-months-exchange-server-2016-and-exchange-server-2019-end-of-support/4403017
Vulnerability Roundup
Fortra GoAnywhere MFT Maximum Severity Vulnerability
On September 18, Fortra released a security bulletin detailing a maximum severity vulnerability in their GoAnywhere MFT License Servlet. The vulnerability is tracked as CVE-2025-10035. Per the advisory, "A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection." Fortra emphasizes that the vulnerability is highly dependent upon systems being exposed to the open internet, and strongly encourages that administrators restrict access to the GoAnywhere Admin Console. Administrators are strongly encouraged to patch to version 7.8.4 (latest release) or 7.6.3 (Sustain Release).
- https://www.fortra.com/security/advisories/product-security/fi-2025-012
- https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.html
Maximum Severity Flaw in SAP NetWeaver
SAP introduced fixes for 21 vulnerabilities across their software suite for their September patch day. Among these vulnerabilities is a maximum severity flaw in SAP NetWeaver, tracked as CVE-2025-42944, that allows an unauthenticated attacker to exploit the system via the RMI-P4 module by submitting a malicious payload to an open port, leading to OS command injection. Other notable critical vulnerabilities in the advisory are CVE-2025-42922, a flaw in NetWeaver AS Java that could allow a non-administrative user to upload arbitrary files, and CVE-2025-42958, a flaw in NetWeaver on IBM i-series that allows high-privileged unauthorized users to read, modify, or delete sensitive information, as well as abuse other administrative functionalities. Administrators are urged to apply updates as soon as possible.
- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
- https://www.cve.org/CVERecord?id=CVE-2025-42944
- https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html
Google Chrome 0-Day
- https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop_17.html
- https://www.bleepingcomputer.com/news/security/google-patches-sixth-chrome-zero-day-exploited-in-attacks-this-year/
Windows SMB Privilege Escalation
As part of Microsoft's September Patch Tuesday, Microsoft disclosed a zero-day vulnerability in Windows SMB Server. Tracked as CVE-2025-55234, SMB servers with certain configurations could be susceptible to relay attacks leading to privilege escalation. Per Microsoft's guidance, administrators are urged to apply hardening measures to the SMB server, including enabling SMB Server Signing and SMB Server Extended Protection for Authentication (EPA).
- https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-55234
- https://support.microsoft.com/en-us/topic/support-for-audit-events-to-deploy-smb-server-hardening-smb-server-signing-smb-server-epa-056f7478-ee2c-43b9-b94b-c0ff06de1d8f
- https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-patch-tuesday-fixes-81-flaws-two-zero-days/
CISA KEV Additions
The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last two weeks:
- CVE-2025-5086 - Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability
NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.