Welcome back! In this edition, we bring you the latest in cloud security - noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Highlights
s1ngularity: Supply Chain Attack Leaks Secrets on GitHub
On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. The malware leveraged AI command-line tools (including Claude, Gemini, and Q) to aid its reconnaissance, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims' GitHub accounts.
Learn more in our blog here.
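The Nx payload ran from an npm lifecycle hook, so one defensive check is to inventory which installed packages declare install-time scripts at all. The following audit script is an added example, not Wiz code or part of the Nx advisory; the node_modules tree it builds is constructed for the demo.

```python
"""Audit an installed node_modules tree for npm lifecycle scripts.

Added example: a post-install malware script runs from a package.json
"scripts" entry such as "postinstall". This walks a tree, parses each
package.json and reports packages that declare install-time hooks so a
reviewer can inspect them. The sample tree below is constructed.
"""
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_lifecycle_scripts(root):
    """Return {package_name: {hook: command}} for packages with install hooks."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, not a finding
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            findings[meta.get("name", os.path.relpath(dirpath, root))] = hooks
    return findings

def build_sample_tree(root):
    """Constructed node_modules with one benign and one hook-bearing package."""
    pkgs = {
        "left-pad": {"name": "left-pad", "version": "1.0.0",
                     "scripts": {"test": "node test.js"}},
        "suspicious-pkg": {"name": "suspicious-pkg", "version": "0.0.1",
                           "scripts": {"postinstall": "node telemetry.js"}},
    }
    for name, meta in pkgs.items():
        d = os.path.join(root, "node_modules", name)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)

def demo():
    """Build the constructed tree and audit it; returns the findings dict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return find_lifecycle_scripts(os.path.join(tmp, "node_modules"))

if __name__ == "__main__":
    for pkg, hooks in demo().items():
        print(f"{pkg}: {hooks}")
```

Pointing `find_lifecycle_scripts` at a real `node_modules` directory lists every package that would run code at install time; installing with `npm install --ignore-scripts` in CI prevents such hooks from executing until they have been reviewed.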
RCE Vulnerabilities in NVIDIA Triton
The Wiz Research team has discovered a chain of vulnerabilities in NVIDIA's Triton Inference Server, a popular open-source platform for running AI models at scale. The vulnerabilities were discovered during Pwn2Own and assigned CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334. When chained together, these flaws allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE).
According to Wiz data, 4.5% of cloud environments have resources affected by these vulnerabilities.
Learn more in our blog here.
High-Profile Vulnerabilities
Critical Vulnerability in FortiSIEM Exploited in the Wild
A critical OS command injection vulnerability (CVE-2025-25256, CVSS 9.8) affects multiple versions of FortiSIEM. The flaw allows unauthenticated remote attackers to execute arbitrary code or commands via crafted CLI requests. Exploit code has been observed in the wild, increasing the urgency for patching. Older, unsupported versions remain vulnerable without available fixes.
According to Wiz data, less than 1% of cloud environments have resources vulnerable to CVE-2025-25256.
Learn more here.
RCE Vulnerabilities in Trend Micro Apex One Exploited in the Wild
Two critical command injection vulnerabilities (CVE-2025-54948 and CVE-2025-54987) in the management console of Trend Micro Apex One have been disclosed and are under active exploitation. These flaws enable unauthenticated remote attackers to execute arbitrary code. Both vulnerabilities, one affecting standard x64 systems and the other affecting other CPU architectures, allow attackers to upload and execute malicious code remotely without user interaction. Trend Micro confirmed in-the-wild exploitation of CVE-2025-54948. It is recommended to upgrade to patched versions as soon as possible.
Learn more here.
Privilege Escalation in Microsoft Exchange Hybrid Deployments
Microsoft has disclosed CVE-2025-53786, a high-severity privilege escalation vulnerability affecting hybrid Exchange Server deployments. The vulnerability allows attackers with administrative access to an on-premises Exchange server to escalate privileges within connected Exchange Online environments. Exploitation requires an attacker to already possess high privileges, specifically administrative access, on the on-prem Exchange server, and exploitation has not been observed in the wild.
According to Wiz data, 7% of cloud environments have resources vulnerable to CVE-2025-53786.
Learn more here.
Security Incidents & Campaigns
Silk Typhoon Exploits Trusted Relationships to Compromise Cloud Environments
Researchers reported ongoing activity by Silk Typhoon, a China-nexus espionage group active since at least 2023. The group has targeted government, technology, academia, legal, and professional services entities in North America, leveraging trusted-relationship compromises in cloud environments. By hijacking service principal secrets or Global Administrator accounts in upstream providers, they were able to pivot into downstream customer environments, escalate privileges, and access sensitive data.
Learn more in our blog here.
DripDropper Malware Targets Apache ActiveMQ for Persistence on Cloud Linux Machines
A campaign has been observed targeting cloud-based Linux systems through the CVE-2023-46604 vulnerability in Apache ActiveMQ. After exploiting the vulnerability, the attackers install persistence mechanisms and stealthy command-and-control (C2) tools, and then patch the very vulnerability they exploited to obscure their initial access and keep other attackers out of the system. The malware used, dubbed DripDropper, is a custom Python-based loader that communicates covertly with a Dropbox account and drops further malicious payloads along with persistence mechanisms.
Read more here.
Storm-0501 Deploys Cloud-Based Ransomware
The financially motivated actor Storm-0501 has shifted from classic endpoint encryption to cloud-based ransomware: using Entra ID privileges to take over Azure, exfiltrate data at scale, delete backups and storage, and selectively encrypt remaining blobs, often without deploying traditional malware. The latest case shows on-prem to Entra to Azure pivots across a multi-tenant enterprise, followed by extortion via Microsoft Teams.
Learn more here.
Plague PAM-Based Backdoor for Linux
A newly discovered Linux backdoor, dubbed Plague, was embedded as a malicious PAM (Pluggable Authentication Module) component. Designed to silently bypass system authentication, Plague grants attackers persistent SSH access while evading all known antivirus detection and leaving minimal forensic traces. It has been in active development for at least a year, with samples dating back to mid-2024.
Read more here.
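A PAM-based backdoor has to be loaded from a PAM stack, so reviewing which modules the pam.d configuration references against a known-good baseline is a practical host check. The parser below is an added example, not code from the Plague analysis or from Linux-PAM; the baseline set, the sample sshd stack, and the module name pam_unknown.so are constructed for the demo.

```python
"""List the modules a PAM configuration loads and flag unexpected ones.

Added example: parses pam.d-style text ("type control module [args]") and
reports modules that are absent from a defender-maintained baseline or are
loaded via an absolute path instead of the default module directory.
Baseline and sample config are constructed for this demo.
"""
import re

# Constructed baseline of modules expected on this host (adjust per distro).
BASELINE = {"pam_unix.so", "pam_env.so", "pam_permit.so", "pam_deny.so",
            "pam_faillock.so", "pam_systemd.so"}

# A PAM line is "<type> <control> <module> [args]"; control may be bracketed.
LINE_RE = re.compile(r"^(?P<type>auth|account|password|session)\s+"
                     r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")

def parse_pam_config(text):
    """Return [(type, module, args)] for every active module line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@include"):
            continue
        line = line.lstrip("-")  # leading '-' means "ignore if module is missing"
        m = LINE_RE.match(line)
        if not m or m["control"] in ("include", "substack"):
            continue  # stack references name another file, not a module
        entries.append((m["type"], m["module"], m["args"].strip()))
    return entries

def unexpected_modules(text, baseline=BASELINE):
    """Sorted modules not in the baseline or loaded via an absolute path."""
    flagged = set()
    for _type, module, _args in parse_pam_config(text):
        name = module.rsplit("/", 1)[-1]
        if "/" in module or name not in baseline:
            flagged.add(module)
    return sorted(flagged)

SAMPLE_SSHD = """\
# Constructed /etc/pam.d/sshd for the demo
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
-auth      optional     pam_faillock.so preauth
auth       sufficient   /lib/security/pam_unknown.so
account    required     pam_unix.so
session    optional     pam_systemd.so
"""

if __name__ == "__main__":
    print(unexpected_modules(SAMPLE_SSHD))
```

Running `unexpected_modules` over the real contents of each file in /etc/pam.d, with a baseline captured from a clean build, surfaces modules that were added after deployment; pairing it with a hash of every file in the module directory catches replacements of a baseline module as well.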
Hold on to your headphones!
Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast! Hosted by the talented duo Eden Naftali and Amitai Cohen.
Listen on Spotify and Apple Podcasts.