Crying Out Cloud - October 2025 Newsletter

Welcome back to Crying Out Cloud! This month’s issue covers major cloud security developments — from npm supply-chain compromises to new 0-days in Cisco ASA and Entra ID. Stay informed and secure with the latest highlights from Wiz Threat Research.

Welcome back! This month we’ve seen a lot of action, with both vulnerabilities and security incidents that have left users affected. We bring you the latest cloud security highlights, to help you stay informed and stay secure.

🔍 Highlights

Shai-Hulud: Package Supply Chain Compromise Delivering Data-Stealing Malware

On September 15, 2025, malicious versions of multiple popular packages were published to npm. They contained a post-install script that harvested sensitive data and exfiltrated it to attacker-created public GitHub repos named Shai-Hulud. Beyond data theft, the malware exhibits worm-like behaviour: when a compromised package encounters additional npm tokens in its environment, it automatically publishes malicious versions of any packages those tokens can access, spreading across the npm ecosystem. Wiz Threat Research identified 36 GitHub users with secrets exposed in the “Shai-Hulud” repo (data.json, double-base64 encoded), 8 users whose private repositories were force-migrated to public with the label “Shai-Hulud Migration”, and 64 additional repositories with a “shai-hulud” branch.

Wiz Research assesses that this campaign is directly downstream of the late-August 2025 s1ngularity/Nx compromise (initial GitHub token theft, then npm token theft, then mass package poisoning). As the first successful self-propagating attack in the npm ecosystem, this appears to be one of the most severe JavaScript supply-chain attacks observed to date.

Learn more in our blog → 

🐞 High Profile Vulnerabilities


Renewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASA  

Cisco has reported exploitation in the wild of two 0-day vulnerabilities affecting Cisco Adaptive Security Appliance (ASA), CVE-2025-20333 and CVE-2025-20362, allowing RCE and local privilege escalation, respectively. NCSC and CISA have corroborated these reports, noting the use of malware dubbed RayInitiator & LINE VIPER, and attributing the activity to the threat actor behind the ArcaneDoor campaign of early 2024. US federal agencies are required to remediate these vulnerabilities by September 26, 2025.

Learn more here →


Critical Vulnerabilities in Chaos-Mesh

Researchers disclosed four vulnerabilities in the Chaos-Mesh chaos engineering platform (CVE-2025-59358, CVE-2025-59359, CVE-2025-59360, CVE-2025-59361) that allow unauthenticated in-cluster attackers to execute OS commands via the Chaos Controller Manager and abuse the Chaos Daemon to move laterally and steal service-account tokens, leading to full Kubernetes cluster takeover. Customers should patch immediately, or apply the vendor mitigations if patching is not possible.

According to Wiz data, less than 1% of cloud environments have resources affected by these vulnerabilities.

Learn more here →

Critical RCE Vulnerability in GoAnywhere MFT  

Fortra disclosed a critical deserialization vulnerability (CVE-2025-10035) in its GoAnywhere MFT enterprise managed file transfer solution. The flaw allows unauthenticated remote code execution (RCE). Following disclosure, both watchTowr and Microsoft reported evidence of in-the-wild exploitation of this vulnerability, with Microsoft attributing the activity to Storm-1175.

According to Wiz data, 3% of cloud environments have resources vulnerable to CVE-2025-10035.

Learn more here →

Entra ID Vulnerability Enabled Global Admin Takeover  

A critical vulnerability in Microsoft Entra ID (formerly Azure AD), tracked as CVE-2025-55241, exposed every tenant worldwide to potential full compromise. The flaw involved undocumented “Actor tokens” and a validation weakness in the legacy Azure AD Graph API. An attacker leveraging these flaws could impersonate any user, including Global Admins, across tenants, bypassing Conditional Access and other security controls. Microsoft fixed the issue in July 2025, with additional mitigations rolled out in August. No customer action is required.

Learn more here → 

🔒 Security incidents & campaigns

Compromised Salesloft Drift Tokens Enable Data Theft Across Integrations

Google Threat Intelligence Group reports a widespread data-theft campaign abusing OAuth tokens tied to Salesloft Drift. Initially observed against Salesforce orgs (Aug 8–18, 2025), the scope now includes other Drift integrations: on Aug 9, a small number of Google Workspace mailboxes configured with the “Drift Email” integration were accessed using stolen tokens. Google revoked affected tokens and disabled the Workspace-Drift integration, while Salesforce/Salesloft revoked Drift tokens and removed the app from AppExchange. Organizations should treat any authentication token in or connected to Drift as potentially compromised, and revoke and rotate all OAuth tokens, API keys and credentials for every third-party app connected to their Drift instance (not just Salesforce).

Learn more here →  

Highly Popular npm Packages Compromised (including debug and chalk)  

On September 8, 2025, malicious new versions of 18 popular npm packages maintained by a developer known as Qix (incl. debug@4.4.2, chalk@5.6.1) were published to npm. If those versions were pulled into a frontend build and served to users, the injected code runs in the browser and can silently redirect crypto transactions (recipients/approvals) to attacker-controlled addresses. The maintainer acknowledged the compromise around 15:15 UTC and began cleanup. On September 9, 2025, JFrog reported that more packages were affected: @duckdb/node-api@1.3.3, @duckdb/duckdb-wasm@1.29.2, @duckdb/node-bindings@1.3.3, duckdb@1.3.3, proto-tinker-wc@0.1.87, and @coveops/abi@2.0.1.
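
The practical question for most teams is whether any of the versions named above ever landed in a lockfile, including as a transitive dependency nested under another package. The following audit script is an added example (not from Wiz, Qix or JFrog) that walks an npm package-lock.json in either the v1 nested "dependencies" form or the v2/v3 flat "packages" form and reports exact matches against the package@version pairs listed in this item; the version list is only the subset the text names, and the sample lockfile is constructed for illustration.

```python
import json

# Compromised package@version pairs named in the newsletter item above.
# Partial list: the text says 18 packages were affected but names only these.
COMPROMISED = {
    ("debug", "4.4.2"), ("chalk", "5.6.1"),
    ("@duckdb/node-api", "1.3.3"), ("@duckdb/duckdb-wasm", "1.29.2"),
    ("@duckdb/node-bindings", "1.3.3"), ("duckdb", "1.3.3"),
    ("proto-tinker-wc", "0.1.87"), ("@coveops/abi", "2.0.1"),
}

def _name_from_path(path):
    # "node_modules/cli/node_modules/@scope/pkg" -> "@scope/pkg"
    return path.rsplit("node_modules/", 1)[-1]

def find_compromised(lock):
    """Return sorted (name, version, install path) triples for lockfile v1/v2/v3 dicts."""
    hits = set()
    # lockfileVersion 2/3: flat "packages" map keyed by install path; "" is the root project
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = meta.get("name") or _name_from_path(path)
        if (name, meta.get("version")) in COMPROMISED:
            hits.add((name, meta["version"], path))
    # lockfileVersion 1 (also mirrored in v2): nested "dependencies" tree
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if (name, meta.get("version")) in COMPROMISED:
                hits.add((name, meta["version"], path))
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return sorted(hits)

def audit_file(path):
    with open(path, encoding="utf-8") as f:
        return find_compromised(json.load(f))

# Constructed sample lockfile (v3): a clean chalk, plus two compromised installs,
# one of them nested under another package where a top-level scan would miss it.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/some-cli/node_modules/debug": {"version": "4.4.2"},
        "node_modules/@duckdb/node-api": {"version": "1.3.3"},
    },
}

if __name__ == "__main__":
    for name, version, path in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{version} at {path}")
```

Run `audit_file("package-lock.json")` against a real lockfile; a non-empty result means the build pulled a known-bad version and the lockfile, build artifacts and any deployed bundles from that period should be reviewed.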

Read more in our blog →  

SonicWall MySonicWall Cloud Backup File Security Incident

SonicWall has disclosed a security incident affecting its MySonicWall cloud backup service. Threat actors conducted brute-force attacks on the MySonicWall.com portal and gained unauthorized access to a subset of firewall preference files. While fewer than 5% of firewall installations were impacted and sensitive credentials remain strongly encrypted, configuration details contained in the files were only encoded, potentially providing attackers with useful intelligence for targeting the associated firewall devices. According to SonicWall, no evidence currently suggests that the files have been leaked online, and the event was not ransomware-related.

Learn more here →  

BRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal Sectors  

Google Threat Intelligence Group (GTIG) reports ongoing intrusions using the BRICKSTORM backdoor to maintain stealthy long-term access, averaging ~393 days, primarily in U.S. legal services, SaaS, BPO, and technology organizations. Activity is attributed to UNC5221 and related suspected China-nexus clusters, whose tradecraft emphasizes appliance-based footholds, VMware pivoting, credential theft, and quiet data access.

Read more here → 

🎙 Hold on to your headphones!

Tune in to "Crying Out Cloud", our monthly cloud security news roundup podcast, hosted by the talented duo Eden Naftali and Amitai Cohen.

Listen on Spotify and Apple Podcasts.