The Bottom Line
Supply chain attacks dominated the week: 800+ npm publishers were compromised, OpenAI was breached through its vendor Mixpanel, and Oracle Identity Manager is under active exploitation. Chinese APTs now deploy AI agents executing thousands of attacks per second, fundamentally changing defense timelines. Meanwhile, 80,000+ files containing credentials leaked through online developer tools, and Asahi's ransomware incident shows that attackers now auction stolen data when ransoms aren't paid.
The Rundown
Attackers compromised over 800 software publisher accounts to distribute malware through legitimate code repositories, while OpenAI's ChatGPT API customer data was exposed through third-party vendor Mixpanel. The npm ecosystem attack can completely destroy victim systems, and Oracle Identity Manager's critical vulnerability (CVE-2025-61757) is being actively exploited.
- FAQ About Sha1-Hulud 2.0: The "Second Coming" of the npm Supply-Chain Campaign
- Critical Flaw in Oracle Identity Manager Under Exploitation
- OpenAI discloses API customer data breach via Mixpanel vendor hack
Chinese state actors deployed AI agents executing thousands of cyberattacks per second against finance, chemical, and government sectors. DeepSeek-R1 generates insecure code when prompts mention Tibet or Uyghurs, while new AI-powered malware tools like WormGPT 4 lower the barrier to sophisticated attacks.
- Zero-Day Zero: The AI Attack That Just Ended the Era of the Forgiving Internet
- Chinese DeepSeek-R1 AI Generates Insecure Code When Prompts Mention Tibet or Uyghurs
- The Dual-Use Dilemma of AI: Malicious LLMs
Government agencies and critical infrastructure companies exposed over 80,000 files containing passwords and API keys by pasting them into online code formatting tools. Fluent Bit's five critical vulnerabilities can be chained for complete cloud infrastructure takeover, affecting any organization running this widely used log-processing and monitoring tool.
- New Fluent Bit Flaws Expose Cloud to RCE and Stealthy Infrastructure Intrusions
- Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys
Asahi's ransomware attack affected 2 million individuals while crippling its Japanese operations. Ransomware groups like WarLock and Rhysida now auction stolen data when victims refuse to pay, and data-only extortion campaigns doubled in 2025. This creates secondary markets that extend the impact of a breach well beyond the initial incident.
- Asahi Data Breach Impacts 2 Million Individuals
- From Extortion to E-commerce: How Ransomware Groups Turn Breaches into Bidding Wars
Russian GRU Unit 29155 breached a U.S. civil engineering firm using new tactics, while security experts warn of elevated risk over Thanksgiving and Black Friday. Scattered LAPSUS$ Hunters remain active, targeting organizations with reduced holiday staffing, and over 100 fake domains impersonating major brands have been set up for Black Friday scams.
- For the first time, a RomCom payload has been observed being distributed via SocGholish
- Thanksgiving holiday weekend kicks off heightened threat environment for security teams
- The Golden Scale: 'Tis the Season for Unwanted Gifts
On the Radar
This week's surge in security incidents signals coordinated attacks timed for the holiday season, when security teams are stretched thin. The shift from ransomware encryption toward data theft suggests attackers are harvesting credentials and sensitive data now for larger campaigns in Q1 2026.
- Supply chain attacks targeting year-end software updates
- Credential stuffing campaigns using stolen holiday shopping data
- Exploitation of unpatched vulnerabilities in remote access tools
- Business email compromise targeting year-end financial transfers