Category: Threat Intelligence
Summary
The EU and UK have issued their first coordinated cyber sanctions package, naming Russian GRU military intelligence officers over a years-long espionage campaign. Brussels and London jointly attributed a recent cyberattack on Poland's power grid to Russian state operators, marking a notable escalation in how allied governments respond to attacks on critical national infrastructure. The sanctions target named individuals accused of running sustained intrusion operations across Europe. For defenders, this reinforces that energy, utilities, and OT environments remain priority targets for nation-state actors — and that attribution is increasingly being paired with legal and financial consequences.
Key points
- First joint EU–UK cyber sanctions package targeting GRU officers.
- Poland power-grid attack officially attributed to Russian intelligence.
- Signals tighter allied coordination on critical-infrastructure defence.
▶ Microsoft Maps Year-Long ShinyHunters Campaign Stealing Salesforce Data
Category: Data Breach
Summary
Microsoft has published research tracing a year-long data-theft operation linked to the ShinyHunters extortion group, which targeted Salesforce environments through three distinct attack paths. The findings highlight how attackers increasingly pivot into SaaS platforms holding large volumes of customer and CRM data rather than breaching on-premises networks directly. Organisations relying on cloud CRM should treat connected apps, OAuth tokens, and third-party integrations as part of their attack surface. The report is a reminder that SaaS tenants need the same monitoring, least-privilege access, and token hygiene as traditional infrastructure — data exfiltration here rarely trips classic perimeter alerts.
Key points
- ShinyHunters-linked theft spanned roughly a year across three intrusion paths.
- Salesforce and connected SaaS apps were the primary target.
- Audit OAuth grants, connected apps, and token lifetimes now.
▶ Progress Orders Emergency ShareFile Shutdown Over Mystery Threat
Category: Vulnerability & Patch
Summary
Progress Software has instructed customers to shut down ShareFile servers on an emergency basis in response to a security threat it has not fully detailed publicly. The move echoes previous high-impact incidents involving Progress products, where managed file-transfer and content-collaboration platforms became entry points for mass exploitation and extortion. Administrators running self-managed ShareFile should follow vendor guidance immediately, isolate exposed instances, and review logs for signs of unauthorised access. File-transfer and collaboration appliances remain a favourite target because they sit at the boundary between internal data and the internet — patch cadence and exposure reduction are critical here.
Key points
- Progress issued an emergency shutdown directive for ShareFile servers.
- Full technical details were withheld while the threat is assessed.
- Managed file-transfer platforms remain prime mass-exploitation targets.
▶ CISA Warns of Actively Exploited RCE Flaws in Joomla Extensions
Category: Web & CMS
Summary
CISA has warned that remote code execution vulnerabilities in Joomla extensions are being actively exploited in the wild, urging organisations to patch or remove the affected components without delay. Third-party extensions remain the weakest link in CMS security: the core platform may be current while a neglected plugin quietly exposes the whole site. Anyone running Joomla should inventory installed extensions, apply available updates, and retire anything unmaintained. For forum and content operators, this is a timely reminder that the CMS attack surface extends well beyond the base install, and exploited RCE flaws are typically weaponised for webshells and pivoting.
Key points
- RCE flaws in Joomla extensions are under active exploitation.
- CISA advises immediate patching or removal of affected extensions.
- Third-party plugins, not core, are the usual entry point.
▶ CrashStealer macOS Malware Abuses Notarised Dropper to Beat Gatekeeper
Category: Malware
Summary
A new macOS infostealer dubbed CrashStealer disguises itself as an Apple crash-reporting tool and uses a notarised dropper to slip past Gatekeeper's built-in checks. By abusing Apple's own trust mechanisms, the malware lands on systems that would normally block unsigned software, then harvests credentials and sensitive data. The technique underlines a growing trend of attackers weaponising legitimate signing and notarisation to defeat platform defences. Mac users and admins should be wary of unexpected "crash reporter" prompts, enforce application allow-listing where possible, and rely on behavioural detection rather than assuming notarisation equals safety.
Key points
- CrashStealer masquerades as an Apple crash-reporting utility.
- A notarised dropper bypasses Gatekeeper trust checks.
- Notarisation alone is no longer a reliable safety signal.
▶ Backdoored Jscrambler npm Package Ships Infostealer to Developers
Category: Software Supply Chain
Summary
Attackers backdoored a Jscrambler npm package, embedding infostealer malware that runs when developers install or build against the compromised dependency. Because npm packages execute install-time scripts and flow straight into build pipelines, a single poisoned release can reach many downstream projects before anyone notices. This incident continues a relentless wave of open-source supply-chain attacks aimed squarely at developer machines and CI systems, where stolen tokens and secrets unlock much bigger targets. Teams should pin dependencies, review lockfile changes, use scoped registry tokens, and run installs in sandboxed CI rather than on privileged workstations.
Key points
- A Jscrambler npm package was trojanised with infostealer code.
- Install-time scripts push malware into developer and CI environments.
- Pin versions, review lockfiles, and sandbox dependency installs.
▶ Microsoft: AI Now Exploits Windows 11 Bugs in Hours — Patch Within 3 Days
Category: Vulnerability & Patch
Summary
Microsoft says attackers are now using AI to weaponise Windows 11 vulnerabilities within hours of disclosure, and is warning organisations not to delay updates beyond roughly three days. The company also confirmed it is applying AI-assisted vulnerability detection internally, though it says only the highest-confidence findings reach engineering teams. The takeaway for defenders is that traditional 30-day patch windows are increasingly untenable as the gap between disclosure and exploitation collapses. Expect faster patch cycles, tighter SLAs on critical fixes, and more pressure to automate testing and deployment so security updates land in days, not weeks.
Key points
- AI-driven exploitation is shrinking the disclosure-to-attack window to hours.
- Microsoft advises applying updates within about three days.
- Long patch cycles are becoming a serious liability.
▶ MemGhost Attack Plants Persistent False Memories in AI Agents via One Email
Category: AI Security
Summary
Researchers have detailed a new attack, MemGhost, that plants persistent false "memories" in AI agents using a single crafted email. By poisoning an agent's long-term memory store, an attacker can influence its future decisions and outputs long after the initial message — a stealthy form of indirect prompt injection that survives across sessions. As organisations deploy autonomous agents with memory, tool access, and email integration, this class of attack becomes a real operational risk. Defenders should treat agent memory as untrusted input, validate and sandbox what gets persisted, and apply least-privilege limits to the actions agents can take.
Key points
- A single email can implant lasting false memories in an AI agent.
- Poisoned memory persists across sessions and skews later behaviour.
- Treat agent memory as untrusted; sandbox and constrain agent actions.
▶ Zimbra Patches Critical Remote Code Execution Vulnerability
Category: Email Security
Summary
Zimbra has released a patch for a critical vulnerability that allows remote code execution against affected collaboration servers. Email and groupware platforms are consistently high-value targets: they hold sensitive communications and often sit internet-facing, making an RCE flaw an attractive route to full server compromise and lateral movement. Administrators running Zimbra should apply the fix promptly and review systems for signs of prior exploitation, since flaws in this product have historically been targeted quickly once disclosed. For self-hosted mail operators, this is a reminder to keep collaboration stacks patched and to minimise exposed administrative interfaces.
Key points
- Critical RCE vulnerability patched in Zimbra collaboration servers.
- Internet-facing mail platforms are frequently and quickly targeted.
- Apply the update and hunt for prior compromise indicators.
▶ Meta on Course to Become America's Next Big Cloud Provider
Category: Cloud & Infrastructure
Summary
Meta's aggressive AI build-out is putting it on a path to become one of America's largest cloud providers, according to industry analysis. The company is expanding its Hyperion supercluster toward 5GW of capacity and has pushed its Louisiana data-centre investment past $50 billion as the AI compute race accelerates. The scale of these commitments — rivalling the traditional hyperscalers — hints at Meta eventually renting out infrastructure rather than keeping it purely internal. For architects, it signals a shifting cloud landscape: more capacity, new potential providers, and continued pressure on power, cooling, and regional grid availability driven by AI demand.
Key points
- Hyperion supercluster plans expanding toward 5GW of capacity.
- Louisiana data-centre investment pushed past $50 billion.
- Meta could emerge as a new hyperscale cloud competitor.