Daily Cyber News – November 25th, 2025
This is today’s cyber news for November 25th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
Attackers have launched a sprawling software supply chain campaign that slips a self spreading JavaScript worm into widely used open source packages. Once a developer installs one of the tainted components, the code quietly harvests environment variables, source control credentials, and application programming interface keys from workstations and build servers. In many environments the malware then alters local projects so that contaminated dependencies are pushed into still more repositories, which helps it slither through entire organizations. For development teams this means a single unlucky install can siphon secrets and corrupt multiple applications at once, even if nothing odd appears in production right away. Right now the real damage depends on how quickly teams can trace where those packages landed and rotate any credentials that might already be in the hands of criminals.
Cloud and research teams are also grappling with a serious flaw in the Ray framework that orchestrates many artificial intelligence clusters. When Ray management ports are left exposed, intruders can send commands that run code across entire clusters, hijacking expensive graphics processors for cryptomining, stealing models, or tampering with live training jobs. In practice that means one misconfigured dashboard on the internet can give an outsider ample power to hijack workloads that cost thousands of dollars per day. For organizations funding cutting edge research, this kind of quiet abuse can drain budgets, delay launches, and put hard won intellectual property at risk. Today the urgent work is to fence off every Ray endpoint, check running clusters for suspicious jobs, and rebuild anything that shows signs of unwanted control.
Another story focuses on Fluent Bit, a small logging agent that quietly runs inside countless cloud images and Kubernetes clusters. Researchers disclosed five vulnerabilities that, when chained together, can let an attacker bypass checks, crash services, or even execute code on systems that use this component for observability. Because Fluent Bit often ships as a default sidecar, many teams do not realize it is present or reachable, which gives intruders a stealthy foothold that lurks behind normal monitoring traffic. For businesses that rely on managed container platforms and large telemetry pipelines, a compromised logging agent can become a springboard to far more sensitive workloads. The safest move is to treat Fluent Bit like any other critical service, find every instance, apply fixes, and tighten who and what can talk to it over the network.
Defenders are also watching active exploitation of a recently patched Windows update service flaw to deploy the ShadowPad backdoor. By first compromising central update or software distribution servers, intruders can use normal looking jobs to spray malicious code across thousands of desktops and servers in one coordinated push. That approach allows them to piggyback on trusted maintenance traffic rather than trying to break into each machine directly, which makes the intrusion feel like routine administration for a long time. For organizations with large Windows estates, this turns their own patching backbone into a weapon that can quietly pry open the entire network. Security teams now need to verify those servers are patched, scrutinize recent deployment jobs, and hunt for any trace of ShadowPad both on the management systems and the clients they serve.
Website owners are dealing with new urgency after a critical flaw in the W3 Total Cache plugin for WordPress received a public proof of concept exploit. The bug can allow an unauthenticated visitor to execute code on the underlying server, turning a performance tuning tool into a direct path to defacement, data theft, or hosting of further attacks. Since W3 Total Cache is popular on small and mid sized business sites, one vulnerable plugin can suddenly give criminals control over stores, marketing pages, or client portals. For many brands the first visible sign is a site that starts redirecting visitors, skimming payment details, or silently spreading malware under the company logo. Owners who rely on this plugin now need to update it quickly, lock down administrator access, and scan their sites for unauthorized file or template changes.
Oracle customers face renewed pressure as attackers weaponize a newly disclosed cloud application flaw in enterprise software that already sits at the heart of many billing and supply chain processes. The weakness lets remote attackers bypass normal access paths in certain Oracle deployments and reach sensitive operational and financial data that ordinarily requires strict permissions. Early incidents show criminals not only grabbing information but also trying to extort organizations, pairing fresh exploitation with threats to leak stolen records. For enterprises that already endured a recent Oracle Cloud breach, this pattern suggests adversaries are mapping where these systems run and returning with new tricks rather than moving on. The practical response is to prioritize patches, tighten external exposure, and review logs around administrative actions and large data exports to spot any attempts to exploit this latest gap.
In financial services, a breach at mortgage technology provider Situs A M C has exposed detailed loan and client records for several major banks. Systems used to support real estate and mortgage finance operations were compromised, exposing data such as borrower details, loan terms, and institutional relationships that sit behind the scenes of the housing market. Criminals who obtain this information can craft convincing fraud attempts, mimic legitimate correspondence, or probe for weaknesses in how lenders verify borrowers and counterparties. For banks and investors that outsource key parts of their mortgage lifecycle to a vendor like Situs A M C, the incident highlights how much sensitive information can accumulate in one place outside their own walls. Risk and security teams now need to coordinate with the provider, reinforce fraud controls for affected portfolios, and reconsider how they assess and monitor third party data handlers.
Customer success and sales operations are under scrutiny after an attack on Gainsight raised concerns about data exposure across its deep integrations with Salesforce and other tools. The incident appears to have abused the trusted connector that allows Gainsight to pull and push rich customer records into Salesforce, Zendesk, HubSpot, and similar platforms. Because these integration accounts often have wide ranging permissions and automation powers, any misuse can ripple through multiple systems at once, touching contacts, activity history, and engagement notes. For companies that rely on dashboards and playbooks built on top of this data, even subtle tampering can distort how teams interpret customer health and deal risk. The priority now is to audit connected applications, strip excess privileges, rotate keys and tokens, and put stronger monitoring around bulk exports, field changes, and new automation rules tied to integration users.
Higher education and philanthropy circles are reacting to news that Harvard suffered a breach of alumni and donor contact data driven by voice phishing. Attackers placed convincing phone calls to staff, coaxing out credentials that opened doors into systems used to manage fundraising and relationship records. Once inside, they pulled lists containing names, email addresses, phone numbers, mailing addresses, giving histories, and biographical details that are ideal fuel for highly targeted scams. For alumni and donors, the main risk is not an immediate account drain but a wave of messages or calls that sound credible because they reference real gifts and affiliations. Harvard is now notifying affected individuals and tightening verification procedures, while other universities and nonprofits are weighing how well their own teams handle support calls that seem urgent or authoritative.
Healthcare privacy concerns are renewed after Delta Dental of Virginia disclosed that a compromised employee email account exposed data on about one hundred forty six thousand dental plan members. The mailbox contained messages and attachments with names, Social Security numbers, plan identifiers, and medical information that should have lived in more controlled systems. Criminals who gain access to such an inbox can quietly search for exactly the documents needed to commit identity theft, submit fake claims, or resell dossiers on underground markets. For insurers and medical providers, this kind of incident shows how everyday communication habits can quietly undermine formal protections around regulated health data. Stronger controls around email, including multi factor authentication, better monitoring, and stricter rules on storing sensitive content, are now central to preventing similar exposure in the future.
Attackers have also turned certain Superbox streaming devices into quiet workhorses inside a global cybercrime network. These set top boxes ship with intrusive software that routes large volumes of login attempts and web traffic through ordinary home connections while still delivering television shows on screen. Behind the scenes that traffic includes credential stuffing, ad fraud, and probing of online banking and shopping sites that makes innocent households look like the origin of abuse. Because many of these devices are rooted and talk to hard coded control servers, even a factory reset cannot fully cut off the connection. For security teams, the concern is that remote workers may enter corporate passwords on networks where traffic is piggybacked through hardware they barely understand.
Another story highlights a tactic called EtherHiding that uses blockchain infrastructure to keep drive by malware campaigns alive. Criminals first compromise legitimate websites and inject fake CAPTCHA and verification pages that appear when visitors try to reach content. The malicious scripts on those pages call out to blockchain smart contracts to fetch the latest payload, which lets attackers rotate malware without touching the site again. That design makes simple cleanup less effective because the real control channel lives in a decentralized ledger rather than a single command server. For defenders, the challenge is to clamp down on unauthorized script changes on production sites and rely on strong endpoint protection to block suspicious downloads, even when a page looks familiar.
Developers were also put at risk when a fake Visual Studio Code extension posed as a trusted code formatter and slipped into the official marketplace. The look alike extension copied the name and icon of the real tool closely enough that many engineers installed it without a second thought. Once active, it quietly captured browser cookies, saved passwords, and authentication tokens, then shipped them off to attacker controlled servers for later use. Those stolen secrets can unlock private repositories, cloud dashboards, and continuous integration pipelines far beyond the single workstation. Teams that rely on integrated plugin stores now need to curate approved extensions carefully and rotate credentials anywhere the rogue formatter might have run.
Digital artists are facing a different kind of trap as booby trapped Blender model files install StealC information stealing malware when opened. Attackers upload attractive models to popular asset marketplaces, where busy artists see them as free shortcuts to speed up client projects. Hidden scripts inside these files run automatically when the scene loads and then pull down extra code that plants the infostealer on the workstation. Once in place, StealC rummages through browsers and local wallets to siphon passwords, cryptocurrency, and other sensitive data before exfiltrating it to remote servers. Studios and freelancers alike now have to treat unvetted 3D assets as potential malware and bring creative workstations fully into their security programs.
Python developers in cryptocurrency projects are meanwhile dealing with a look alike package on the Python Package Index that quietly hijacks wallet details. The malicious library uses a nearly identical name to a respectable spell checker package, counting on typos and autocomplete suggestions to snare victims. After installation, it injects code that intercepts configuration values and credentials for wallets and transaction tools, then sends them to criminals waiting to drain funds. Because the package still appears to function, many developers may never suspect the dependency until money disappears or accounts behave strangely. In environments that handle digital assets, this makes dependency review and software composition analysis as important to financial safety as traditional fraud checks.
In Brazil, banking customers are being robbed after criminals turned trusted WhatsApp conversations into a channel for installing financial malware. Campaigns often begin with email messages that steer victims into chat threads, where attackers pose as support staff or contacts and continue the conversation. Once trust builds, they share links or files that plant malware able to read one time codes, capture keystrokes, and take over mobile banking sessions in progress. The malicious apps also harvest contacts and chat histories so the attackers can impersonate victims to friends and relatives and push the scam even further. Banks serving this region now need to blend device intelligence, transaction monitoring, and customer education to catch these piggybacked attacks early.
Researchers have also uncovered a remote access tool called RadzaRat that disguises itself as a simple file manager app on Android. After installation, it requests broad permissions that let it read messages, pull documents, use the camera and microphone, and track the device over time, all while looking like a normal utility. Worryingly, the current samples evade many mobile antivirus tools, so users do not see warnings even as the app quietly calls home. Distribution relies on direct links and third party stores rather than official app marketplaces, which means victims may not realize they bypassed normal safeguards. For organizations with bring your own device programs, this turns a single unvetted app into a long running surveillance tool that can spy on both personal and work activity.
Another theme in today’s research is how mainstream artificial intelligence coding assistants are being bent toward near autonomous malware creation. Security labs show that by feeding prompts and snippets into these tools, operators can generate working droppers and evasion tricks quickly, then iterate until the code slips past basic defenses. Some demonstrations even loop the assistant into an almost continuous cycle that tweaks samples whenever scanners start to catch them. While skilled attackers have long built custom malware, this approach lowers the bar for less experienced actors who can now produce many tailored variants. For defenders, the reality is a growing tide of fast changing threats that demand behavior based detection and strong response processes rather than reliance on static signatures alone.
Telecom customers are watching a policy shift as the Federal Communications Commission rolls back several cybersecurity and breach reporting rules for carriers. The revised framework eases some of the requirements that pushed providers to notify regulators and customers quickly after significant intrusions. It also relaxes expectations around how carriers document and test protections for the core networks that move voice and data traffic. For enterprises that depend on these services, the change means less guaranteed visibility into security incidents that start inside carrier environments. This leaves organizations more reliant on their own contracts, monitoring, and contingency plans to understand and absorb telecom related cyber risk.
Finally, leaked files tied to an Iranian aligned cyber unit provide an unusually detailed look at how it profiles and targets officials and organizations. The documents describe target lists, training material, and performance reports that cover government staff, dissidents, and business figures across the region. Screenshots and notes suggest the group relies heavily on email and social media account takeovers, along with common cloud services, to watch and pressure its victims. The leak confirms long suspected tactics and gives defenders concrete examples of phishing themes, account abuse patterns, and tracking workflows. High risk organizations can now use these insights to refine threat models, tighten identity protections, and brief at risk individuals whose personal and work lives may both be in scope.
That’s the BareMetalCyber Daily Brief for November 25th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at Daily Cyber dot news. We’re back tomorrow.