Daily Cyber News – November 28th, 2025
This is today’s cyber news for November 28th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
Millions of phones still follow old online calendars. Researchers showed that attackers can re-register hundreds of expired calendar domains and quietly push fresh invites into any device that once synced those feeds. Those poisoned entries can be dressed up as reminders, meetings, or alerts that prod people to click links or share information they would usually guard. The danger is that calendar traffic often slips under filters that watch email and web browsing, which lets tracking and phishing piggyback into busy lives. For now the issue is mainly a warning, yet it exposes how forgotten cloud links can keep tugging on devices long after people stop paying attention.
A breach at an analytics vendor has exposed details about OpenAI developer accounts. The stolen data appears to focus on metadata such as contact information and usage patterns rather than model content or passwords. Even so, it gives attackers a new map of which companies are building on the platform and how heavily they rely on it. That information can be fed into tailored phishing and social engineering aimed at the teams who run critical artificial intelligence projects. OpenAI customers now need to assume that developer identities tied to their apps may be probed more often and should be guarded as carefully as any production credential.
Japan’s beer giant Asahi is recovering from a major ransomware attack. The incident disrupted parts of its domestic operations and led to the leak of data about roughly two million customers, employees, and partners. Attackers likely staged and stole files before encryption, then crippled systems that support production, logistics, and back-office work. That combination of outage and exposure raises regulatory, legal, and reputational stakes far beyond simple downtime. The company and its ecosystem now face a long period of cleanup, monitoring, and communication as leaked information fuels copycat fraud and phishing.
Security teams are tracking a North Korean group that has poisoned JavaScript packages on npm and related GitHub projects. The goal is to deliver a malware family known as OtterCookie onto developer machines and build systems that pull in those packages. Once running, the malware harvests credentials, crypto wallets, and other sensitive data tied to modern software and Web3 work. The campaign blends into normal development by hiding inside what look like routine updates from familiar registries. Organizations that lean heavily on open source now need to treat every new package and update as a potential supply chain pivot rather than a simple convenience.
A separate campaign built on the Shai Hulud malware family is abusing npm packages and GitHub Actions workflows. In this case attackers sneak booby-trapped components into pipelines, steal cloud and build secrets, and then threaten a destructive data wipe if their access is cut. That creates a hostage situation around code repositories and automation that many teams assume will quietly run in the background forever. Because GitHub Actions often runs with broad permissions, a single poisoned workflow can jam multiple projects at once. The episode reinforces that continuous integration and continuous delivery are not just engineering tools; they are critical business systems whose compromise can halt delivery overnight.
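The two workflow properties that matter most in the story above are how much the job's token can do and whether the actions it pulls in are pinned to something immutable. The following checker is an added example, not code from the brief or from any of the projects it mentions: it is a line-based audit (not a full YAML parser) that flags workflows with no `permissions` block, a `permissions: write-all` grant, or `uses:` references that point at a tag or branch instead of a 40-character commit SHA. The two workflow texts and the all-zero SHA are constructed placeholders.

```python
"""Audit GitHub Actions workflow files for broad token permissions and
unpinned third-party actions. Added example; samples below are constructed."""
import re
from typing import List

# A full commit SHA is the only reference an upstream owner cannot move later.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref" at any indentation; stops before a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Matches "permissions:" at any level, capturing a same-line value if present.
PERM_RE = re.compile(r"^\s*permissions:\s*(\S*)")


def audit_workflow(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    issues: List[str] = []
    saw_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        perm = PERM_RE.match(line)
        if perm:
            saw_permissions = True
            if perm.group(1) == "write-all":
                issues.append(f"line {lineno}: permissions: write-all grants every scope")
            continue
        use = USES_RE.match(line)
        if use:
            ref = use.group(1)
            # Local actions and container images are outside this check's scope.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            _action, _, version = ref.partition("@")
            if not SHA_RE.match(version):
                issues.append(f"line {lineno}: {ref} is not pinned to a commit SHA")
    if not saw_permissions:
        # With no permissions key the GITHUB_TOKEN gets the repository default scopes.
        issues.append("no permissions block: GITHUB_TOKEN gets the repository default")
    return issues


# Constructed weak workflow: default token scopes, actions pinned only to tags.
WEAK_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci && npm test
"""

# Constructed hardened workflow: read-only token, action pinned to a commit SHA
# (the all-zero value is a placeholder, not a real commit).
HARDENED_WORKFLOW = """\
name: build
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        findings = audit_workflow(wf)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it over every file under `.github/workflows/` to get a quick inventory; a job-level `permissions:` block satisfies the presence check just as a top-level one does, which is intentional, since either narrows the token for the steps that matter.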
In Korea, a managed service provider breach has spilled over into multiple banks and insurers. Ransomware operators broke into the provider, disrupted its systems, and siphoned roughly two terabytes of documents and records tied to financial customers. Those stolen files map internal processes, customer relationships, and operational details that could later be weaponized for fraud or further intrusion. Individual institutions had limited early insight because the initial compromise sat in a partner environment rather than their own networks. The case shows how a single link in the middle of the chain can quietly become the door into many regulated organizations at once.
Researchers have found that old Python build scripts still point to internet domains that no longer belong to their original owners. Attackers can re-register those domains and quietly feed modified tools or dependencies into any environment that follows outdated installation guides. The risk sits not in the current package index but in long-lived documentation that developers still trust and reuse. Over time those forgotten paths can become a way to backdoor modern projects that were never meant to touch the abandoned infrastructure. The finding is a reminder that build instructions age just like code and can turn into attack rails if nobody keeps them fresh.
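Both the expired calendar feeds in the first item and the stale build-script domains here come down to the same defensive question: which external URLs does my environment still follow, and does anyone still answer for those names? The scanner below is an added example, not code from the brief or from the researchers it cites. It pulls `http`, `https`, `ftp` and `webcal` URLs out of arbitrary text (setup files, install docs, calendar configs), asks a resolver whether each hostname still resolves, and separately marks cleartext schemes, since a re-registered domain reached over plain HTTP can serve whatever it likes. The sample fragments and the `CONSTRUCTED_DNS` table are constructed so the script runs offline; `live_resolver` is the real DNS check to swap in.

```python
"""Find external URLs in build scripts, install docs and calendar configs whose
hostnames no longer resolve, i.e. references a third party could pick up by
re-registering the domain. Added example; the sample inputs are constructed."""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlsplit

# Schemes worth auditing: package and tool downloads plus subscribed calendar feeds.
URL_RE = re.compile(r"\b(?:https?|ftp|webcal)://[^\s'\"<>)\]]+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    url: str
    host: str
    resolves: bool   # False: nobody answers for this name today
    cleartext: bool  # http/ftp/webcal: content cannot be authenticated in transit


def extract_urls(text: str) -> List[str]:
    """Return distinct URLs in order of first appearance, trailing punctuation removed."""
    seen, out = set(), []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def host_of(url: str) -> str:
    """Lower-cased hostname without a trailing dot, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def live_resolver(host: str) -> bool:
    """Real DNS check: True if any address record exists for the name."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def scan(text: str, resolver: Callable[[str], bool] = live_resolver) -> List[Finding]:
    """Extract every URL in text and record whether its host still resolves."""
    findings: List[Finding] = []
    for url in extract_urls(text):
        host = host_of(url)
        if not host:
            continue
        scheme = urlsplit(url).scheme.lower()
        # webcal is plain http by convention, so it counts as cleartext here.
        findings.append(Finding(url, host, resolver(host), scheme in ("http", "ftp", "webcal")))
    return findings


def dangling(findings: List[Finding]) -> List[Finding]:
    """The references a defender should remove or re-home first."""
    return [f for f in findings if not f.resolves]


# Constructed sample: fragments of a setup.py, an INSTALL.md and a calendar config.
SAMPLE = """
# setup.py fragment (constructed, not a real project)
dependency_links = ["http://legacy-wheels.example.net/simple/"]

# INSTALL.md fragment (constructed)
pip install --index-url https://pypi.org/simple/ mytool
curl -sSL http://old-build-tools.example.org/bootstrap.sh | sh

# shared calendar subscription (constructed)
feed = "webcal://calendar.example.com/team.ics"
"""

# Constructed DNS view so the example runs offline; use live_resolver in practice.
CONSTRUCTED_DNS: Dict[str, bool] = {
    "pypi.org": True,
    "calendar.example.com": True,
}


def constructed_resolver(host: str) -> bool:
    return CONSTRUCTED_DNS.get(host, False)


if __name__ == "__main__":
    for f in scan(SAMPLE, constructed_resolver):
        status = "ok" if f.resolves else "DANGLING"
        transport = "cleartext" if f.cleartext else "tls"
        print(f"{status:9} {transport:9} {f.url}")
```

A name that still resolves is not proof the original owner still holds it, so the output is a worklist, not a verdict: treat every dangling hit as something to delete or point at infrastructure you control, and review the cleartext hits for an HTTPS equivalent.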
High-powered workstations used to train sensitive artificial intelligence models, including Nvidia Spark systems, are under scrutiny after new firmware flaws surfaced. Researchers disclosed fourteen issues in the management firmware. An attacker who reaches that layer can disrupt services, crash jobs, or plant code that tampers with model training and data access. These machines often sit at the heart of clusters that host crown-jewel workloads, yet firmware updates lag far behind software patches. Security teams now need to treat this infrastructure like any other critical system by tracking exposure, scheduling updates, and watching logs for strange reboots or access attempts.
Customer success vendor Gainsight is working with clients after investigators found that suspicious activity touched more Salesforce environments than first believed. Attackers moved through app integrations rather than direct user logins. By abusing trusted links between Gainsight and Salesforce, the intruders could skim records, explore permissions, and quietly probe where valuable customer data lived. Different tenants saw different patterns, yet the shared concern is that one third-party app connected to many instances became a common pivot point. Customers now have to review audit logs, trim permissions, and confirm exactly which records each integration touched during the window of suspicious use.
Banks, ministries, and technology firms in parts of Central Asia are dealing with a spying campaign that hides behind NetSupport remote access software. Messages pretend to come from local government offices or regulators. Staff who open the lures can quietly install the tool, which then gives operators full remote control over the workstation and its files. Because NetSupport is often used for legitimate support, its presence may not raise alarms even as documents are copied and keystrokes are captured. Organizations in sensitive regions need to watch email and endpoint logs closely for new installs of this tool and remote sessions that do not match normal support patterns.
An investigative report has named a fifteen-year-old known as Rey as the alleged leader of a disruptive hacking crew modeled on earlier Scattered Lapsus-style groups. The group is accused of high profile intrusions. Investigators say the attackers rely on social engineering, phone tricks, and stolen credentials to break into technology and gaming firms without much custom malware. Publicly naming someone so young has stirred debate about accountability, privacy, and the best way to steer talented but reckless teenagers away from crime. For companies the case is a reminder that strong identity checks, careful helpdesk processes, and fast detection of odd account use matter more than guessing who sits on the other side.
Home and small office networks that rely on Asus routers with AiCloud features are under pressure to update. Researchers flagged nine serious flaws in this gear. One authentication bypass bug lets intruders slip into router controls without a password and quietly change traffic or settings. Because these devices often sit at the edge of home offices and remote-worker setups, compromise can expose many connected systems. Patches are available now, yet adoption will likely lag as people ignore prompts or never log into the router console.
Next year Microsoft plans to tighten its Entra sign-in flows by blocking untrusted scripts during the login process. The change targets quiet script injection at login. Today many organizations load custom banners, analytics, or third-party widgets that piggyback on sign-in pages with wide permissions. Under stricter content rules, those extras may be blocked or broken, causing user friction if teams do not test ahead of time. Microsoft is signaling early, so identity and application owners now have a window to clean up risky add-ons before enforcement.
A new open source toolkit called KawaiiGPT is giving low-skill attackers an easier way to spin up offensive language models. These models are tuned to dodge safety limits on purpose. Instead of wrestling with commercial platforms, an attacker can run the toolkit on local or cheap rented hardware and quietly generate phishing scripts, lures, or basic code. The result is a wave of polished, believable emails and messages that look like real business communication rather than clumsy scams. Defensive teams now need to assume that convincing attack text can be forged on demand by almost anyone with curiosity and time.
That’s the BareMetalCyber Daily Brief for November 28th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at Daily Cyber dot news. We’re back Monday.