Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer's account was compromised in a phishing attack.
The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm ("support@npmjs[.]help"), urging them to update their update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on
Threat hunters have discovered a set of previously unreported domains, some going back to May 2020, that are associated with China-linked threat actors Salt Typhoon and UNC4841.
"The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group," Silent Push
Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account.
Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by a supply chain breach.
"With
Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.
While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing
Dans un accord signé le 5 septembre 2025, Nintendo et le propriétaire d'un site de piratage de Switch ont mis fin à une bataille judiciaire entamée plus d'un an auparavant. Pour éviter une procédure qui aurait pu s’éterniser, le hacker a choisi d’accepter les conditions du géant japonais, auquel il doit désormais la somme de 2 millions de dollars.
Media streaming platform Plex is warning customers to reset passwords after suffering a data breach in which a hacker was able to steal customer authentication data from one of its databases. [...]
Large network scans have been targeting Cisco ASA devices, prompting warnings from cybersecurity researchers that it could indicate an upcoming flaw in the products. [...]
A new supply chain attack on GitHub, dubbed 'GhostAction,' has compromised 3,325 secrets, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys. [...]
Signal has introduced a new opt-in feature that helps users create end-to-end encrypted backups of their chats, allowing them to restore messages even if their phones are damaged or lost. [...]
American furniture brand Lovesac is warning that it suffered a data breach impacting an undisclosed number of individuals, stating their personal data was exposed in a cybersecurity incident. [...]
Calcio, a large piracy sports streaming platform with more than 120 million visits in the past year, was shut down following a collaborative effort by the Alliance for Creativity and Entertainment (ACE) and DAZN. [...]
In a supply chain attack, attackers injected malware into NPM packages with over 2.6 billion weekly downloads after compromising a maintainer's account in a phishing attack. [...]
Salesloft says attackers first breached its GitHub account in March, leading to the theft of Drift OAuth tokens later used in widespread Salesforce data theft attacks in August. [...]
Selon les données de Kaspersky, les attaques contre les utilisateurs de smartphones Android ont augmenté de 29 % au cours du premier semestre 2025 par rapport au premier semestre 2024, et de 48 % par rapport au second semestre 2024. Tribune – En 2025, Kaspersky a détecté des menaces mobiles de premier ordre telles que […]
La France, mauvais élève de la cybersécurité ? C’est ce que suggère une nouvelle étude Cohesity. Malgré l’intensification des menaces et des standards plus exigeants, les entreprises peinent à faire de leurs employés un rempart fiable, laissant leurs systèmes vulnérables aux cyberattaques. Quand l’inaction des employés met les organisations en péril – un collaborateur français […]
With WSUS deprecated, it's time to move from an outdated legacy patching system to a modern one. Learn from Action1 how its modern patching platform offers cloud-native speed, 3rd-party coverage, real-time compliance, and zero infrastructure. Try it free now! [...]
Pour contrer les campagnes de désinformation orchestrées par des acteurs étrangers sur les réseaux sociaux, en particulier sur X, le ministère des Affaires étrangères a annoncé le lancement d’un compte officiel dédié à la riposte. Une initiative qui s’inscrit dans une stratégie de communication plus offensive de la diplomatie française face aux fausses informations qui la visent.
Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts.
This week, one story stands out above the rest: the
Connexion
