Weekly Recap
Weekly Cybersecurity Recap - 24 March 2025
This Week in Cybersecurity: Phishing, Ransomware, and a $32B Acquisition
Major Threats, Exploits, Malware and Industry Updates
This week's cybersecurity landscape was marked by an accelerating mix of automation, large-scale disruptions, and state-backed cyber activity. From new AI-powered defense tools to zero-day exploits and supply chain compromises, the digital battlefield continues to evolve. Here's a breakdown of the key developments shaping global cybersecurity this week.
OpenAI Unveils Aardvark: GPT-5 Agent That Finds and Fixes Code Flaws Automatically
OpenAI announced the launch of “Aardvark,” an AI-powered autonomous security agent built on GPT-5 that can scan, understand, and patch code vulnerabilities automatically. The company says the agent is designed to act like a human security researcher capable of identifying and fixing flaws at scale - a move that could significantly accelerate secure software development. Currently in private beta, Aardvark reflects a growing shift toward embedding intelligent automation within DevSecOps workflows.
Cloud Outages Highlight the Need for Resilient, Secure Infrastructure Recovery
Two major cloud outages this week, impacting Amazon Web Services (AWS) and Microsoft Azure, reinforced the importance of resilient recovery planning. The AWS incident caused widespread service disruptions affecting platforms like Snapchat and Disney+, while Azure’s downtime crippled critical business operations. These incidents serve as a stark reminder that even leading cloud providers are not immune to failure - and underscore the need for security teams to prioritize recovery strategies that prevent cascading cyber risks.
PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs
Researchers uncovered a large-scale npm supply chain attack involving more than 100 malicious packages under the codename “PhantomRaven.” The malware steals GitHub credentials, CI/CD secrets, and developer tokens directly from infected systems. Active since August 2025, the campaign has drawn over 86,000 installs, showing just how quickly malicious code can infiltrate open-source ecosystems and compromise entire development pipelines.
Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack
A newly discovered malware dubbed “Airstalk” has been linked to a suspected nation-state operation, tracked as CL-STA-1009 by Unit 42. The campaign likely originated through a supply chain compromise, underscoring how state actors continue to exploit trusted channels to deliver espionage tools. The discovery adds to a growing list of sophisticated intrusions leveraging third-party software as the initial attack vector.
China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems
The China-backed Tick group has been observed exploiting a zero-day vulnerability in Motex Lanscope Endpoint Manager (CVE-2025-61932) to gain full system privileges. The flaw allows remote code execution and has been actively abused to drop backdoors on compromised systems. Security experts note this is part of a broader trend where advanced persistent threats (APTs) target IT management tools as stepping stones into corporate networks.
Open VSX Downplays Impact From GlassWorm Campaign
The team behind the Open VSX registry confirmed that the GlassWorm attacks targeting its VS Code extension marketplace have been fully contained. While the incident initially raised fears of a self-replicating worm, Open VSX clarified it was not traditional malware and that affected packages were swiftly removed. The event highlights the growing security pressures on open-source infrastructure providers serving developer communities.
LG Uplus Is Latest South Korean Telco to Confirm Cybersecurity Incident
South Korean telecom provider LG Uplus has reported a suspected data breach to the Korea Internet & Security Agency (KISA), making it the third major telco in the country to face such an incident in six months. The company did not disclose the scale or impact of the breach, but the pattern of repeated telecom intrusions points to a sustained campaign targeting critical communications infrastructure across South Korea.
Industrial Giants Schneider Electric and Emerson Named as Victims of Oracle Hack
Cybercriminals linked to the FIN11 threat group have claimed responsibility for data theft impacting Schneider Electric and Emerson. The breach, tied to vulnerabilities in Oracle E-Business Suite (EBS), resulted in stolen data being posted on the Cl0p ransomware leak site. The inclusion of two major industrial players in this campaign underscores the expanding reach of financially motivated groups into critical manufacturing and infrastructure sectors.
New "Brash" Exploit Crashes Chromium Browsers Instantly with a Single Malicious URL
A newly disclosed exploit, dubbed “Brash,” targets an architectural flaw in Chromium’s Blink rendering engine, allowing attackers to crash browsers like Chrome and Edge within seconds. Researcher Jose Pino revealed that the flaw stems from how certain DOM operations are handled, and while it doesn’t lead to remote code execution, its simplicity makes it ripe for use in denial-of-service or browser-crash campaigns.
Google's Built-In AI Defenses on Android Now Block 10 Billion Scam Messages a Month
Google announced new figures demonstrating the scale of its AI-powered defenses on Android, which now block more than 10 billion suspected scam calls and messages every month. The system uses on-device machine learning to identify and intercept spam before it reaches users, while over 100 million suspicious numbers have been banned from RCS messaging. The company says this marks a major milestone in leveraging AI to proactively defend against social engineering and phishing threats.