
Weekly Cybersecurity Recap - 24 March 2025
This Week in Cybersecurity: Phishing, Ransomware, and a $32B Acquisition
Major Threat Campaigns, Exploits, Vulnerabilities and Industry Updates
This week’s cybersecurity landscape brought major supply chain attacks, critical zero-day exploits, AI vulnerabilities, and global policy shifts. From the compromise of popular npm packages used by millions of developers, to Samsung and SiteCore zero-days under active attack, to governments warning citizens about digital risks, the events highlight both the evolving sophistication of threat actors and the challenges of securing modern digital ecosystems.
20 Popular npm Packages With 2 Billion Weekly Downloads Compromised in Supply Chain Attack
A phishing attack against maintainer Josh Junon (aka Qix) led to the compromise of more than 20 npm packages downloaded nearly 2 billion times weekly. The attackers used an adversary-in-the-middle (AiTM) phishing site disguised as an npm support page to steal credentials and two-factor authentication tokens. These stolen credentials were then used to upload malicious versions of widely relied-upon packages, posing significant risk across the software ecosystem.
DELMIA Factory Software Vulnerability Exploited in Attacks
Threat actors are actively exploiting a critical vulnerability in Dassault Systèmes’ DELMIA Apriso factory software, according to a CISA alert. This manufacturing operations system is widely used across sectors including aerospace, automotive, defense, and high-tech industries. The flaw allows attackers to compromise systems managing sensitive industrial processes, potentially disrupting supply chains and production environments on a large scale.
The Quiet Revolution in Kubernetes Security
Despite Kubernetes being the backbone of modern cloud-native infrastructure, many organizations still run clusters on legacy operating systems like Ubuntu, CentOS, or RHEL. These OS dependencies introduce unnecessary complexity and vulnerabilities, contradicting the security advantages of ephemeral, container-native environments. Experts warn that without rethinking Kubernetes security from the ground up, organizations risk carrying over outdated assumptions into next-generation workloads.
Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks
Samsung issued its August security updates for Android, patching CVE-2025-21043, a critical out-of-bounds write vulnerability with a CVSS score of 8.8. The flaw was already being exploited in active zero-day attacks to achieve arbitrary code execution. This marks another reminder of the increasing focus attackers are placing on mobile ecosystems as targets for advanced exploits.
Cursor AI Code Editor Flaw Enables Silent Code Execution via Malicious Repositories
A newly disclosed weakness in Cursor, the AI-powered coding assistant, highlights risks in AI development tools themselves. If a user opens a maliciously crafted repository, the program can silently execute code with the same privileges as the user. Researchers note the root cause is a security setting that ships disabled by default, underscoring the dangers of insecure defaults in widely adopted AI-driven software.
HybridPetya Crypto-Locker Outsmarts UEFI Secure Boot
ESET researchers have uncovered HybridPetya, a copycat strain of the notorious Petya/NotPetya ransomware family. Unlike its predecessors, HybridPetya is designed to bypass UEFI Secure Boot protections. While it lacks the aggressive propagation mechanisms of NotPetya, which caused over $10 billion in global damages in 2017, its ability to defeat Secure Boot shows how ransomware operators continue to refine methods to disable foundational security features.
Researchers Warn VoidProxy Phishing Platform Can Bypass MFA
Okta Threat Intelligence has detailed VoidProxy, a phishing-as-a-service (PhaaS) platform designed to target Microsoft and Google accounts. The service uses adversary-in-the-middle techniques to bypass multifactor authentication, a control long considered one of the strongest defenses against account takeover. The growing sophistication of PhaaS offerings shows how industrialized and commoditized phishing campaigns have become.
UAE: Every Login, Online Post Can Be Traced by Hackers, Cyber Security Council Warns
The UAE’s Cybersecurity Council cautioned citizens that every digital footprint — logins, social media posts, or even sharing photos — can be tracked and potentially exploited by cybercriminals. The warning emphasized that careless digital behavior can expose individuals to identity theft, fraud, and long-term reputational damage, urging stronger vigilance in digital hygiene.
UAE’s K2 Think AI Jailbroken Through Its Own Transparency Features
Researchers have successfully jailbroken K2 Think, the UAE’s flagship AI system, by exploiting its transparency functions. Transparency, while often mandated by international regulations like the EU AI Act for explainability, paradoxically gave attackers insight into how the model processes information, enabling them to bypass safeguards. The case highlights the tension between regulatory transparency requirements and security-by-obscurity principles.