
Weekly Cybersecurity Recap - 24 March 2025
This Week in Cybersecurity: Phishing, Ransomware, and a $32B Acquisition
Major Cyber Breaches, Malware & Industry Updates
Last week in cybersecurity, we saw everything from a stealthy supply chain malware operation targeting open-source ecosystems, to the takedown of a major cybercrime marketplace. On the enterprise front, Salesforce users were targeted through crafty phishing campaigns, and AT&T found itself in hot water - again - after another massive data leak. Meanwhile, industrial networks saw a spike in malware infections, pointing to broader risks in operational environments. Here's your full breakdown:
New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally
A supply chain attack has compromised over a dozen npm and PyPI packages linked to the GlueStack framework. The malware was injected via a modification in the "lib/commonjs/index.js" file, enabling threat actors to execute shell commands, capture screenshots, and upload files from infected machines. Aikido Security reports that these compromised packages see nearly one million downloads each week, amplifying the global risk.
New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users
A fresh campaign is targeting macOS users using the ClickFix tactic—malicious CAPTCHA prompts that trick users into downloading malware. The attacker distributes Atomic macOS Stealer (AMOS) through typosquatted domains impersonating U.S. telecom provider Spectrum. This method is particularly effective in duping Apple users who may assume they're visiting a trusted source.
Ramnit Malware Infections Spike in OT as Evidence Suggests ICS Shift
Honeywell’s 2025 Cybersecurity Threat Report shows a concerning rise in Ramnit and ransomware attacks in industrial sectors. While many incidents didn’t directly impact OT systems, over half of the security disclosures to the SEC this year involved OT-related disruptions, suggesting a shift toward targeting critical infrastructure.
Hackers abuse malicious version of Salesforce tool for data theft, extortion
Google’s Threat Intelligence Group reported that threat group UNC6040 has been using voice phishing to access Salesforce data from multinational organizations. Impersonating internal IT staff, the attackers tricked employees into revealing login credentials, enabling further theft and extortion. These efforts appear focused on English-speaking entities within large corporations.
AT&T Hit by Massive Reported Identity Data Leak - Again
AT&T is facing yet another major breach after hackers released data on 86 million users, including nearly 44 million decrypted Social Security numbers. Researchers say the stolen records contain detailed personal information such as addresses and dates of birth, making them highly valuable for identity theft operations. The data dump significantly increases risks for fraud and impersonation.
Lee Enterprises Says 40,000 Hit by Ransomware-Caused Data Breach
Lee Enterprises, a media company with publications across 25 states, confirmed this week that a ransomware attack in February led to a data breach. The attack encrypted critical systems and exfiltrated sensitive files. A total of nearly 40,000 individuals were affected, according to the company’s filing with the Maine Attorney General’s Office.
Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hard-Coded Credentials
Security researchers have discovered that several well-known Chrome extensions transmit sensitive data over unencrypted HTTP connections and embed hard-coded credentials within their code. The missing transport encryption allows attackers on the same network - especially in public Wi-Fi environments - to intercept or even alter the transmitted data, and the embedded API keys can be lifted by anyone who reads the extension's source. These weaknesses pose major privacy and integrity risks for users who unknowingly install these extensions.
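The two weaknesses named above (plaintext HTTP endpoints and hard-coded credentials in extension code) are simple to screen for before an extension is approved for a fleet. The following is an added example written for this recap, not code from the researchers or from any extension mentioned here; it runs a small static scan over a constructed sample of extension JavaScript and reports each plaintext `http://` URL and each credential-looking string literal. The sample source, the regexes and the `Finding` type are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Plaintext HTTP URL not preceded by a word character (so "https://" never matches).
HTTP_URL = re.compile(r'(?<![\w.])http://[^\s"\'`)]+')
# name = "literal" or name: "literal" where name looks like a secret and the literal is 8+ chars.
CRED_LITERAL = re.compile(
    r'\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*["\']([^"\']{8,})["\']',
    re.IGNORECASE,
)
# Local development endpoints are not a leak to the network; skip them.
LOCAL_PREFIXES = ("http://localhost", "http://127.0.0.1")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the scanned source
    kind: str      # "plaintext-http" or "hardcoded-credential"
    detail: str    # the URL, or the variable name with the literal redacted


def scan_extension_source(source: str) -> list[Finding]:
    """Return findings for plaintext HTTP endpoints and hard-coded credentials."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith("//"):
            continue  # ignore line comments; they do not ship data anywhere
        for m in HTTP_URL.finditer(line):
            url = m.group(0)
            if url.startswith(LOCAL_PREFIXES):
                continue
            findings.append(Finding(n, "plaintext-http", url))
        for m in CRED_LITERAL.finditer(line):
            name, literal = m.group(1), m.group(2)
            # Never echo the secret itself into a report; record only its shape.
            findings.append(
                Finding(n, "hardcoded-credential", f"{name}=<redacted {len(literal)}-char literal>")
            )
    return findings


# Constructed sample extension source (not a real extension).
SAMPLE_EXTENSION_JS = """\
// constructed sample, not a real extension
const API_KEY = "sk_live_0123456789abcdef";
const TELEMETRY = "http://telemetry.example.com/collect";
const SAFE = "https://api.example.com/v1";
fetch(TELEMETRY + "?k=" + API_KEY);
const dev = "http://localhost:8080/debug";
"""

if __name__ == "__main__":
    for f in scan_extension_source(SAMPLE_EXTENSION_JS):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run it over the unpacked extension directory (every `.js` file plus `manifest.json`) as a pre-approval gate; any `plaintext-http` hit pointing outside the local machine, or any `hardcoded-credential` hit, is grounds to block the extension until the vendor moves the endpoint to HTTPS and the secret to a server-side component.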
Carding Marketplace BidenCash Shut Down by Authorities
Law enforcement agencies have successfully taken down BidenCash, a carding site responsible for selling stolen credit card details and personal data since 2022. The site, which operated on 145 domains, had distributed over 3.3 million stolen cards as promotional content within months of launching. Authorities seized all related domains, marking a significant disruption in the cybercrime marketplace ecosystem.