top of page

Cybersecurity Weekly Update: 24 November - 1 December 2025

  • Writer: SOC Team
    SOC Team
  • 1 day ago
  • 4 min read

Legacy & Open-Source Supply-Chain Risk: PyPI & npm Under Fire

Researchers discovered that a legacy build tool used in Python ecosystems (zc.buildout) carries flaws that enable domain-takeover risks — meaning attackers could take over domains tied to PyPI packages and inject malicious code. (The Hacker News)

Meanwhile, a second wave of supply-chain attacks hit the npm registry. Hundreds of npm packages were trojanized during pre-install phases — dubbed by security vendors as a “second Sha1-Hulud” campaign — impacting even popular packages used by major projects.


Why it matters: For organisations in finance, healthcare, education, defense — any reliance on open-source or community-maintained code (internal tools, custom applications, web services) now carries elevated risk. Even code that appears benign may be malicious at install time.


Action: Review dependencies across your codebases. Implement strict controls around package sources. Use dependency-scanning tools, lockfiles, and — where possible — signed or internal registries.


Malware Surge: npm Backdoors + New Android MaaS Threat

The previously mentioned npm campaign delivered a variant of the malware OtterCookie — used in supply-chain attacks to compromise build or runtime environments. (The Hacker News)

Additionally, a new Android malware distributed as a “Malware-as-a-Service” — Albiriox — was revealed, targeting over 400 apps (including banking, fintech, wallets, crypto exchanges). The bait: dropper apps distributed via social-engineering lures, and payloads delivered to compromise devices for on-device fraud and screen control.


Why it matters: For organisations operating in sectors like finance — especially mobile banking, fintech, or mobile-based payment systems — this increases the risk of fraud, credential theft, and device compromise. In regulated sectors (healthcare, defence) compromised endpoints can become breach entry points.


Action: For mobile-app ecosystems: enforce strict app vetting, restrict permissions, apply mobile-device management (MDM), and educate staff about social engineering lures. For development teams: audit build pipelines, remove suspicious dependencies, and ensure reproducible builds.


Backdoor on WSUS: Exploitation of Patch-Management Infrastructure via ShadowPad (CVE-2025-59287)

Security researchers reported that a recently patched deserialization flaw in Windows Server Update Services (WSUS) was exploited in the wild. Attackers used it to drop ShadowPad — a powerful modular backdoor (successor to PlugX) — by distributing it via legitimate-looking updates.


Why it matters: WSUS is widely used for patch management across enterprise environments. If attackers compromise WSUS, they gain a credible mechanism to deliver malware under the guise of legitimate updates — bypassing many security controls. For sectors with strict compliance or regulatory requirements (healthcare, financial services, defense), this is alarmingly potent.


Action: Immediately check your WSUS servers. Ensure they’re patched to versions beyond CVE-2025-59287. Audit recent update deliveries for anomalies, and verify that no unauthorised binaries were pushed. Consider isolating or heavily monitoring WSUS servers, or migrating to alternative update mechanisms.


Nation-State Espionage: APT31 — Cloud-Based, Persistent, Hard to Detect

APT31 has been linked to a stealthy, long-running campaign from 2022–2025 targeting IT firms in Russia, but using cloud services and social-media platforms for command-and-control — effectively blending malicious traffic with legitimate cloud traffic. Malware and tools used include “CloudyLoader,” backdoors, lateral-movement tools, and even use of cloud storage or services (e.g., OneDrive) for C2. (The Hacker News)


Why it matters: The techniques — using legitimate cloud services, mixed malware toolsets, long-term persistence — make detection far harder. For organisations operating in defence, aerospace, financial services, or working as government contractors — this shows how sophisticated APTs are evolving. Even cloud-native or hybrid environments are not safe by default.


Action: Review cloud-service usage, especially file-sharing, remote-access, or tunnelling via legitimate services. Increase logging and monitoring; detect unusual patterns (e.g., use of cloud storage for C2, unexpected lateral movement). Apply the principle of least privilege (PoLP), especially on accounts with privileged access.


Threat Actor Innovation: Tomiris Uses Public-Service Implants for Stealthy C2

On 1 Dec 2025, security researchers reported that Tomiris is deploying malware implants that use public services (e.g., Telegram, Discord) as command-and-control servers — rather than custom infrastructure — to evade detection. This increases the stealth and longevity of these threat campaigns. (The Hacker News)


Why it matters: Using legitimate, widely used public services for C2 severely complicates detection, since communications may look benign and blend with normal network traffic. For sensitive organisations (government, defence, critical infrastructure, institutions handling private data) — this is a major escalation in adversary tradecraft.


Action: Monitor outbound traffic for social-media or cloud-service usage from unexpected hosts or accounts; implement network segmentation; restrict use of unsanctioned apps for internal devices; and integrate threat-intel feeds to detect known malicious C2 patterns.


Key Recommendations

  1. Audit Open-Source Dependencies & Build Pipelines: especially for Python and npm ecosystems: patch or deprecate vulnerable libraries, consider private registries, enable dependency-scanning and supply-chain protections.

  2. Patch Identity, Update & Management Systems Immediately: Oracle Identity Manager and WSUS were exploited; ensure they are updated, isolated, and monitored.

  3. Harden Cloud & Endpoint Security: limit use of public cloud storage or social-app platforms for critical operations; enforce least privilege; enable robust logging and anomaly detection.

  4. Strengthen Mobile & Client-Side Security: control mobile app deployment, manage device permissions, use MDM, and train staff to recognise fraudulent apps or social engineering.

  5. Assume Advanced Adversaries Are Active: adopt a “zero trust” mindset: segment networks, restrict privileged access, monitor behaviors, and validate all software and updates — even those that appear legitimate.


bottom of page