Good Morning Cyber Gang,
Mother’s Day weekend offered little rest for defenders. In today’s episode James Azar walks us through fresh evidence of Chinese-linked economic warfare against Japan, AI-supply-chain booby-traps, critical SAP exploits, and a record-shattering privacy settlement that will make every GC revisit their data map.
Below, each headline is unpacked in detail, followed by a practitioner action list to start your week on the front foot.
Japanese Brokerage Accounts Hijacked for $2 Billion in Trades
Japan’s Financial Services Agency (FSA) has raised the alarm after 27,446 fraudulent transactions across 5,000 brokerage accounts generated more than US $1 billion in both buy- and sell-orders during Q1. Investigators say attackers used stolen credentials, liquidated blue-chip holdings, then pumped thinly-traded Chinese and small-cap stocks to distort prices—an economic-warfare tactic reminiscent of Beijing’s pressure during tariff talks. The FSA scrubbed early references to China from its advisory, signalling a deeper diplomatic probe.
Malicious NPM Packages Target Cursor AI Users
Three still-live NPM packages—sw-cur, sw-cur1, and aiide-cur—promise cut-rate access to the fast-growing Cursor AI IDE. Once installed, they exfiltrate developer credentials, swap legitimate binaries with attacker code, and relaunch the IDE to grant persistent RCE. More than 3,200 developers downloaded the bundles before Socket researchers raised the red flag, illustrating how enthusiasm for AI tooling is being weaponised against software teams.
Chinese Threat Actors Exploit SAP NetWeaver Zero-Day
Forescout Vedere Labs links the ongoing exploitation of CVE-2025-31324—an unauthenticated file-upload flaw in SAP NetWeaver Visual Composer—to a group dubbed “Chaya.” At least 204 internet-facing servers remain unpatched worldwide. Telemetry shows attacks funnelling through Alibaba and Tencent cloud IPs while deploying Chinese-language reverse shells. SAP released an emergency patch on 24 April; defenders are urged to restrict access to the metadata uploader service or disable Visual Composer entirely until patched.
DOJ & Lumen Dismantle 20-Year-Old “5Socks” Proxy Botnet
A joint U.S.–Dutch–Thai operation seized domains and null-routed traffic for “Any Proxy” and “5Socks,” services that rented access to 7,000+ compromised hosts for as little as US$10/month. Indictments name four Russians and a Kazakh who allegedly earned US$46 million since the early 2000s. Only ~10 % of the malware samples triggered AV alerts, underscoring how low-profile proxy botnets can evade notice for decades.
iClicker Classroom Platform Hit by Click-Fix Malware Scam
Between 12 and 16 April, the iClicker website displayed a fake CAPTCHA that coaxed students and professors into pasting a clipboard PowerShell command. The payload varied by visitor type but granted attackers remote control over devices at universities such as Michigan and Florida. Although the malicious prompt is gone, incident responders still don’t know which malware strains were ultimately installed.
Toronto School Board Learns Ransomware Lesson—Twice
After quietly paying attackers in the December PowerSchool breach, the Toronto District School Board has now received an extortion letter threatening to leak the same data. James Azar blasted administrators for trusting criminals and warned that paying once almost guarantees repeat demands—a cautionary tale for every public-sector leader.
Poland Closes Russian Consulate over Mall Arson Plot
Polish PM Donald Tusk confirmed that last year’s blaze at Warsaw’s Marywilska shopping centre was ordered by Russian intelligence and executed via local criminal proxies. In retaliation, Poland will shut Russia’s Kraków consulate. The move highlights Moscow’s escalating use of hybrid sabotage, physical and cyber-enabled, against EU economies.
Texas Scores Record US$1.375 Billion Privacy Settlement with Google
Texas Attorney General Ken Paxton announced the largest single-state data-privacy payout ever, dwarfing the previous U.S. record of US$93 million. The suit alleged Google secretly harvested users’ location, search, voice and facial data despite “incognito” promises. The judgment follows Texas’ earlier US$1.4 billion win against Meta’s facial-recognition practices and will likely accelerate state-level privacy enforcement nationwide.
Ascension Health Partner Breach Exposes 437k Patients
HHS filings reveal that a third-party vendor linked to Ascension Health leaked names, SSNs, diagnoses and insurance details for 437,329 patients. The December incident aligns with Clop’s mass exploitation of the MOVEit file-transfer platform, reminding hospitals that vendor weak points can trigger HIPAA-scale fallout months later.
Practitioner Action List
Lock Down Brokerage & Trading Portals: Enforce phishing-resistant MFA and behavioural analytics to stop credential replay in wealth-management apps.
Purge Malicious NPMs: Block sw-cur* and aiide-cur packages; scan developer endpoints for replaced binaries and unusual outbound traffic.
Patch SAP NetWeaver Now: Apply CVE-2025-31324 fixes, isolate uploader services, and hunt for Chinese-language web shells.
Audit Proxy Traffic: Use fresh IOC feeds from the Any Proxy takedown to detect residual 5Socks beacons inside your estate.
Educate Students & Staff: Highlight click-fix tactics and disable clipboard pastes from untrusted domains in campus browsers.
Adopt a ‘No-Pay’ Ransom Stance: Build offline backups and legal/PR playbooks to resist repeat extortion attempts.
Monitor Hybrid Threats: Treat physical incidents (arson, bomb threats) as indicators of possible coordinated cyber campaigns.
Re-examine Data Mapping & Consent: The Texas–Google settlement raises the liability bar—verify location, biometric and voice data practices today.
Tighten Vendor Governance: Demand SOC 2 or HITRUST evidence from partners handling PHI and insist on patch-management SLAs.
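One way to act on the “Purge Malicious NPMs” item above is to sweep every package.json and package-lock.json in a repo tree for the package names from the Cursor story. This is an added example, not code from the podcast or from Socket; the blocklist patterns come from the action list, and the sample lockfile is constructed.

```python
"""Sweep npm manifests and lockfiles for blocklisted package names.
Added example; blocklist from the action list, sample lockfile constructed."""
import fnmatch
import json
from pathlib import Path

# "sw-cur*" covers sw-cur and sw-cur1 (and anything else with that prefix).
BLOCKLIST = ("sw-cur*", "aiide-cur")

def is_blocked(name: str) -> bool:
    return any(fnmatch.fnmatchcase(name, pat) for pat in BLOCKLIST)

def package_names(manifest: dict) -> set:
    """Collect dependency names from a package.json or package-lock.json."""
    names = set()
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(manifest.get(key, {}))
    # lockfile v2/v3: "packages" keys look like "node_modules/<name>",
    # nested as ".../node_modules/<parent>/node_modules/<name>"
    for path in manifest.get("packages", {}):
        if "node_modules/" in path:
            names.add(path.rsplit("node_modules/", 1)[1])
    return names

def find_blocked(manifest: dict) -> list:
    """Return the blocklisted names a single manifest pulls in, sorted."""
    return sorted(n for n in package_names(manifest) if is_blocked(n))

def scan_tree(root: Path) -> dict:
    """Map each manifest/lockfile under root to the blocked names it contains."""
    hits = {}
    for fn in ("package.json", "package-lock.json"):
        for p in root.rglob(fn):
            try:
                found = find_blocked(json.loads(p.read_text()))
            except (OSError, ValueError):
                continue  # unreadable or malformed file: skip, keep scanning
            if found:
                hits[str(p)] = found
    return hits

# Constructed sample: a v3 lockfile where sw-cur1 arrives transitively.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/sw-cur1": {"version": "1.0.0"},
    },
}
```

Run scan_tree(Path(".")) from a monorepo root to list every file that pulls in a blocked name, including transitive entries that a plain package.json review would miss.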
✅ Story Links:
https://therecord.media/hackers-hijack-japan-finance-accounts
https://www.securityweek.com/malicious-npm-packages-target-cursor-ais-macos-users/
https://www.securityweek.com/us-announces-botnet-takedown-charges-against-russian-administrators/
https://therecord.media/toronto-school-district-says-data-not-deleted-after-ransom
https://therecord.media/poland-shuts-russian-consolate-blames-kremlin-warsaw-fire
https://thecyberexpress.com/google-deal-on-data-privacy/
https://www.securityweek.com/437000-impacted-by-ascension-health-data-breach/
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.