CISO Talk by James Azar
CyberHub Podcast
China Trade Talks Raise Spy Concerns Among US Officials, Wealthsimple Supply Chain Attack Data Breach, SaaS Giant Workiva Discloses Data Breach, EU Fines Google $3.5 Billion for Anti-Competitive Ads

China Espionage in Trade Talks, Wealthsimple Breach, and EU Hits Google With $3.5B Fine, Supply Chain Attacks Surge, and Executive Accountability Takes Center Stage

Good Morning Security Gang!


Happy Monday, September 8th, 2025, and welcome to another episode of the CyberHub Podcast. The weekend may be over, but the cybersecurity news cycle didn’t take a break.

As we settle into the September routine with kids back in school and summer officially behind us, the cyber threat landscape continues to evolve at breakneck speed. Today's show is absolutely packed with critical developments that every security professional needs to understand, from sophisticated nation-state espionage campaigns to supply chain attacks that are reshaping how we think about third-party risk.

From China-linked espionage in U.S. trade talks to a supply chain breach at Wealthsimple, a massive fine for Google in Europe, and ongoing fallout from breaches hitting education and aviation, today’s lineup underscores how global politics, corporate accountability, and technical vulnerabilities intersect.

☕️ Double espresso in hand, let’s dig in.

🇨🇳 China Espionage During U.S. Trade Talks

During high-stakes trade negotiations, Chinese hackers impersonated a U.S. Congressman, emailing committee members about sanctions proposals. The emails, traced to APT41, included malware-laced attachments aimed at spying on U.S. legislative strategy.

"China actively wants to destroy the United States of America - that's part of their hundred year plan." James Azar

FBI and Capitol Police are investigating. This was a blatant attempt to gain leverage in tariff negotiations and part of Beijing’s long-term cyber strategy to undercut U.S. national security and trade policy.

💸 Wealthsimple Supply Chain Breach

Canadian fintech Wealthsimple disclosed a breach via a compromised third-party software package. Fewer than 1% of customers were affected, but stolen data included contact info, government IDs, SSNs, DOBs, IP addresses, and some financial account details. Wealthsimple contained the intrusion within hours, assured customers that no passwords or funds were stolen, and offered free credit monitoring.

🛠 Workiva Impacted by Salesforce/Drift Supply Chain Attack

Workiva, a SaaS provider serving 6,000+ clients (including 85% of the Fortune 500), confirmed attackers exploited the SalesLoft Drift/Salesforce supply chain compromise. Data accessed included names, emails, phone numbers, and support ticket content. High-profile customers like Google, T-Mobile, Hershey, and Mercedes-Benz were among those impacted. The attack was attributed to ShinyHunters, continuing the wave of Salesforce-related breaches.

✈ Qantas Executives Penalized for Breach

Australian airline Qantas reduced executive bonuses by 15% following its July cyberattack that exposed data from 5.7M customers. Information leaked included names, frequent flyer numbers, emails, DOBs, addresses, meal preferences, and genders. CEO Vanessa Hudson saw a $250,000 pay cut, with the board citing “shared accountability” for failing to prevent or mitigate the breach quickly.

⚖ Texas Sues PowerSchool Over Education Breach

The state of Texas sued PowerSchool, the cloud vendor breached in 2024 that exposed data from 62.4M students and 9.5M teachers. The lawsuit alleges deceptive trade practices, false claims about security standards, and failure to deploy MFA before the breach. Texas is pushing for fines and stronger oversight, underscoring accountability for vendors handling K–12 data.

🖼 Malware Hidden in SVG Files – VirusTotal Discovery

VirusTotal flagged a new malware campaign using SVG files to impersonate Colombia’s judiciary portal. The malicious graphics contained embedded JavaScript that displayed fake download portals, tricking victims into pulling password-protected malware archives. Traditional antivirus missed these, but VirusTotal’s AI-based Code Insight detected the behavior—showing the value of AI in spotting novel file-based threats.
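
For teams updating their own tooling for this file type, here is an added example (not VirusTotal's Code Insight and not code from the episode) of a static check that flags active content inside an SVG: script elements, event-handler attributes, script-scheme links and embedded HTML. The indicator names, the `scan_svg` function and both sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# URL schemes that make a link or image reference executable in a browser.
SCRIPT_SCHEMES = ("javascript:", "data:text/html", "vbscript:")

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(data):
    """Return a sorted list of active-content indicators found in SVG bytes."""
    # Untrusted XML: never let the parser expand attacker-defined entities.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["unparseable"]
    findings = set()
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            findings.add("script-element")
        elif tag == "foreignobject":          # carries arbitrary HTML
            findings.add("foreignobject-element")
        for attr, value in el.attrib.items():
            name = local(attr)
            # Browsers ignore tabs/newlines inside URLs, so drop them first.
            val = re.sub(r"\s+", "", value).lower()
            if name.startswith("on"):         # onload, onclick, ...
                findings.add("event-handler:" + name)
            elif name == "href" and val.startswith(SCRIPT_SCHEMES):
                findings.add("active-href:" + val.split(":")[0])
    return sorted(findings)

# Constructed samples: a plain graphic and one carrying inert placeholders.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="9" height="9"/></svg>'
SUSPICIOUS = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>/* placeholder, no payload */</script>
  <a xlink:href="java
script:void(0)"><text>Download</text></a>
  <foreignObject><div xmlns="http://www.w3.org/1999/xhtml">portal</div></foreignObject>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_svg(sample))
```

Any non-empty result is a reason to quarantine or sanitize the file before it reaches a mail client or browser; an image has no legitimate need for any of these constructs when delivered as an attachment.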

🧬 S1ngularity AI Supply Chain Attack Expands

The S1ngularity attack on NX NPM tokens has grown. Attackers published 8 malicious NX package versions that stole API keys, GitHub tokens, SSH keys, and crypto wallet data. They exfiltrated 20,000+ files from 225 users, made 6,700 private repos public, and weaponized AI assistants (Claude, Gemini) for reconnaissance. Wiz confirmed 2,300+ leaked secrets, including GitHub and AI API keys. This is one of the most advanced AI-driven supply chain breaches seen to date.

⚙ Argo CD Critical Flaw in Kubernetes GitOps

CVE-2025-7451, a flaw in Argo CD, allowed project-level API tokens to access repo credentials they shouldn’t. This could expose sensitive cloud repos in Kubernetes environments. A patch is available and must be applied immediately.

🇪🇺 EU Slaps Google with $3.5B Fine

The EU fined Google $3.5B for anticompetitive behavior in ad tech, alleging it favored its own services over competitors. Regulators ordered Google to end “self-preferencing” and adopt compliance measures.

"If there's a continent that enjoys destroying itself and destroying business in the process, it's nothing but our friends in the European Union." James Azar

Google called the ruling unjustified and pledged to appeal, warning it could harm European businesses relying on Google Ads.

🧠 James Azar’s CISO Take

What jumps out today is how supply chain risk dominates the headlines. From Wealthsimple’s software dependency to Workiva’s Salesforce breach and the S1ngularity NX compromise, we’re reminded that our vendors’ vendors can become our weakest link. These aren’t failures of Salesforce or Google—they’re failures in visibility, governance, and token security. If you don’t have a map of your supply chain dependencies, you’re flying blind.

Today's episode really highlights the sophisticated, multi-vector approach our adversaries are taking against both government and private sector targets. What frustrates me most is how the mainstream media, particularly the Wall Street Journal, continues to softball China's malicious activities by calling APT41 a "contractor" when we know damn well that nothing in China operates independently of state control. The Chinese aren't just trying to get a better trade deal - they're actively working to undermine our negotiating position through cyber espionage, and we need to call it what it is.

The accountability we're seeing from Qantas leadership gives me hope that boards are finally starting to understand that cyber incidents have real consequences that should be reflected in executive compensation. Meanwhile, the EU continues its destructive pattern of stifling innovation through punitive fines rather than fostering competition. The sophistication of supply chain attacks like the NX campaign shows us that our entire development ecosystem is under assault, and we need to fundamentally rethink how we validate and monitor the software we depend on. Every file type, every package, every third-party integration is now a potential attack vector, and our defenses need to evolve accordingly.

✅ Action Items

  • 🔐 Revoke & rotate tokens for Salesforce and all connected integrations.

  • 📊 Audit SaaS vendors for supply chain security maturity.

  • 🛡 Patch Argo CD (CVE-2025-7451) in Kubernetes clusters immediately.

  • 📈 Reassess breach accountability frameworks—consider executive incentives.

  • 📑 Implement MFA across all vendor platforms; verify enforcement.

  • 🖼 Update detection tools for SVG and other “trusted” file formats.

  • 🌐 Monitor AI-driven supply chain exploits; build resilience planning.
