Good Morning Security Gang
Just a few days away from Thanksgiving — my favorite holiday of the year. Before we dive in, a quick shoutout to my good friend Patrick Benoit for sending me an incredible bottle of double-barrel Amador bourbon. I’ll save it for the end of the day, not the start of this show — because, yes, it’s 5 o’clock somewhere, but not here!
Now, grab that espresso, hold your coffee cup high — coffee cup cheers, y’all!
Because today’s episode is packed. We’re covering Harvard’s alumni breach, Mazda’s Oracle denial, SitusAMC’s massive mortgage data leak, cyber warfare in Eastern Europe, Shai Hulud infecting NPM, and a major Iranian APT leak that’s shaking intelligence agencies. Let’s roll.
Harvard University Confirms Alumni Data Breach
Harvard University disclosed a data breach impacting its Alumni Affairs and Development (AA&D) systems. The incident exposed personal information belonging to alumni, donors, students, and staff, including contact details and internal communications. Initial investigations point to a vishing (voice phishing) campaign used to compromise employee credentials.
This isn’t Harvard’s first data security issue — it follows similar attacks on UPenn and Princeton, suggesting threat actors are systematically targeting Ivy League alumni networks. Why? Because alumni and donor databases are a goldmine of high-net-worth targets for financial fraud, investment scams, and social engineering.
“For universities like Harvard, your alumni database isn’t a list — it’s a vault of financial targets.” James Azar
If you’re a Harvard alum or donor, be on the lookout for fake invoices or donation requests tied to university events. Universities must start treating alumni data as critical financial infrastructure, not just marketing lists. For an institution that prides itself on elite education, Harvard has a major lesson to learn in cyber hygiene.
Mazda Denies Oracle EBS Breach Listed by Clop Ransomware Gang
Mazda North America has confirmed it was listed among victims of the Clop ransomware Oracle EBS campaign, but the company claims no data was leaked and that operations were unaffected.
The hackers listed Mazda alongside other Oracle E-Business Suite victims, but investigations led by Mazda’s new CISO, Ray Griffith, indicate the claims were exaggerated or fabricated. As a publicly traded company, Mazda has a duty to disclose material incidents truthfully, and a false statement would carry serious regulatory penalties.
That said, Clop’s inclusion of Mazda may mean some level of access was achieved, even if limited; a listing on a leak site is a claim, not proof of exfiltration. It’s common for threat groups to inflate their success for credibility or to pressure victims into negotiations. Mazda’s response reflects strong internal governance and transparency, a model other firms should emulate when dealing with extortion claims.
SitusAMC Leak Exposes 18 Million Property Records
SitusAMC, a real estate and financial services vendor, confirmed a major data breach exposing mortgage-related documents tied to Citibank, JPMorgan Chase, and Morgan Stanley. The breach reportedly impacts millions of sensitive loan files, including contracts, appraisals, and identity verification records.
This isn’t just a tech issue — it’s an economic risk event. Mortgage documents contain signatures, SSNs, tax IDs, and banking information. Threat actors can weaponize this data for mortgage fraud, equity theft, and loan manipulation. With housing markets cooling, expect attackers to exploit these leaks to drain equity from unsuspecting homeowners.
Financial institutions must now revalidate workflows and tighten document chain-of-custody controls to prevent fraudulent loans from slipping through. This breach could ripple across the U.S. economy if not addressed quickly — it’s a direct hit on middle-class wealth.
Russia’s Cyber Systems Targeted in Ukraine Counterattack
The Ukrainian Cyber Alliance launched a counteroffensive against Russia’s national postal service operations in occupied regions of Donetsk and Luhansk. The campaign wiped over 1,000 workstations and 100 virtual machines, destroying terabytes of operational data using wiper malware.
The attack demonstrates how cyber warfare continues to play out as a battlefield extension of kinetic operations. Rather than ransomware or DDoS, this campaign’s intent was clear: destruction and disruption of Russian legitimacy in occupied Ukrainian territories.
While Russia’s state media has downplayed the incident, these repeated hits to critical systems show Ukraine’s offensive cyber capability is maturing rapidly — and cyber remains central to modern warfare.
Shai Hulud Infects 500+ NPM Packages
A self-replicating malware campaign known as Shai Hulud has infected over 500 NPM packages, and some reports suggest that number could be as high as 2,500. The worm hijacks legitimate packages, including ones published by Zapier, ENS Domains, and Postman, pushes trojanized versions to the registry, and exfiltrates secrets from developer environments to GitHub.
Once it runs on a developer or CI machine, it harvests npm and GitHub Personal Access Tokens (PATs), cloud credentials, and other build secrets, then uses the stolen npm tokens to publish trojanized versions of every other package that maintainer controls, which is what makes it self-replicating. Researchers from Wiz, Aikido, HelixGuard, and StepSecurity confirm this is a self-propagating supply chain attack, an alarming escalation in automated malware targeting the software ecosystem.
Developers should immediately:
Rotate all npm and GitHub tokens, cloud credentials, and SSH keys that were present on any machine that installed packages during the window.
Use private registries, exact version pinning, and install with lifecycle scripts disabled (ignore-scripts=true) so a malicious postinstall cannot run.
Quarantine low-reputation publishers in build environments.
GitHub and NPM are still scrubbing infected packages, but this may take several days — so defense teams must act locally to secure CI/CD environments.
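The quarantine-and-pin advice above is easiest to act on with a script that reads the lockfile directly. The following is an added example, not code from the original post or from any of the researchers named; the sample lockfile, the package names and the denylist are constructed placeholders, not real Shai Hulud indicators, and should be swapped for your own advisory feed. It flags installed versions on a denylist (including nested copies a top-level check would miss), packages that run install-time scripts, and direct dependencies that are not pinned to an exact version.

```python
"""Audit an npm lockfile for known-bad versions, install-time scripts and
unpinned dependencies. Added example; not code from the original page."""
import json
import re

# Constructed sample package-lock.json (lockfileVersion 3 layout). The
# package names, versions and the denylist below are placeholders, NOT real
# Shai Hulud indicators; replace them with your advisory feed.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-widget": "^1.2.0",
                              "json-tools": "2.0.1",
                              "build-helper": "~3.1.0"}},
        "node_modules/left-widget": {"version": "1.2.5"},
        "node_modules/json-tools": {"version": "2.0.1"},
        "node_modules/build-helper": {"version": "3.1.4",
                                      "hasInstallScript": True},
        # nested copy pulled in by build-helper
        "node_modules/build-helper/node_modules/json-tools": {"version": "1.9.0"},
    },
})

# Hypothetical advisory feed: package name -> compromised versions.
DENYLIST = {"left-widget": {"1.2.5"}, "json-tools": {"1.9.0"}}

# An exact semver (no ^, ~, ranges, "latest" or "*").
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def installed_packages(lock_text):
    """Yield (name, version, has_install_script) for every installed package.
    A key like 'node_modules/a/node_modules/b' is the nested package 'b';
    scoped packages keep their '@scope/' prefix."""
    lock = json.loads(lock_text)
    for path, meta in lock.get("packages", {}).items():
        if not path:          # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta.get("version", ""), bool(meta.get("hasInstallScript"))


def find_compromised(lock_text, denylist):
    """Installed (name, version) pairs that appear in the denylist, including
    nested copies that a top-level check would miss."""
    return sorted((n, v) for n, v, _ in installed_packages(lock_text)
                  if v in denylist.get(n, set()))


def find_install_scripts(lock_text):
    """Packages that run lifecycle scripts during install, the execution
    vector a self-replicating package needs; review each one or install with
    ignore-scripts=true."""
    return sorted(n for n, _, has_script in installed_packages(lock_text)
                  if has_script)


def find_unpinned(lock_text):
    """Direct dependencies whose spec is a range rather than an exact version,
    so a later malicious publish would be picked up by a fresh install."""
    lock = json.loads(lock_text)
    root_deps = lock.get("packages", {}).get("", {}).get("dependencies", {})
    return sorted(n for n, spec in root_deps.items()
                  if not EXACT_VERSION.match(spec))


if __name__ == "__main__":
    print("compromised:", find_compromised(SAMPLE_LOCK, DENYLIST))
    print("install scripts:", find_install_scripts(SAMPLE_LOCK))
    print("unpinned:", find_unpinned(SAMPLE_LOCK))
```

To run it against a real project, pass the contents of package-lock.json in place of SAMPLE_LOCK. Pair it with an .npmrc containing ignore-scripts=true and save-exact=true, and install with npm ci so the lockfile, not the registry’s latest tag, decides what lands on the machine.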
WordPress W3 Total Cache Exploit Released
A proof-of-concept (PoC) exploit has been released for a critical unauthenticated command injection flaw (CVE-2025-9501) in W3 Total Cache, one of the most widely used WordPress plugins. The bug lets an unauthenticated remote attacker execute commands on the web server, which in practice means a full site takeover.
With more than 1 million active installations, this poses an immediate risk of mass exploitation for both data theft and SEO poisoning. Site owners should update to 2.8.13 or later (or disable W3 Total Cache until they can), deploy WAF rules against known payloads, and inspect logs for suspicious administrative actions such as new admin users or edits to plugin and theme files.
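Two checks a site operator would want after a story like this: which of their WordPress installs still carry a vulnerable plugin version, and whether the access logs show anyone creating users or writing code through wp-admin. This is an added example, not code from the original post or from the plugin; the plugin-header excerpts and the log lines are constructed, the fixed version is taken from the advisory, and the list of sensitive admin endpoints is a starting point to extend, not an exhaustive one.

```python
"""Check installed W3 Total Cache versions against the fixed release and
scan web-server logs for administrative actions worth reviewing.
Added example; not code from the original page or from the plugin."""
import re

FIXED_VERSION = "2.8.13"   # first W3 Total Cache release carrying the fix

# Constructed excerpts of the plugin header that lives at
# wp-content/plugins/w3-total-cache/w3-total-cache.php, keyed by site root.
SAMPLE_HEADERS = {
    "/var/www/site-a": "<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: 2.8.12\n */\n",
    "/var/www/site-b": "<?php\n/**\n * Plugin Name: W3 Total Cache\n * Version: 2.8.13\n */\n",
}

# Constructed combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Nov/2025:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2025:03:12:09 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2025:03:13:44 +0000] "POST /wp-admin/plugin-editor.php?file=x.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Nov/2025:09:00:12 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# wp-admin endpoints where a POST creates users or writes code to disk.
SENSITIVE_ADMIN = {
    "/wp-admin/user-new.php", "/wp-admin/plugin-editor.php",
    "/wp-admin/theme-editor.php", "/wp-admin/plugin-install.php",
    "/wp-admin/update.php",
}


def plugin_version(header_text):
    """Version string from a WordPress plugin header, or None."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(v):
    """'2.8.12' -> (2, 8, 12); non-numeric parts (e.g. '-beta') compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    return version_tuple(installed) < version_tuple(fixed)


def vulnerable_sites(headers):
    """Site roots whose W3 Total Cache is older than the fixed release."""
    return sorted(root for root, text in headers.items()
                  if (v := plugin_version(text)) and is_vulnerable(v))


def find_admin_changes(log_text):
    """(ip, timestamp, path) for POSTs to user- or code-modifying admin pages."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] in SENSITIVE_ADMIN:
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_sites(SAMPLE_HEADERS))
    for hit in find_admin_changes(SAMPLE_LOG):
        print("review:", hit)
```

On a real host, build the headers dict by reading each site’s w3-total-cache.php and feed the web server’s access log to find_admin_changes; a POST to user-new.php from an address that never logged in before is the kind of event that deserves a look regardless of which plugin was abused.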
WhatsApp Campaign Spreads Banking Trojans
Cybercriminals are leveraging WhatsApp message links in Brazil to deliver banking Trojans and credential-stealing malware. The campaign targets Android users via social engineering, pushing fake update prompts and links disguised as financial notifications.
This campaign mirrors a pattern seen in Latin America for years — starting in Brazil before spreading globally. The risk is amplified by BYOD and contractor devices connected to corporate networks, creating a new ingress point for lateral attacks.
Security teams should treat personal messaging apps as potential data exfiltration channels and enforce containerized mobile device management (MDM) for any employee devices accessing sensitive systems.
WhatsApp API Exploit Exposes 3.5 Billion Accounts
A separate issue involving WhatsApp’s contact discovery endpoint revealed that up to 3.5 billion phone numbers could be enumerated via scraping. This vulnerability, now patched, exposed metadata like status, last seen, and profile photos — data that can be weaponized for phishing, doxing, or corporate targeting.
Researchers disclosed that weak rate limiting and session tokens made the exploitation feasible. Even after Meta patched the flaw, many users’ data may already have been collected. In regions where WhatsApp is used for business, these lists can act as informal employee directories for spear phishing.
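The enumeration works because a contact-discovery endpoint will happily answer “is this number registered?” for any list you send it, so batch size and per-session quota decide how many numbers an attacker can sweep per hour. The toy service below is an added example, hypothetical and not WhatsApp’s code or its real limits; it contrasts a permissive policy with a strict one against the same scraper loop, using a constructed directory of 10,000 numbers.

```python
"""Toy contact-discovery endpoint showing why batch size and per-session
quotas decide how fast a phone-number directory can be enumerated.
Added example; hypothetical, not WhatsApp's code or its real limits."""
from collections import deque


class RateLimited(Exception):
    pass


class ContactDiscovery:
    """Answers 'is this number registered?' for batches of numbers, enforcing
    a maximum batch size and a sliding-window quota per session."""

    def __init__(self, registered, max_batch, max_per_window, window_s):
        self.registered = registered        # set of registered numbers
        self.max_batch = max_batch
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.history = {}                   # session -> deque[(t, count)]

    def lookup(self, session, numbers, now):
        if len(numbers) > self.max_batch:
            raise RateLimited("batch too large")
        q = self.history.setdefault(session, deque())
        while q and now - q[0][0] >= self.window_s:   # drop expired entries
            q.popleft()
        used = sum(c for _, c in q)
        if used + len(numbers) > self.max_per_window:
            raise RateLimited("quota exceeded")
        q.append((now, len(numbers)))
        return {n: n in self.registered for n in numbers}


def simulate_scraper(service, session, candidates, requests, batch, t0=0.0):
    """Hammer the endpoint with `requests` batches 10 ms apart and report
    (numbers checked, registered numbers learned, requests rejected)."""
    learned, checked, rejected = set(), 0, 0
    for i in range(requests):
        chunk = candidates[i * batch:(i + 1) * batch]
        if not chunk:
            break
        try:
            result = service.lookup(session, chunk, t0 + i * 0.01)
        except RateLimited:
            rejected += 1
            continue
        checked += len(chunk)
        learned |= {n for n, ok in result.items() if ok}
    return checked, len(learned), rejected


# Constructed directory: 10,000 candidate numbers, every tenth one registered.
CANDIDATES = [f"+1555{i:07d}" for i in range(10_000)]
REGISTERED = set(CANDIDATES[::10])

# Weak policy: huge batches, effectively no quota (what bulk scraping relies on).
WEAK = ContactDiscovery(REGISTERED, max_batch=5_000, max_per_window=10**9, window_s=3600)
# Strict policy: small batches and 1,000 lookups per session per hour.
STRICT = ContactDiscovery(REGISTERED, max_batch=100, max_per_window=1_000, window_s=3600)


def compare_policies():
    """Run the same scraper against both policies; returns (weak, strict)."""
    weak = simulate_scraper(WEAK, "s1", CANDIDATES, requests=2, batch=5_000)
    strict = simulate_scraper(STRICT, "s1", CANDIDATES, requests=100, batch=100)
    return weak, strict


if __name__ == "__main__":
    print("weak (checked, learned, rejected):", compare_policies()[0])
    print("strict (checked, learned, rejected):", compare_policies()[1])
```

Under the weak policy two requests sweep the whole directory; under the strict one the scraper learns 100 numbers and then hits the wall 90 times. A per-session quota alone is not enough, since an attacker can mint many sessions, so a real deployment would also key the quota on the device or registered phone number and alert on accounts whose lookups far exceed any plausible address book.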
Charming Kitten (APT35) Operations Exposed in Major Leak
Documents leaked from Charming Kitten (APT35), an Iranian Revolutionary Guard Corps-aligned threat group, have revealed their entire organizational structure, training materials, and attack pipelines.
The leak exposed internal playbooks, Exchange credential harvesting methods, and junior operator onboarding manuals, giving defenders rare visibility into how the group trains new recruits. Targets included energy and telecom firms in Turkey, Saudi Arabia, South Korea, and Lebanon.
For defenders, this is a treasure trove — the documents show their dependency on Exchange and Gmail credential phishing, as well as misuse of Telegram and Discord for internal communication. Security teams should block consumer chat apps, enable AMSI logging and PowerShell transcription, and monitor for suspicious OAuth grants or mailbox searches.
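Of the detections listed above, the two that live in Microsoft 365 audit data are the ones most teams have not wired up: a consent grant that hands an unsanctioned app read or write access to mail, and a burst of mailbox reads or searches from an address the user has never used. The following is an added example, not code from the original post or from any vendor; the records are constructed and their fields (a flat Scopes list, AppDisplayName) are a simplified stand-in for the Unified Audit Log schema, the allowlist and IP baseline are hypothetical, and the thresholds are starting points to tune.

```python
"""Two detections over Microsoft 365 audit records: risky OAuth consents to
mail scopes, and mailbox search/access bursts from an IP outside a user's
baseline. Added example; the records are constructed and their fields are a
simplified stand-in for the Unified Audit Log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Scopes that let an app read, move or send a user's mail.
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
               "MailboxSettings.ReadWrite", "full_access_as_user"}
# Hypothetical allowlist of sanctioned apps that may hold mail scopes.
ALLOWED_APPS = {"Corporate Mail Archiver"}
MAILBOX_OPS = {"MailItemsAccessed", "SearchQueryInitiatedExchange"}
# Hypothetical baseline of addresses each user normally works from.
KNOWN_IPS = {"alice@corp.example": {"10.0.0.5"}}


def build_sample_events():
    """Constructed records: one sanctioned consent, one unsanctioned consent
    requesting mail scopes, a few normal mailbox reads from the user's
    office IP, and a burst of 25 reads/searches from an unfamiliar address."""
    t0 = datetime(2025, 11, 24, 2, 0, 0)
    ev = [
        {"Operation": "Consent to application.", "UserId": "alice@corp.example",
         "AppDisplayName": "Corporate Mail Archiver", "Scopes": ["Mail.Read"],
         "ClientIP": "10.0.0.5", "CreationTime": t0.isoformat()},
        {"Operation": "Consent to application.", "UserId": "alice@corp.example",
         "AppDisplayName": "Mail Sync Helper",
         "Scopes": ["Mail.ReadWrite", "offline_access"],
         "ClientIP": "203.0.113.9",
         "CreationTime": (t0 + timedelta(minutes=1)).isoformat()},
    ]
    for i in range(5):
        ev.append({"Operation": "MailItemsAccessed", "UserId": "alice@corp.example",
                   "ClientIP": "10.0.0.5",
                   "CreationTime": (t0 + timedelta(hours=6, minutes=i)).isoformat()})
    for i in range(25):
        ev.append({"Operation": "SearchQueryInitiatedExchange" if i % 2 else "MailItemsAccessed",
                   "UserId": "alice@corp.example", "ClientIP": "203.0.113.9",
                   "CreationTime": (t0 + timedelta(minutes=2, seconds=20 * i)).isoformat()})
    return ev


def risky_consents(events, allowed=ALLOWED_APPS):
    """(user, app, mail scopes) for consents to apps not on the allowlist."""
    out = []
    for e in events:
        if e["Operation"] != "Consent to application.":
            continue
        mail = set(e.get("Scopes", [])) & MAIL_SCOPES
        if mail and e["AppDisplayName"] not in allowed:
            out.append((e["UserId"], e["AppDisplayName"], sorted(mail)))
    return out


def mailbox_bursts(events, known_ips, threshold=20, window=timedelta(minutes=10)):
    """(user, ip) pairs with at least `threshold` mailbox operations inside
    `window` from an IP not in that user's baseline (sliding window)."""
    times = defaultdict(list)
    for e in events:
        if e["Operation"] in MAILBOX_OPS and e["ClientIP"] not in known_ips.get(e["UserId"], set()):
            times[(e["UserId"], e["ClientIP"])].append(datetime.fromisoformat(e["CreationTime"]))
    alerts = []
    for key, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


if __name__ == "__main__":
    events = build_sample_events()
    print("risky consents:", risky_consents(events))
    print("mailbox bursts:", mailbox_bursts(events, KNOWN_IPS))
```

In production the records come from Search-UnifiedAuditLog or the Office 365 Management Activity API, and a real consent event carries its permissions inside ModifiedProperties rather than a flat Scopes list, so the field access needs adjusting; the logic of the two rules is the part worth keeping.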
UK Pushes for Software Vendor Liability
A parliamentary report in the U.K. has proposed new measures that would hold software vendors legally liable for insecure code, calling it a matter of national and economic security.
“The line between cyber risk and economic risk is gone — one vendor breach can shake entire markets.” James Azar
The move follows the Jaguar Land Rover cyber incident and reflects a growing political appetite for regulation. Future procurement contracts may require secure-by-default software, mandatory SBOMs, and vulnerability remediation SLAs.
While well-intentioned, such legislation could burden developers and slow innovation. The better solution? Building security warranties and coordinated disclosure frameworks into contracts rather than punitive regulation.
Action List
🧠 Audit alumni or donor databases for access controls and MFA enforcement.
🚗 Patch Oracle EBS systems and rotate integration credentials.
🏦 Revalidate mortgage workflows for compromised SitusAMC data.
🧱 Quarantine compromised NPM dependencies and rotate developer tokens.
💬 Treat WhatsApp and similar messaging apps as unmanaged risk vectors.
🧩 Patch W3 Total Cache and inspect site admin logs.
🕵️‍♂️ Harden SaaS apps with OAuth monitoring and user behavior analytics.
🧰 Apply secure-by-default principles in procurement and vendor SLAs.
James Azar’s CISO’s Take
Today’s stories show how cybersecurity now sits at the crossroads of economy, politics, and technology. From Harvard’s alumni breach to mortgage data leaks and vendor failures, the weakest link isn’t always a firewall — it’s the third party you trust most. The interconnectedness of supply chains, SaaS integrations, and cloud ecosystems means your exposure is never just your own.
My takeaway? The era of isolated breaches is over. Every compromise now echoes across sectors — from real estate and academia to national defense. CISOs must stop thinking like defenders and start operating like risk managers, where trust is conditional, access is temporary, and resilience is continuous.
Stay vigilant, stay caffeinated, and as always — stay cyber safe.