Good Morning Security Gang
Today’s show feels like a snapshot of modern cyber warfare. From China’s stealthy supply chain attacks to Russia’s renewed aggression through APT28 zero-days and a fresh round of destructive wiper malware, the chessboard of global cyber power has never been more active.
We’re covering the Notepad++ supply chain breach tied to China, Panera Bread’s expanded 5.1 million account breach, new data wipers in the wild, developer package poisoning campaigns, APT28’s zero-day exploitation spree, and coordinated Russian cyberattacks against Denmark. I’ll also break down ShinyHunters’ SSO abuse playbook and the FCC’s new ransomware warning to U.S. telecoms, all of it shaping the battlefront between Russia, China, and the United States.
Grab your coffee — mine’s a double espresso in a handmade mug from California — and let’s get into it. ☕
China’s Notepad++ Supply Chain Hack Exposes Global Users
Investigators confirmed a China-linked supply chain attack on Notepad++, where threat actors compromised the hosting provider that distributes software updates. The attackers injected a trojanized update into the distribution pipeline — effectively turning a trusted tool into a credential-harvesting Trojan horse.
This wasn’t a noisy crypto-mining op — it was quiet persistence, designed for long-term espionage and credential theft. As I said on the show:
“This is SolarWinds, but normalized — SolarWinds isn’t rare anymore; it’s the playbook.”
Mitigation here means verifying every third-party update via internal code-signing and SBOM validation before release. Even with sandboxing, this one could have slipped through. The Notepad++ team has since migrated to a new hosting provider.
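The SBOM validation step above is easy to state and easy to skip. The following is an added example (not the show’s code and not anything from the Notepad++ project) showing what "verify every third-party update against its SBOM before release" looks like in practice: the vendor’s build produces a minimal CycloneDX-style SBOM with a SHA-256 per file, and the receiving side refuses an update when any file’s hash differs, any listed file is missing, or any file shows up that the SBOM never listed, which is exactly what an injected payload in the distribution pipeline looks like. The artifact names and bytes are constructed placeholders; signature verification of the SBOM itself is assumed to happen in a separate step before this check runs.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts: Dict[str, bytes]) -> dict:
    """Produce a minimal CycloneDX-style SBOM: one 'file' component per artifact
    with its SHA-256. In a real pipeline the vendor's build system emits this and
    signs it; checking that signature is assumed to happen before verify_update."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {
                "type": "file",
                "name": name,
                "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
            }
            for name, data in sorted(artifacts.items())
        ],
    }


def verify_update(sbom: dict, downloaded: Dict[str, bytes]) -> List[str]:
    """Compare a fetched update against the SBOM. Returns findings; an empty
    list means every file matches and nothing is extra or missing."""
    expected: Dict[str, str] = {}
    for comp in sbom.get("components", []):
        for h in comp.get("hashes", []):
            if h.get("alg") == "SHA-256":
                expected[comp["name"]] = h["content"].lower()

    findings: List[str] = []
    for name, data in downloaded.items():
        if name not in expected:
            # A file the vendor never listed: what an injected payload looks like.
            findings.append(f"UNLISTED: {name} not present in SBOM")
            continue
        actual = sha256_hex(data)
        if actual != expected[name]:
            findings.append(
                f"MISMATCH: {name} sha256 {actual[:12]}... != SBOM {expected[name][:12]}..."
            )
    for name in expected:
        if name not in downloaded:
            findings.append(f"MISSING: {name} listed in SBOM but absent from download")
    return findings


# Constructed artifacts standing in for a real release; the bytes are placeholders.
GOOD_RELEASE = {
    "app.exe": b"constructed good application bytes",
    "updater.exe": b"constructed good updater bytes",
}
SBOM = build_sbom(GOOD_RELEASE)

# Constructed 'poisoned' download: the updater was swapped and an extra DLL appeared.
TAMPERED_RELEASE = dict(GOOD_RELEASE)
TAMPERED_RELEASE["updater.exe"] = b"constructed trojanized updater bytes"
TAMPERED_RELEASE["dropper.dll"] = b"constructed extra payload"

if __name__ == "__main__":
    print("clean release:", verify_update(SBOM, GOOD_RELEASE) or "OK")
    for finding in verify_update(SBOM, TAMPERED_RELEASE):
        print("tampered release:", finding)
```

The check is deliberately strict in both directions: a hash mismatch catches a replaced file, and the UNLISTED branch catches a file that was added alongside otherwise untouched binaries, which sandboxing alone can miss when the dropped component stays dormant during analysis.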
NationStates Game Breach Shuts Down Platform
The NationStates multiplayer political simulation game was forced offline after a user exploited a remote code execution vulnerability and accessed both application code and user data. While it sounds minor, the real risk is in credential reuse — many employees use personal emails or identical passwords across corporate systems.
Mitigate by forcing SSO session refreshes, rotating reused credentials, and monitoring for new ASN logins on high-risk corporate apps. This kind of exposure fuels targeted social engineering and SaaS credential stuffing.
Panera Bread Confirms 5.1 Million Accounts Exposed
After weeks of speculation, Panera Bread expanded its data breach disclosure to 5.1 million customers, not 14 million as initially feared. Exposed data includes names, contact information, loyalty card details, and purchase histories — all of which can be used in phishing and brand impersonation attacks.
“Even executives order Panera — this breach hits inboxes we can’t afford to ignore.”
My recommendation: add Panera lookalike domain detection to your email filters and quarantine emails combining brand keywords with payment or credential requests. Expect ShinyHunters, who claimed responsibility, to exploit this data for targeted phishing.
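To make the lookalike-domain recommendation concrete, here is an added example (not from the show) of the two-part filter rule described above: score the sender’s domain for similarity to the brand domain after undoing common character substitutions, then quarantine only when a lookalike sender is combined with a credential or payment request, and merely flag a lookalike without one. The brand domain, the homoglyph table, the keyword list and the sample messages are all assumptions or constructed inputs, not data from the breach.

```python
import re

BRAND_DOMAIN = "panerabread.com"   # assumed legitimate domain for the brand
BRAND_KEYWORD = "panera"

# Common character substitutions seen in lookalike registrations (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Phrases that, together with a lookalike sender, warrant quarantine rather than a flag.
RISKY_REQUEST = re.compile(
    r"\b(password|verify your account|update (your )?payment|gift card|credit card|log ?in|reset)\b",
    re.IGNORECASE,
)


def normalize(label: str) -> str:
    """Lower-case a domain label and undo the substitutions in HOMOGLYPHS."""
    s = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough inputs that the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str, max_dist: int = 2) -> bool:
    d = sender_domain.lower().rstrip(".")
    if d == BRAND_DOMAIN or d.endswith("." + BRAND_DOMAIN):
        return False                      # the real domain or one of its subdomains
    parts = d.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # registrable label, TLD dropped
    norm = normalize(label)
    if BRAND_KEYWORD in norm:
        return True                       # e.g. panera-rewards.net, pan3rabread.com
    return levenshtein(norm, BRAND_DOMAIN.split(".")[0]) <= max_dist


def classify(sender: str, subject: str, body: str) -> str:
    """Return the filter verdict: 'quarantine', 'flag' or 'deliver'."""
    domain = sender.rsplit("@", 1)[-1]
    lookalike = is_lookalike(domain)
    risky = RISKY_REQUEST.search(subject + " " + body) is not None
    if lookalike and risky:
        return "quarantine"
    if lookalike:
        return "flag"
    return "deliver"


# Constructed sample messages (sender, subject, body); none are real emails.
SAMPLE_MAIL = [
    ("rewards@panerabread.com", "This week's menu", "New soups are here."),
    ("security@pan3rabread-rewards.com", "Verify your account",
     "Your loyalty points expire today; verify your account now."),
    ("promo@pamerabread.com", "New bagels", "Stop by for a fresh bagel."),
    ("helpdesk@example.com", "Password reset", "Your password reset link is inside."),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLE_MAIL:
        print(f"{classify(sender, subject, body):10s} {sender}  ({subject})")
```

Two caveats for production use: `parts[-2]` picks the wrong label under multi-part public suffixes such as `co.uk`, so use a public suffix list there, and the keyword list should come from your existing phishing rules rather than this constructed one.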
New Data Wiper Malware Detected in the Wild
A new wiper family has surfaced, erasing event logs, corrupting file systems, and overwriting key boot sectors. Unlike ransomware, this isn’t about money; it’s destruction disguised as extortion.
As I’ve said since 2023:
“Wipers are the next frontier — economic warfare in digital form.”
Defend by maintaining offline immutable backups and rehearsing full restoration drills — not just for databases, but directory and license servers as well.
Developer Ecosystem Poisoned by 341 Malicious Packages
Security researchers uncovered 341 tainted packages across npm and PyPI, seeded with stealers and post-install beacons. These malicious uploads rely on typosquatting to trap developers installing from public repos.
Mitigation:
Mirror all third-party libraries in internal proxies.
Block direct public installs on corporate devices.
Enforce version pinning for critical builds.
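The three mitigations above can be enforced at build time with a small audit of the dependency manifest. This added example (not from the show, and not a real registry’s data) checks a Python `requirements.txt` for all three at once: a reference to a public index that bypasses the internal mirror, a package that is not on the mirrored allowlist but sits one typo away from one that is, and any entry without an exact `==` pin. The allowlist, the internal index URL and the sample requirements are constructed; the name normalization follows PEP 503.

```python
import difflib
import re
from typing import List

# Constructed allowlist of packages already vetted and mirrored in the internal proxy.
MIRRORED = {"requests", "urllib3", "cryptography", "numpy", "django"}
INTERNAL_INDEX = "https://pypi.internal.example/simple"   # assumed internal mirror URL

# name[extras] <op> version   (environment markers after ';' and comments are ignored)
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)")


def canonical(name: str) -> str:
    """PEP 503 name normalization: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(text: str) -> List[str]:
    findings: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith(("--index-url", "--extra-index-url", "-i ")):
            if INTERNAL_INDEX not in line:
                findings.append(f"PUBLIC_INDEX: '{line}' bypasses the internal mirror")
            continue
        if line.startswith("-"):            # other pip options (-r, -c, ...) are out of scope
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append(f"UNPARSED: '{line}'")
            continue
        name, op, ver = canonical(m.group(1)), m.group(2), m.group(3)
        if name not in MIRRORED:
            # A near-miss against the allowlist is the typosquat signature the article describes.
            close = difflib.get_close_matches(name, sorted(MIRRORED), n=1, cutoff=0.8)
            if close:
                findings.append(f"TYPOSQUAT?: '{name}' is not mirrored but closely resembles '{close[0]}'")
            else:
                findings.append(f"NOT_MIRRORED: '{name}' must be vetted before the proxy will serve it")
        if op != "==" or not ver:
            findings.append(f"UNPINNED: '{name}' lacks an exact '==' pin (found '{(op or '') + ver}')")
    return findings


# Constructed requirements file exercising each rule.
REQUIREMENTS = """\
--extra-index-url https://pypi.org/simple    # constructed: falls back to the public index
requests==2.31.0
requets==2.31.0                              # constructed typo of 'requests'
urllib3>=1.26
numpy
cryptography==41.0.7 ; python_version >= "3.8"
"""

if __name__ == "__main__":
    for finding in audit_requirements(REQUIREMENTS) or ["OK: nothing to report"]:
        print(finding)
```

Run it as a pre-merge check so a typo'd name or a loosened pin fails the build rather than reaching `pip install`; the same logic ports to `package.json` with a lockfile check in place of the `==` rule.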
“One typo by a dev can be a full-blown breach. That’s not bad luck — that’s predictable risk.”
Russia’s APT28 Exploits Microsoft Zero-Day
Russian threat group APT28 (Fancy Bear) has been exploiting a Microsoft zero-day targeting Western governments within 24 hours of disclosure. Attackers delivered malicious documents that installed Covenant backdoors, using living-off-the-land techniques to evade detection.
Ukraine’s CERT observed active scanning and weaponization just hours after Microsoft’s advisory — showing how quickly state-backed adversaries adapt.
Mitigation includes PowerShell constraint policies, script block logging, and alerting on non-IT admin activity.
Russia and Allies Target Denmark in Coordinated Campaign
Russian-aligned hacker collectives have ramped up targeting of Danish infrastructure and government-linked organizations. The campaign blends influence operations and access prep, seeking to undermine European coordination.
Enterprises with Danish subsidiaries or EU integrations should tighten geo-based access controls and enforce hardware key MFA for any privileged connections from outside the EU.
GlassWorm Malware Targets macOS Developers
A resurgence of GlassWorm malware is hitting macOS developers through malicious VS Code extensions hosted on Open VSX. The extensions, disguised as utilities, steal cloud credentials and tokens — compromising dev pipelines at their source.
Lock down IDEs to signed, vetted extensions only, and rotate developer PATs and OAuth tokens if any suspect extensions were installed.
ShinyHunters Expand SSO Abuse Playbook
Threat intel from Mandiant reveals that ShinyHunters are now exploiting SSO token replay and OAuth consent abuse to hijack cloud sessions. They’re moving away from password theft and focusing on persistent token compromise.
To mitigate:
Enable continuous access evaluation (CAE).
Auto-revoke unused refresh tokens.
Require admin consent approval for all new enterprise apps.
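The NationStates item above recommends monitoring for new-ASN logins, and the ShinyHunters mitigations call for catching persistent token compromise and revoking unused refresh tokens. One added example (not from the show, and not any identity provider’s real API or log format) serves both: it runs three checks over a handful of constructed SSO events, flagging a login from an ASN the user has never used, a refresh token redeemed from two different ASNs within ten minutes (replay rather than legitimate roaming), and refresh tokens idle for more than 30 days that should be revoked. Usernames, timestamps and the baseline are constructed; the ASNs are from the documentation range reserved by RFC 5398.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_new_asn_logins(events: List[dict], baseline: Dict[str, Set[str]]) -> List[str]:
    """Alert when a user logs in from an ASN not in that user's baseline.
    baseline: user -> ASNs seen over the prior observation period (assumed 30 days).
    A login extends the baseline, so one unfamiliar ASN alerts once, not every time."""
    seen = {user: set(asns) for user, asns in baseline.items()}
    alerts: List[str] = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "login_success":
            continue
        known = seen.setdefault(e["user"], set())
        if e["asn"] not in known:
            alerts.append(f"NEW_ASN user={e['user']} asn={e['asn']} ts={e['ts']}")
            known.add(e["asn"])
    return alerts


def detect_token_replay(events: List[dict], window: timedelta = timedelta(minutes=10)) -> List[str]:
    """Alert when the same refresh token is redeemed from two different ASNs within
    `window`: a client does not change network that fast, a stolen token does."""
    uses = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "token_refresh":
            uses[e["token_id"]].append(e)
    alerts: List[str] = []
    for token, seq in uses.items():
        for prev, cur in zip(seq, seq[1:]):
            if cur["asn"] != prev["asn"] and ts(cur["ts"]) - ts(prev["ts"]) <= window:
                alerts.append(f"TOKEN_REPLAY token={token} user={cur['user']} asns={prev['asn']}->{cur['asn']}")
    return alerts


def stale_tokens(last_used: Dict[str, str], now: str, max_idle: timedelta = timedelta(days=30)) -> List[str]:
    """Refresh tokens not redeemed within max_idle; feed the result to your IdP's revoke call."""
    cutoff = ts(now) - max_idle
    return sorted(t for t, last in last_used.items() if ts(last) < cutoff)


# Constructed baseline and event stream. AS64496/AS64497/AS64510 are documentation ASNs.
BASELINE = {"alice": {"AS64496"}, "bob": {"AS64496", "AS64497"}}
EVENTS = [
    {"ts": "2025-01-06T08:00:00", "user": "alice", "event": "login_success", "asn": "AS64496", "token_id": "rt-1"},
    {"ts": "2025-01-06T08:05:00", "user": "alice", "event": "token_refresh", "asn": "AS64496", "token_id": "rt-1"},
    {"ts": "2025-01-06T08:09:00", "user": "alice", "event": "token_refresh", "asn": "AS64510", "token_id": "rt-1"},  # 4 min later, new ASN
    {"ts": "2025-01-06T09:00:00", "user": "bob",   "event": "login_success", "asn": "AS64497", "token_id": "rt-2"},
    {"ts": "2025-01-06T09:30:00", "user": "bob",   "event": "token_refresh", "asn": "AS64497", "token_id": "rt-2"},
    {"ts": "2025-01-06T13:00:00", "user": "bob",   "event": "token_refresh", "asn": "AS64496", "token_id": "rt-2"},  # hours later, outside window
    {"ts": "2025-01-06T10:00:00", "user": "carol", "event": "login_success", "asn": "AS64510", "token_id": "rt-3"},  # no baseline at all
]
LAST_USED = {"rt-1": "2025-01-06T08:09:00", "rt-2": "2025-01-06T13:00:00", "rt-old": "2024-11-20T12:00:00"}
NOW = "2025-01-07T00:00:00"

if __name__ == "__main__":
    for line in detect_new_asn_logins(EVENTS, BASELINE) + detect_token_replay(EVENTS):
        print(line)
    print("revoke:", stale_tokens(LAST_USED, NOW))
```

Bob’s token moving between two ASNs three and a half hours apart is left alone on purpose: that is a laptop going from office to home, and alerting on it is how analysts learn to ignore the rule. Tune the window and the baseline period to your own login telemetry before wiring the alerts to automatic session revocation.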
FCC Issues Ransomware Preparedness Warning to Telecoms
The FCC has warned U.S. telecom providers to strengthen segmentation, incident communication, and customer notifications in the event of ransomware incidents. This move signals policy enforcement readiness and future audits across core network functions.
Telecom-dependent enterprises should document secondary MFA routes and establish alternate SIP providers to ensure operational continuity.
Action List
🔐 Validate all third-party software updates through SBOM verification and sandboxing.
🔑 Force password rotations and SSO refreshes for reused credentials.
☁️ Configure geo-based access control and hardware MFA for EU tenants.
📦 Mirror all npm/PyPI packages in internal registries.
🧰 Patch Microsoft and Fortinet zero-days within 24 hours.
🧠 Apply continuous token evaluation and revoke stale OAuth sessions.
📞 Test telecom redundancy and SIP failover before the next incident.
James Azar’s CISO’s Take
Today’s stories painted the world for what it is: a global cyber chessboard. China is embedding itself into trusted supply chains, Russia is weaponizing zero-days, and the U.S. is stuck playing defense across both digital and physical domains. The EU and India? Bystanders — reacting, not shaping.
What does this mean for us as practitioners? Resilience over prevention. You can’t stop every zero-day, but you can stop the domino effect by shortening trust lifespans, rehearsing recovery, and maintaining integrity in your update and identity ecosystems. The battle lines aren’t drawn between nations — they’re drawn between teams that plan for chaos and those that don’t.
Stay alert, stay caffeinated, and as always — stay cyber safe.