Weekly Cybersecurity Threat Advisory

Threat Landscape Summary (1 – 8 September, 2025)

I. Executive Summary

This report covers key threats and incidents observed from 01–08 September 2025. The week was dominated by a multi-tenant Salesforce data theft campaign via stolen OAuth tokens (linked to Salesloft/Drift), a critical Sitecore zero‑day (CVE‑2025‑53690) under active exploitation, a large‑scale npm supply‑chain compromise, and Google’s September Android patch addressing two actively exploited zero‑days. Action is required for identity/token hygiene, rapid patching, and software supply‑chain controls.

Key Highlights

  • Supply-chain exposure: Salesforce data-theft campaign via Salesloft/Drift OAuth tokens with wide downstream impact affecting Cloudflare, Palo Alto Networks, Zscaler, Workiva, and others. Exfiltrated CRM data and secrets from support cases raise pivot risk to cloud resources.
  • Critical zero-day exploitation: Sitecore zero-day (CVE-2025-53690) involving ViewState deserialization tied to exposed machine keys under active exploitation; CISA set a September 25 federal remediation date.
  • Largest npm supply-chain event: Maintainer phishing led to malicious updates to high-traffic packages (e.g., chalk, debug, supports-color) injecting a browser-side Web3 interceptor.
  • Mobile security: Android September patch fixes two actively exploited zero-days (CVE-2025-38352 kernel; CVE-2025-48543 ART). Immediate fleet patching recommended.
  • Additional exposure: Nx breach fallout resulted in approximately 6,700 repositories being made public with potential credentials/PII exposure.

Dominant Trends

  • Identity & OAuth abuse: Attackers leveraged stolen application access tokens to mass-export CRM data and mine secrets embedded in support workflows.
  • Software supply chain fragility: npm and Nx incidents underscore multi-point risk through maintainer phishing and CI secrets leakage.
  • Legacy web stack vulnerabilities: ASP.NET ViewState misconfigurations (shared sample machine keys) resurfaced via Sitecore, enabling RCE that was followed by WeepSteel post-exploitation tooling.

II. Global Cyber Threat Landscape Overview

Key Observations

  • CRM/Helpdesk exploitation: Mass exports, log tampering, Tor egress, and Python-based clients targeting connected apps and tokens.
  • Maintainer targeting at scale: npm ecosystem targeted using look-alike domains and credential exfiltration URLs.
  • Legacy ASP.NET vulnerabilities: Deserialization paths via sample machine keys (Sitecore), with CISA KEV enforcement deadlines.

III. Notable Security Incidents and Data Breaches

Date (UTC) | Incident | Organization / Sector | Impact / Notes
2025-09-02 to 09-05 | OAuth-token supply-chain attack via Salesloft/Drift → Salesforce data theft | Multiple vendors (Cloudflare, Palo Alto Networks, Zscaler, Workiva, others) | CRM data exfiltration; secrets hunting in support cases; token/credential rotation required
2025-09-04 | Network incident | Bridgestone Americas | Operations/production impact under investigation (North America)
2025-09-08 | Maintainer phishing → malicious npm package versions | Popular npm packages (chalk, debug, supports-color, etc.) | Browser-side Web3/crypto interceptor injected into JS; risk to web apps using compromised bundles
2025-09-08 | Nx breach fallout | Nx/Nrwl ecosystem | ~6,700 private repos made public; potential credentials/PII exposure; supply-chain hardening needed


IV. Current Threat Landscape Analysis

Emerging Trends

CRM/helpdesk exploitation of connected apps and tokens continues; the tradecraft observed this week includes mass exports, log tampering, Tor egress, and Python-based API clients.

Maintainer targeting at scale (npm) using look-alike domains and credential-exfiltration URLs is a significant supply-chain risk.

Legacy ASP.NET deserialization paths via shared sample machine keys (Sitecore), now with a CISA KEV enforcement deadline, require immediate attention.

  • Based on observed patterns, OAuth token abuse against CRM platforms is likely to persist short-term as organizations rotate tokens but retain risky Connected Apps.
  • The npm event may drive copycat maintainer-phishing across other ecosystems (PyPI, NuGet).

V. Critical Vulnerabilities and CVEs (Prioritize within 24–72h)

CVE | Description | Severity | Mitigation / Notes
CVE-2025-53690 | Sitecore ViewState deserialization RCE via exposed sample ASP.NET machine keys; actively exploited; CISA KEV due date Sep 25 | Critical | Rotate to unique machine keys; apply Sitecore bulletin SC2025-005; hunt for WeepSteel/Dwagent/Earthworm; enforce ViewState MAC; WAF rules
CVE-2025-38352 | Android Linux kernel privilege escalation (race condition in posix-cpu-timers); actively exploited | High/Critical | Patch to the September 2025 security patch level; gate mobile access via MDM; verify kernel patch levels
CVE-2025-48543 | Android Runtime (ART) privilege escalation; actively exploited | High/Critical | Patch; enforce Play Protect; restrict sideloading
npm supply chain (no CVE) | Trojanized versions of widely used packages after maintainer phishing; browser-side crypto hijack | High | Freeze builds; pin/rollback; regenerate lockfiles; verify provenance/attestations (SLSA)
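The "pin/rollback; regenerate lockfiles; verify provenance" guidance is easiest to act on with a lockfile scanner. The following is an added example written for this advisory, not code from MCS, npm or any of the affected projects. It walks a package-lock.json (lockfileVersion 1 nested layout as well as the v2/v3 "packages" map) and flags entries whose name@version is on a blocklist, entries resolved from a host other than the public registry, and entries with missing or non-sha512 integrity hashes. The sample lockfile, its integrity strings and the blocklist versions are placeholders constructed for the example; fill the blocklist from the published advisory for the incident you are responding to.

```python
import json
from urllib.parse import urlparse

# Placeholder blocklist: replace these name@version pairs with the ones named
# in the vendor/registry advisory. The versions here are illustrative only.
BLOCKLIST = {"chalk@5.6.1", "debug@4.4.2", "supports-color@10.2.1"}

# Hosts a tarball may legitimately be fetched from; add internal mirrors here.
TRUSTED_HOSTS = {"registry.npmjs.org"}

# Constructed lockfile (lockfileVersion 3) exercising every check below.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"chalk": "^5.6.0", "debug": "^4.4.0"}},
        "node_modules/chalk": {
            "version": "5.6.1",
            "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.6.1.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/debug": {
            "version": "4.4.1",
            "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.1.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/debug/node_modules/ms": {
            "version": "2.1.3",
            "resolved": "https://mirror.example.internal/ms/-/ms-2.1.3.tgz",
            "integrity": "sha512-CCCC"},
        "node_modules/supports-color": {
            "version": "10.2.1",
            "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-10.2.1.tgz"},
    },
})


def _name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles scoped names)."""
    return path.rsplit("node_modules/", 1)[-1]


def _iter_packages(lock):
    """Yield (path, name, metadata) for every installed package in the lockfile."""
    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself
                yield path, _name_from_path(path), meta
    else:  # lockfileVersion 1: nested "dependencies" trees
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield path, name, meta
                yield from walk(meta.get("dependencies", {}), path + "/")
        yield from walk(lock.get("dependencies", {}), "")


def scan_lockfile(lock_text):
    """Return sorted (path, code, detail) findings for one package-lock.json."""
    lock = json.loads(lock_text)
    findings = []
    for path, name, meta in _iter_packages(lock):
        version = meta.get("version", "")
        if f"{name}@{version}" in BLOCKLIST:
            findings.append((path, "blocked-version", f"{name}@{version}"))
        resolved = meta.get("resolved")
        if resolved:
            host = urlparse(resolved).hostname or ""
            if host not in TRUSTED_HOSTS:
                findings.append((path, "off-registry-source", host))
        elif not meta.get("link"):  # workspace links have no tarball
            findings.append((path, "unresolved-source", "no 'resolved' URL; provenance unknown"))
        integrity = meta.get("integrity", "")
        if not integrity:
            findings.append((path, "missing-integrity", ""))
        elif not integrity.startswith("sha512-"):
            findings.append((path, "weak-integrity", integrity.split("-", 1)[0]))
    return sorted(findings)


if __name__ == "__main__":
    for path, code, detail in scan_lockfile(SAMPLE_LOCK):
        print(f"{code:22} {path:45} {detail}")
```

A non-empty result is the signal to freeze the pipeline, roll the affected entries back to a version published before the compromise window, and re-run `npm ci` from the regenerated lockfile rather than `npm install`, which would happily re-resolve to whatever the registry currently serves.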


VI. Threat Actor Activities

Profiles of active threat actors mapped to MITRE ATT&CK:

Salesforce data-theft operators linked in reporting to ShinyHunters

Objective: Data theft and credential harvesting

Mapped TTPs:

  • Initial access: Phishing/Vishing (T1566); OAuth/application access tokens (T1550.001).
  • Collection/Evasion: Mass CRM exports; log deletion; Tor egress; custom Python user-agents.

npm supply-chain adversaries

Objective: Supply chain compromise

Mapped TTPs:

  • Initial access: Phishing with malicious link (look-alike npmjs.help) (T1566.002).
  • Impact: Compromise software dependencies (T1195.002).

Sitecore intrusions

Objective: System compromise and data exfiltration

Mapped TTPs:

  • Initial access: Exploit Public-Facing Application (T1190) via ViewState deserialization.
  • Post-exploitation tools: WeepSteel (recon/exfil), Earthworm (tunneling), Dwagent (RAT).

VII. Malware Spotlights

Malware | Capabilities | Delivery / TTPs | Affected Platforms / Notes
WeepSteel | Reconnaissance, system/process/network enumeration, data exfil | Hides exfiltration in ViewState responses; observed alongside Earthworm/Dwagent | Sitecore campaigns targeting ASP.NET environments
npm Web3 interceptor | Browser-side crypto wallet monitoring and transaction redirection | JS injected into the package's index.js | Web applications using compromised npm bundles


VIII. Recommendations

For Technical Audiences (Security, IT, DevOps) – Immediate (24–48h):

  • Salesforce/CRM: Revoke all Drift/Salesloft OAuth tokens; audit Connected Apps; rotate any secrets present in cases; enable high-risk OAuth alerts.
  • Sitecore: Apply SC2025-005, rotate unique machine keys, enforce ViewState MAC, add WAF rules; hunt for WeepSteel/Dwagent artifacts.
  • Android fleet: Push Sep-2025 patch to all managed devices; block access for devices below this level via MDM.
  • Supply chain: Freeze builds; pin/rollback impacted npm packages; regenerate lockfiles; validate SBOMs; enable provenance/attestations (SLSA).
  • Detection engineering: Watch for Salesforce bulk exports combined with scripted user agents (python-requests, aiohttp) and Tor egress; add the IoCs from the Appendix to proxy/DNS/EDR.
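The detection-engineering bullet above combines three weak signals (scripted user agents, Tor egress, bulk export volume) that are only convincing together. The script below is an added example for this advisory, not MCS or Salesforce code, showing how to correlate them per user over API event records. The CSV columns are this example's own simplification of a Salesforce API event log, the six log lines are constructed, the Tor exit list is a one-entry placeholder, and the 100,000 rows-per-hour threshold is a tuning assumption.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on Salesforce API event records. The
# column names are this example's own simplification, not the exact
# EventLogFile schema; map the real fields onto them when adapting it.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,OPERATION,ROWS_PROCESSED,CONNECTED_APP
2025-09-03T02:10:05Z,005A1,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/128,Query,200,Salesforce for Outlook
2025-09-03T02:11:40Z,005B7,198.51.100.77,python-requests/2.32.3,BulkQuery,50000,Drift
2025-09-03T02:14:02Z,005B7,198.51.100.77,python-requests/2.32.3,BulkQuery,48000,Drift
2025-09-03T02:20:19Z,005B7,198.51.100.77,python-requests/2.32.3,BulkQuery,52000,Drift
2025-09-03T03:05:33Z,005C2,192.0.2.44,aiohttp/3.9.5,Query,1500,Salesloft
2025-09-03T03:30:00Z,005A1,203.0.113.10,Mozilla/5.0 (Windows NT 10.0) Chrome/128,Query,50,Salesforce for Outlook
"""

# Scripted HTTP clients reported in this campaign plus common relatives.
SCRIPTED_UA = re.compile(r"python-requests|aiohttp|python-urllib|urllib3|curl/", re.I)
# Connected Apps named in this week's reporting (matched case-insensitively).
WATCHED_APPS = {"drift", "salesloft"}
# Placeholder: load a current Tor exit-node list here in production.
TOR_EXITS = {"198.51.100.77"}
# Tuning assumption: rows returned to one user inside a trailing hour.
EXPORT_ROWS_PER_HOUR = 100_000
WINDOW = timedelta(hours=1)


def parse_rows(log_text):
    """Parse the CSV and return the rows sorted by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(log_text)):
        r["ts"] = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def detect(log_text):
    """Return {user_id: sorted reasons} for every user that trips at least one rule."""
    reasons = defaultdict(set)
    window = defaultdict(list)   # per-user rows still inside the trailing window
    peak = defaultdict(int)      # highest rows-per-window observed per user
    for r in parse_rows(log_text):
        uid = r["USER_ID"]
        if SCRIPTED_UA.search(r["USER_AGENT"]):
            reasons[uid].add("scripted-client:" + r["USER_AGENT"].split("/")[0])
        if r["CLIENT_IP"] in TOR_EXITS:
            reasons[uid].add("tor-exit:" + r["CLIENT_IP"])
        if r["CONNECTED_APP"].lower() in WATCHED_APPS:
            reasons[uid].add("watched-app:" + r["CONNECTED_APP"])
        hist = window[uid]
        hist.append(r)
        while r["ts"] - hist[0]["ts"] > WINDOW:   # drop rows older than one hour
            hist.pop(0)
        peak[uid] = max(peak[uid], sum(h["rows"] for h in hist))
    for uid, total in peak.items():
        if total >= EXPORT_ROWS_PER_HOUR:
            reasons[uid].add(f"mass-export:{total}-rows-in-1h")
    return {uid: sorted(rs) for uid, rs in reasons.items()}


def triage(log_text):
    """User IDs ordered by how many independent rules they tripped, worst first."""
    found = detect(log_text)
    return sorted(found, key=lambda u: (-len(found[u]), u))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for uid in triage(SAMPLE_LOG):
        print(uid, found[uid])
```

In the sample, the Drift-connected user tripping all four rules is the one to revoke first; a single scripted user agent on its own is routine integration traffic and should only raise priority, not page anyone.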

Strategic (2–6 weeks):

  • OAuth governance: App allow-lists, scoped tokens, automated token inventory/rotation; train support teams to never place secrets in cases.
  • Supply-chain hardening: Enforce maintainer 2FA; branch protection; artifact signing; continuous dependency health monitoring.
  • Legacy ASP.NET reviews: Audit machine-key configs across estates; pen-test ViewState paths.
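The "audit machine-key configs across estates" item can be scripted. Below is an added example for this advisory, not Sitecore, Microsoft or MCS code, that audits a web.config for the conditions behind this week's Sitecore exploitation (a published sample key in use, ViewState MAC disabled, weak validation/decryption algorithms, an undersized validation key) and then writes a hardened machineKey with freshly generated, per-site random keys. The web.config fragment is constructed, and the single entry in the sample-key deny-list is a made-up value standing in for the real published keys you would load from vendor documentation.

```python
import re
import secrets
import xml.etree.ElementTree as ET

HEX = re.compile(r"[0-9A-Fa-f]+")

# Placeholder deny-list: populate with the sample keys printed in vendor docs
# that you want to catch. This value is constructed for the example and is
# not a real Sitecore or Microsoft sample key.
KNOWN_SAMPLE_KEYS = {
    "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
}

# Constructed web.config carrying every misconfiguration the audit looks for.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""


def audit(web_config_xml):
    """Return a list of (severity, code, detail) findings for one web.config."""
    root = ET.fromstring(web_config_xml)
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append(("info", "machinekey-absent",
                         "keys auto-generated per server; confirm machine-level config "
                         "is not supplying a shared sample key"))
    else:
        for attr in ("validationKey", "decryptionKey"):
            val = mk.get(attr, "AutoGenerate")
            if val.upper() in KNOWN_SAMPLE_KEYS:
                findings.append(("critical", f"sample-{attr}",
                                 "published sample key in use; anyone can forge ViewState"))
            elif val.upper().startswith("AUTOGENERATE"):
                findings.append(("info", f"autogen-{attr}",
                                 "auto-generated key; ViewState will not validate across a web farm"))
            elif not HEX.fullmatch(val):
                findings.append(("high", f"malformed-{attr}", "key is not a hex string"))
        vkey = mk.get("validationKey", "")
        if HEX.fullmatch(vkey) and len(vkey) < 128:
            findings.append(("medium", "short-validationKey",
                             f"{len(vkey) // 2} bytes; use 64 bytes for HMACSHA256"))
        if mk.get("validation", "HMACSHA256").upper() in {"MD5", "SHA1"}:
            findings.append(("medium", "weak-validation", mk.get("validation")))
        if mk.get("decryption", "Auto").upper() in {"DES", "3DES"}:
            findings.append(("medium", "weak-decryption", mk.get("decryption")))
    pages = root.find("./system.web/pages")
    # ASP.NET 4.5.2+ ignores enableViewStateMac="false", but older frameworks
    # honour it, so flag it regardless of the runtime version.
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append(("critical", "viewstate-mac-disabled",
                         "ViewState accepted without a MAC; re-enable"))
    return findings


def generate_keys():
    """Fresh random keys, unique per application, never copied from documentation."""
    return {
        "validationKey": secrets.token_hex(64).upper(),  # 64 bytes for HMACSHA256
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 bytes = AES-256
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def harden(web_config_xml, keys):
    """Return the config with the given machineKey written and ViewState MAC enforced."""
    root = ET.fromstring(web_config_xml)
    web = root.find("./system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")
    mk = web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(web, "machineKey")
    mk.attrib.clear()
    mk.attrib.update(keys)
    pages = web.find("pages")
    if pages is None:
        pages = ET.SubElement(web, "pages")
    pages.set("enableViewStateMac", "true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for severity, code, detail in audit(WEAK_CONFIG):
        print(f"{severity:9} {code:24} {detail}")
    print(harden(WEAK_CONFIG, generate_keys()))
```

Rotating the key invalidates every outstanding ViewState and forms-auth ticket, so schedule it with a session drain; in a web farm every node must receive the same new key at the same time, which is why the generated values should be distributed through your secrets store rather than pasted into a ticket.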

For Non-Technical Audiences (Leadership & Staff):

  • Be extra cautious with unexpected support calls/emails asking to approve apps or share ‘one-time’ codes.
  • Use strong, unique passwords and MFA; never share credentials in tickets or email.
  • Report suspicious emails/calls and unusual mobile prompts immediately via the incident hotline.

IX. Analyst Notes

  • OAuth token abuse against CRM platforms is likely to persist short-term as organizations rotate tokens but retain risky Connected Apps. Expect follow-on attempts against helpdesk/ITSM systems with similar app marketplaces.
  • The npm event underscores systemic maintainer targeting; anticipate phishing waves against other ecosystems (PyPI, NuGet) using look-alike domains and disposable hosting such as the publicvm.com subdomain in this week's IoCs.
  • ViewState/Machine-key misconfigurations will continue to surface in legacy ASP.NET estates; proactive configuration audits are recommended.

X. Threat Indicator Appendix (IoCs)

Type | Indicator | Context | Action
Domain | bold-dhawan.45-139-104-115.plesk.page | GhostAction secrets-exfiltration endpoint (GitHub Actions workflow campaign) | Block/monitor; hunt for POSTs; rotate exposed secrets
IP | 45.139.104.115 | GhostAction host | Block egress; check historical connections
Domain | npmjs.help (look-alike of npmjs.com) | Maintainer-phishing domain | Block at DNS/mail; warn dev teams
URL | https://websocket-api2.publicvm.com/images/jpg-to-png.php?name=* | Credential exfil path used by the npm maintainer phish | Block FQDN/path; proxy alerting

Note: Validate IoCs in a staging environment before broad enforcement to avoid false positives.

XI. Contact Information

Meraal Cyber Security (MCS) – Threat Intelligence Team

  • Website: www.meraal.me
  • Email: office@meraal.me | naveed@meraal.me
  • Phone: +92 42 357 27575 | +92 323 497 9477

Note on Sources & Intelligence:
This report synthesizes data from CISA, MS-ISAC, MITRE, law enforcement press releases, leading cybersecurity vendors, and internal MCS analysis. Confirmed intelligence is separated from unverified speculation to maintain accuracy and credibility.
