Threat Landscape Summary (17 – 24 November 2025)
The week of November 17 to November 24, 2025, represented a critical peak in data exfiltration activity, characterized by a series of high-impact breaches targeting the finance, retail, and higher education sectors. A significant shift was observed in the “Clop” syndicate’s operations, which successfully exfiltrated nearly 2TB of data from a major hardware manufacturer, while the “ShinyHunters” group capitalized on legacy cloud exposures to target global fintech platforms.
The discovery of the “Shai-Hulud” worm variant—which compromised nearly 1,000 NPM packages—further highlighted the fragility of the software supply chain. Additionally, the retail sector faced unprecedented pressure as South Korea’s largest online retailer, Coupang, disclosed a breach affecting over 33 million accounts, marking one of the largest regional exposures of the year.
Adversaries have increasingly moved away from traditional encryption-heavy ransomware in favor of high-volume data theft and “silent” persistence. This week, we observed a 38% increase in identity-focused attacks, with “Scattered Spider” and similar collectives utilizing sophisticated vishing (voice phishing) to bypass multi-factor authentication (MFA) at prestigious institutions like Harvard University.
Geopolitically, the landscape is seeing a convergence of financial crime and state-sponsored espionage. Groups like Silk Typhoon (China-nexus) have been identified conducting reconnaissance on economic forecasting data, while Russian-linked groups continue to pressure the Japanese retail market. The focus has moved from “disruption” to “economic intelligence acquisition.”
Under Armour (Retail/Apparel): On November 17, the company fell victim to a ransomware incident that targeted internal corporate systems. Threat actors claim to have exfiltrated data involving millions of personal records.
Logitech (Technology): The Clop ransomware group officially claimed responsibility for a massive 1.8TB data theft from the hardware giant. The breach reportedly utilized a zero-day in a third-party software platform to bypass perimeter defenses.
Harvard University (Education): Disclosed a breach on November 24 originating from a sophisticated voice-phishing (vishing) campaign. The attack successfully compromised contact details and donor information for alumni, students, and faculty.
SitusAMC (Finance): The real-estate finance giant reported a breach exposing sensitive client data, including legal agreements and accounting documents tied to major global banks like JPMorgan Chase and Citi.
Coupang (Retail): The South Korean e-commerce leader discovered unauthorized access to 33.7 million accounts. Investigation revealed that the intrusion likely began in June 2025 but was only fully detected on November 18.
| Date | Affected Organization | Sector | Incident Type | Impact |
|---|---|---|---|---|
| Nov 17, 2025 | Under Armour | Retail | Ransomware | Millions of records claimed |
| Nov 17, 2025 | Logitech | Technology | Data Extortion | 1.8TB of corporate data stolen |
| Nov 18, 2025 | Coupang | E-commerce | Data Breach | 33.7M account profiles exposed |
| Nov 20, 2025 | Linux Infrastructure | Global | Active Exploit | CVE-2024-1086 used in ransomware |
| Nov 24, 2025 | Harvard University | Education | Vishing | Donor and alumni PII leaked |
| Nov 24, 2025 | SitusAMC | Finance | Data Breach | Sensitive banking & loan data |
The Rise of Vibe-Coding and AI Agents:
A notable development this week is the emergence of “AI-jailbroken” attack chains. Reports from major AI labs indicate that threat actors are successfully using compromised LLM agents to automate the reconnaissance and initial vulnerability scanning phases of a breach. This allows for a “constant-pressure” environment where vulnerabilities are identified and weaponized in minutes rather than days.
The “Shai-Hulud” NPM Worm:
A self-propagating worm was identified infecting over 1,000 NPM packages. This malware automatically publishes stolen credentials and victim data back to GitHub, creating a feedback loop that fuels further automated attacks. This marks a significant evolution in “autonomic” malware that requires little to no human intervention to spread.
| CVE ID | Description | Severity | Mitigation Status |
|---|---|---|---|
| CVE-2025-61757 | Oracle Identity Manager Auth Bypass: Allows full admin access via URL manipulation. | 9.8 (Critical) | Tier 0 Risk. Added to CISA KEV; patch immediately. |
| CVE-2025-64446 | Fortinet FortiWeb RCE: Path traversal and unauthenticated command execution. | 9.8 (Critical) | CISA Directive. 7-day mandatory patch for US agencies. |
| CVE-2025-62215 | Windows Kernel EoP: Race condition allowing SYSTEM privilege escalation. | 7.0 (High) | Actively Exploited. Part of Nov Patch Tuesday. |
| CVE-2025-62354 | Cursor AI Command Injection: Unauthorized OS command execution via Cursor. | 9.8 (Critical) | Update to version 0.43.x or later. |
.env files, SSH keys, and cloud tokens, then automatically commits them to public repositories to facilitate further breaches.
For Technical Audiences:
The convergence of the Oracle Identity Manager bypass and the Fortinet FortiWeb RCE creates a dangerous situation for corporate perimeters. Attackers can now theoretically bypass the “front door” (Fortinet) and immediately take control of the “keys to the kingdom” (Oracle Identity Manager). This “Double-Zero-Day” scenario requires security teams to assume a state of compromise and prioritize internal network segmentation and lateral movement detection.
Meraal Cyber Security (MCS) Threat Intelligence Team