Daily Cybersecurity Roundup, July 22, 2025

This sponge won’t clean your mess—Greedy Sponge is busy soaking up credentials and scrubbing Mexican organizations out of their data with RATs and proxy malware in tow. Meanwhile, a phishing campaign against npm maintainers led to the hijacking of popular packages like eslint-config-prettier, with attackers using stolen tokens to publish malicious versions and bypass GitHub checks. A new ACRStealer variant also emerged, using Heaven’s Gate and low-level NT functions to evade analysis and monitoring. Read below for more cybersecurity news.


01

A financially motivated threat group, Greedy Sponge, has been targeting Mexican organizations using phishing-delivered MSI installers to deploy a modified AllaKore RAT alongside SystemBC proxy malware for credential theft and financial fraud.

02

A phishing campaign targeting npm maintainers led to the hijacking of packages like eslint-config-prettier, with attackers using stolen tokens to publish malicious versions directly to the registry, bypassing GitHub-based review and detection.

03

Malware embedded in Google Tag Manager scripts is targeting WordPress sites, redirecting visitors to spam domains; the malicious code is injected into the site database rather than into files, evading file-based detection.

04

A new variant of ACRStealer has been found using the Heaven’s Gate technique to hinder analysis and calling low-level NT functions directly to bypass monitoring of library API calls.

05

Hardcoded credentials in HPE Aruba Instant On Wi-Fi devices (CVE-2025-37103) could allow attackers to bypass authentication and gain administrative access. Another flaw (CVE-2025-37102) in the HPE Instant On command line interface could allow an attacker who already holds elevated privileges to execute arbitrary commands.

06

Two critical vulnerabilities (CVE-2025-49656 and CVE-2025-50151) discovered in Apache Jena allow administrators to access and create files outside designated server directories.

07

Sophos has patched five vulnerabilities in its firewall, including two critical RCE flaws (CVE-2025-6704, CVE-2025-7624) that could allow attackers to gain control of affected devices under specific conditions.

08

ExpressVPN fixed a bug in its Windows client that exposed users’ IP addresses during Remote Desktop Protocol (RDP) sessions due to RDP traffic bypassing the VPN tunnel.

09

AI cybersecurity firm Darktrace has acquired Mira Security, a network traffic visibility solutions provider.

10

Vorboss, the London-based enterprise fiber network operator, acquired 40fi, a cybersecurity and managed services provider.
