Daily Security Briefing #057


November 1, 2025

NPM phishing attacks prompt new email defenses, critical Linux kernel exploited in active ransomware, BADCANDY implant targets Cisco IOS XE devices in Australia…


Executive Summary

Today’s cybersecurity landscape is marked by heightened threats from highly targeted supply chain and infrastructure attacks. The recent compromise of the NPM ecosystem through phishing has accelerated innovation in email security methods to block similar incidents. Meanwhile, a severe Linux kernel vulnerability (CVE-2024-1086) is actively exploited by ransomware gangs worldwide, triggering urgent alerts from CISA. In Australia, the BADCANDY web shell continues to infiltrate Cisco IOS XE devices, exploiting a critical vulnerability to maintain persistent, unauthorized access. China-linked cyber actors are also leveraging zero-day flaws to deploy advanced malware, while ransomware groups escalate data theft campaigns against prominent organizations.


Top Articles

New Email Security Technique Prevents Phishing Attacks Behind NPM Breach
The large-scale September 2025 NPM ecosystem compromise, involving malicious code inserted via phishing-hijacked developer accounts, has driven renewed focus on strengthening email security. The attack affected 20 popular NPM packages with billions of downloads, emphasizing email as the frontline defense in supply chain security. Innovative email security techniques are now being developed to counter such sophisticated phishing threats.
GBHackers

CISA Alerts on Linux Kernel Vulnerability Exploited in Ransomware Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-1086, a critical Linux kernel vulnerability, to its Known Exploited Vulnerabilities catalog. This flaw is actively exploited by ransomware operators targeting Linux systems globally. Organizations are urged to apply patches immediately to mitigate these high-impact threats affecting critical infrastructure and enterprise environments.
GBHackers | CyberPress

ASD Warns of Ongoing BADCANDY Attacks Exploiting Cisco IOS XE Vulnerability
The Australian Signals Directorate confirms ongoing cyber operations leveraging CVE-2023-20198 to deploy the BADCANDY web shell on vulnerable Cisco IOS XE devices. Despite concerted remediation efforts, over 150 devices remain compromised in Australia, allowing threat actors persistent, remote control with no authentication required. This activity poses significant risks to critical network infrastructure.
TheHackerNews | CyberPress | GBHackers

China-linked Hackers Exploited Lanscope Flaw as a Zero-Day in Attacks
The espionage group known as Bronze Butler exploited a zero-day vulnerability in Motex Lanscope Endpoint Manager to deploy an updated variant of their Gokcpdoor malware. This attack highlights the continuous risk posed by state-sponsored threat actors who rapidly weaponize new vulnerabilities for spying and infiltration missions.
BleepingComputer

Windows 11 Build 26220.7051 Released with “Ask Copilot” Feature
Microsoft has rolled out Windows 11 Build 26220.7051 to Windows Insider testers, introducing the Ask Copilot AI assistant integrated in the taskbar along with two other new features. This development signals ongoing efforts to embed AI-driven productivity tools into the operating system environment.
BleepingComputer

Hackers Hide SSH–Tor Backdoor Inside Weaponized Military Documents
Researchers discovered a sophisticated campaign delivering malware hidden in weaponized ZIP archives masquerading as Belarusian military documents. The payload is an SSH–Tor backdoor enabling covert, encrypted command-and-control operations, targeting military personnel with espionage objectives.
GBHackers

Akira Ransomware Strikes Apache OpenOffice, Allegedly Exfiltrates 23GB of Data
The Akira ransomware gang announced a successful breach of Apache OpenOffice systems, exfiltrating 23 gigabytes of sensitive data. The group threatens publication of the stolen information unless their ransom demands are met, continuing a trend of aggressive double-extortion tactics against major software projects.
GBHackers | CyberPress


AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.
