
Daily Security Briefing #072
- DjediTech
- Security , Newsletter
- November 13, 2025
Malicious npm package steals GitHub tokens, Palo Alto firewall exploit, Russian phishing spree targets hotel guests…
Executive Summary
Cybercriminals continue to exploit software supply chains and infrastructure vulnerabilities, with a malicious npm package that amassed over 200,000 downloads targeting GitHub repositories to steal tokens. Meanwhile, a critical denial-of-service flaw in Palo Alto Networks firewalls could allow attackers to reboot devices, disrupting network defenses. Phishing campaigns remain prevalent, as Russian hackers launch an extensive fake travel site operation to harvest payment credentials from hotel guests. On the defensive front, security researchers advocate proactive measures such as auditing service accounts to combat evolving Kerberoasting attacks. The threat landscape shows persistent innovation and diversification, requiring vigilance across multiple attack vectors.
Top Articles
Malicious npm Package with 206K Downloads Targeting GitHub Repositories to Steal Tokens
A typosquatting npm package “@acitons/artifact” mimicked the legitimate “@actions/artifact” module and was downloaded over 206,000 times before removal. Discovered by Veracode Threat Research, the package targeted GitHub Actions workflows, stealing sensitive build tokens and potentially enabling malicious repository activity. This incident highlights ongoing risks in open-source ecosystems and the need for supply chain protections.
GBHackers | CyberPress
Palo Alto PAN-OS Vulnerability Allows Attackers to Reboot Firewalls via Malicious Packets
A critical vulnerability in Palo Alto Networks’ PAN-OS permits unauthenticated attackers to remotely reboot firewalls by sending crafted packets, causing denial of service. Repeated exploitation could push firewalls into maintenance mode, disabling critical network security functions and exposing organizations to further risk. Timely patching is essential to defend affected systems.
CyberPress
Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests’ Payment Data
Russian-speaking threat actors launched a widespread phishing campaign, registering over 4,300 domains impersonating legitimate travel sites. Targeting hotel guests, the operation sends spam emails aiming to steal payment details and traveler credentials. The campaign underscores the continued focus on the hospitality sector and the need for user awareness and enhanced email security.
The Hacker News
Time Travel Triage: An Introduction to Time Travel Debugging using a .NET Process Hollowing Case Study
Researchers present Time Travel Debugging (TTD) as an effective technique to analyze complex, multi-stage malware like AgentTesla. Unlike traditional live debugging, TTD captures a deterministic execution record that can be reviewed and shared for faster malware analysis, improving incident response efficiency in dealing with obfuscation and layered payloads.
Google Cloud
Book Review: The Business of Secrets
Fred Kinch’s book offers a historical perspective on the cryptography industry in the 1970s, highlighting the uncertainty and evolving trust in commercial encryption products. The review reflects on how far cryptographic practices have come and the lessons learned from earlier eras of secrecy and mistrust.
Schneier on Security
Threat Actors Use JSON Storage for Hosting and Delivering Malware via Trojanized Code
A North Korean-aligned threat campaign exploits legitimate JSON storage services to host and deliver malicious payloads with trojanized code. This method leverages trusted infrastructure to bypass security controls and maintain persistence, showcasing continuing innovation in malware distribution tactics.
GBHackers
Google Sues to Disrupt Chinese SMS Phishing Triad
Google filed lawsuits against over two dozen individuals connected to a China-based phishing operation that impersonated hundreds of brands to distribute SMS scam messages. The coordinated effort converted stolen payment card data into Apple and Google mobile wallets, demonstrating the integration of mobile payment theft in phishing schemes.
Krebs on Security
Kerberoasting in 2025: How to Protect Your Service Accounts
Kerberoasting remains a potent attack vector, enabling adversaries to extract service account credentials and escalate privileges stealthily. Experts recommend auditing Active Directory password policies for accounts that carry service principal names, enforcing long and unique passwords on those accounts, and moving them to AES-encrypted Kerberos tickets to mitigate these risks effectively.
BleepingComputer
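The audit the experts describe, as an added example that is not code from the newsletter or the cited article: it enumerates every domain user that holds a service principal name and flags accounts whose tickets would not be AES-encrypted or whose password has not rotated. It assumes the ActiveDirectory RSAT module, read access to the domain, and an assumed 365-day rotation threshold.

```powershell
# Added example: Kerberoasting exposure audit for AD service accounts.
# Assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365   # assumed rotation policy; adjust to your own
$AES128 = 0x08              # msDS-SupportedEncryptionTypes bit flags
$AES256 = 0x10

# Any user object with an SPN can have a service ticket requested for it.
# Computer accounts are left out because their passwords rotate automatically.
$spnAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes', PasswordLastSet, Enabled

$report = foreach ($acct in $spnAccounts) {
    # An unset attribute casts to 0: no AES flag, so the account is treated as RC4-only here.
    $enc = [int]($acct.'msDS-SupportedEncryptionTypes')
    $aesEnabled = (($enc -band $AES128) -ne 0) -or (($enc -band $AES256) -ne 0)

    $pwdAgeDays = if ($acct.PasswordLastSet) {
        ((Get-Date) - $acct.PasswordLastSet).Days
    } else { $null }
    $stale = ($null -eq $pwdAgeDays) -or ($pwdAgeDays -gt $MaxPasswordAgeDays)

    $finding = if (-not $aesEnabled -and $stale) { 'RC4 only + stale password' }
               elseif (-not $aesEnabled) { 'RC4 only' }
               elseif ($stale) { 'stale password' }
               else { 'ok' }

    [pscustomobject]@{
        SamAccountName  = $acct.SamAccountName
        Enabled         = $acct.Enabled
        SPNCount        = @($acct.ServicePrincipalName).Count
        AESEnabled      = $aesEnabled
        PasswordAgeDays = $pwdAgeDays
        Finding         = $finding
    }
}

# Show only accounts that need work; enabled accounts matter most.
$report | Where-Object { $_.Finding -ne 'ok' } |
    Sort-Object Enabled, Finding -Descending |
    Format-Table -AutoSize
```

Accounts listed as 'RC4 only' are the ones to prioritise: set the AES flags on the account (and reset the password so an AES key exists) before tightening password length.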
Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain
A malicious Chrome extension marketed as “Safery: Ethereum Wallet” has been discovered stealing user seed phrases to compromise Ethereum wallets. This extension poses as a secure crypto management tool but exploits users by exfiltrating sensitive cryptocurrency credentials, emphasizing the need for caution when installing browser extensions.
The Hacker News
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.