In today’s cybersecurity news…
Scattered Spider, LAPSUS$, and ShinyHunters join forces
Trustwave SpiderLabs said in a report shared with The Hacker News that three major cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, have merged into a new collective called Scattered LAPSUS$ Hunters (SLH). The collective has operated at least 16 Telegram channels since August, runs an “extortion-as-a-service” model, and is possibly developing its own ransomware, Sh1nySp1d3r. Trustwave describes the group as blending profit-driven crime with hacktivist theatrics, using Telegram for coordination and reputation-building. (The Hacker News)
Nikkei reports data breach impacting 17,000 people
Japanese publishing giant Nikkei disclosed a Slack breach affecting 17,368 employees and partners after malware stole an employee’s credentials. Exposed data included names, emails, and chat histories, but no journalistic sources appear to be affected. The breach was discovered in September and prompted password resets and voluntary notification to Japan’s Personal Information Protection Commission. (BleepingComputer)
React Native NPM flaw leads to attacks
JFrog researchers discovered a critical vulnerability in the popular React Native Community CLI NPM package, used roughly two million times weekly. The flaw lets unauthenticated attackers execute arbitrary code via crafted POST requests. It affects developers running the Metro development server on Windows, macOS, and Linux. Meta, which maintains React Native, patched the issue and developers are urged to update immediately. (SecurityWeek)
Data stolen in university hacking
The University of Pennsylvania confirmed a cyber incident on October 31st after mass emails were sent from compromised Graduate School of Education accounts criticizing the university. The purported attacker told BleepingComputer they accessed a PennKey SSO account, gaining entry to Penn’s VPN, Salesforce, SAP, and other systems. About 1.2 million records were reportedly stolen, including names, contact details, donation history, and demographic data. A 1.7GB archive of the data has since been published online. (Security Magazine)
‘TruffleNet’ Wields Stolen Credentials Against AWS
Fortinet AI researchers uncovered a large-scale campaign dubbed TruffleNet that uses stolen AWS credentials and open-source tools like TruffleHog to perform reconnaissance and launch business email compromise (BEC) scams. The attackers exploited AWS’s Simple Email Service through hundreds of compromised hosts across 57 networks, using Docker management tool Portainer to coordinate their infrastructure. Fortinet warns the attack highlights how credential theft enables large-scale AWS abuse and cloud-based fraud. (Dark Reading)
8 sanctioned for laundering North Korea earnings
The U.S. Treasury sanctioned eight individuals and two North Korean entities, Korea Mangyongdae Computer Technology Company (KMCTC) and Ryujong Credit Bank, for laundering funds from North Korea’s cybercrime and IT worker schemes. Officials say KMCTC runs IT operations in China that use local proxies to funnel earnings home, while Ryujong manages laundering. Treasury linked the network to $5.3 million in stolen crypto tied to ransomware and broader efforts toward a weapons program. (The Record)
Cybersecurity program ‘not effective’ after staff cuts
The Federal Reserve’s Office of Inspector General found the Consumer Financial Protection Bureau cybersecurity program “ineffective” after staff cuts and reduced contractor support. The audit noted the agency is not keeping up with system authorizations, relying on undocumented risk acceptance, and using outdated software. The program dropped to level-2 maturity in 2025 from level-4. Remaining staff have been implementing some mitigations, including ransomware response processes and weekly risk meetings, while legacy IT modernization continues. (FedScoop)
Swedish data breach impacts 1.5 million
Swedish IT supplier Miljödata experienced a cyberattack exposing data for 1.5 million people. The breach impacted roughly 80% of Sweden’s municipalities, and the exposed data included names, addresses, emails, phone numbers, government IDs, and dates of birth. Attackers demanded 1.5 Bitcoin and later posted the stolen data on the dark web via threat group Datacarry. Sweden’s Authority for Privacy Protection (IMY) is now investigating potential GDPR violations. (BleepingComputer)






