In a world where threats are persistent, the modern CISO’s real job isn’t just to secure technology—it’s to preserve institutional trust and ensure business continuity.
This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the decisions you make now will shape your organization’s resilience for years to come.
This isn’t just a threat roundup; it’s the strategic context you need to lead effectively. Here’s your full weekly recap, packed with the intelligence to keep you ahead.
New HybridPetya Ransomware Bypasses UEFI Secure Boot — A copycat version of the infamous Petya/NotPetya malware dubbed HybridPetya has been spotted. But no telemetry exists to suggest HybridPetya has been deployed in the wild yet. It also differs in one key respect: It can compromise the secure boot feature of Unified Extensible Firmware Interface (UEFI) by installing a malicious application. Attackers prize bootkits since malware installed at that level can evade detection by antivirus applications and survive operating system reinstalls. With access to the UEFI, hackers can deploy their own kernel-mode payloads. ESET said it found HybridPetya samples uploaded to Google’s VirusTotal platform in February 2025.
- Samsung Patches Actively Exploited Flaw — Samsung has released a fix for a security vulnerability that it said has been exploited in zero-day attacks. The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution. The critical-rated issue, per the South Korean electronics giant, affects Android versions 13, 14, 15, and 16. The vulnerability was privately disclosed to the company on August 13, 2025. Samsung did not share any specifics on how the vulnerability is being exploited in attacks and who may be behind these efforts. However, it acknowledged that “an exploit for this issue has existed in the wild.”
- Google Pixel 10 Adds Support for C2PA Standard — Google announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content. Support for C2PA’s Content Credentials has been added to Pixel Camera and Google Photos apps for Android. The move, Google said, is designed to further digital media transparency. “Pixel 10 phones support on-device trusted time-stamps, which ensures images captured with your native camera app can be trusted after the certificate expires, even if they were captured when your device was offline,” Google said.
- Chinese APT Deploys EggStreme Malware in Attack Targeting Philippines — A novel malware framework called EggStreme has been put to use in a cyber attack on a Philippine military company attributed to a government-backed hacking group from China. EggStreme framework is a tightly integrated set of malicious components that, unlike traditional malware, operates “with a clear, multi-stage flow designed to establish a resilient foothold on compromised systems.” The backdoor offers a wide range of capabilities, allowing hackers to inject other payloads, move around a victim’s network and more. The activity was observed between April 9, 2024, and June 13, 2025, indicating a year-long effort. The attackers leveraged legitimate Windows services to blend into the system’s normal operations and maintain access.
- New RatOn Malware Targets Android — A new Android malware called RatOn has evolved from a basic tool capable of conducting Near Field Communication (NFC) relay attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud. The trojan fuses NFC relay techniques, ransomware overlays, and ATS capabilities, making it a potent tool with dual-pronged objectives: initiate unauthorized fund transfers and compromise cryptocurrency wallet accounts associated with MetaMask, Trust, Blockchain.com, and Phantom.
- Apple Debuts Memory Integrity Enforcement in iPhone Air and 17 — Apple unveiled a comprehensive security system called Memory Integrity Enforcement (MIE) that represents a culmination of a five-year engineering effort to combat sophisticated cyber attacks targeting individual users through memory corruption vulnerabilities. The technology is built into Apple’s new iPhone 17 and iPhone Air devices, which feature the A19 and A19 Pro chips. It combines custom-designed hardware with changes to the operating system to deliver what Apple describes as “industry-first, always-on” memory safety protection. MIE works by allocating each piece of a newer iPhone’s memory with a secret tag. This means only apps with that secret tag can access that memory in the future. If the secret doesn’t match, the security protections are triggered to block the request, terminate the process, and log the event. With memory corruption vulnerabilities accounting for some of the most pervasive threats to operating system security, the initiative is primarily designed to defend against sophisticated attacks, particularly from so-called mercenary spyware vendors who leverage them to deliver spyware to targeted devices via zero-click attacks that require no user interaction. Unlike Google Pixel devices, where it’s an optional developer feature, MIE will be on by default system-wide. But third-party apps, including social media and messaging applications, will have to implement MIE on their own to improve protections for their users. While no technology is hack-proof, MIE is expected to raise the cost of developing surveillance technologies, forcing companies that have working exploits to go back to the drawing board, as they will stop working on the new iPhones.
- Open-Source Community Rallies Against npm Supply Chain Attack — A software supply chain attack that compromised several npm packages with over 2 billion weekly downloads was mitigated swiftly, leaving attackers with little profits off the cryptocurrency heist scheme. The incident occurred after some of the developers fell for an npm password reset phishing attack, allowing the threat actors to gain access to their accounts and publish trojanized packages with malicious code to steal cryptocurrency by redirecting transactions to wallets under their control. Specifically, the malware replaces legitimate wallet addresses with attacker-controlled ones, using the Levenshtein distance algorithm to pick the most visually similar address, making the swap nearly undetectable to the naked eye. “The attackers poorly used a widely known obfuscator, which led to immediate detection shortly after the malicious versions were published,” JFrog said. According to data from Arkham, the attackers managed to steal about $1,087. During the two-hour window they were available for download, the compromised packages were pulled by roughly 10% of cloud environments, per cloud security firm Wiz, which characterized the impact of the campaign as a “denial-of-service” attack on the industry that wasted “countless hours of work” in order to ensure the risk has been mitigated. “In the case of npm, I think the big answer is trusted publishing, which includes the use of attestation and provenance,” Aikido Security’s lead malware researcher Charlie Eriksen told The Hacker News. “Once a package becomes popular enough, it should not be possible to publish new versions of it without the use of this, in my opinion. Using trusted publishing, maintainers can configure it so that the only source that can publish new versions is through GitHub or GitLab. This requires all the normal workflows and controls that source repositories provide – like requiring multiple people to review a Pull Request before it can be merged into the main branch and cause a new release to be published.”
🔥 Trending CVEs#
Hackers don’t wait. They exploit newly disclosed vulnerabilities within hours, transforming a missed patch or a hidden bug into a critical point of failure. One unpatched CVE is all it takes to open the door to a full-scale compromise. Below are this week’s most critical vulnerabilities, making waves across the industry. Review the list, prioritize patching, and close the window of opportunity before attackers do.
This week’s list includes — CVE-2025-21043 (Samsung), CVE-2025-5086 (Dassault Systèmes DELMIA Apriso), CVE-2025-54236 (Adobe Commerce), CVE-2025-42944, CVE-2025-42922, CVE-2025-42958 (SAP NetWeaver), CVE-2025-9636 (pgAdmin), CVE-2025-7388 (Progress OpenEdge), CVE-2025-57783, CVE-2025-57784, CVE-2025-57785 (Hiawatha), CVE-2025-9994 (Amp’ed RF BT-AP 111), CVE-2024-45325 (Fortinet FortiDDoS-F CLI), CVE-2025-9712, CVE-2025-9872 (Ivanti Endpoint Manager), CVE-2025-10200, CVE-2025-10201 (Google Chrome), CVE-2025-49459 (Zoom Workplace for Windows on Arm), CVE-2025-10198, CVE-2025-10199 (Sunshine for Windows), CVE-2025-4235 (Palo Alto Networks User-ID Credential Agent for Windows), CVE-2025-58063 (CoreDNS etcd plugin), CVE-2025-20340 (Cisco IOS XR), CVE-2025-9556 (Langchaingo), and CVE-2025-24293 (Ruby on Rails).
📰 Around the Cyber World#
- VS Code, Cursor, and Windsurf Users Targeted by WhiteCobra — A threat actor known as WhiteCobra is targeting Visual Studio Code, Cursor, and Windsurf Users with 24 malicious extensions in the Visual Studio marketplace and the Open VSX registry. The same threat actor is believed to be behind other VS Code extensions that masqueraded as the Solidity programming language to deliver stealer malware, leading to the theft of around $500,000 in crypto assets from a Russian developer. The end goal of the campaign is to promote the extensions on social media platforms like X, trick developers into installing them, and exfiltrate cryptocurrency wallet phrases for profit using Lumma Stealer. According to a leaked internal playbook, the threat actors, cybercriminals, set revenue projections between $10,000 and $500,000, provide command-and-control (C2) infrastructure setup guides, and describe social engineering and marketing promotion strategies. The activity also involves running automated scripts to generate 50,000 fake downloads for social proof. “By faking massive numbers of downloads, they continue to trick developers, and sometimes even marketplace review systems, into thinking their extensions are safe, popular, and vetted,” Koi Security said. “To a casual observer, 100K installs signals legitimacy. That’s exactly what they’re counting on.”
