A recent autonomous penetration test surfaced a novel cross-site scripting (XSS) bypass that sidesteps even highly restrictive Web Application Firewalls (WAFs). Security researchers encountered an ASP.NET application protected by a rigorously configured WAF. Conventional XSS payloads that break out of single-quoted JavaScript strings were promptly blocked. Yet by abusing HTTP parameter pollution, the team managed to split malicious […]
Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts.
This week, one story stands out above the rest: the
A sophisticated supply-chain attack that impacted over 700 organizations, including major cybersecurity firms, has been traced back to a compromise of Salesloft’s GitHub account that began as early as March 2025.
In an update on September 6, 2025, Salesloft confirmed that an investigation by cybersecurity firm Mandiant found that threat actors leveraged this initial access to eventually steal OAuth authentication tokens from its Drift chat platform, leading to widespread data theft from customer systems.
The investigation, which began on August 28, revealed that threat actors had access to Salesloft’s GitHub account from March through June 2025.
During this period, the attackers downloaded content from private repositories, added a guest user, and established workflows while conducting reconnaissance on both the Salesloft and Drift application environments.
While the Salesloft platform itself was not breached, the attackers pivoted to Drift’s AWS environment, where they successfully obtained OAuth tokens for customer technology integrations.
The threat actor, identified by Google’s Threat Intelligence Group as UNC6395, used these stolen tokens between August 8 and August 18 to access and exfiltrate data from customers’ integrated applications, most notably Salesforce instances.
The stolen data primarily included business contact information, such as names, email addresses, and job titles, as well as content from support cases.
The incident is considered one of the largest recent SaaS supply-chain attacks, highlighting the risks associated with third-party application integrations.
In response to the attack, Salesloft engaged Mandiant and took decisive action to contain the threat. The company took the Drift platform completely offline, isolated its infrastructure, and rotated all impacted credentials.
Mandiant has since verified that the incident is contained and that the technical segmentation between the Salesloft and Drift environments prevented the attackers from moving laterally.
The focus of the investigation has now shifted to a forensic quality assurance review. Salesloft has issued guidance to its partners, recommending that all third-party applications integrated with Drift via API key proactively revoke the existing key.
The company also published a list of Indicators of Compromise (IOCs), including malicious IP addresses and user-agent strings, to help customers search their own logs for suspicious activity.
Indicator Type: Malicious IP Addresses
Value/Description: Any successfully authenticated Drift connections from IPs not on Drift’s official whitelist should be considered suspicious. The following IPs are confirmed as malicious:
– 154.41.95.2
– 176.65.149.100
– 179.43.159.198
– 185.130.47.58
– 185.207.107.130
– 185.220.101.133
– 185.220.101.143
– 185.220.101.164
– 185.220.101.167
– 185.220.101.169
– 185.220.101.180
– 185.220.101.185
– 185.220.101.33
– 192.42.116.179
– 192.42.116.20
– 194.15.36.117
– 195.47.238.178
– 195.47.238.83
– 208.68.36.90
– 44.215.108.109

Indicator Type: Malicious User-Agent Strings
Value/Description: The following user-agent strings have been associated with the threat actor’s activity:
– python-requests/2.32.4
– Salesforce-Multi-Org-Fetcher/1.0
– Python/3.11 aiohttp/3.12.15
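As an added example (this is not code from Salesloft, Mandiant or Google TIG), the following Python script runs the indicators above against access logs in the common Apache/nginx "combined" format. It flags any line whose client IP or User-Agent matches the published list, records whether the request fell inside the 8 to 18 August window in which the tokens were used, and, when handed an allowlist, also flags successful (2xx) connections from IPs outside it, which is the check Salesloft's guidance describes. The log lines and the allowlist inside the script are constructed for the demonstration; Drift's official whitelist is not reproduced here.

```python
"""Hunt for the Salesloft Drift incident IOCs in web access logs.

Added example; not code from Salesloft, Mandiant or Google TIG.
The IP and User-Agent values are the indicators published for the
incident. The sample log lines and the example allowlist below are
CONSTRUCTED for this demonstration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Set, Tuple

MALICIOUS_IPS = frozenset({
    "154.41.95.2", "176.65.149.100", "179.43.159.198", "185.130.47.58",
    "185.207.107.130", "185.220.101.133", "185.220.101.143", "185.220.101.164",
    "185.220.101.167", "185.220.101.169", "185.220.101.180", "185.220.101.185",
    "185.220.101.33", "192.42.116.179", "192.42.116.20", "194.15.36.117",
    "195.47.238.178", "195.47.238.83", "208.68.36.90", "44.215.108.109",
})
MALICIOUS_USER_AGENTS = frozenset({
    "python-requests/2.32.4",
    "Salesforce-Multi-Org-Fetcher/1.0",
    "Python/3.11 aiohttp/3.12.15",
})

# Period in which the stolen tokens were used (8-18 August 2025, inclusive).
WINDOW_START = datetime(2025, 8, 8, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 8, 19, tzinfo=timezone.utc)  # exclusive bound

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    line_no: int
    ip: str
    user_agent: str
    reasons: Tuple[str, ...]
    in_window: bool


def in_window(ts: str) -> bool:
    """True if a timestamp such as '12/Aug/2025:03:14:55 +0000' lies in the abuse window."""
    t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return WINDOW_START <= t < WINDOW_END


def classify(ip: str, ua: str, status: str,
             allowlist: Optional[Set[str]]) -> Tuple[str, ...]:
    """Return the reasons that make one request suspicious (empty tuple if none)."""
    reasons = []
    if ip in MALICIOUS_IPS:
        reasons.append("ioc-ip")
    if ua in MALICIOUS_USER_AGENTS:  # exact match on the published strings
        reasons.append("ioc-user-agent")
    # Salesloft's guidance: a *successful* connection from an IP that is not on
    # Drift's official whitelist is suspicious even without an IOC match.
    if allowlist is not None and status.startswith("2") and ip not in allowlist:
        reasons.append("not-on-allowlist")
    return tuple(reasons)


def scan(lines: Iterable[str], allowlist: Optional[Set[str]] = None) -> List[Hit]:
    """Scan log lines; lines that do not parse are skipped rather than guessed at."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["ip"], m["ua"], m["status"], allowlist)
        if reasons:
            hits.append(Hit(n, m["ip"], m["ua"], reasons, in_window(m["ts"])))
    return hits


# CONSTRUCTED sample log; only the IOC IPs and User-Agents are real indicators.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2025:14:02:11 +0000] "GET /api/v1/conversations HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '185.220.101.133 - - [12/Aug/2025:03:14:55 +0000] "GET /services/data/v60.0/query?q=SELECT+Id+FROM+Case HTTP/1.1" 200 91234 "-" "Salesforce-Multi-Org-Fetcher/1.0"',
    '198.51.100.23 - - [13/Aug/2025:09:41:02 +0000] "POST /oauth/token HTTP/1.1" 401 120 "-" "python-requests/2.32.4"',
    '44.215.108.109 - - [15/Aug/2025:22:05:37 +0000] "GET /services/data/v60.0/sobjects/Contact HTTP/1.1" 200 44012 "-" "Python/3.11 aiohttp/3.12.15"',
    '192.42.116.20 - - [02/Sep/2025:11:20:09 +0000] "GET /api/v1/contacts HTTP/1.1" 403 0 "-" "python-requests/2.32.4"',
]
# CONSTRUCTED stand-in for Drift's official whitelist (hypothetical values).
EXAMPLE_ALLOWLIST = {"203.0.113.7", "198.51.100.23"}

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG, allowlist=EXAMPLE_ALLOWLIST):
        flag = "in-window" if h.in_window else "outside-window"
        print(f"line {h.line_no}: {h.ip} {h.user_agent!r} {', '.join(h.reasons)} [{flag}]")
```

Exact matching on the User-Agent strings is deliberate: python-requests/2.32.4 and the aiohttp default string are common in legitimate automation, so a User-Agent hit on its own is weak evidence. Treat it as a lead to correlate with the IP list, the activity window, and the accounts and Salesforce objects the request touched, rather than as a confirmed compromise.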
While a group called “Scattered LAPSUS$ Hunters 4.0” claimed responsibility, investigators have not found credible evidence to support this claim.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
When Attackers Get Hired: Today’s New Identity Crisis
What if the star engineer you just hired isn’t actually an employee, but an attacker in disguise? This isn’t phishing; it’s infiltration by onboarding.
Meet “Jordan from Colorado,” who has a strong resume, convincing references, a clean background check, even a digital footprint that checks out.
On day one, Jordan logs into email and attends
WASHINGTON, Sept. 7 (Reuters) – U.S. authorities have launched an investigation into a sophisticated malware-laden email that appears to have been crafted to glean […] According to the Wall Street Journal, the deceptive message, purporting to come from Representative John Moolenaar, was dispatched in July to multiple U.S. trade groups, prominent law firms and government agencies.
Microsoft’s Azure cloud platform is facing significant disruptions after multiple undersea fiber optic cables were severed in the Red Sea.
The US technology giant confirmed that users would experience delays and increased latency for services relying on internet traffic moving through the Middle East, although it has successfully rerouted data to prevent a complete outage.
The company stated that the issue began at approximately 05:45 UTC on Saturday, September 6. In a status update, Microsoft explained, “Network traffic traversing through the Middle East may experience increased latency due to undersea fiber cuts in the Red Sea.”
It assured customers that service was not interrupted, as traffic was immediately redirected through alternate network paths.
However, the company warned, “We do expect higher latency on some traffic that previously traversed through the Middle East.” Microsoft did not provide any details regarding the cause of the cable damage.
The Impact of Latency
For businesses and users relying on Azure, increased latency translates to slower response times for applications, websites, and data access.
While not a full-scale outage, these delays can impact performance-sensitive operations, such as financial transactions, real-time data processing, and cloud-hosted services that require near-instantaneous communication.
The rerouting of data, while a critical mitigation step, means information must travel a longer, less direct path to its destination, creating a noticeable lag for affected users in various regions.
The Red Sea serves as a vital and heavily trafficked corridor for global internet connectivity, linking Europe, Asia, and Africa.
A significant portion of the world’s internet data passes through the subsea cables laid on its seabed. Damage in this narrow channel can have a disproportionately large impact on international connectivity.
This incident follows other reports from the weekend suggesting that the cable cuts had already affected internet services in the United Arab Emirates and parts of Asia, indicating a potentially widespread problem affecting multiple telecommunication providers.
Microsoft confirmed that network traffic not routed through the Middle East remains completely unaffected by the incident.
The company is continuing to monitor the situation closely and has promised to provide daily updates to its customers, with the last communication being logged at 19:52 UTC on September 7.
The focus remains on managing network performance via the alternate routes while awaiting further information on the complex and costly process of repairing the damaged deep-sea infrastructure. The cause of the cuts is still under investigation.
When a security breach occurs, vital evidence often appears in unexpected places. One such source is Microsoft Azure Storage logs, which play a critical role in digital forensics. While storage accounts are often overlooked, enabling and analyzing their logs can help investigators detect unauthorized access, trace attacker activity, and protect sensitive data. Azure Storage Accounts are […]
The cybersecurity landscape for macOS users has taken a dangerous turn as cybercriminals increasingly target Apple’s ecosystem with sophisticated malware campaigns. Atomic macOS Stealer (AMOS), a specialized data-theft malware, has emerged as one of the most significant threats to Mac users, particularly those seeking cracked software applications. While macOS has historically maintained a reputation as […]
An important security vulnerability has been discovered in Apache Jackrabbit, a popular open-source content repository used in enterprise content management systems and web applications.
This flaw could allow unauthenticated attackers to achieve remote code execution (RCE) on servers running vulnerable versions, presenting a critical risk to system security and data confidentiality.
The vulnerability, tracked as JCR-5135, is classified as a “Deserialization of Untrusted Data” issue. It resides in how certain Apache Jackrabbit components handle Java Naming and Directory Interface (JNDI) lookups.
Specifically, if a deployment is configured to accept JNDI URIs for Java Content Repository (JCR) lookups from untrusted or public-facing sources, an attacker can exploit this pathway.
By submitting a specially crafted, malicious JNDI reference, an attacker can trick the application into processing it.
This action triggers the deserialization of untrusted data from an attacker-controlled source, which can result in the execution of arbitrary commands on the underlying server with the privileges of the application.
A successful exploit could allow an attacker to install malware, steal sensitive data, or take complete control of the affected system. Security researcher James John reported the issue.
Affected Versions
The vulnerability is widespread, affecting over two decades of releases for two of the project’s foundational components. All users running the following versions are considered at risk and should review their systems immediately.
Apache Jackrabbit Core (org.apache.jackrabbit:jackrabbit-core): Versions 1.0.0 through 2.22.1
Apache Jackrabbit JCR Commons (org.apache.jackrabbit:jackrabbit-jcr-commons): Versions 1.0.0 through 2.22.1
Mitigation And Recommendations
To address this significant security risk, the Apache Jackrabbit project team has released a patch. Administrators are strongly urged to upgrade all affected deployments to version 2.22.2 or later.
The primary security fix in the new version is the default disabling of JCR lookups through JNDI, which closes the attack vector for most users.
For those who require this specific functionality for their operations, it must now be enabled explicitly through a system property.
Developers advise that anyone re-enabling this feature must perform a careful security review of its use, ensuring that no unvalidated, user-supplied data can influence the JNDI URI being processed.
Applying the update is the most effective way to mitigate the threat.
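Because jackrabbit-core and jackrabbit-jcr-commons are frequently pulled in transitively rather than declared directly, the quickest way to find exposed builds is to scan the resolved dependency tree. The following Python script is an added example (not Apache Jackrabbit project code): it reads the lines printed by "mvn dependency:tree" (groupId:artifactId:packaging:version:scope), matches the two artifacts named above, and compares versions numerically against the affected range, so that 2.22.10 is read as newer than 2.22.2 while a 2.22.2-SNAPSHOT build is still reported as unfixed. The dependency tree embedded in the script is constructed for the demonstration.

```python
"""Flag Apache Jackrabbit artifacts affected by JCR-5135 in a Maven dependency tree.

Added example; not Apache Jackrabbit project code. It parses the lines printed by
"mvn dependency:tree" (groupId:artifactId:packaging:version:scope), so transitive
pulls of jackrabbit-core / jackrabbit-jcr-commons are caught as well as direct ones.
The dependency tree at the bottom is CONSTRUCTED for this demonstration.
"""
import re
from typing import Iterable, List, Tuple

GROUP_ID = "org.apache.jackrabbit"
# artifactId -> (first affected release, first fixed release), as published
AFFECTED = {
    "jackrabbit-core": ("1.0.0", "2.22.2"),
    "jackrabbit-jcr-commons": ("1.0.0", "2.22.2"),
}

# Matches e.g. "org.apache.jackrabbit:jackrabbit-core:jar:2.20.1:compile"
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<pkg>[\w\-]+):"
    r"(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '2.22.1' or '2.22.2-SNAPSHOT' into a comparable key.

    Numeric segments compare as integers (2.22.10 > 2.22.2, unlike a string
    compare). A qualifier after '-' marks a pre-release, which sorts *below*
    the bare release, so 2.22.2-SNAPSHOT < 2.22.2."""
    base, _, qualifier = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    nums += (0,) * max(0, 3 - len(nums))
    return (nums, 0 if qualifier else 1)


def is_affected(artifact: str, version: str) -> bool:
    """Affected = first affected <= version < first fixed release.

    Testing '< first fixed' instead of '<= 2.22.1' means a 2.22.2-SNAPSHOT
    build is still reported, since it cannot be assumed to carry the fix."""
    rng = AFFECTED.get(artifact)
    if rng is None:
        return False
    lo, fixed = rng
    return parse_version(lo) <= parse_version(version) < parse_version(fixed)


def scan_tree(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, version found, version to upgrade to) per hit, deduplicated."""
    findings, seen = [], set()
    for line in lines:
        m = DEP_RE.search(line)
        if not m or m["group"] != GROUP_ID:
            continue
        key = (m["artifact"], m["version"])
        if key in seen:
            continue
        seen.add(key)
        if is_affected(*key):
            findings.append((m["artifact"], m["version"], AFFECTED[m["artifact"]][1]))
    return findings


# CONSTRUCTED "mvn dependency:tree" output for a hypothetical CMS web app.
SAMPLE_TREE = [
    "[INFO] com.example:cms-webapp:war:1.4.0",
    "[INFO] +- org.apache.jackrabbit:jackrabbit-core:jar:2.20.1:compile",
    "[INFO] |  +- org.apache.jackrabbit:jackrabbit-jcr-commons:jar:2.20.1:compile",
    "[INFO] |  \\- javax.jcr:jcr:jar:2.0:compile",
    "[INFO] +- org.apache.jackrabbit:jackrabbit-webdav:jar:2.22.1:compile",
    "[INFO] \\- org.apache.jackrabbit:jackrabbit-api:jar:2.22.2:compile",
]

if __name__ == "__main__":
    for artifact, found, fixed in scan_tree(SAMPLE_TREE):
        print(f"{GROUP_ID}:{artifact} {found} is affected by JCR-5135; upgrade to {fixed} or later")
```

The scanner deliberately checks only the two artifacts the advisory names; other Jackrabbit modules in the constructed tree are left alone even when they are below 2.22.2. Widen AFFECTED if your policy is to move the whole Jackrabbit family forward in one step, and remember that a clean tree does not cover shaded or repackaged jars, which need to be opened and inspected separately.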
Groundbreaking research reveals the inner workings of cybercriminal networks targeting Australia and allied nations. Australian researchers have completed a comprehensive analysis of ransomware criminal groups, providing unprecedented insights into one of the most damaging cybercrime threats of the modern era. The study, conducted by the Australian Institute of Criminology, examined 865 ransomware attacks across Australia, […]