
July 23, 2025 – Cyber Briefing

👉 What’s trending in cybersecurity today?

MuddyWater uses upgraded DCHSpy to spy on Android users post Iran-Israel clash, npm phishing targets Node.js developers, and Lumma Stealer resurfaces with new evasion tactics. Chinese hackers breach US nuclear agency via SharePoint flaw, AMEOS healthcare group suffers GDPR-reportable breach, and 158-year-old UK firm KNP collapses after weak password ransomware hit. Global ransomware drops 43% in Q2, UK pushes mandatory ransomware reporting, and Clorox sues Cognizant for $380M over 2023 breach.


🚨 Cyber Alerts

1. MuddyWater Uses DCHSpy Amid Iran-Israel Clash

Lookout discovered new samples of the Android surveillanceware DCHSpy, leveraged by the Iranian cyber espionage group MuddyWater, approximately one week after the start of the Israel-Iran conflict. These new samples exhibit enhanced data collection capabilities, including WhatsApp data, and are being distributed using lures that appear to center around Starlink internet services.

2. npm Phishing Emails Target Developer Logins

A sophisticated phishing campaign is targeting Node.js developers by impersonating the npm package registry through the typosquatted domain “npnjs.com.” This attack aims to compromise high-value developer accounts, potentially infecting millions of downstream projects by tricking maintainers into revealing their credentials on a fake login page.

3. Lumma Stealer Returns with New Stealth Tactics

The Lumma infostealer malware operation is slowly coming back online after a large law enforcement action in May seized 2,300 domains and parts of its infrastructure. Despite the disruption, Lumma’s operators quickly began rebuilding, and the malware-as-a-service (MaaS) platform is now almost back to its previous activity levels, using new distribution channels and infrastructure providers to avoid future takedowns.


💥 Cyber Incidents

4. US Nuclear Agency Breached in SharePoint Hack

Chinese government-affiliated hacking groups exploited a flaw in Microsoft’s SharePoint software, leading to a breach of the National Nuclear Security Administration, though no sensitive data was reportedly leaked. This incident is part of a wider series of attacks affecting over 50 organizations, and Microsoft has now patched the vulnerability.

5. European Healthcare Network Breached

The AMEOS Group, a major Central European healthcare provider, announced a security breach impacting customer, employee, and partner data, as mandated by GDPR. In response, AMEOS shut down IT systems, engaged experts, informed authorities, and filed a police report, while advising affected individuals to remain vigilant.

6. Weak Password Triggers Ransomware on Old Firm

A single compromised password led to the downfall of KNP, a 158-year-old British transport company, displacing 700 employees and underscoring the severe consequences of cybersecurity vulnerabilities for UK businesses. This incident highlights the escalating ransomware threat, with thousands of UK companies targeted annually, prompting calls for stronger defenses and potential governmental intervention.


📢 Cyber News

7. Global Ransomware Attacks Drop 43% in Q2

Global ransomware attacks dropped by 43% in Q2 2025, totaling 1180 incidents, a significant decrease from Q1’s 2074 attacks. This decline is largely attributed to successful law enforcement actions and internal conflicts within ransomware groups, despite a record number of new active attack groups emerging this year.

8. UK Advances Plan to Mandate Ransomware Reports

The British government is moving forward with proposals to combat ransomware, including a potential ban on payments by critical entities and mandatory reporting, though experts question the effectiveness and resourcing of these measures. While these steps signal a more serious approach, concerns remain about their practical impact on attacker behavior and law enforcement’s capacity to utilize the increased intelligence.

9. Clorox Sues Cognizant Over 2023 Cyberattack

Clorox is suing its former IT service desk provider, Cognizant, for $380 million, alleging direct responsibility for a costly August 2023 cyber-attack. The lawsuit claims Cognizant’s failure to follow proper protocols and identity verification led to hackers gaining access to Clorox’s corporate network, causing months of operational disruption and significant financial losses.


💡 Cyber Tip

Be Cautious as Fake npm Login Pages Target Developer Credentials

A phishing campaign is impersonating the official npm package registry to steal developer login credentials. By swapping the “m” with “n” in the domain name (npnjs.com), attackers have created a convincing fake site that mirrors the real npm interface. The campaign uses spoofed emails and tracking links to lure developers into entering credentials, putting widely used packages and millions of downstream projects at risk.

✅ What you should do

  • Always double-check URLs before logging in, especially for developer platforms and registries.
  • Do not click on links from unsolicited or unexpected emails claiming to be from npm or support teams.
  • Enable two-factor authentication (2FA) on your npm account and other development services.
  • Monitor your packages for unauthorized changes or unexpected publishing activity.
  • Use email protection tools that can detect spoofed sender domains and failed authentication checks.
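The first two points above can be partly automated: before anyone clicks, the links in a suspicious e-mail can be compared against a short allow-list of hosts you actually use. The checker below is an added example written for this tip, not code from the briefing; the trusted-host list and the sample links are constructed, and it approximates the registrable domain as the last two labels of the hostname.

```python
"""Flag e-mail links whose hostname imitates a trusted developer registry."""
from urllib.parse import urlparse

TRUSTED_HOSTS = {"npmjs.com", "github.com"}  # assumed allow-list for this demo

SAMPLE_LINKS = [  # constructed for this example, not real campaign URLs
    "https://www.npmjs.com/package/lodash",
    "https://npnjs.com/login",           # the m -> n swap described above
    "https://npmjs.org/login",           # same name, different TLD
    "https://npmjs.com.example/reset",   # real name buried as a subdomain
    "https://example.org/blog",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude eTLD+1: keep the last two labels (fine for .com-style hosts)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_link(url: str, trusted=TRUSTED_HOSTS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's hostname."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return "unknown"
    base = registrable(host)
    if base in trusted:
        return "trusted"  # www.npmjs.com, api.github.com, ...
    for good in trusted:
        good_name = good.rsplit(".", 1)[0]
        # within two edits of the real name, or the real name on another TLD
        if edit_distance(base.rsplit(".", 1)[0], good_name) <= 2:
            return "lookalike"
        # the real host appears as a label inside a longer, unrelated host
        if good + "." in host:
            return "lookalike"
    return "unknown"


def scan_links(urls):
    """Map each URL to its verdict so the result can be reviewed or logged."""
    return {u: classify_link(u) for u in urls}
```

Anything that comes back "lookalike" deserves a manual look before the link is opened; "unknown" only means the host is not on the allow-list.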

🔒 Why this matters

Developer accounts with high-impact packages are prime targets for supply chain attacks. A single compromised login could introduce malicious code into countless applications. Staying alert and verifying login pages is essential to protect your projects and the wider open-source ecosystem.

📚 Cyber Book

Extreme Privacy: What It Takes to Disappear by Michael Bazzell

Get Book: https://amzn.to/3X61Q2O


That concludes today’s briefing. You can check the top headlines here!


Copyright © 2025 CyberMaterial. All Rights Reserved.
