👉 What’s happening in cybersecurity today?
Malicious packages hit npm and PyPI, a Salesforce SOQL injection flaw exposes user records, and HelloTDS uses fake CAPTCHAs for mass infections. The Chaos gang breaches Optima Tax Relief, Sorbonne University leaks staff data, and a Brazilian city's health services go offline. Trump rolls back Biden-era cyber rules, the DOJ targets North Korean IT-scam funds, and OpenAI bans state-backed hackers from ChatGPT.
1. Sabotage And Theft Malware On npm And PyPI
Cybersecurity researchers have uncovered a new supply chain attack where malicious code was injected into over a dozen packages related to GlueStack, delivering a remote access trojan to users. In a separate incident on npm, two rogue packages were discovered that act as destructive wipers, designed to delete entire application directories in an unusual case of sabotage rather than for financial gain. Concurrently, a new Python-based credential harvester on the PyPI repository, posing as an Instagram growth tool, has been found to steal user logins and broadcast them to multiple bot services.
2. Salesforce SOQL Flaw Exposed User Records
A critical zero-day vulnerability was discovered in a default Salesforce Aura controller, allowing attackers to extract sensitive user and document details via Salesforce Object Query Language (SOQL) injection techniques. Security researcher Tobia Righi found that the flaw, affecting thousands of deployments by default, could be exploited using error-based blind injection to enumerate database information. After being notified of the issue in late February 2025, Salesforce quietly patched the widespread vulnerability without issuing a public advisory, CVE number, or release notes. This silent patching approach has left the security community without official guidance on detection methods or indicators of compromise, making it difficult for organizations to assess if they were previously breached.
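To illustrate the bug class described above, here is an added example (constructed for this digest, not the affected Salesforce controller, whose code the article does not show): a hypothetical Aura-enabled Apex class with a method that splices caller input into a SOQL string beside one that passes it as a bind variable and enforces field-level security.

```apex
// Hypothetical Aura controller, constructed for illustration only.
public with sharing class DocumentSearchController {

    // VULNERABLE: the caller-controlled string becomes part of the query
    // text, so a crafted value can alter the WHERE clause. Because a
    // malformed query raises an error while a well-formed one returns
    // normally, that difference alone leaks information (the basis of
    // error-based blind injection) even when no rows are shown.
    @AuraEnabled
    public static List<ContentDocument> searchUnsafe(String title) {
        String soql = 'SELECT Id, Title FROM ContentDocument '
                    + 'WHERE Title LIKE \'%' + title + '%\'';
        return Database.query(soql);
    }

    // HARDENED: the value travels as a bind variable (:pattern), never as
    // query text, so it cannot change the query's structure.
    // WITH SECURITY_ENFORCED makes the query fail if the running user lacks
    // read access to any referenced object or field, and "with sharing" on
    // the class applies record-level sharing rules.
    @AuraEnabled
    public static List<ContentDocument> searchSafe(String title) {
        String pattern = '%' + title + '%';
        return [SELECT Id, Title FROM ContentDocument
                WHERE Title LIKE :pattern
                WITH SECURITY_ENFORCED
                LIMIT 50];
    }
}
```

Defensively, a review of every @AuraEnabled method for Database.query calls built from concatenated input is a practical first check, since those are the entry points reachable from the client.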
3. HelloTDS Spreads Malware Via Fake CAPTCHAs
Cybersecurity researchers have uncovered a complex Traffic Direction System dubbed “HelloTDS” that orchestrated the delivery of malware to over 4.3 million devices in April and May 2025 alone. This system uses advanced fingerprinting on users visiting compromised websites to selectively redirect suitable targets to malicious landing pages, most often deceptive FakeCaptcha verification screens. The FakeCaptcha pages then trick victims into executing harmful commands which initiate a multi-stage attack that ultimately installs infostealers like LummaC2 or remote access trojans. The campaign’s ability to serve benign content to evade researchers and dynamically rotate its infrastructure highlights a sophisticated threat that exploits user trust in familiar CAPTCHA interfaces.
4. Chaos Gang Leaks Optima Tax Client Data
U.S. tax resolution firm Optima Tax Relief has been hit by the Chaos ransomware gang, which on June 6th claimed to have stolen 69 GB of data and added the company to its data leak site. This double-extortion attack involved both data theft and server encryption, with the stolen information including sensitive customer case files containing personal details such as Social Security numbers. The Chaos ransomware gang, which emerged in March 2025 and should not be confused with the older Chaos ransomware builder, has also recently claimed an attack on the Salvation Army. As of the report, Optima Tax Relief had not yet issued an official statement regarding the incident or formally notified its affected customers and the relevant authorities about the breach.
5. Sorbonne University Hit By Staff Data Breach
Sorbonne University in France has been hit by a cyberattack that caused major disruptions to its information systems and resulted in a sensitive data breach. An investigation with external cybersecurity experts revealed that compromised data includes staff professional email addresses, banking information, Social Security numbers, and compensation details. Following GDPR protocols, the university has notified French data protection and cybersecurity authorities (CNIL and ANSSI) and filed a police complaint while working to restore all services. While essential digital services are functioning, Sorbonne University is establishing a toll-free number and FAQ to support affected staff, reaffirming its commitment to data protection.
6. Hack Shuts Down Brazil City Health Systems
The City Hall of São José do Rio Preto, Brazil, suffered a major cyberattack on Thursday, June 5th, which compromised all municipal administration systems and prompted an immediate shutdown. The city’s IT provider, Empro, isolated the network and began restoring from backups while stating databases were not compromised, as cybercrime authorities launched an investigation. Healthcare services were severely affected, forcing emergency and basic health units to use manual processes that caused long queues and suspended non-urgent exams and some emergency phone lines. Empro highlighted that this attack managed to overcome their usual digital barriers, which typically block over a dozen attempts daily, underscoring the severity of this particular incident.
7. New Trump Cyber EO Rolls Back Biden Rules
President Donald Trump signed a new executive order on Friday to amend cybersecurity policies from the Biden and Obama administrations, focusing on areas like software security, AI, and digital identity. The order immediately strikes a controversial section from a January 2025 Biden Executive Order that encouraged accepting digital IDs for public benefits, a move the White House claimed prevents fraud but which the Better Identity Coalition criticized. It also reverses Biden-era policies on AI defense collaboration and removes requirements for federal contractors to attest to their software’s security, while simplifying the roadmap for post-quantum cryptography. Finally, the order amends an Obama-era sanctions policy, changing the target from “any person” to “any foreign person” to, according to the administration, prevent its use against domestic political opponents.
8. DOJ Seeks $7.74M From North Korean IT Scam
The U.S. Department of Justice has filed a civil forfeiture complaint to permanently claim over $7.74 million linked to an illicit North Korean IT worker scheme that generates revenue for the regime. These funds were connected to North Korean Foreign Trade Bank representative Sim Hyon Sop, who was indicted in 2023 for conspiring with IT workers to launder money obtained from their illegal employment at U.S. companies. The scheme involved laundering cryptocurrency obtained with stolen American identities through a complex network, with Sim and another official, Kim Sang Man, acting as central clearinghouses for the proceeds. This forfeiture action is part of the broader “DPRK RevGen” initiative, which aims to disrupt the financial networks that North Korea uses to fund its weapons programs by exploiting global IT work.
9. OpenAI Bans State Hackers From ChatGPT
OpenAI announced this week that it has taken down accounts linked to state-backed threat actors from China, Russia, North Korea, and Iran who were using ChatGPT for illicit purposes. The malicious activities included refining malware like the “ScopeCreep” RAT, researching U.S. defense technology, and bulk-generating social media posts for covert influence and disinformation campaigns. Notably, Chinese groups APT5 and APT15 used the models for reconnaissance, while North Korean operators used ChatGPT to generate fake resumes for their widespread IT worker employment scams. While OpenAI found no evidence that the actors gained novel capabilities from their models, the company’s actions highlight the increasing trend of state-sponsored groups weaponizing large language models for cybercrime.
Be careful when installing software packages from npm or PyPI.
Cybersecurity researchers have found malicious code in open-source packages used by developers around the world. Some packages install remote access tools that let attackers take control of your device. Others delete files or steal account passwords for services like Instagram, Facebook, and Gmail.
✅ What you should do
✅ Why this matters
Just one bad package from a public repository can allow hackers to steal your data, destroy your files, or hijack your system. Staying alert while installing software helps protect your work and your identity.
Copyright © 2025 CyberMaterial. All Rights Reserved.