Major npm supply chain attack has been largely averted.

Summary

By the CyberWire staff

Major npm supply chain attack has been largely averted.

Attackers launched a widespread supply chain attack yesterday after hacking an npm developer's account, though the campaign isn't as serious as some initial reports suggested, Infosecurity Magazine reports. Package maintainer Josh Junon confirmed yesterday that his npm account was compromised after he received a phishing email posing as a 2FA reset notification. The hackers then used Junon's "qix" npm account to publish malicious versions of dozens of packages Junon had maintained, which collectively receive more than 2.6 billion weekly downloads. The malicious code monitored the user's web browser for cryptocurrency addresses and replaced them with attacker-controlled addresses.

Less than four hours after Junon disclosed the hack, npm confirmed that all the malicious package versions had been shut down. Observers say the quick response highlighted the strength of the open-source security model. Arda Büyükkaya from EclecticIQ notes that npm recorded zero downloads of the malicious packages, and the attacker's cryptocurrency account currently has a balance of only sixty-six dollars.

Think your certificate security is covered? 47-day renewals will raise the stakes.

By March 2026, TLS certificate lifespans will be cut in half, meaning double today’s renewals. In 2029, certificates will expire every 47 days, demanding 8–12x the renewal volume. That’s exponential complexity, operational workload, and risk...unless you modernize your strategy. CyberArk — proven in identity security — is your partner in certificate security. We simplify lifecycle management with visibility, automation, and control at scale. Scan for vulnerabilities. Streamline operations. Scale security. Master the 47-day shift with CyberArk.

Attackers send phishing messages via iCloud Calendar invites.

BleepingComputer warns that attackers are abusing iCloud Calendar invites to send callback phishing messages that come from Apple's email servers. The notifications posed as invoices informing users of a six-hundred-dollar charge from their PayPal account. BleepingComputer explains, "[T]his email is actually an iCloud Calendar invite, where the threat actor included the phishing text within the Notes field and then invited a Microsoft 365 email address that they controlled. When the iCloud Calendar event is created and external people are invited, an email invitation is sent from Apple's servers at email.apple.com from the iCloud Calendar owner's name with the email address 'noreply@email.apple[.]com.'"

Aside from abusing Apple's infrastructure, the phishing attack is fairly generic. Users should always be wary of unexpected, urgent-sounding messages encouraging them to click a link, call a number, or open an attachment.

DMV Rising, D.C.’s Premier Conference for Cyber Execs.

The Washington, D.C. Maryland, and Virginia (DMV) region has established itself as a top-tier player in the global cyber industry. Join us on September 18, 2025 to celebrate the remarkable accomplishments of the DMV's cybersecurity community, connect with the brilliant minds shaping the future of the field, and experience firsthand why the DMV region is the beating heart of cyber innovation. Register now to secure your spot.

US Treasury sanctions Southeast Asian scam networks.

The US Treasury Department has imposed sanctions on companies and individuals allegedly involved in large scam networks in Southeast Asia, Reuters reports. Treasury said the action "includes nine targets operating in Shwe Kokko, Burma, a notorious hub for virtual currency investment scams under the protection of the OFAC-designated Karen National Army (KNA), as well as ten targets based in Cambodia."

The scam compounds, particularly along the Thai-Myanmar border, are known for using forced labor and debt slavery to compel thousands of human-trafficking victims into carrying out online scams. The Treasury Department says these networks stole more than $10 billion from Americans last year.

Notes.

Today's issue includes events affecting Cambodia, Myanmar, and the United States.

Attacks, Threats, and Vulnerabilities

The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows (GitGuardian Blog) On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint.

Surge in networks scans targeting Cisco ASA devices raise concerns (BleepingComputer) Large network scans have been targeting Cisco ASA devices, prompting warnings from cybersecurity researchers that it could indicate an upcoming flaw in the products.

Axios User Agent Helps Automate Phishing on “Unprecedented Scale” (Infosecurity Magazine) ReliaQuest warns that phishing campaigns abusing the Axios user agent have surged 241% in three months

New Docker Malware Strain Spotted Blocking Rivals on Exposed APIs (Hackread) Akamai finds new Docker malware blocking rivals on exposed APIs, replacing cryptominers with tools that hint at early botnet development.

Marketplace

Mitsubishi Electric to Acquire Nozomi Networks to Improve Industrial Cyber Defenses and Power Operational Transformation (Cision PR Newswire) /PRNewswire/ -- Nozomi Networks, the global leader in OT, IoT and CPS security, and Mitsubishi Electric Corporation (TOKYO: 6503) today announced they have...

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

DMV Rising '25 (Washington, DC, USA, Sep 18, 2025) Join us on September 18, 2025 to celebrate the remarkable accomplishments of the DMV's cybersecurity community, connect with the brilliant minds shaping the future of the field, and experience firsthand why the DMV region is the beating heart of cyber innovation. Register now to secure your spot.

HackAICon 2025 (Lisbon, Portugal, Sep 25, 2025) The first conference dedicated to combining AI and Ethical Hacking. We're bringing together OffSec pros, hackers, and leading researchers to find practical ways of using AI to secure the internet. Learn about the latest AI Hacking cosmic trends and connect with fellow professionals in engaging conversations. We banned sales pitches from the event - just knowledge sharing, leadership and technical insights.

Don’t miss Jen Easterly, former CISA Director, headlining HIP Conf 25 (Charleston, SC, USA, Oct 7 - 9, 2025) Jen Easterly, former CISA Director, keynotes HIP Conf 2025. A globally recognized cybersecurity leader, Easterly brings unmatched insight into hybrid identity security and resilience. Register now for this must-attend event.

Uniting Women in Cyber 2025 (Crystal City, Virginia, USA, Oct 9, 2025) UWIC is the premier event for cybersecurity leaders, professionals, and aspiring practitioners. Connect with a vibrant community focused on emerging global trends, technological advancements, and workforce development. Attend UWIC 2025 to learn, share ideas, and expand your professional network!

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 09.09.25

Top stories.

Major npm supply chain attack has been largely averted.

Attackers send phishing messages via iCloud Calendar invites.

US Treasury sanctions Southeast Asian scam networks.

Notes.

Attacks, Threats, and Vulnerabilities

Marketplace

Events