Marks and Spencer confirms customer data was stolen during cyberattack.

Summary

By the CyberWire staff

At a glance.

Marks and Spencer confirms customer data was stolen.
New infostealer uses PyInstaller to target macOS.
Turkish threat actor exploits zero-day to target Kurdish military.

Marks and Spencer confirms customer data was stolen during cyberattack.

British retailer Marks and Spencer (M&S) has confirmed that customer data was stolen during last month's ransomware attack, BleepingComputer reports. The company says the leaked data includes "name, email address, addresses, telephone number, date of birth, online order history, household information, and ‘masked’ payment card details used for online purchases." M&S said in a Facebook post that the data "does not include usable card or payment details, or account passwords," but the company is forcing password resets for customer accounts as a precaution.

The company also warns customers to be on the lookout for phishing attacks exploiting the leaked information: "You do not need to take any action, but you might receive emails, calls, or texts claiming to be from M&S when they are not, so do be cautious. We will never contact you and ask you to provide us with personal account information, like usernames, and we will never ask you to give us your password."

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

New infostealer uses PyInstaller to target macOS.

Jamf has published a report on a new infostealer that's abusing PyInstaller to target macOS systems. PyInstaller is a legitimate tool used for packaging Python scripts into standalone binaries, allowing apps to run even if Python isn't installed on the system. In this case, attackers are using the tool to create malicious payloads that will work properly on macOS. Jamf explains, "By combining PyInstaller with additional obfuscation, attackers can potentially execute malicious payloads on macOS systems without requiring a native Python installation, while also potentially evading traditional detection mechanisms."

On the State of modern web application security

Web applications remain a top attack vector for cybercriminals, according to the latest Verizon DBIR. Take a listen to the on-demand discussion with Outpost24 and N2K CyberWire’s Dave Bittner on today’s web application threats, vulnerabilities, and practical strategies to strengthen your defenses. Register now to access it on-demand.

Turkish threat actor exploits zero-day to target Kurdish military.

Researchers at Microsoft warn that Marbled Dust, a threat actor associated with the Turkish government, exploited a zero-day flaw to compromise Output Messenger accounts used by the Kurdish military operating in Iraq. Srimax, the developer of Output Messenger, has issued a patch for the flaw. The vulnerability (CVE-2025-27920) can allow attackers to "access files such as configuration files, sensitive user data, or even source code, and depending on the file contents, this could lead to further exploitation, including remote code execution."

Microsoft notes, "This new attack signals a notable shift in Marbled Dust’s capability while maintaining consistency in their overall approach. The successful use of a zero-day exploit suggests an increase in technical sophistication and could also suggest that Marbled Dust’s targeting priorities have escalated or that their operational goals have become more urgent."

Web applications remain a top attack vector for cybercriminals, according to the latest Verizon DBIR. Join us Tuesday, May 13th at 12pm ET for a live discussion with Outpost24 and N2K CyberWire’s Dave Bittner on today’s web application threats, vulnerabilities, and practical strategies to strengthen your defenses. Register now to join the live event or access it on-demand.

Notes.

Today's issue includes events affecting Iraq, Turkey, the United Kingdom, and the United States.

Attacks, Threats, and Vulnerabilities

Exclusive: North Korean scammers land jobs in U.S. with help from Chinese companies (Axios) North Korean IT workers are setting up front companies across China as part of their global operation to trick Western companies into hiring them, according to a new report shared first with Axios.

Hackers now testing ClickFix attacks against Linux targets (BleepingComputer) A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible.

Critical Security flaw in ASUS mainboard update system (BeyondMachines) A critical security flaw in ASUS mainboards' automatic update system allows attackers to exploit Windows' Platform Binary Table mechanism to execute malicious HTTP requests, enabling persistent system compromise that survives storage device replacement similar to the previous "Lojax" UEFI rootkit attack.

Litigation, Investigation, and Law Enforcement

Google to pay $1.375 billion to settle Texas data privacy violations (BleepingComputer) Google has agreed to a $1.375 billion settlement with the state of Texas over a 2022 lawsuit that alleged it had been collecting and using biometric data of millions of Texans without properly acquiring their consent.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

CYSAT (Paris, France, May 14 - 15, 2025) In today’s society, we heavily rely on space-based assets, and considering the continuously evolving cyber threats in the current geopolitical environment, securing space data is a major challenge. Since 2021, CYSEC has been organizing CYSAT to bring together all the players in the space cybersecurity domain.

CyberWiseCon Europe 2025 (Vilnius and virtual, Lithuania, May 21 - 23, 2025) CyberWiseCon is a premier IT security conference that brings together cybersecurity experts, industry leaders, and IT professionals from around the Europe.

NICE Conference (Denver, Colorado, USA, Jun 1 - 4, 2025) The NICE Conference is the annual convening of community members and thought leaders from education, government, industry, and non-profits to explore ways of developing a skilled cybersecurity workforce ready to meet the challenges of the future. This event provides an opportunity to share best practices from around the world and across sectors in order to build the workforce we need to confront cybersecurity risks today and in years to come.

2025 Space Regulatory Bootcamp (Albuquerque and Virtual, New Mexico, USA, Jun 10 - 11, 2025) ACSP's Bootcamps educate new and established space professionals on must-know fundamentals and arm them for success. The 2025 Space Regulatory Bootcamp, hosted in Albuquerque, New Mexico, is a two day comprehensive industry deep dive with advanced training and meaningful networking. Learn directly from leading subject matter experts on topics including space law, export controls, space telecommunications, government contracting, and more.

AWS re:Inforce 2025 (Philadelphia, Pennsylvania, USA, Jun 16 - 18, 2025) AWS re:Inforce is our annual, immersive, cloud-security learning event delivering hands-on training and collaboration with AWS experts. It’s your opportunity to learn about the latest AWS security innovations, get direct access to the AWS teams and partners who build the security tools you rely on, and connect with cloud security peers from around the world. You’ll leave with actionable next steps to raise your security posture.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 05.13.25

At a glance.

Marks and Spencer confirms customer data was stolen during cyberattack.

New infostealer uses PyInstaller to target macOS.

Turkish threat actor exploits zero-day to target Kurdish military.

Notes.

Attacks, Threats, and Vulnerabilities

Litigation, Investigation, and Law Enforcement

Events