Top stories.
- Jaguar Land Rover extends shutdown as financial impact worsens.
- New self-replicating malware infects npm packages.
- SonicWall discloses breach of its cloud backup service.
- OpenAI fixes zero-click flaw in ChatGPT's Deep Research agent.
- Insight Partners notifies individuals affected by data breach.
- Major cybercriminal groups announce retirement, likely to rebrand.
- UK charges two teens over 2024 Transport for London hack.
- BreachForums founder resentenced to three years in prison.
Jaguar Land Rover extends shutdown as financial impact worsens.
Jaguar Land Rover (JLR) said on Tuesday that its production will remain on pause until at least September 24th as it continues to investigate a cyberattack that occurred at the beginning of September, the Record reports. The company stated, "We have taken this decision as our forensic investigation of the cyber incident continues, and as we consider the different stages of the controlled restart of our global operations, which will take time."
The BBC cites industry sources as saying JLR's disruption may actually last into November, though JLR has dismissed these claims as "speculation." The company shut down its primary manufacturing plants in the UK following the attack, and the BBC says the shutdown is likely costing the company at least £50 million (US$68 million) per week in lost production. The Record cites higher estimates saying JLR may be losing up to £72 million (US$98 million) in sales per day. Reuters says the company is working with the British government to restore operations and assess the impact.
New self-replicating malware infects npm packages.
A new supply chain attack campaign compromised more than 180 npm packages with a self-replicating malware, SecurityWeek reports. Researchers at JFrog, Orca Security, Wiz, Palo Alto Networks, Arctic Wolf, and others are tracking the campaign. One of the infected packages, @ctrl/tinycolor, has more than two million weekly downloads, while others, including ngx-bootstrap and ng2-file-upload, receive hundreds of thousands of downloads per week.
Orca explains, "A function called NpmModule[.]updatePackage was inserted into the affected packages to perform several actions: download a package tarball, modify package.json, inject a local script (bundle.js), repack the archive, and republish it. This means any other packages or apps that use the newly published packages automatically get infected too." The researchers add that the apparent goal of the campaign is to "find secrets on developer machines, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY, using TruffleHog’s credential scanner, and publishing the collected secrets to a public GitHub repository called 'Shai-Hulud.'"
SonicWall discloses breach of its cloud backup service.
SonicWall is warning customers to reset their credentials following a breach affecting its cloud backup service for firewalls, SecurityWeek reports. The company stated, "Our investigation found that threat actors accessed backup firewall preference files stored in the cloud for fewer than 5% of our firewall install base. While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall. We are not presently aware of these files being leaked online by threat actors. This was not a ransomware or similar event for SonicWall; rather, this was a series of brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors."
SonicWall is notifying affected customers and will provide them with fresh preference files. SonicWall users who have cloud backups enabled should follow the company's guidance to mitigate their potential exposure.
OpenAI fixes zero-click flaw in ChatGPT's Deep Research agent.
OpenAI has fixed a zero-click vulnerability in ChatGPT's Deep Research agent that could have exposed Gmail data, Infosecurity Magazine reports. Researchers at Radware discovered the flaw, explaining that "[u]nlike prior research that relied on client-side image rendering to trigger the leak, this attack leaks data directly from OpenAI’s cloud infrastructure, making it invisible to local or enterprise defenses."
Attackers could embed invisible instructions within an email before sending it to a targeted user. If the user asks ChatGPT Deep Research to analyze their emails, the AI agent will encounter the hidden instructions and follow them. In Radware's example, an attacker could send an email to an HR worker with instructions for Deep Research to find employee information and upload it to a URL.
OpenAI silently fixed the vulnerability in August, then acknowledged the flaw on September 3rd.
Insight Partners notifies individuals affected by data breach.
New York-headquartered venture capital giant Insight Partners is notifying thousands of individuals that their personal information was breached during a ransomware attack that took place in January 2025, TechCrunch reports. In a breach notification filed with the Maine Attorney General's Office, the firm said the breach affected more than 12,000 people.
The company hasn't disclosed what specific types of information were stolen, but earlier said the hackers accessed financial and personal data belonging to current and former employees as well as limited partners. TechCrunch notes that this may include "private and unnamed investors who help provide capital to Insight’s venture funds."
Major cybercriminal groups announce retirement, likely to rebrand.
Fifteen cybercriminal gangs, including Scattered Spider and Lapsus$, announced on BreachForums that they are shutting down to enjoy their "golden parachutes" with the millions they've accumulated from their ransomware and extortion attacks, the Register reports. The crooks say they've accomplished their goal of exposing insecure systems, and that "[o]thers will keep on studying and improving systems you use in your daily lives."
The announcement is almost certainly insincere, and the Register notes that the move is likely an attempt to evade law enforcement following a string of arrests and disruptions. Cybercriminals frequently move between groups and resurface under different names.
UK charges two teens over 2024 Transport for London hack.
The UK has charged two teenagers for their alleged involvement in an August 2024 cyberattack against Transport for London (TfL), the Register reports. The defendants are eighteen-year-old Owen Flowers from Walsall and nineteen-year-old Thalha Jubair from East London. The two teens are accused of being part of the Scattered Spider criminal group.
The UK's National Crime Agency stated, "Both will appear at Westminster Magistrates Court today (18 September), after the Crown Prosecution Service authorised [that] they be charged with conspiring together to commit unauthorised acts against TfL, under the Computer Misuse Act. Flowers was initially arrested for the TfL attack on 6 September 2024, at which point NCA officers identified further potential evidence of offending against US healthcare companies."
BreachForums founder resentenced to three years in prison.
BreachForums founder Conor Brian Fitzpatrick has been resentenced to three years in prison after a court ruled that his previous sentencing of time served (17 days) was too lenient. Fitzpatrick, who lives in New York, had pleaded guilty to one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material.