The CyberWire Daily Podcast 9.9.25
Ep 2388 | 9.9.25

Chalk one up for defenders.

Transcript

The open source community heads off a major npm supply chain attack. The Treasury Department sanctions cyber scam centers in Myanmar and Cambodia. Scammers abuse iCloud Calendar invites to send callback phishing emails. Researchers discover a new malware variant exploiting exposed Docker APIs. Phishing attacks abuse the Axios user agent and Microsoft’s Direct Send feature. Plex warns users of a data breach. Researchers flag a surge in scans targeting Cisco ASA devices. CISA delays finalizing its incident reporting rule. The GAO says federal cyber workforce figures are incomplete and unreliable. Our guest is Kevin Magee, Global Director of Cybersecurity Startups at Microsoft Security, discussing cybersecurity education going back to school. AI earns its own Darwin awards. 

Today is Tuesday, September 9th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The open source community heads off a major npm supply chain attack. 

A major supply chain attack targeting the npm ecosystem was stopped thanks to the rapid response of the open source community. Attackers compromised the npm account of well-known developer Josh Junon (“qix”), publishing malicious versions of widely used packages such as chalk (300M weekly downloads) and strip-ansi (261M weekly downloads). The malware acted as a crypto-clipper, swapping wallet addresses or hijacking transactions to steal cryptocurrency.

The malicious packages were live for only a few hours before npm and maintainers removed them. Researchers noted that the attack chain was sophisticated but losses were minimal, estimated at just $20 to $66, thanks to fast community detection. Reports show developers flagged the threat within 15 minutes, with some packages taken down in under an hour.

Experts stressed that while any compromise is serious, this was not the “biggest supply chain attack ever.” Instead, it highlighted the strength of open source collaboration in preventing widespread damage.

The Treasury Department sanctions cyber scam centers in Myanmar and Cambodia. 

The U.S. Treasury Department has sanctioned individuals and companies tied to cyber scam centers in Myanmar and Cambodia that have defrauded Americans of over $10 billion. The measures target Burmese, Cambodian, and Chinese nationals running forced labor compounds where victims are trafficked, abused, and forced to carry out scams.

In Myanmar, sanctions focused on Shwe Kokko, a hub run by militia leaders of the Karen National Army (KNA), who profit by trafficking workers and supporting scam operations. 

In Cambodia, the crackdown hit casino-linked scam centers in Sihanoukville and Bavet, tied to Chinese gangs and billionaire Try Pheap. Officials said these sanctions aim to disrupt industrial-scale fraud while combating human trafficking and modern slavery in the region.

Scammers abuse iCloud Calendar invites to send callback phishing emails. 

Apple has issued a warning after scammers were found abusing iCloud Calendar invites to send callback phishing emails disguised as purchase notifications. The scheme embeds fake payment alerts, such as a $599 PayPal charge, into the invite’s notes field. Since these messages come from Apple’s legitimate servers, they bypass spam filters and appear authentic. Victims are urged to call fraudulent numbers, where attackers attempt to trick them into downloading malicious software. Experts advise treating calendar invites with the same caution as suspicious emails.

Researchers discover a new malware variant exploiting exposed Docker APIs. 

Akamai researchers have discovered a new malware variant exploiting exposed Docker APIs, evolving from a campaign first seen in June 2025. Unlike the earlier strain that deployed a cryptominer, the updated version now blocks external API access, gains host-level control, and installs persistence tools, indicating preparation for larger operations. The malware uses a Go-based binary dropper, scans for other vulnerable servers, and spreads itself, suggesting early botnet development. It also removes competing cryptominer containers to dominate infected systems. Notably, the code includes inactive routines for Telnet and Chrome’s remote debugging, hinting at future expansion. Akamai’s honeypot analysis revealed indicators of compromise tied to Tor domains and webhook addresses. Security experts warn that attackers are shifting from quick profits toward infrastructure building, urging Docker users to secure APIs and monitor activity closely.

Phishing attacks abuse the Axios user agent and Microsoft’s Direct Send feature. 

ReliaQuest has reported a sharp surge in phishing attacks abusing the Axios user agent and Microsoft’s Direct Send feature. Between June and August 2025, Axios-driven phishing activity jumped 241%, accounting for nearly 24% of all malicious user-agent traffic, 10 times higher than any other agent. Axios-enabled campaigns had a 58% success rate, compared to just 9% for other incidents, with success climbing to 70% when paired with Direct Send. Initially aimed at executives in finance, healthcare, and manufacturing, the attacks now target regular users. Axios, a lightweight HTTP client, allows attackers to easily intercept, replay, and manipulate HTTP requests, bypassing MFA and hijacking session tokens. Its legitimacy helps it evade filters, unlike more suspicious tools. ReliaQuest urged organizations to disable Direct Send if possible, tighten email security, and train users to recognize phishing red flags.

Plex warns users of a data breach.  

Popular streaming platform Plex has warned users of a data breach in which attackers accessed emails, usernames, hashed passwords, and authentication data from one of its databases. The company stressed that the breach was contained and the risk of cracked passwords is low but urged users to reset their passwords immediately and sign out of all connected devices. Plex has blocked the attackers’ access, launched a security review, and advised customers to watch for phishing attempts. The number of affected users remains undisclosed.

Researchers flag a surge in scans targeting Cisco ASA devices. 

Cybersecurity researchers have flagged a surge in scans targeting Cisco ASA devices, raising concerns of a possible upcoming vulnerability. GreyNoise observed two major spikes in August, with up to 25,000 IPs probing ASA login portals and Cisco IOS Telnet/SSH. One wave, largely driven by a Brazilian botnet, used Chrome-like user agents and focused on U.S. systems. Similar spikes often precede new flaw disclosures. Admins are urged to apply patches, enforce MFA, and restrict direct access.

CISA delays finalizing its incident reporting rule. 

CISA has delayed finalizing its rule requiring critical infrastructure operators to report major cyber incidents until May 2026, seven months past the original deadline. The rule, mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, requires reporting cyberattacks within 72 hours and ransomware payments within 24. Officials said the delay allows more time to streamline requirements, reduce industry burden, and harmonize with other federal regulations. Lawmakers and industry groups welcomed the extension if it ensures stakeholder input is incorporated, though some criticized CISA’s lack of progress. The law, inspired by attacks like the Colonial Pipeline hack, will have wide impact across sectors once implemented.

The GAO says federal cyber workforce figures are incomplete and unreliable. 

The GAO says federal cyber workforce figures are incomplete and unreliable. Across 23 civilian agencies (DoD excluded), it counted at least 63,934 full-time cybersecurity employees costing $9.3B annually, plus 4,151 contractors costing $5.2B, but most agencies lack quality data. Twenty-two reported only partial or no contractor data; 19 had no data-quality checks; 17 lacked standard criteria for who qualifies as a cyber employee. GAO faulted the ONCD and OMB for lacking plans to improve data, noting a key working group paused in February and it’s unclear if it resumed after Sean Cairncross’s August confirmation. GAO recommended closing data gaps, standardizing roles, improving reporting quality, and assessing workforce effectiveness. While Biden-era initiatives began in 2023, their current priority is uncertain, hindering sound staffing and security decisions.

AI earns its own Darwin awards. 

It was perhaps only a matter of time before the Darwin Awards, long a monument to human misadventure, spawned an AI edition. The 2025 AI Darwin Awards honor not tragic self-removal from the gene pool, but the hubris of deploying machine intelligence where wisdom plainly did not follow. Consider Taco Bell’s drive-thru AI, whose grasp of natural language proved as tenuous as its tortillas. Or Replit’s “vibe coding” episode, in which an overeager model dutifully ignored instructions and annihilated a production database, proof that “do not touch” is irresistible to algorithms and toddlers alike. McDonald’s, meanwhile, entrusted 64 million job applicants’ data to a chatbot felled by the mighty password “123456.” The awards remind us AI is merely a tool, though one with global reach, zero patience, and alarming enthusiasm.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
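Editor’s added example, not part of the podcast and not ReliaQuest’s tooling: the Axios story above turns on the fact that the tool announces itself in its default User-Agent, so a defender can triage web or reverse-proxy logs for it. The script below parses lines in the common “combined” log format, counts requests per User-Agent, flags Axios-identified requests to login-style paths, and reports Axios’ share of traffic. The log lines are constructed for illustration, and the `axios/<version>` User-Agent prefix and the list of sensitive path prefixes are assumptions; an attacker who overrides the User-Agent will not be caught by this check.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:09:14:02 +0000] "POST /login HTTP/1.1" 200 1532 "-" "axios/1.7.2"
203.0.113.7 - - [12/Aug/2025:09:14:03 +0000] "POST /login HTTP/1.1" 200 1532 "-" "axios/1.7.2"
198.51.100.23 - - [12/Aug/2025:09:15:10 +0000] "GET /owa/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
203.0.113.7 - - [12/Aug/2025:09:16:44 +0000] "POST /login HTTP/1.1" 401 0 "-" "axios/1.7.2"
192.0.2.55 - - [12/Aug/2025:09:17:00 +0000] "GET /api/health HTTP/1.1" 200 12 "-" "curl/8.5.0"
"""

# One regex for the combined log format: client IP, timestamp, request line,
# status, size, referer and user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_axios_ua(ua):
    # Assumption: the client kept axios' default User-Agent, "axios/<version>".
    # A client that sets its own UA string will not match.
    return ua.lower().startswith("axios/")


def triage(log_text, sensitive_prefixes=("/login", "/owa", "/oauth")):
    """Parse every line, count requests per User-Agent, and collect Axios-identified
    requests to sensitive paths as (ip, path, status) tuples.
    The sensitive path prefixes are an assumption; tune them to the site."""
    ua_counts = Counter()
    suspicious = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the format
        ua_counts[rec["ua"]] += 1
        if is_axios_ua(rec["ua"]) and rec["path"].startswith(sensitive_prefixes):
            suspicious.append((rec["ip"], rec["path"], int(rec["status"])))
    return ua_counts, suspicious


def axios_share(ua_counts):
    """Fraction of parsed requests whose User-Agent identifies as axios."""
    total = sum(ua_counts.values())
    axios_hits = sum(n for ua, n in ua_counts.items() if is_axios_ua(ua))
    return axios_hits / total if total else 0.0


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    print(f"axios share of traffic: {axios_share(counts):.0%}")
    for ip, path, status in hits:
        print(f"axios request from {ip} to {path} -> HTTP {status}")
```

On the constructed sample this flags the three Axios requests to /login from 203.0.113.7 and reports Axios at 60% of traffic. In practice the useful signal is the change over time rather than the absolute share: a User-Agent that was rare last month and now dominates authentication endpoints, especially with successful (200) responses, is the pattern ReliaQuest describes.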