The CyberWire Daily Podcast 9.17.25
Ep 2394 | 9.17.25

Code beneath the sand.

Transcript

A new self-replicating malware infects the NPM repository. Microsoft and Cloudflare disrupt a Phishing-as-a-Service platform. Researchers uncover a new Fancy Bear backdoor campaign. The VoidProxy phishing-as-a-service (PhaaS) platform targets Microsoft 365 and Google accounts. A British telecom says its ransomware recovery may stretch into November. A new Rowhammer attack variant targets DDR5 memory. Democrats warn proposed budget cuts could slash the FBI’s cyber division staff by half at a heated Senate Judiciary Committee hearing. On our Industry Voices segment, we are joined by Abhishek Agrawal from Material security discussing challenges of securing the Google Workspace. Pompompurin heads to prison.

Today is Wednesday, September 17th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A new self-replicating malware infects the NPM repository. 

A new self-replicating malware called Shai-Hulud has infected at least 187 packages in the JavaScript repository NPM. Named after the sandworms in Dune, the worm steals developer credentials and publishes them in public GitHub repositories. Security firm Aikido reports the malware spreads by hijacking NPM tokens, injecting itself into the 20 most popular packages linked to a victim’s account, and releasing altered versions. The attack briefly compromised CrowdStrike-managed packages, but they were quickly removed. Unlike past NPM breaches, Shai-Hulud self-propagates, using tools like TruffleHog to harvest secrets and spread further. Researchers warn the worm mimics a “living” virus, capable of lying dormant before flaring up again. Experts say stronger two-factor authentication for publishing packages is needed to prevent future outbreaks.

Microsoft and Cloudflare disrupt a Phishing-as-a-Service platform. 

Microsoft and Cloudflare have disrupted RaccoonO365, a Phishing-as-a-Service platform that sold subscription kits to steal Microsoft 365 credentials. With a court order, Microsoft seized 338 websites tied to the operation, cutting off attackers’ infrastructure. RaccoonO365, also known as Storm-2246, enabled low-skilled criminals to impersonate brands like DocuSign and SharePoint, creating fake Microsoft login pages. The kit used adversary-in-the-middle tactics to capture passwords and session cookies, bypassing MFA protections. Investigators tracked cryptocurrency payments after discovering the group’s leaked wallet, identifying Nigerian programmer Joshua Ogundipe as the ringleader. He marketed the service on Telegram and, along with associates, sold tiered subscription plans ranging from $355 to $999. The group made at least $100,000. Microsoft has filed suit and referred Ogundipe to international law enforcement.

Researchers uncover a new Fancy Bear backdoor campaign. 

Sekoia.io has uncovered a new APT28 (Fancy Bear) campaign, dubbed Operation Phantom Net Voxel, that uses malicious Microsoft Office documents to deliver advanced backdoors. The attack, aimed at Ukrainian military officials via Signal spearphishing, tricks victims into enabling macros. These drop a DLL and a PNG image that hides shellcode, which then loads an HTTP Grunt Stager from the open-source Covenant framework. This establishes command-and-control (C2) through the cloud service Koofr, where attackers used folders named “Tansfering” and “Keeping” to manage tasks and exfiltrated data. A second backdoor, BeardShell, uses Icedrive for C2 and executes PowerShell commands. Researchers also linked APT28 to SlimAgent spyware, enabling keylogging and screenshots. At least 42 hosts may have been compromised since late 2024, highlighting Fancy Bear’s growing reliance on blended open-source tooling and legitimate cloud services for stealth and persistence.

The VoidProxy phishing-as-a-service (PhaaS) platform targets Microsoft 365 and Google accounts. 

Researchers at Okta have uncovered VoidProxy, a phishing-as-a-service (PhaaS) platform targeting Microsoft 365 and Google accounts. The operation uses adversary-in-the-middle (AitM) techniques to intercept logins, capturing credentials, MFA codes, and session tokens for use in business email compromise, fraud, and data theft. Experts warn VoidProxy is part of a growing wave of AitM-driven PhaaS tools, following kits like Evilginx. Security leaders stress an identity-first approach, reducing excessive privileges and monitoring identity interactions, since identity-based attacks are harder to detect and exploit user trust directly.

A British telecom says its ransomware recovery may stretch into November. 

British telecom Colt Technology Services says recovery from its August ransomware attack may not finish until late November, marking over three months of disruption. The Warlock group claimed responsibility, allegedly exfiltrating Colt’s data. While core network infrastructure remains operational, customer portals, hosting APIs, billing, and some voice services are still affected. Colt has engaged external experts, filed reports with authorities in 27 countries, and continues phased system restoration. Investigators suggest the attack may have exploited SharePoint vulnerabilities, followed by data theft and extortion attempts.

A new Rowhammer attack variant targets DDR5 memory. 

Researchers from Google and ETH Zurich have discovered a new Rowhammer attack variant, dubbed Phoenix, that targets DDR5 memory. Rowhammer exploits memory’s tendency to leak electrical charges, allowing attackers to corrupt adjacent cells, degrade performance, or escalate privileges by repeatedly accessing specific rows. While DDR5 was thought resistant, researchers found SK Hynix DDR5 vulnerable when tested on an AMD Zen 4 system. The attack is complex and resource-intensive but effective. Phoenix, tracked as CVE-2025-6202 with a 7.1 CVSS score, highlights gaps in DDR5 protections, particularly the absence of JEDEC’s Per-Row Activation Counting (PRAC) defense. ETH Zurich responsibly disclosed the flaw to memory and CPU vendors in June 2025. AMD has since released a BIOS update, and cloud providers were notified to mitigate risks.

Democrats warn proposed budget cuts could slash the FBI’s cyber division staff by half at a heated Senate Judiciary Committee hearing. 

At a heated Senate Judiciary Committee hearing, Democrats warned that proposed Trump-era cuts could slash the FBI’s cyber division staff by half, undermining defenses against foreign threats and ransomware. Sen. Dick Durbin cited a proposed $500 million FBI budget cut, while Sen. Alex Padilla argued shifting resources to immigration and politically motivated probes hurt core cyber missions. FBI Director Kash Patel countered that arrests rose 42%, with 409 arrests and 169 convictions in the past year, and insisted no resources were diverted from election security or counterterrorism. Patel highlighted ongoing efforts against Chinese hacking groups like Salt Typhoon and Volt Typhoon, as well as ransomware. Sen. Amy Klobuchar raised concerns about AI-driven election interference, which Patel attributed to loosely organized overseas actors.

Meanwhile, House lawmakers introduced a short-term funding bill to extend two key cyber programs, the 2015 Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program, until November 21. Both were set to expire September 30. The extension gives Congress more time to negotiate long-term renewals, with the House proposing a 10-year extension and the Senate, led by Sen. Rand Paul, expected to push for a shorter timeline with fewer safeguards for private entities sharing threat data. Uncertainty remains over bipartisan support.


Pompompurin heads to prison. 

Conor Brian Fitzpatrick, better known to the underworld as Pompompurin, has finally discovered that running the internet’s largest English-language data breach bazaar doesn’t come with frequent flyer miles; it comes with prison time. The 22-year-old BreachForums founder originally got off with 17 days served, a sentence so light an appeals court labeled it “substantively unreasonable,” which is judge-speak for “are you kidding me?” Now, he’ll serve three years, far short of the 15 prosecutors wanted but a notable upgrade from a long weekend behind bars.

During BreachForums’ year-long reign, Fitzpatrick facilitated the sale of 14 billion stolen records and made nearly $700,000, proving crime pays, just not sustainably. He’ll surrender his domains, devices, and crypto stash, while the FBI reminds cybercriminals: if your business model depends on VPNs and stolen identities, the retirement plan is usually an extended stay at Club Fed. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.