Weekly Cybersecurity Report | Week 35, 2025

As your dedicated cybersecurity services provider, Cyberone equips you with timely and in-depth information about current cyber attacks. Discover a weekly cybersecurity report of the latest exploits and breaches shaping the ever-evolving cybersecurity landscape.


Information security updates and events from the past week

  1. Exploiting SaaS integrations via OAuth (mainly around CRM and business automation)

    Campaigns abused OAuth tokens and third-party app access to organizational accounts to extract contact details, email content and other sensitive data for phishing and social engineering; in parallel, session cookies stolen by infostealers were replayed to bypass MFA. Late-August reporting concentrated on Salesforce connections and adjacent tools such as Salesloft/Drift. Implications: more BEC attempts, account takeover, and attacker visibility into legitimate email threads that lends follow-on lures credibility. What to do: inventory all OAuth integrations, reduce each app's scopes to what it actually needs, decommission unused apps, monitor for token anomalies (new source networks, unusual query volumes, off-hours use), shorten token lifetimes and tighten refresh-token policy, and adopt FIDO2 for sensitive admin accounts.

  2. Large scale data leaks from late August

    Breach trackers in late August showed unusually high volumes of stolen credentials and session cookies harvested by infostealers, which attackers replay to bypass MFA and take over enterprise accounts and cloud services. Because the same stolen data is reused to break into multi-tenant tools, a single dump fuels supply-chain-style campaigns across many organizations. Implications: wider attack surface across SaaS, compliance exposure, and drawn-out incident response. What to do: identify and revoke suspicious sessions, perform an organization-wide session kill where reuse is suspected, force password and API key resets, and harden enterprise browsers and EDR with credential-theft detection.

  3. DDoS attack on a major open source project (Arch Linux)

    The project's website and related online services were knocked offline on August 25 by an availability (DDoS) attack. The incident underscores how deeply organizations and development teams depend on community-run infrastructure, which without layered defenses can stall build pipelines and delay security updates. Implications: delayed package and patch delivery, and trust risks in distribution chains. What to do: put critical repositories behind a CDN/Anycast front, apply rate limiting, pre-warm caches, maintain alternate mirrors, rehearse DR procedures so availability is preserved, and keep verifying package signatures regardless of which mirror served the files.

  4. Supply chain compromise in Nx (build platform)

    A compromise reported at week's end, with public notes on August 28, involved secret exfiltration through the build chain and its helper tools: adversaries abused the trust that build systems place in plugins and scripts to influence artifacts and reach developer credentials. Implications: code-signing risk, secret leakage, and staged propagation through downstream packages. What to do: enforce supply chain signing and provenance (SLSA provenance attestations), run builds in isolated environments, maintain an SBOM, pin dependency versions in lockfiles, and regression-test third-party plugins before adopting updates.

  5. Active exploitation of Citrix flaws and accelerated patching

    Reports on August 27 of in-the-wild exploitation of Citrix products prompted immediate patch guidance from U.S. authorities. Implications: initial access to enterprise networks, webshell deployment on the appliance, and lateral movement. What to do: patch per the vendor advisory, check which instances are exposed externally, hunt for webshell artifacts and unexpected processes on affected appliances (patching does not evict an attacker who is already present, so treat exposed, unpatched appliances as potentially compromised), and enforce MFA/SSO at critical gateways.

  6. Urgent Git update due to arbitrary file write vulnerability

    On August 26, guidance was issued to update Git because of a flaw that allows arbitrary file writes and, under certain conditions, remote code execution, typically triggered by cloning or fetching from an untrusted repository. Implications: contamination of repositories and CI, developer workstation compromise, and build environment compromise. What to do: update Git clients and servers, treat hooks as executable code and control where they are loaded from (for example a centrally managed core.hooksPath), scan code before merge, and lock down CI runners (least privilege, sandboxing).
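Items 1 and 2 above both come down to the same review: which OAuth apps hold more access than they use, and which session tokens are being replayed by someone other than the user. The following script is an added example, not code from the Cyberone report or from any of the vendors named; the log field names, app names and ASN values are constructed for illustration and do not follow any vendor's real schema.

```python
"""Added example (not code from the Cyberone report): flag risky OAuth integrations
and session tokens that look replayed by an infostealer, over constructed records.
Field names below are assumptions, not any vendor's actual log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2025, 8, 29)                 # assumed review date
STALE_AFTER = timedelta(days=90)            # apps idle this long are decommission candidates
BROAD_SCOPES = {"full", "offline_access"}   # scopes that grant far more than a sync needs
REPLAY_WINDOW = timedelta(hours=1)          # a fingerprint change this quickly is suspicious

# Constructed inventory of connected OAuth apps (hypothetical names).
OAUTH_APPS = [
    {"app": "crm-sync",      "scopes": ["api"],
     "last_used": "2025-08-28T09:00:00"},
    {"app": "chat-widget",   "scopes": ["api", "full", "refresh_token"],
     "last_used": "2025-08-27T11:12:00"},
    {"app": "old-reporting", "scopes": ["api"],
     "last_used": "2025-03-01T08:00:00"},
]

# Constructed session events: token S1 is replayed from a different network and a
# non-browser client minutes after the real user's browser used it.
SESSION_EVENTS = [
    {"ts": "2025-08-27T10:00:00", "user": "alice", "session": "S1", "asn": 3320, "ua": "Chrome/128"},
    {"ts": "2025-08-27T10:20:00", "user": "alice", "session": "S1", "asn": 3320, "ua": "Chrome/128"},
    {"ts": "2025-08-27T10:35:00", "user": "alice", "session": "S1", "asn": 9009, "ua": "python-requests/2.32"},
    {"ts": "2025-08-27T11:00:00", "user": "bob",   "session": "S2", "asn": 3320, "ua": "Chrome/128"},
]


def review_oauth_apps(apps, now=NOW):
    """Return [(app, [reasons])] for apps whose scopes should shrink or that should go."""
    findings = []
    for app in apps:
        reasons = []
        broad = BROAD_SCOPES & set(app["scopes"])
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        if "refresh_token" in app["scopes"]:
            reasons.append("holds a refresh token; confirm rotation and expiry policy")
        idle = now - datetime.fromisoformat(app["last_used"])
        if idle > STALE_AFTER:
            reasons.append(f"unused for {idle.days} days; decommission")
        if reasons:
            findings.append((app["app"], reasons))
    return findings


def find_replayed_sessions(events, window=REPLAY_WINDOW):
    """Return {session: reason} for tokens whose ASN or user agent changed within the window.

    The first sighting of each session establishes its fingerprint; a later request with
    the same token from a different ASN or client inside the window is treated as a
    replayed (stolen) cookie rather than a user who merely changed networks."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        by_session[ev["session"]].append(ev)
    suspicious = {}
    for sid, evs in by_session.items():
        first = evs[0]
        t_first = datetime.fromisoformat(first["ts"])
        for ev in evs[1:]:
            changed = ev["asn"] != first["asn"] or ev["ua"] != first["ua"]
            if changed and datetime.fromisoformat(ev["ts"]) - t_first <= window:
                suspicious[sid] = (f"user {ev['user']}: ASN {first['asn']}->{ev['asn']}, "
                                   f"UA {first['ua']!r}->{ev['ua']!r}")
                break
    return suspicious


def response_plan(apps=OAUTH_APPS, events=SESSION_EVENTS):
    """Combine both checks into the kill/reset/decommission actions the report recommends."""
    replayed = find_replayed_sessions(events)
    users = sorted({ev["user"] for ev in events if ev["session"] in replayed})
    return {
        "kill_sessions": sorted(replayed),
        "reset_credentials": users,          # passwords and API keys of affected users
        "oauth_findings": review_oauth_apps(apps),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(response_plan(), indent=2))
```

Running it against the constructed data kills session S1, schedules a credential reset for alice, and flags chat-widget (broad "full" scope plus a refresh token) and old-reporting (idle since March). The fingerprint comparison is deliberately simple; in production you would feed it real identity-provider or CASB events and tune the window to your users' mobility.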
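For item 4, "enforce supply chain signing and provenance" means a consumer actually checks the attestation before a build output is trusted. The script below is an added example, not code from the Cyberone report or from the Nx project: it constructs an in-toto Statement v1 with a SLSA provenance v1 predicate and verifies that the statement names the artifact by hash, that the builder is on an allow-list, and that the build resolved the expected source repository. The builder id, repository, artifact name and commit are hypothetical; checking the DSSE signature around the statement is left to tooling such as slsa-verifier or cosign.

```python
"""Added example (not code from the Cyberone report or the Nx project): accept a build
artifact only if its SLSA provenance statement names it, a trusted builder produced it,
and it was built from the expected source. Everything below is constructed; builder id,
repository and artifact name are hypothetical. Signature verification of the DSSE
envelope that wraps a real statement is out of scope here."""
import hashlib

ALLOWED_BUILDERS = {"https://github.com/actions/runner/github-hosted"}   # assumed allow-list
EXPECTED_SOURCE = "https://github.com/example-org/example-app"          # hypothetical repo
ARTIFACT_NAME = "example-app-1.2.3.tgz"                                  # hypothetical artifact
ARTIFACT = b"constructed tarball bytes standing in for a real package\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed in-toto Statement v1 carrying a SLSA provenance v1 predicate.
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build-types/npm-publish/v1",   # hypothetical
            "externalParameters": {},
            "resolvedDependencies": [
                {"uri": f"git+{EXPECTED_SOURCE}@refs/tags/v1.2.3",
                 "digest": {"gitCommit": "0" * 40}},                          # placeholder commit
            ],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}


def verify_provenance(statement, artifact, name, allowed_builders=ALLOWED_BUILDERS,
                      expected_source=EXPECTED_SOURCE):
    """Return a list of failures; an empty list means the artifact may be accepted."""
    failures = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        failures.append("not an in-toto Statement v1")
    if not str(statement.get("predicateType", "")).startswith("https://slsa.dev/provenance/"):
        failures.append("predicate is not SLSA provenance")

    # 1. The statement must name this exact artifact and its hash must match the bytes.
    subject = next((s for s in statement.get("subject", []) if s.get("name") == name), None)
    if subject is None:
        failures.append(f"artifact {name} is not a subject of the statement")
    elif subject.get("digest", {}).get("sha256") != sha256_hex(artifact):
        failures.append("subject digest does not match the artifact bytes")

    # 2. Only builders we trust may vouch for the artifact.
    predicate = statement.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in allowed_builders:
        failures.append(f"untrusted builder: {builder}")

    # 3. The build must have been fed from the source repository we expect.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(str(d.get("uri", "")).startswith(f"git+{expected_source}@") for d in deps):
        failures.append("build did not resolve the expected source repository")
    return failures


if __name__ == "__main__":
    print("genuine:", verify_provenance(PROVENANCE, ARTIFACT, ARTIFACT_NAME) or "OK")
    # Swapped artifact bytes: how a poisoned package looks to the verifier.
    print("tampered:", verify_provenance(PROVENANCE, ARTIFACT + b"x", ARTIFACT_NAME))
```

The digest check is what stops a substituted package from riding on a genuine attestation; the builder and source checks stop an attacker from shipping a package with a valid attestation from their own build. Wire a check like this into the step that promotes artifacts into the internal registry, and fail closed when no statement is present.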

The cybersecurity attacks highlighted in this report aren't just incidents; they're blueprints of the adversary's arsenal. To protect your business you need the right partner. Cyberone is here to help! Check out our services.