Cyber Digests

No noise - cyber threat landscape

Researchers have demonstrated a proof-of-concept AI-powered ransomware that autonomously orchestrates the full attack lifecycle, a sign of where future threats are heading.
- The prototype uses large language models (LLMs) to synthesize polymorphic malicious code on the fly, adapting to the target environment for reconnaissance, payload generation and personalized extortion without human intervention.
- The proof-of-concept evaded detection by major antivirus vendors; because the generated code and the resulting telemetry vary from run to run, such attacks would be sophisticated and hard to track.
- The findings underscore how easily LLMs can be co-opted for cybercriminal operations, the detection challenges this poses, and doubts about the effectiveness of current AI safety features.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A malicious npm package, nodejs-smtp, impersonates the popular nodemailer library in order to steal cryptocurrency from Atomic Wallet users. The package ships a working mailer API so that it does not raise suspicion, and it targets multiple cryptocurrencies. The threat actor's tooling injects code into the wallet's runtime and overwrites the recipient address at transaction time, redirecting funds. The financial impact so far is low, but the campaign is deliberate and built to scale, and the package is convincing enough that developers could integrate it by mistake.

A newly identified and secretive malware-as-a-service (MaaS) operation, tracked as TAG-150, is actively distributing custom remote access Trojans (RATs) and commercial infostealers, with targets that include government entities and other critical organizations.
* The group has no visible dark web presence, suggesting an exclusive, sophisticated customer base.
* TAG-150 has developed two variants of its custom CastleRAT, one written in C and one in Python; the Python build is designed for stealth, forces a Windows Defender exclusion for itself, and largely evades antivirus detection.
* Earlier operations used CastleLoader in over 1,600 attacks with a 28.7% success rate, and abused Steam gaming community pages as dead drops for command-and-control (C2) addresses.
* The operation has potential links to ransomware activity and is expected to expand its custom malware development and distribution.

Latest mentioned: 09-05
Earliest mentioned: 09-05

A new campaign uses a Terminal-based execution method to deploy a macOS stealer, bypassing Gatekeeper and posing a significant threat to enterprise data.
* Victims are tricked into pasting malicious commands into Terminal; commands the user runs this way are not subject to the checks Gatekeeper applies to downloaded applications, so the stealer can establish persistence and exfiltrate a wide range of sensitive data.
* The malware harvests browser credentials, cryptocurrency wallets, Keychain items, and various personal and enterprise files.
* Its sandbox evasion capabilities and broad data theft potential highlight the evolving risk to macOS environments.
* Organizations must prioritize user education against this kind of social engineering and implement defense-in-depth measures beyond the built-in OS protections.

Latest mentioned: 09-06
Earliest mentioned: 09-05

Active exploitation of CVE-2025-53690 has been observed, leading to remote code execution and unauthorized access. The weakness lies in ASP.NET machine key configuration: older Sitecore deployments relied on a publicly exposed machine key, and an attacker who knows the validation key can sign an arbitrary ViewState payload that the server will accept and deserialize. Attackers used this ViewState deserialization path to deploy reconnaissance tools and establish persistence. Mitigations include rotating the machine keys, encrypting the machineKey section, and restricting access to web.config files.
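As an added example (not code from the page, from Sitecore or from Microsoft), the following Python script audits an ASP.NET web.config for the weakness described above: a static, plaintext or known-published machineKey, or a legacy validation algorithm. It then generates a rotated replacement. The sample web.config and the "published" key value in it are constructed for illustration and do not correspond to any real deployment guide.

```python
"""
Audit an ASP.NET web.config <machineKey> and produce a rotated replacement.
Added example; the sample config and PUBLISHED_KEYS entry are constructed.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed stand-in for a key that has appeared in public documentation.
# A real audit would load the actual published values from a reference list.
SAMPLE_VALIDATION_KEY = "0123456789ABCDEF" * 8
SAMPLE_DECRYPTION_KEY = "FEDCBA9876543210" * 4
PUBLISHED_KEYS = {SAMPLE_VALIDATION_KEY}

# Constructed sample web.config: static keys copied from a guide, legacy SHA1 MAC.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{SAMPLE_VALIDATION_KEY}"
                decryptionKey="{SAMPLE_DECRYPTION_KEY}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

WEAK_VALIDATION = {"MD5", "SHA1"}   # legacy MAC algorithms; HMACSHA256 is the modern default
WEAK_DECRYPTION = {"DES", "3DES"}


def _system_web(root):
    """Return the <system.web> section element, or None."""
    return next((s for s in root if s.tag == "system.web"), None)


def assess(config_xml, published_keys=PUBLISHED_KEYS):
    """Return a list of finding tags for the machineKey in config_xml."""
    root = ET.fromstring(config_xml)
    system_web = _system_web(root)
    mk = system_web.find("machineKey") if system_web is not None else None
    findings = []
    if mk is None:
        return findings        # absent: ASP.NET auto-generates per-machine keys
    if mk.get("configProtectionProvider"):
        return findings        # section already encrypted (e.g. via aspnet_regiis -pe)
    published = {k.upper() for k in published_keys}
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")
        if value.upper().startswith("AUTOGENERATE"):
            continue
        findings.append(f"plaintext-static:{attr}")
        if value.upper() in published:
            findings.append(f"published-key:{attr}")
    # Defaults below assume the .NET 4.5+ defaults (HMACSHA256 / AES).
    if mk.get("validation", "HMACSHA256").upper() in WEAK_VALIDATION:
        findings.append(f"weak-validation:{mk.get('validation')}")
    if mk.get("decryption", "AES").upper() in WEAK_DECRYPTION:
        findings.append(f"weak-decryption:{mk.get('decryption')}")
    return findings


def new_machine_key():
    """Fresh keys: 64 random bytes for HMACSHA256 validation, 32 for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate(config_xml):
    """Return config_xml with its machineKey replaced by freshly generated keys."""
    root = ET.fromstring(config_xml)
    system_web = _system_web(root)
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    mk = system_web.find("machineKey")
    if mk is None:
        mk = ET.SubElement(system_web, "machineKey")
    for child in list(mk):          # drop any EncryptedData left from a prior encryption
        mk.remove(child)
    mk.attrib.clear()               # drop stale attributes, then write the new key set
    mk.attrib.update(new_machine_key())
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", assess(SAMPLE_WEB_CONFIG))
    rotated = rotate(SAMPLE_WEB_CONFIG)
    print("after: ", assess(rotated))
    print(rotated)
```

The rotated file still carries a static key in plaintext, which is expected: rotation only removes the known key. The remaining two steps from the advisory are done outside this script, by encrypting the section (for example `aspnet_regiis.exe -pe "system.web/machineKey" -app "/YourSite"`) and by tightening the NTFS ACL on web.config to the application pool identity and administrators. Every server in a web farm must receive the same new key, and rotation invalidates outstanding ViewState and forms-authentication tickets.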

The Czech National Cyber and Information Security Agency (NÚKIB) has issued a formal warning about products and services that transfer user and system data to China, citing legal frameworks there that compel companies to share data with the state.
* Such data transfers enable remote administration of the products and potential misuse in the state's interest, affecting national resilience and not only privacy.
* Chinese legal provisions, including the National Security Law and the National Intelligence Law, leave no meaningful separation between private entities and state cyber operations.
* Threat intelligence shows a significant increase in intrusion activity and cloud targeting by Chinese operations.
* The advisory highlights supply chain risk: third-party dependencies can expose organizations to data theft and espionage.

Latest mentioned: 09-06
Earliest mentioned: 09-04

A critical ABAP code injection vulnerability (CVE-2025-42957) in SAP S/4HANA and related products is being actively exploited in the wild, allowing a low-privileged user to achieve full system takeover.
* Developing an exploit is trivial: the patch is easy to reverse engineer and ABAP code is open to inspection.
* Successful exploitation allows data theft and manipulation, privilege escalation, creation of backdoor accounts, credential theft, and operational disruption.
* Many systems remain unpatched despite the vendor fix, leaving them exposed to ongoing, albeit so far limited, attacks.
* Applying the August 2025 Patch Day updates immediately is critical for affected SAP S/4HANA, Landscape Transformation, Business One, and NetWeaver AS ABAP systems.

Bridgestone Americas has confirmed a cyber incident affecting manufacturing operations at multiple North American facilities.
* The incident disrupted production at plants in the US (South Carolina) and Canada (Quebec).
* The company says rapid containment prevented customer data theft and deeper network infiltration.
* Mitigation efforts are under way to limit supply chain disruption and product shortages.
* The type of attack has not been confirmed; a 2022 LockBit ransomware incident at the company is cited for context.

A cyberattack severely disrupted Jaguar Land Rover's global IT systems, forcing production halts and sending staff home.
- The company proactively took systems offline to limit the impact, while an English-speaking cybercriminal group claimed responsibility on Telegram and alleged it had exfiltrated data.
- The incident fits a pattern of similar attacks on other high-profile British organizations by English-speaking hackers, some of whom had previously been arrested and released on bail.
- The Information Commissioner's Office confirmed it had received a data breach report, suggesting data may have been compromised despite the company's initial statements.
