1st December – Threat Intelligence Report


For the latest discoveries in cyber research for the week of 1st December, please download our Threat Intelligence Bulletin.

TOP ATTACKS AND BREACHES

  • OpenAI has experienced a data breach resulting from a compromise at third-party analytics provider Mixpanel, which exposed limited information of some ChatGPT API clients. The leaked data includes names, email addresses, approximate location, operating system, browser information, referring websites, and organization or user IDs. No sensitive credentials or API keys were exposed.
  • Dartmouth College, a private Ivy League research university in New Hampshire, has been a victim of a data breach that resulted in the theft of personal information, including names, Social Security numbers and financial details, from its Oracle E-Business Suite servers. The Cl0p extortion gang was responsible, exploiting a zero-day vulnerability as part of a broader campaign. Other targets include Harvard University and Envoy Air, among others, with sensitive data exposed via dark web and torrent sites.

Check Point IPS, Threat Emulation and Harmony Endpoint provide protection against this threat (Oracle Concurrent Processing Remote Code Execution; Ransomware.Win.Clop; Ransomware.Wins.Clop; Ransomware.Wins.Clop.ta.*)

  • Crisis24, a leader in crisis and risk management, was hit by a cyberattack on its OnSolve CodeRED emergency alert platform that resulted in widespread disruption of notification systems nationwide and the theft of user data. Leaked information includes names, addresses, email addresses, phone numbers, and clear-text passwords, affecting state and local governments, public safety agencies, and residents across the US. The INC Ransomware gang has claimed responsibility for the attack and is offering the stolen data for sale.

Check Point Threat Emulation provides protection against this threat (Ransomware.Wins.INC)

  • Major American investment advisory provider SitusAMC has confirmed a data breach that resulted in the compromise of corporate data associated with client relationships, including accounting records, legal agreements, and potentially customer data. The breach impacted an undisclosed number of clients and customers, likely including the largest banks and financial institutions in the US, with no information yet provided on the amount or exact type of data leaked.
  • Russian postal operator Donbas Post has encountered a cyber-attack that disrupted its corporate network, web platform, and email systems, destroying over 1,000 workstations, 100 virtual machines, and several dozen terabytes of data, and forcing the suspension of services at postal branches and the call center. The Ukrainian Cyber Alliance has claimed responsibility.
  • The French Football Federation (FFF) has suffered a data breach that resulted in unauthorized access to administrative management software and theft of personal and contact information from members of French football clubs. Exposed data includes names, email addresses, and more.

VULNERABILITIES AND PATCHES

  • A new Mirai-based botnet, ShadowV2, was observed exploiting multiple known vulnerabilities (including CVE-2024-10914, CVE-2024-10915, and CVE-2024-53375) in IoT devices to gain control and launch distributed denial-of-service (DDoS) attacks. The botnet leveraged command injection and other flaws in routers, NAS devices, and DVRs across global sectors.

Check Point IPS provides protection against this threat (D-Link DNS NAS Devices Command Injection (CVE-2024-10914); D-Link DNS Series Command Injection; TP-Link Archer AXE75 Command Injection (CVE-2024-53375))

  • A security researcher uncovered more than 17,000 exposed credentials during a scan of 5.6 million public GitLab repositories, including API keys, passwords, and access tokens associated with over 2,800 domains. Many of these credentials – primarily Google Cloud, MongoDB, Telegram, and OpenAI keys – remain active. While most were leaked after 2018, some valid keys date back to 2009.
  • A patch was released for a critical authentication bypass vulnerability (CVE-2025-59366) in ASUS routers with AiCloud enabled, which allows remote attackers to exploit chained path traversal and OS command injection flaws for unauthorized function execution. Successful exploitation does not require user interaction and could result in attackers gaining control over vulnerable devices.

THREAT INTELLIGENCE REPORTS

  • Check Point researchers analyzed the Shai-Hulud 2.0 npm supply chain campaign that compromised over 600 npm packages and 25,000 GitHub repositories. Malicious preinstall scripts stole developer and multi-cloud credentials, exfiltrated them to attacker GitHub repos, registered infected hosts as self-hosted runners, and used the stolen tokens for worm-like propagation across npm and GitHub.

Check Point Threat Emulation provides protection against this threat (Trojan.Wins.ShaiHulud.ta.*)
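The propagation vector described above is npm install-time lifecycle scripts. As an added defensive illustration (not Check Point's code or the campaign's), the script below walks a node_modules tree and reports every package that declares a preinstall, install, postinstall or prepare script; the hook list and the sample package tree are constructed assumptions.

```python
import json
import os
import tempfile

# npm lifecycle scripts that run automatically during `npm install`; a malicious
# package can run arbitrary code through any of them (the preinstall vector
# described for Shai-Hulud 2.0). Hook list and sample data are assumptions.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def find_install_hooks(root):
    """Walk a node_modules tree and return {package_name: {hook: command}} for
    every package.json that declares an install-time lifecycle script."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not crash
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            name = manifest.get("name") or os.path.relpath(dirpath, root)
            findings[name] = hooks
    return findings

def scan_constructed_tree():
    """Build a constructed node_modules tree in a temp dir and scan it."""
    samples = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "tidy-lib": {"name": "tidy-lib", "scripts": {"test": "mocha"}},
        "odd-helper": {"name": "odd-helper",
                       "scripts": {"preinstall": "node install_hook.js"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for pkg, manifest in samples.items():
            pkg_dir = os.path.join(tmp, "node_modules", pkg)
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
                json.dump(manifest, fh)
        return find_install_hooks(os.path.join(tmp, "node_modules"))

if __name__ == "__main__":
    for pkg, hooks in scan_constructed_tree().items():
        print(f"{pkg}: {hooks}")
```

Point `find_install_hooks` at a real project's node_modules to review which dependencies get code execution at install time; installing with `--ignore-scripts` removes that execution path entirely for CI.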

  • Check Point researchers uncovered GhostAd, a large-scale Android adware campaign where at least 15 Google Play applications with millions of installs abuse foreground services, blank notifications, JobScheduler, and ad SDKs to run persistent background ads and drain device resources. These applications also use background execution and storage permissions to persist, hide, and silently exfiltrate external-storage files, including corporate documents, to attacker infrastructure.
  • Check Point outlines the cyber risks expected in 2026, including converging agentic AI, quantum computing, and Web 4.0. The blog outlines 12 trends: autonomous AI operations, digital-twin/XR environments, LLM-native attacks, deepfake fraud, quantum “harvest-now, decrypt-later” exposure, data-pressure ransomware, and expanding supply-chain, SaaS, and identity threats.
  • Researchers detailed HashJack, an indirect prompt injection technique that embeds malicious instructions in elements like URL fragments or emails to manipulate AI browser assistants – including Comet, Copilot for Edge, and Gemini for Chrome. This method enables threat actors to trigger phishing, misinformation, data exfiltration, and credential theft, exploiting LLMs’ inability to distinguish instructions from legitimate data.


