Weekly Cyber News Rollup, November 28th, 2025

This is your weekly cyber news roll-up for the week ending November 28th, 2025.

You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

Japanese brewing group Asahi confirmed a ransomware attack that disrupted domestic operations while attackers stole data about customers, suppliers, and employees. The numbers are large. Roughly two million records are believed to be affected, blending personal and business details that criminals can reuse in fraud and extortion. Consumer brands with complex supply chains feel the hit on factory floors, distribution routes, and in the trust of people who buy their products. Response teams are restoring systems, working with regulators, and preparing long term monitoring and notification for the many third parties whose information has surfaced in the leak.

Investigators linked a North Korean threat group to malicious JavaScript packages in the npm ecosystem and related GitHub projects that quietly install OtterCookie malware. The infection path looks like a routine update. Once the tainted package lands on a developer workstation or build server, OtterCookie can harvest credentials, crypto wallets, and other sensitive data from common tools. Software and Web3 projects that lean heavily on open source dependencies are at particular risk because one poisoned library can ripple into many downstream applications. Development and security teams are reviewing new dependencies, enforcing stricter checks on npm usage, and watching endpoint and network telemetry for odd connections or credential access that trace back to these packages.

A separate campaign built on the Shai-Hulud malware family is abusing npm packages and GitHub Actions workflows to compromise development pipelines. This one hits automation. Booby-trapped dependencies and workflow files steal secrets from build jobs and cloud environments, and carry a destructive fallback that wipes data when the attackers' access is cut off. Continuous integration and continuous delivery systems that run with broad permissions are vulnerable because a single poisoned workflow can touch many repositories and environments. In response, organizations are tightening workflow permissions, hardening secrets management, and combing pipeline logs and repository histories for unauthorized changes or strange automation identities that appeared around the time of the attacks.
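The workflow-hardening step above is easy to describe and easy to get subtly wrong, so here is an added example (not code from the roll-up or from any project named in it): a Python audit of a parsed GitHub Actions workflow that flags the three weaknesses teams are tightening after these campaigns. It checks for a missing or write-all permissions block, actions pinned to movable tags instead of full commit SHAs, and a pull_request_target workflow that checks out the untrusted pull request head (which hands the base repository's secrets to whatever that PR's package.json scripts do). The two workflows are constructed dicts standing in for yaml.safe_load() output, and the commit SHAs are placeholders, not real revisions.

```python
import re

# A 40-hex-character commit SHA is the only action pin a maintainer (or a hijacked
# maintainer account) cannot silently move; tags such as @v4 can be re-pointed.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def uses_pinned(uses: str) -> bool:
    """True when a `uses:` reference is pinned to a full commit SHA.
    Local actions (./path) and docker:// images are out of scope here."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return True
    _, _, ref = uses.partition("@")
    return bool(SHA_RE.match(ref))


def audit_workflow(wf: dict) -> list:
    """Return human-readable findings for one parsed workflow document."""
    findings = []
    # PyYAML follows YAML 1.1 and loads the bare key `on` as boolean True,
    # so a yaml.safe_load()ed workflow keeps its triggers under True, not "on".
    triggers = wf.get("on", wf.get(True, {}))
    if isinstance(triggers, str):
        triggers = {triggers: None}
    elif isinstance(triggers, list):
        triggers = {t: None for t in triggers}

    perms = wf.get("permissions")
    if perms is None:
        findings.append("no top-level permissions block; GITHUB_TOKEN inherits the "
                        "repository default, which may be read/write")
    elif perms == "write-all":
        findings.append("top-level permissions: write-all")

    for job_name, job in wf.get("jobs", {}).items():
        if job.get("permissions") == "write-all":
            findings.append(f"job {job_name}: permissions write-all")
        for step in job.get("steps", []):
            uses = step.get("uses")
            if not uses:
                continue
            if not uses_pinned(uses):
                findings.append(f"job {job_name}: action {uses} is not pinned to a commit SHA")
            # pull_request_target runs with the base repository's secrets and token.
            # Checking out the PR's own head there lets an outside contributor run
            # code (for example a poisoned install script) with those secrets.
            if "pull_request_target" in triggers and uses.startswith("actions/checkout"):
                ref = str((step.get("with") or {}).get("ref", ""))
                if "pull_request.head" in ref:
                    findings.append(f"job {job_name}: checks out the untrusted PR head "
                                    f"under pull_request_target")
    return findings


# Constructed sample: the shape of a workflow that a poisoned dependency could abuse.
WEAK_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request_target": {}, "push": {"branches": ["main"]}},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"uses": "actions/setup-node@v4"},
                {"run": "npm ci && npm test",
                 "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"}},
            ],
        }
    },
}

# Same job, hardened. The 40-hex SHAs below are placeholders, not real revisions.
HARDENED_WORKFLOW = {
    "name": "ci",
    "on": {"pull_request": {}, "push": {"branches": ["main"]}},
    "permissions": {"contents": "read"},
    "jobs": {
        "build": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@0123456789abcdef0123456789abcdef01234567"},
                {"uses": "actions/setup-node@fedcba9876543210fedcba9876543210fedcba98"},
                {"run": "npm ci --ignore-scripts && npm test"},
            ],
        }
    },
}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or ["clean"])
```

Run it over the output of yaml.safe_load() for every file under .github/workflows and treat any non-empty result as a review blocker. The pull_request_target check is the one most often missed: the trigger itself is legitimate for labelling and commenting bots, but combined with a checkout of the PR head and a `run:` step that installs dependencies it is a remote code execution path into your secrets.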

A cyberattack forced the CodeRED emergency alert platform offline, cutting off automated warnings that many United States communities depend on during dangerous events. The silence was worrying. Cities, counties, and campuses had to scramble back to sirens, social media posts, radio, and local news partners to reach residents. Emergency managers who rely on a single cloud alert provider without tested backups are most exposed when outages hit during severe weather or public safety incidents. As the vendor restores portals and apps, agencies are updating incident playbooks, testing secondary channels, and demanding clearer failover plans so a similar attack does not leave people uninformed again.

New research showed that years of code snippets and configuration files pasted into popular online formatting and sharing tools have leaked thousands of live passwords and keys. The root cause is habit. Developers at banks, governments, healthcare providers, and technology firms used free web tools to clean up or share settings, not realizing inputs were stored for long periods and could be searched. Leaked material includes database connection strings, virtual private network (VPN) details, and administrator and application programming interface (API) logins that attackers can mine to walk into critical systems. Organizations are rolling out secrets scanning across code bases and paste sites, revoking exposed credentials, and tracing unusual logins that may already reflect abuse of these long lived secrets.
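To make the secrets-scanning step concrete, here is an added example (not code from the roll-up or from the research it cites): a small Python scanner that runs over a constructed paste of the kind described, catches the secret types named in the story (connection strings with embedded passwords, cloud access key IDs, bearer tokens, private key blocks) and returns each hit with the secret redacted so the finding can be shared for triage without re-leaking it. The sample paste is made up; the AWS key ID in it is the placeholder value used in AWS documentation, not a live credential.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted_line: str   # the whole line with every detected secret masked


# Order matters: more specific patterns claim a span before the generic one.
PATTERNS = [
    # scheme://user:secret@host  (database, queue and VPN/proxy URLs)
    ("url_credentials",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/@\s]+:(?P<secret>[^@\s]+)@[^/\s]+", re.I)),
    # ADO.NET / ODBC style connection strings
    ("ado_password",
     re.compile(r"\b(?:Password|Pwd)\s*=\s*(?P<secret>[^;\s\"']+)", re.I)),
    ("aws_access_key_id",
     re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?P<secret>(?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY)-----")),
    ("bearer_token",
     re.compile(r"\bBearer\s+(?P<secret>[A-Za-z0-9._~+/=-]{20,})", re.I)),
    # generic key = value with a long opaque value
    ("generic_assignment",
     re.compile(r"\b(?:api[_-]?key|secret|token|passwd|password)\b\s*[:=]\s*[\"']?"
                r"(?P<secret>[A-Za-z0-9_\-./+=]{12,})", re.I)),
]


def redact(line: str, spans: list) -> str:
    """Mask every (start, end) span, working right to left so offsets stay valid."""
    out = line
    for s, e in sorted(spans, reverse=True):
        out = f"{out[:s]}[REDACTED {e - s} chars]{out[e:]}"
    return out


def scan_text(text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = []   # (kind, start, end) for this line
        for kind, pattern in PATTERNS:
            for m in pattern.finditer(line):
                s, e = m.span("secret")
                if any(s < he and e > hs for _, hs, he in hits):
                    continue   # already claimed by a more specific pattern
                hits.append((kind, s, e))
        if hits:
            masked = redact(line, [(s, e) for _, s, e in hits])
            findings.extend(Finding(line_no, kind, masked) for kind, _, _ in hits)
    return findings


# Constructed sample paste: a config fragment of the kind people drop into a web formatter.
SAMPLE_PASTE = """\
# nginx upstream tuning for review
upstream api { server 10.0.0.12:8080; }
DATABASE_URL=postgres://app:Sup3rS3cret%21@db.internal:5432/prod
ConnectionString="Server=sql01;Database=ledger;User Id=svc_ledger;Password=Winter2025!;"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.placeholderSignatureValue
-----BEGIN OPENSSH PRIVATE KEY-----
# log_level = debug
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PASTE):
        print(f"line {f.line_no:>3}  {f.kind:<20} {f.redacted_line}")
```

Pointed at a corpus of exported pastes or at a repository's history, the same function gives you a revocation list keyed by secret type. Treat every hit on a reachable system as compromised rather than "probably expired": the story's point is that these inputs sat searchable for years, so the login-tracing step that follows revocation matters as much as the scan itself.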

A ransomware group claimed it stole a massive trove of booking and loyalty data from Iberia, Spain's flag carrier airline, and posted sample records online. The data paints rich pictures. Stolen files reportedly include passenger names, contact details, travel histories, and some payment related information, all of which can fuel stalking, fraud, and highly convincing phishing. Airlines, travel agencies, and corporate travel desks hold similar datasets, so any compromise raises concerns about profiling high value travelers and tracking sensitive trips. Investigators and regulators are monitoring how widely the Iberia data spreads, while the airline works to notify affected customers and review how long attackers were inside its systems before detection.

Researchers reported that attackers slipped a self spreading JavaScript worm into widely used open source packages, causing developer credentials and other secrets to leak from thousands of repositories. The malware is aggressive. When a developer installs an infected package, the code harvests environment variables, Git credentials, and keys from build systems, then phones home and attempts to poison additional projects. Teams that rely on automated dependency updates and large continuous integration farms are especially exposed, because the worm rides normal update workflows without much human review. Many organizations are mapping where the affected packages were used, rotating exposed secrets, and rebuilding impacted applications from clean baselines to restore trust in their software supply chains.
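Both this story and the OtterCookie one above end with teams "mapping where the affected packages were used" and "reviewing new dependencies". Here is an added example of what that review can look like in code (not from the roll-up or from npm itself): a Python audit of a lockfileVersion 2 or 3 package-lock.json that flags dependencies declaring install-time lifecycle scripts (the `hasInstallScript` marker npm records), dependencies resolved from somewhere other than the public registry or without an integrity hash, and versions published inside a cooldown window, using the `time` map from the registry packument. The lockfile, the package names and the publish timestamps are all constructed for the example.

```python
from datetime import datetime, timezone

REGISTRY = "https://registry.npmjs.org/"


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b'"""
    return lock_path.rsplit("node_modules/", 1)[-1]


def parse_npm_time(ts: str) -> datetime:
    # Registry "time" values look like 2025-11-24T09:00:00.000Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_lockfile(lock: dict, publish_times: dict, now: datetime,
                   cooldown_days: int = 7) -> list:
    """Return findings for every resolved package in a v2/v3 lockfile."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue   # the root project itself
        name, version = package_name(path), entry.get("version", "?")
        label = f"{name}@{version}"
        # Install-time scripts run arbitrary code on every `npm install`; this is the
        # hook malicious packages most often use, so each one needs a human reason.
        if entry.get("hasInstallScript"):
            findings.append(f"{label}: declares an install-time lifecycle script")
        resolved = entry.get("resolved", "")
        if not resolved.startswith(REGISTRY):
            findings.append(f"{label}: resolved from non-registry source {resolved or '<none>'}")
        if not entry.get("integrity"):
            findings.append(f"{label}: no integrity hash recorded")
        # A brand-new version of a long-stable package is the signature of a hijacked
        # maintainer account; holding back for a few days lets the ecosystem notice.
        published = publish_times.get(name, {}).get(version)
        if published is not None:
            age = (now - parse_npm_time(published)).days
            if age < cooldown_days:
                findings.append(f"{label}: published {age} day(s) ago, inside the "
                                f"{cooldown_days}-day cooldown")
    return findings


NOW = datetime(2025, 11, 28, tzinfo=timezone.utc)

# Constructed lockfile with fictional package names.
SAMPLE_LOCK = {
    "name": "web-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "web-app",
             "dependencies": {"demo-colorizer": "^1.3.0", "demo-util": "^2.0.0"}},
        "node_modules/demo-colorizer": {
            "version": "1.3.1",
            "resolved": "https://registry.npmjs.org/demo-colorizer/-/demo-colorizer-1.3.1.tgz",
            "integrity": "sha512-c0nstructedValueForTheExample==",
            "hasInstallScript": True,
        },
        "node_modules/demo-util": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/demo-util/-/demo-util-2.0.0.tgz",
            "integrity": "sha512-an0therC0nstructedValue==",
        },
        "node_modules/demo-util/node_modules/demo-tiny": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@github.com/example/demo-tiny.git#0badc0de",
        },
    },
}

# Shape of the packument's "time" field (version -> ISO timestamp); values constructed.
PUBLISH_TIMES = {
    "demo-colorizer": {"1.3.0": "2025-02-11T10:00:00.000Z",
                       "1.3.1": "2025-11-24T09:00:00.000Z"},
    "demo-util": {"2.0.0": "2024-01-10T12:00:00.000Z"},
}

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, PUBLISH_TIMES, NOW):
        print(finding)
```

In a real pipeline the `publish_times` argument is filled from `GET https://registry.npmjs.org/<name>` for each flagged name, and the audit runs before `npm ci`. Pair it with `npm ci --ignore-scripts` in CI so that even a package that slips past the cooldown cannot execute on the build agent; the few dependencies that genuinely need a build step get an explicit, reviewed post-install command instead.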

Security teams are warning that high end artificial intelligence (AI) clusters are being hijacked after attackers began exploiting a flaw in the Ray orchestration framework. The bug is simple but powerful. Unprotected Ray dashboards and worker nodes accept unauthenticated connections, allowing intruders to run arbitrary code across entire clusters. Cloud providers, research labs, and startups that stand up Ray clusters quickly for experiments and leave management interfaces exposed are prime targets for cryptomining and potential data theft. Defenders are inventorying every Ray deployment, locking management endpoints behind authentication, reviewing clusters for unauthorized workloads, and watching for suspicious spikes in graphics processing unit (GPU) and network usage that fall outside normal training patterns.

Five newly disclosed vulnerabilities in the Fluent Bit logging agent can be chained to bypass protections, crash services, or execute code on systems that run it. The ubiquity is the concern. Fluent Bit is widely embedded in cloud images, Kubernetes clusters, and observability stacks, often as a default component that teams forget exists. Attackers who can reach its exposed interfaces or send crafted telemetry may pivot from a simple logging sidecar into broader host or container control. Organizations with large multi cloud logging pipelines are scanning for exposed Fluent Bit endpoints, tightening network rules around them, and fast tracking patches while watching for crashes, malformed log floods, and odd process activity coming from logging containers.

A critical flaw in the popular W3 Total Cache plugin for WordPress now has a public proof of concept exploit, increasing risk for many business sites. The plugin is everywhere. Unauthenticated attackers can use the bug to execute code on vulnerable servers, turning a performance tuning tool into a path for full site takeover. Online retailers, professional services firms, and agencies that run multiple WordPress sites are at risk of defacement, card skimming, and being folded into phishing or malware campaigns. Defenders are identifying every site that uses W3 Total Cache, updating to fixed versions, hardening administrator access, and watching for new admin accounts, template changes, or suspicious redirects that hint at active exploitation.

Customer data in Salesforce may have been copied from hundreds of companies after attackers abused Gainsight integrations in a supply chain style breach. The attack flowed through trust. ShinyHunters claims it stole data from more than two hundred organizations by compromising Gainsight, whose customer success apps often have broad read access into Salesforce tenants. Exposed records may include contact details, deal pipelines, and support histories that can power targeted phishing, business email compromise, and competitive intelligence. Companies are reviewing which Gainsight and other third party apps connect into Salesforce, tightening scopes, re authorizing only what is essential, and checking audit logs for unusual report runs or bulk exports tied to these integrations during the suspected attack window.

A critical flaw in Oracle Identity Manager is being actively exploited to take over enterprise accounts in the middle of single sign on flows. The impact is deep. The bug lives in Oracle Fusion Middleware and allows remote attackers to send crafted requests without valid credentials and still execute sensitive functions. Organizations that run Oracle Identity Manager on internet reachable endpoints or use it as a broker for finance and other high value applications are most exposed. Identity and security teams are installing Oracle's fixed release, narrowing network access to these servers, and combing audit trails for unexpected privileged accounts or strange request patterns that might indicate successful exploitation.

A serious vulnerability in Azure Bastion lets attackers bypass authentication and gain administrator access to cloud servers that should be protected behind the service. The flaw undermines a safety rail. By treating certain crafted requests as trusted sessions, it turns Bastion into a direct path onto virtual machines without user interaction. Cloud teams that centralize remote administration through internet facing Bastion instances fronting production workloads face the greatest risk. Because Bastion is a managed service, the fix is applied on Microsoft's side rather than by customers; administrators are confirming that remediation covers their deployments, tightening identity and network controls, and reviewing Azure activity logs for unfamiliar Bastion connections or unusual administrator logins into critical servers.

A maximum severity flaw in Grafana Enterprise's identity integration can silently promote new users to administrators when the platform uses System for Cross-domain Identity Management (SCIM) for provisioning. The privilege jump is dangerous. Certain SCIM payloads can create high level accounts instead of standard users, which means a compromised identity provider can open the door to full dashboard control. Environments where Grafana exposes sensitive metrics, logs, or embedded secrets and overlaps with other high privilege tools are especially at risk. Security teams are patching Grafana Enterprise, auditing SCIM role mappings, and reviewing recent provisioning events and admin account creations to verify that every privileged identity truly belongs.

A critical vulnerability in the 7-Zip compression tool can be abused through a public proof of concept exploit, but fixing it requires manual updates on many endpoints because the tool has no automatic update mechanism. The weakness lies in file handling. Older 7-Zip versions mishandle symbolic links inside crafted archives, allowing attackers to write or overwrite files outside the intended extraction path when users unpack malicious archives. Organizations with unmanaged workstations, shared admin jump boxes, or file servers where 7-Zip sits outside formal inventory are most exposed. Teams are standardizing on patched 7-Zip versions, pushing updated packages through endpoint tools, and monitoring telemetry for extractions from untrusted locations that lead to unexpected file writes in sensitive directories.
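The bug class here is older than 7-Zip: an archive carries a symlink entry pointing outside the extraction directory, followed by a regular file whose path passes through that link, so a naive extractor creates the link and then writes the file wherever it points. As an added example (not 7-Zip's code or the published proof of concept), the Python below builds such an archive in memory using the standard zipfile module, then vets every entry before extraction: symlink entries, files that route through an earlier symlink, and dot-dot traversal are rejected and reported, and only clean entries are written. The archive contents are constructed; nothing here is an exploit for any real product.

```python
import io
import os
import posixpath
import stat
import tempfile
import zipfile


def build_sample_archive() -> bytes:
    """Constructed in-memory archive of the shape described above (not a real exploit file):
    a symlink entry, a file whose path passes through that symlink, and a dot-dot entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content\n")
        # Unix mode bits live in the top 16 bits of external_attr; a symlink's body is its target.
        link = zipfile.ZipInfo("plugins")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/cron.d")
        # An extractor that created the symlink first would write this *through* it, outside dest.
        zf.writestr("plugins/hourly-job", "* * * * * root /tmp/payload\n")
        zf.writestr("../../outside.txt", "escaped\n")
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)


def vet_entries(zf: zipfile.ZipFile, dest: str):
    """Split entries into (safe_names, {rejected_name: reason}) for extraction under dest."""
    root = os.path.realpath(dest)
    safe, rejected, symlink_prefixes = [], {}, []
    for info in zf.infolist():
        name = info.filename
        norm = posixpath.normpath(name)
        if is_symlink(info):
            rejected[name] = "symlink entry"
            symlink_prefixes.append(norm + "/")
            continue
        if any(norm.startswith(p) for p in symlink_prefixes):
            rejected[name] = "path passes through an earlier symlink entry"
            continue
        # Resolve against the destination; anything that lands outside it is traversal.
        target = os.path.realpath(os.path.join(root, name))
        if target != root and not target.startswith(root + os.sep):
            rejected[name] = "escapes the destination directory"
            continue
        safe.append(name)
    return safe, rejected


def safe_extract(data: bytes, dest: str) -> dict:
    """Extract only vetted entries; return the rejected map for logging or alerting."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        safe, rejected = vet_entries(zf, dest)
        for name in safe:
            zf.extract(name, dest)
    return rejected


def demo():
    """Unpack the sample archive into a fresh temp dir; return (files written, rejections)."""
    dest = tempfile.mkdtemp(prefix="vet-")
    rejected = safe_extract(build_sample_archive(), dest)
    return sorted(os.listdir(dest)), rejected


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    for name, why in rejected.items():
        print(f"rejected {name!r}: {why}")
```

Python's own extract() already strips traversal components and does not create symlinks, so this is not a fix for zipfile; the point is the pre-extraction vet, which belongs in any service that unpacks untrusted archives (mail gateways, CI artifact handlers, upload processors). The rejected map is also the detection signal the story's last sentence asks for: an archive from an untrusted source that contains symlink entries or dot-dot paths is worth an alert whether or not the extraction succeeded.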

An exploit chain for Fortinet's FortiWeb web application firewalls has been added to the Metasploit framework, making it far easier to attack exposed devices. The barrier just dropped. By bundling multiple flaws into a ready made chain, the update lets both red teams and criminals quickly test internet facing FortiWeb appliances for compromise. Organizations that depend on FortiWeb to protect important public web applications and have delayed Fortinet's patches or mitigations are particularly exposed. Network and security engineers are reviewing firmware versions, tightening which management interfaces are reachable, and monitoring device logs for unusual administrative logins, configuration changes, or outbound connections that could signal successful exploitation through this new turnkey toolset.

That’s the BareMetalCyber Weekly Roll-Up for the week ending November 28th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber news dot com. We’ll be back next week.