Cyberveille, curated by Decio
50 results tagged Computer
US nuclear weapons agency reportedly hacked in SharePoint attacks https://www.bleepingcomputer.com/news/security/us-nuclear-weapons-agency-reportedly-hacked-in-sharepoint-attacks/
23/07/2025 17:41:47

Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.

NNSA is a semi-autonomous U.S. government agency part of the Energy Department that maintains the country's nuclear weapons stockpile and is also tasked with responding to nuclear and radiological emergencies within the United States and abroad.

A Department of Energy spokesperson confirmed in a statement that hackers gained access to NNSA networks last week.

"On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA," Department of Energy Press Secretary Ben Dietderich told BleepingComputer. "The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems."

Dietderich added that only "a very small number of systems were impacted" and that "all impacted systems are being restored."

As first reported by Bloomberg, sources within the agency also noted that there's no evidence of sensitive or classified information compromised in the breach.

The APT29 Russian state-sponsored threat group, the hacking division of the Russian Foreign Intelligence Service (SVR), also breached the U.S. nuclear weapons agency in 2019 using a trojanized SolarWinds Orion update.

Attacks linked to Chinese state hackers, over 400 servers breached

On Tuesday, Microsoft and Google linked the widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain (known as ToolShell) to Chinese state-sponsored hacking groups.

"Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said.

"In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing."

Dutch cybersecurity firm Eye Security first detected the zero-day attacks on Friday, stating that at least 54 organizations had already been compromised, including national government entities and multinational companies.

Cybersecurity firm Check Point later revealed that it had spotted signs of exploitation going back to July 7th targeting dozens of government, telecommunications, and technology organizations in North America and Western Europe.

Breach Nuclear InfoSec Security USA Computer Microsoft NNSA ToolShell Zero-Day SharePoint
npm 'accidentally' removes Stylus package, breaks builds and pipelines https://www.bleepingcomputer.com/news/security/npm-accidentally-removes-stylus-package-breaks-builds-and-pipelines/
23/07/2025 15:30:00

bleepingcomputer.com - npm has taken down all versions of the real Stylus library and replaced them with a "security holding" page, breaking pipelines and builds worldwide that rely on the package.

A security placeholder webpage is typically displayed when malicious packages and libraries are removed by the admins of npmjs.com, the world's largest software registry primarily used for JavaScript and Node.js development.

But that isn't quite the case for Stylus: a legitimate "revolutionary" library receiving 3 million weekly downloads and providing an expressive way for devs to generate CSS.

Stylus 'accidentally banned by npmjs'

As of a few hours ago, npmjs has removed all versions of the Stylus package and published a "security holding package" page in its place.

"Stylus was accidentally banned by npmjs," earlier stated Stylus developer Lei Chen in a GitHub issue. The project maintainer is "currently waiting for npmjs to restore access to Stylus."

"I am the current maintainer of Stylus. The Stylus library has been flagged as malicious..., which has caused many [libraries] and frameworks that depend on Stylus to fail to install," also posted Chen on X (formerly Twitter). "Please help me retweet this msg in the hope that the npmjs official team will take notice of this issue."

bleepingcomputer.com EN 2025 Supply supply-chain-attack Computer Security Source npm Chain
Lumma infostealer malware returns after law enforcement disruption https://www.bleepingcomputer.com/news/security/lumma-infostealer-malware-returns-after-law-enforcement-disruption/
22/07/2025 23:45:09

bleepingcomputer.com - The Lumma infostealer malware operation is gradually resuming activities following a massive law enforcement operation in May, which resulted in the seizure of 2,300 domains and parts of its infrastructure.

Although the Lumma malware-as-a-service (MaaS) platform suffered significant disruption from the law enforcement action, as confirmed by early June reports on infostealer activity, it didn't shut down.

The operators immediately acknowledged the situation on XSS forums, but claimed that their central server had not been seized (although it had been remotely wiped), and restoration efforts were already underway.

Gradually, the MaaS built up again and regained trust within the cybercrime community, and is now facilitating infostealing operations on multiple platforms again.

According to Trend Micro analysts, Lumma has almost returned to pre-takedown activity levels, with the cybersecurity firm's telemetry indicating a rapid rebuilding of infrastructure.

"Following the law enforcement action against Lumma Stealer and its associated infrastructure, our team has observed clear signs of a resurgence in Lumma's operations," reads the Trend Micro report.

"Network telemetry indicates that Lumma's infrastructure began ramping up again within weeks of the takedown."

bleepingcomputer.com EN 2025 Stealer Malware Security Lumma MaaS Information Computer LummaC2 Info Malware-as-a-Service
Dior begins sending data breach notifications to U.S. customers https://www.bleepingcomputer.com/news/security/dior-begins-sending-data-breach-notifications-to-us-customers/
21/07/2025 17:03:22

bleepingcomputer.com - The House of Dior (Dior) is sending data breach notifications to U.S. customers informing them that a May cybersecurity incident compromised their personal information.

Dior is a French luxury fashion house, part of the LVMH (Moët Hennessy Louis Vuitton) group, which is the world's largest luxury conglomerate.

The Dior brand alone generates an annual revenue of over $12 billion, operating hundreds of boutiques worldwide.

The security incident occurred on January 26, 2025, but the company only became aware of it on May 7, 2025, launching internal investigations to determine its scope and impact.

"Our investigation determined that an unauthorized party was able to gain access to a Dior database that contained information about Dior clients on January 26, 2025," reads the notice sent to affected individuals.

"Dior promptly took steps to contain the incident, and we have no evidence of subsequent unauthorized access to Dior systems."

Based on the findings of the investigation, the following information has been exposed:

  • Full names
  • Contact details
  • Physical address
  • Date of birth
  • Passport or government ID number (in some cases)
  • Social Security Number (in some cases)

The company clarifies that no payment details, such as bank account or payment card information, were contained in the compromised database, so this information remains safe.

bleepingcomputer.com EN 2025 Computer Dior Customer Clothing Data-Breach
Ingram Micro outage caused by SafePay ransomware attack https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/
07/07/2025 06:42:35

An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned.

Update 7/6/25: Added Ingram Micro's confirmation it suffered a ransomware attack below. Also updated ransom note with clearer version.

Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide.

Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues.

BleepingComputer has now learned that the outages are caused by a cyberattack that occurred early Thursday morning, with employees suddenly finding ransom notes created on their devices.

The ransom note, seen by BleepingComputer, is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were actually encrypted in the attack.

It should be noted that while the ransom note claims to have stolen a wide variety of information, this is generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.

bleepingcomputer EN 2025 Cyberattack Note Computer Security Ransom MicroIngram Ransomware VPN SafePay
Spain arrests hackers who targeted politicians and journalists https://www.bleepingcomputer.com/news/security/spain-arrests-hackers-who-targeted-politicians-and-journalists/
02/07/2025 19:45:36

The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government.

The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price.

"The investigation began when agents detected the leakage of personal data affecting high-level institutions of the State across various mass communication channels and social networks," reads the police announcement.
"These sensitive data were directly linked to politicians, members of the central and regional governments, and media professionals."

The first suspect is believed to have specialized in data exfiltration, while the second managed the financial part by selling access to databases and credentials, and holding the cryptocurrency wallet that received the funds.

The two were arrested yesterday at their homes. During the raids, the police confiscated a large number of electronic devices that may lead to more incriminating evidence, buyers, or co-conspirators.

bleepingcomputer EN busted Arrest Spain Computer Police Journalist Data Government Theft
CISA extends funding to ensure 'no lapse in critical CVE services' https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensure-no-lapse-in-critical-cve-services/
16/04/2025 15:35:19

CISA says the U.S. government has extended funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program.
#CISA #CVE #Computer #Foundation #InfoSec #MITRE #Security

Security MITRE CVE InfoSec Foundation CISA Computer
Europcar GitLab breach exposes data of up to 200,000 customers https://www.bleepingcomputer.com/news/security/europcar-gitlab-breach-exposes-data-of-up-to-200-000-customers/
07/04/2025 06:40:01

A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications, as well as some personal information belonging to up to 200,000 users.
#Android #Breach #Code #Computer #Data #Europcar #GitLab #InfoSec #Security #Source #iOS

Android Code Europcar GitLab Data Security iOS Breach Computer Source InfoSec
Fake "Security Alert" issues on GitHub use OAuth app to hijack accounts https://www.bleepingcomputer.com/news/security/fake-security-alert-issues-on-github-use-oauth-app-to-hijack-accounts/
16/03/2025 20:04:30

A widespread phishing campaign has targeted nearly 12,000 GitHub repositories with fake
#Computer #GitHub #InfoSec #Issue #OAuth #Phishing #Repository #Security

InfoSec Phishing GitHub Repository Computer OAuth Issue Security
Cisco warns of Webex for BroadWorks flaw exposing credentials https://www.bleepingcomputer.com/news/security/cisco-warns-of-webex-for-broadworks-flaw-exposing-credentials/
04/03/2025 20:09:51

Cisco warned customers today of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely.

bleepingcomputer EN 2025 Credentials Computer Cisco WebEx Broadworks
Orange Group confirms breach after hacker leaks company documents https://www.bleepingcomputer.com/news/security/orange-group-confirms-breach-after-hacker-leaks-company-documents/
26/02/2025 13:56:16

A hacker claims to have stolen thousands of internal documents with user records and employee data after breaching the systems of Orange Group, a leading French telecommunications operator and digital service provider.
#Breach #Computer #Data #Email #Extortion #InfoSec #Jira #Leak #Orange #Ransom #S.A. #Security

Extortion Leak Security InfoSec Orange Breach Ransom Data Computer Email S.A Jira
CISA and FBI: Ghost ransomware breached orgs in 70 countries https://www.bleepingcomputer.com/news/security/cisa-and-fbi-ghost-ransomware-breached-orgs-in-70-countries/
21/02/2025 07:23:21

CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
#CISA #Computer #Cring #Critical #FBI #Ghost #InfoSec #Infrastructure #Ransomware #Security

bleepingcomputer EN 2025 Ghost Ransomware Critical-Infrastructure Cring CISA FBI
Hackers spoof Microsoft ADFS login pages to steal credentials https://www.bleepingcomputer.com/news/security/hackers-spoof-microsoft-adfs-login-pages-to-steal-credentials/
05/02/2025 19:57:15

A help desk phishing campaign targets an organization's Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal credentials and bypass multi-factor authentication (MFA) protections.
#ADFS #Account #Computer #InfoSec #Lateral #MFA #Microsoft #Notification #Phishing #Push #Security #Takeover

Computer MFA Phishing Microsoft InfoSec Account Lateral ADFS Takeover Notification Security Push
Subaru Starlink flaw let hackers hijack cars in US and Canada https://www.bleepingcomputer.com/news/security/subaru-starlink-flaw-let-hackers-hijack-cars-in-us-and-canada/
25/01/2025 17:48:53

Security researchers have discovered an arbitrary account takeover flaw in Subaru's Starlink service that could let attackers track, control, and hijack vehicles in the United States, Canada, and Japan using just a license plate.
#Account #Canada #Car #Computer #Hacking #InfoSec #Japan #Security #Starlink #Subaru #Takeover #USA

Takeover Starlink Subaru Japan Canada Account Security Computer InfoSec USA Hacking Car
Ransomware abuses Amazon AWS feature to encrypt S3 buckets https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/
13/01/2025 20:12:07

A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.

bleepingcomputer EN 2025 Encryption Ransomware Computer S3 Amazon AES Security AWS
Microsoft: macOS bug lets hackers install malicious kernel drivers https://www.bleepingcomputer.com/news/security/microsoft-macos-bug-lets-hackers-install-malicious-kernel-drivers/
13/01/2025 19:43:30

Apple recently addressed a macOS vulnerability that allows attackers to bypass System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions.
#Apple #Computer #InfoSec #Integrity #Microsoft #Protection #SIP #Security #System #Vulnerability #macOS

bleepingcomputer EN 2024 CVE-2024-44243 System macOS Apple Security Integrity SIP
New Windows Driver Signature bypass allows kernel rootkit installs https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/
26/10/2024 19:05:48

Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems.
#Attack #Bypass #Computer #Downgrade #Elevation #Escalation #InfoSec #Privilege #Privileges #Rootkit #Security #Windows #of

Privileges Computer Privilege Security Rootkit Elevation Escalation InfoSec Attack Bypass Downgrade Windows of
Microsoft creates fake Azure tenants to pull phishers into honeypots https://www.bleepingcomputer.com/news/security/microsoft-creates-fake-azure-tenants-to-pull-phishers-into-honeypots/
19/10/2024 16:48:43

Microsoft is using deceptive tactics against phishing actors by spawning realistic-looking honeypot tenants with access to Azure and luring cybercriminals in to collect intelligence about them.
#Accounts #Computer #Fake #Honeypot #InfoSec #Microsoft #Phishing #Security

InfoSec Accounts Computer Phishing Honeypot Security Microsoft Fake
USDoD hacker behind National Public Data breach arrested in Brazil https://www.bleepingcomputer.com/news/security/usdod-hacker-behind-national-public-data-breach-arrested-in-brazil/
18/10/2024 10:24:10

A notorious hacker named USDoD, who is linked to the National Public Data and InfraGard breaches, has been arrested by Brazil's Polícia Federal in

bleepingcomputer EN 2024 USDoD InfoSec Threat National Hacker InfraGard Data Public Computer Actor Security Breach
Jetpack fixes critical information disclosure flaw existing since 2016 https://www.bleepingcomputer.com/news/security/jetpack-fixes-critical-information-disclosure-flaw-existing-since-2016/
16/10/2024 20:47:05

WordPress plugin Jetpack released a critical security update earlier today, addressing a vulnerability that allowed a logged-in user to access forms submitted by other visitors to the site.

bleepingcomputer 2024 EN Information Security Vulnerability WordPress Computer InfoSec Plugin Disclosure Jetpack