ZeroFox Daily Intelligence Brief - September 9, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- U.S. Treasury Sanctions Southeast-Asian Cyber Scam Networks
- Supply Chain Attack Targets Popular Npm Packages with 2.6 Billion Downloads
- Geopolitical Focus: Political Upheavals, Security Challenges, and Casualties
U.S. Treasury Sanctions Southeast-Asian Cyber Scam Networks
Source: https://home.treasury.gov/news/press-releases/sb0237
What we know: The Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned scam networks across Southeast Asia, including Burma and Cambodia, that steal billions from Americans using forced labor and violence.
Context: Additionally, the Department of Justice sentenced an individual to 51 months in federal prison for laundering over USD 36.9 million from U.S. victims in a Cambodia-based digital asset investment scam. Transnational criminal organizations (TCOs) based in Southeast Asia have been increasingly targeting Americans through large-scale cyber scam operations.
Analyst note: U.S. citizens have faced severe financial losses due to overseas scam centers, with illicit funds funneled back through the American financial system. In addition, the stolen funds could fuel further criminal activity overseas, supporting organized fraud networks.
Supply Chain Attack Targets Popular Npm Packages with 2.6 Billion Downloads
What we know: Npm packages with more than 2.6 billion weekly downloads have been compromised in a supply chain attack. Threat actors have injected the packages with malware, following a phishing attack targeting the package maintainer’s account.
Context: The malware injected into the packages is programmed to intercept cryptocurrency and web3 activity in browsers. Once the malware is executed, it hijacks network traffic to redirect crypto transactions to threat actor-controlled wallet addresses.
Analyst note: Phishing attacks targeting npm package maintainer accounts are likely to continue in the coming weeks. Popular JavaScript libraries are very likely to be targeted. Crypto holders and crypto organizations using compromised npm packages are likely to be affected and may face financial losses.
Geopolitical Focus: Political Upheavals, Security Challenges, and Casualties
- ZeroFox has observed the U.S. Department of War focusing on Latin America, targeting drug cartels. Tensions are likely to escalate with Venezuela as pressure increases from the United States, with the potential for disputes over sovereign waters and spillover into other countries in the region.
- France’s parliament has ousted Prime Minister François Bayrou’s government in a no-confidence vote over debt-reduction plans. President Emmanuel Macron now faces the task of appointing his fifth prime minister in under two years amid mounting fiscal and parliamentary impasses.
- At least six people have died in a shooting in Jerusalem, with eight injured. The incident occurred amid ongoing conflict in Gaza and heightened security operations in the West Bank.
- A freight train has collided with a double-decker passenger bus in central Mexico, killing 10 people and injuring at least 61, with several of the injured reported in serious condition. Authorities said the bus attempted to cross ahead of the moving train.
- Norway’s Labour party has secured another four years after winning 89 seats. Despite a surge in support for the Progress party, the Labour party emerged as the largest party, while the Conservatives suffered a defeat.
DEEP AND DARK WEB INTELLIGENCE
ShinyHunters hits Vietnam: Threat group ShinyHunters claims to have stolen over 160 million records from the Credit Institute of Vietnam, which manages the state-run National Credit Information Center. The records reportedly include sensitive personal information such as PII, credit payments, credit cards, government and military IDs, tax records, income statements, and debts owed. If the claim is true, it exposes impacted individuals and entities to threats of identity theft, financial fraud, and unauthorized access to sensitive government information.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-10088: This vulnerability in SourceCodester Time Tracker 1.0 enables remote cross-site scripting via the project-name parameter in /index[.]html. Threat actors could steal session cookies, enabling them to impersonate legitimate users.
Affected products: SourceCodester Time Tracker version 1.0
Tags: DIB, tlp:green