ZeroFox Daily Intelligence Brief - September 17, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- CrowdStrike Namespace Targeted in Expanding Npm Supply Chain Attack
- BreachForums Founder Resentenced to Three Years in Prison
- ZeroFox Intelligence Brief: Detecting and Countering Synthetic Media
CrowdStrike Namespace Targeted in Expanding Npm Supply Chain Attack
What we know: An npm supply chain attack campaign, dubbed “Shai-Hulud,” has compromised more than 180 packages, including ones under CrowdStrike’s namespace. CrowdStrike has confirmed its Falcon platform was unaffected and customer data remains secure.
Context: The campaign began by compromising @ctrl/tinycolor, a widely used package with over 2 million weekly downloads. From there, it reportedly spread by injecting malware into other packages maintained by the same developers. This attack follows a wave of recent software supply chain incidents, including the “s1ngularity” GitHub campaign in late August.
Analyst note: If not contained immediately, this rapidly progressing campaign could lead other developers or companies that use compromised dependencies to unknowingly import malware into their own systems. Users can detect the campaign by analyzing their build logs and lockfiles and cross-checking them against the already documented indicators of compromise (IoCs) for suspicious packages and versions.
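One way to carry out the cross-check the analyst note describes, as an added example that is not ZeroFox's tooling and not the campaign's actual IoC list: a short Python script that pulls package/version pairs out of a package-lock.json (lockfile v1, v2 or v3) and out of npm build-log lines, then matches them against a table of known-compromised versions. The COMPROMISED table, the sample lockfile and the sample log lines are constructed placeholders; the brief names @ctrl/tinycolor but no version, so the real indicators must be taken from the published advisories for the campaign.

```python
"""Cross-check an npm lockfile and a build log against known-compromised package
versions. Added example; the IoC table below is a constructed placeholder."""
import json
import re

# Constructed placeholder IoC table: package name -> set of compromised versions.
# Replace with the versions documented in published advisories; "*" means any version.
COMPROMISED = {
    "@ctrl/tinycolor": {"0.0.0-placeholder"},   # placeholder version, not a real IoC
    "example-compromised-pkg": {"1.2.3"},       # hypothetical package
}

# Matches "name@1.2.3" tokens as npm prints them, including scoped "@scope/name@1.2.3".
PKG_RE = re.compile(r"((?:@[\w.-]+/)?[\w.-]+)@(\d+\.\d+\.\d+[\w.+-]*)")


def lockfile_packages(lock: dict):
    """Yield (name, version) for every dependency recorded in a package-lock.json."""
    # Lockfile v2/v3: "packages" keyed by install path, e.g. "node_modules/@ctrl/tinycolor".
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = meta.get("name") or path.split("node_modules/")[-1]
        if "version" in meta:
            yield name, meta["version"]

    # Lockfile v1 (also present in v2): nested "dependencies" tree.
    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def log_packages(log_text: str):
    """Yield (name, version) for every name@version token found in npm build output."""
    for m in PKG_RE.finditer(log_text):
        yield m.group(1), m.group(2)


def find_matches(pairs):
    """Return the sorted, de-duplicated (name, version) pairs that hit the IoC table."""
    hits = set()
    for name, version in pairs:
        bad = COMPROMISED.get(name)
        if bad is not None and ("*" in bad or version in bad):
            hits.add((name, version))
    return sorted(hits)


# Constructed sample inputs: a v3 lockfile and a few lines of npm install output.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-compromised-pkg": {"version": "1.2.3"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/@ctrl/tinycolor": {"version": "0.0.0-placeholder"},
    },
}
SAMPLE_LOG = """npm http fetch GET 200 https://registry.npmjs.org/left-pad
added 3 packages in 2s
+ example-compromised-pkg@1.2.3
+ left-pad@1.3.0
"""


def scan_lockfile_text(text: str):
    """Convenience wrapper: parse lockfile JSON text and return the IoC hits."""
    return find_matches(lockfile_packages(json.loads(text)))


if __name__ == "__main__":
    print("lockfile hits:", find_matches(lockfile_packages(SAMPLE_LOCK)))
    print("build-log hits:", find_matches(log_packages(SAMPLE_LOG)))
```

Run it against a real project by replacing SAMPLE_LOCK with `json.load(open("package-lock.json"))` and SAMPLE_LOG with the captured CI output; a non-empty result is a reason to pin or remove the package and rotate any credentials the build had access to.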
BreachForums Founder Resentenced to Three Years in Prison
What we know: One of BreachForums’s founders was resentenced to three years in prison for running the dark web forum and possessing child sexual abuse material (CSAM). The resentencing followed a January 2025 decision by a U.S. court vacating the prior 17-day sentence and ordering a new one.
Context: The defendant admitted to profiting from the sale of large volumes of sensitive personal and commercial information. As part of the plea, over 100 domains, several devices, and cryptocurrency connected to the scheme were forfeited.
Analyst note: The stolen personal and commercial data likely resulted in identity fraud and monetary losses that could expose individuals and businesses to long-term financial risk. Meanwhile, the CSAM likely continues to threaten the security of the impacted victims.
ZeroFox Intelligence Brief: Detecting and Countering Synthetic Media
Source: https://www.zerofox.com/advisories/35752/
What we know: The rapid development of artificial intelligence (AI) in recent years has enabled the creation of highly convincing synthetic media that is readily available across the digital landscape, which is likely especially appealing to low-skilled actors.
Context: Synthetic media refers to content (audio, video, imagery, or text) generated or modified using AI. By using manipulated synthetic media, attackers can increase their chances of bypassing traditional security measures and enhance social engineering campaigns.
Analyst note: ZeroFox assesses that over the next one to three years, advances in GenAI models will very likely diminish the reliability of current forensic indicators. The convergence of detection with authentication frameworks will very likely shift the burden of proof from detecting fakes to verifying authenticity.
DEEP AND DARK WEB INTELLIGENCE
Scattered Lapsus$ Hunters announces exit: Prominent threat collective “Scattered Lapsus$ Hunters” announced on its public Telegram channel that it was ceasing operations. ZeroFox observes that the main private Telegram channel of Scattered Lapsus$ Hunters is offline, further indicating the group has ceased operations. There could be a temporary decline in attacks attributed to Scattered Lapsus$ Hunters while members disperse into smaller, independent groups or rebrand under new aliases.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Chaos Mesh vulnerabilities: Cybersecurity researchers have found four vulnerabilities, together dubbed “Chaotic Deputy,” affecting the open-source cloud-native platform Chaos Mesh. Three of the flaws are critical command injection vulnerabilities. All four vulnerabilities stem from insufficient authentication within the Chaos Controller Manager's GraphQL server. Successful exploitation of the flaws can enable complete takeover of the Kubernetes environment, very likely resulting in data breaches, disruptions, or even complete compromise of targeted systems.
Affected products: Chaos Mesh versions before 2.7.3
Tags: DIB, tlp:green