ZeroFox Daily Intelligence Brief - September 30, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Japan’s Brewer Asahi Suspends Operations Due to Cyberattack
- CISA Releases Joint Guidance on Securing OT Systems
- Fake Npm Package Targets Outgoing Emails
Japan’s Brewer Asahi Suspends Operations Due to Cyberattack
What we know: Japan’s major brewer, Asahi Group Holdings, has suspended its ordering and shipping operations due to a cyberattack. Call center operations, including customer service desks, are also suspended.
Context: The company, which also operates globally, said the cyberattack has affected only its Japan operations. Investigations are underway, but no threat actor has claimed responsibility for the incident yet.
Analyst note: The disruption to ordering and shipping operations suggests that customer data and order details are likely among the data compromised. If this is a ransomware attack, it is likely that Asahi cannot access the data it needs because it has been encrypted.
CISA Releases Joint Guidance on Securing OT Systems
What we know: This guidance aims to assist organisations using operational technology (OT) to maintain a continuously updated record of their systems to support cybersecurity and asset management. It is intended for cybersecurity professionals, integrators, and device manufacturers to guide system documentation and risk management.
Context: The guidance also emphasises understanding how attackers could use aggregated system information to refine attacks and prioritising protections based on system criticality, exposure, and third-party connections.
Analyst note: Monitoring an organization’s OT security using this guidance is likely to enable responders and security teams to detect anomalies and prevent attacks such as man-in-the-middle (MitM), packet replay, and remote misuse of legitimate commands.
Fake Npm Package Targets Outgoing Emails
Source: https://www.theregister.com/2025/09/29/postmark_mcp_server_code_hijacked/
What we know: A threat actor has cloned a company's MCP server code and published it with an added backdoor that secretly BCCs outgoing emails to the attacker. The fake package was reportedly downloaded about 1,500 times, affecting hundreds of developer workflows and potentially thousands of emails daily.
Context: The attacker reportedly cloned this company’s legitimate GitHub code, added a single malicious line, and published it to npm under a misleading name. This attack comes amid a wave of ongoing npm-involved supply chain attacks.
Analyst note: Threat actors likely gained access to sensitive information, including credentials and MFA codes, that can be used to take over accounts. Exfiltrated invoices, personal data, and other information could be sold, abused, or weaponized in further attacks.
DEEP AND DARK WEB INTELLIGENCE
Canadian airline WestJet breach: Canadian carrier WestJet informed U.S. residents that personally identifiable information (PII) of some of its passengers was exposed in a June 2025 cyber incident. The data leaked could include names, contact information, travel details, and documents submitted for reservations. The carrier assured that financial information was not compromised in the breach. Exposed individuals are likely to be targeted in phishing and social engineering attacks, with scenarios including threat actors posing as WestJet representatives to defraud targets.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2025-43400: Apple has released a patch for an out-of-bounds vulnerability affecting the Font Parser in multiple products. Processing a malicious font can result in unexpected app termination or process memory corruption. While exploitation has not yet been observed in the wild, a successful attack is likely to result in operational disruption on the targeted device.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green