Advisories

ZeroFox Daily Intelligence Brief - October 30, 2025

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Major Telecom Supplier Customer Files Allegedly Accessed by Nation-State Actor
  • Typosquatted npm Packages Deliver Infostealer Across Operating Systems
  • Hackers Clone Contactless Payments via Android NFC Relay Malware

Major Telecom Supplier Customer Files Allegedly Accessed by Nation-State Actor

Source: https://www.theregister.com/2025/10/29/major_telco_networking_provider_compromised/

What we know: A major U.S. telecom supplier, Ribbon Communications, has disclosed a cyber incident that resulted in unauthorized access to its IT network. The company added that the threat actors are reportedly associated with a nation-state actor.

Context: The intruders reportedly remained hidden for nine months before the company became aware of the breach in early September 2025. The threat actors appear to have accessed customer documents saved outside the main network, affecting three companies. The company is known for providing software and networking gear to various organizations including in the U.S. government.

Analyst note: The involvement of a nation-state actor likely indicates reconnaissance to map telecom networks of high-value targets. Downstream entities related to Ribbon Communications are likely at risk of undetected intrusions. The incident highlights ongoing risks to the software supply chain.

Typosquatted npm Packages Deliver Infostealer Across Operating Systems

Source: https://www.bleepingcomputer.com/news/security/malicious-npm-packages-fetch-infostealer-for-windows-linux-macos/

What we know: A malware campaign on the npm registry involves 10 malicious packages that have imitated popular JavaScript libraries like TypeScript, nodemon, react-router-dom, zustand, and more. These packages reportedly contained an information-stealing component capable of exfiltrating credentials and sensitive data from popular operating systems.

Context: The threat actor used typosquatting, creating names similar to legitimate projects, to trick developers into installing the malicious packages. At the time of writing, the malicious packages remain online and necessitate immediate removal. So far, they have been downloaded at least 10,000 times.

Analyst note: If the malicious packages are not removed, any projects or applications that integrate them risk distributing the malware further down the software supply chain, compromising end users and production environments.
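A defensive check that follows from the typosquatting pattern described above: compare every dependency name in a package.json against a list of well-known packages and flag near misses. This is an added example, not code from the article or from the npm project; the allowlist reuses the legitimate names the article mentions, and the sample manifest and its lookalike names are constructed for illustration.

```javascript
// Flag package.json dependencies whose names are a near miss of well-known
// packages (typosquatting). Allowlist taken from the legitimate names in the
// brief; extend it with your organisation's approved dependencies.
const KNOWN_PACKAGES = ["typescript", "nodemon", "react-router-dom", "zustand"];

// Standard Levenshtein edit distance between two strings.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Return suspicious dependencies: names within a few edits of a known package
// that are not that package. Short legitimate names get a tighter threshold
// (one edit) to limit false positives on two- or three-letter packages.
function findTyposquats(manifest, known = KNOWN_PACKAGES, maxDistance = 2) {
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue; // exact match: genuine package
    for (const legit of known) {
      const limit = legit.length < 6 ? 1 : maxDistance;
      const d = editDistance(name.toLowerCase(), legit);
      if (d <= limit) {
        findings.push({ name, lookalikeOf: legit, distance: d });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample manifest: two genuine names and two made-up near misses
// (not the packages named in the article).
const SAMPLE_MANIFEST = {
  dependencies: { "react-router-dom": "^6.0.0", zustnad: "^4.0.0" },
  devDependencies: { typescript: "^5.0.0", nodemonn: "^3.0.0" },
};

console.log(findTyposquats(SAMPLE_MANIFEST));
```

Run it against a real manifest by reading package.json with `JSON.parse(fs.readFileSync(...))`; a CI step that fails the build on any finding turns this into a pre-install gate.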

Hackers Clone Contactless Payments via Android NFC Relay Malware

Source: https://hackread.com/nfc-relay-malware-clone-tap-to-pay-android/

What we know: A large-scale Android malware campaign is exploiting Near Field Communication (NFC) and Host Card Emulation (HCE) to steal payment data and carry out tap-to-pay fraud.

Context: Since April 2024, over 760 fake banking and government apps have been found mimicking brands like Google Pay and Santander, spreading across multiple countries. The attackers trick users into making the app the default tap-to-pay handler, activate HCE/NFC relay to capture the card’s account number and Europay, Mastercard, and Visa (EMV) chip data, and forward that information to C2 servers and Telegram bots for live relay fraud or resale.

Analyst note: Attackers are exploiting built-in mobile payment features to bypass card security and conduct real-time fraud, causing financial losses for users and banks. The operation enables attackers to make unauthorized purchases, drain linked bank accounts, and resell stolen card data through Telegram or forums.

DEEP AND DARK WEB INTELLIGENCE

Exploit user Mark1777: Untested threat actor "Mark1777" has advertised an auction on Exploit for a Fortinet VPN access bundle with domain user rights to two unnamed Indonesian companies. Such access could expose aviation and logistics systems to data theft, enable lateral movement across networks, and cause service disruptions, potentially leading to ransomware attacks, airport outages, and widespread supply-chain interruptions.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-24893: Attackers have exploited this previously patched remote code execution flaw in XWiki to deploy cryptocurrency miners on vulnerable servers. The vulnerability, caused by improper input sanitization in the SolrSearch macro, enables unauthenticated attackers to execute arbitrary commands with web server privileges. Threat actors running commands with web server privileges could access and exfiltrate sensitive information stored on affected systems.

Affected products: XWiki platform

Tags: DIB, tlp:green