ZeroFox Daily Intelligence Brief - November 25, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications
- DeepSeek AI Produces More Vulnerable Code on China-Sensitive Triggers
- Shai-Hulud Supply-Chain Attack Floods Npm with 27,000 Malicious Packages
Spyware Allows Cyber Threat Actors to Target Users of Messaging Applications
What we know: CISA has issued an alert regarding threat actors using spyware to compromise messaging apps such as Signal and WhatsApp. High-value individuals, such as current and former government, military, and political officials, as well as civil society organizations (CSOs), are usually targeted.
Context: Threat actors use phishing and malicious device-linking QR codes to compromise victim accounts and link them to actor-controlled devices, use zero-click exploits, or impersonate messaging platforms.
Analyst note: CISA encourages messaging app users to review the updated Mobile Communications Best Practice Guidance and Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society to prevent spyware attacks.
DeepSeek AI Produces More Vulnerable Code on China-Sensitive Triggers
Source: https://thehackernews.com/2025/11/chinese-ai-model-deepseek-r1-generates.html
What we know: Chinese AI model DeepSeek-R1 has been found to generate code with up to 50 percent more severe security vulnerabilities when prompted with topics sensitive to the Chinese government, such as the political status of Taiwan, Uyghurs, or Tibet.
Context: In ordinary use, DeepSeek-R1 has reportedly proven to be an efficient coding model, generating vulnerable code in only 19 percent of cases. However, this share of vulnerable code increased when geopolitical trigger words were added to the prompt.
Analyst note: The keyword-based guardrails in DeepSeek have likely been implemented to prevent users opposed to the Chinese government from using the country’s AI services. The guardrails are also likely to prevent dissenters based in China from using AI services, depriving them of modern technology and tools.
Shai-Hulud Supply-Chain Attack Floods Npm with 27,000 Malicious Packages
What we know: A massive Shai-Hulud supply-chain attack has flooded the npm registry with over 27,000 trojanized packages, compromising more than 350 maintainer accounts and stealing GitHub, npm, and cloud credentials.
Context: The malware strain harvests developer and continuous integration/continuous delivery (CI/CD) secrets during the npm pre-install stage, storing them in files such as cloud.json and truffleSecrets.json before uploading them to attacker-created GitHub repositories labeled “Shai-Hulud” or “Sha1-Hulud: The Second Coming.”
Analyst note: Stolen GitHub, npm, and cloud provider secrets are likely to give the threat actors the ability to pivot directly into developer environments, CI/CD pipelines, and cloud accounts, enabling code tampering, repository hijacking, and supply-chain poisoning at scale.
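The two observable artifacts the brief gives for this campaign are a lifecycle hook that runs at the npm pre-install stage and the staging filenames cloud.json and truffleSecrets.json, plus the "Shai-Hulud" / "Sha1-Hulud" labels on the exfiltration repositories. The following triage helpers are an added example for defenders, not ZeroFox code and not derived from the malware itself: the indicator strings come from the brief, while the sample package manifests and repository names are constructed for illustration.

```python
"""Triage helpers for the Shai-Hulud npm indicators named in the brief.

Added example, not ZeroFox code. Indicator strings (lifecycle stage,
staging filenames, repository labels) come from the brief; the sample
manifests and repository list below are constructed.
"""
import json
import re

# Lifecycle hooks that npm runs automatically during `npm install`.
# The brief states the harvesting happens at the pre-install stage; the
# other two hooks are included because they run unattended as well.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Staging files named in the brief.
ARTIFACT_FILES = ("cloud.json", "truffleSecrets.json")

# Exfil-repository labels from the brief, covering both spellings
# ("Shai-Hulud" and "Sha1-Hulud") with an optional separator.
REPO_LABEL_RE = re.compile(r"sha[1i][-\s]?hulud", re.IGNORECASE)


def audit_manifest(manifest_text: str) -> dict:
    """Return findings for one package.json: which lifecycle hooks it
    declares and whether any hook references the known staging files."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    artifact_refs = sorted(
        name for name in ARTIFACT_FILES
        if any(name in command for command in hooks.values())
    )
    return {
        "name": manifest.get("name", "<unknown>"),
        "lifecycle_hooks": hooks,
        "artifact_refs": artifact_refs,
        # A lifecycle hook alone is common in legitimate packages (native
        # builds, for example); a hook that touches the staging filenames
        # is the higher-confidence signal worth escalating.
        "suspicious": bool(artifact_refs),
    }


def flag_repositories(repo_names) -> list:
    """Return repository names carrying the exfil-repo labels from the
    brief, for an org-level review of recently created repositories."""
    return [name for name in repo_names if REPO_LABEL_RE.search(name)]


# Constructed sample inputs; not real packages or repositories.
CLEAN_MANIFEST = json.dumps({
    "name": "example-clean",
    "scripts": {"postinstall": "node-gyp rebuild"},
})
SUSPECT_MANIFEST = json.dumps({
    "name": "example-suspect",
    "scripts": {"preinstall": "node collect.js && cat cloud.json truffleSecrets.json"},
})
SAMPLE_REPOS = ["infra-tooling", "Shai-Hulud", "sha1-hulud-the-second-coming", "docs"]


if __name__ == "__main__":
    for manifest in (CLEAN_MANIFEST, SUSPECT_MANIFEST):
        print(audit_manifest(manifest))
    print(flag_repositories(SAMPLE_REPOS))
```

Run audit_manifest over every package.json under node_modules after a fresh install, or over a lockfile's resolved tarballs in CI, and treat a lifecycle hook that references the staging filenames as a block-the-build finding; flag_repositories is meant for a GitHub organization audit of repositories created in the relevant window.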
DEEP AND DARK WEB INTELLIGENCE
Telegram users Inteid and Keymous: Pro-Russian threat group “Inteid” and threat group “Keymous” have claimed to breach the Supervisory Control and Data Acquisition (SCADA) systems of an Italy-based retail energy company. The actors allegedly claimed full operational access, including control over automated processes, real-time monitoring, diagnostics, and remote management capabilities. If Inteid and Keymous’s claims are true, full SCADA access is likely to enable attackers to move laterally across industrial networks, compromising other critical infrastructure and assets connected to the plant.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Fluent Bit flaws now patched: Open-source log collector Fluent Bit reportedly had multiple vulnerabilities exposed for years, enabling attackers to bypass authentication, perform remote code execution, and manipulate logs. The flaws have now been patched in Fluent Bit versions 4.1.1 and 4.0.12. Over the several years the flaws were present, they could have allowed attackers to alter and steal data from major cloud providers and thousands of deployed systems that use Fluent Bit.
Affected products: Fluent Bit
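Because the fix ships on two release lines (4.0.12 and 4.1.1), a naive "is the version at least 4.1.1" check would wrongly mark a patched 4.0.12 collector as vulnerable, and a plain string comparison would rank 4.0.9 above 4.0.12. The version gate below is an added example for fleet triage, not ZeroFox or Fluent Bit project code: the two patched versions come from the brief, the rule that releases newer than 4.1.1 carry the fix is an assumption, and the inventory lines are constructed.

```python
"""Patch-state check for the Fluent Bit fixes named in the brief.

Added example, not ZeroFox or Fluent Bit project code. The patched
versions 4.0.12 and 4.1.1 come from the brief. Assumption: any release
newer than 4.1.1 also carries the fix, and anything on an older line
(3.x and below) does not. The inventory below is constructed.
"""
import re

# First fixed release per maintained line, as stated in the brief.
PATCHED = {
    (4, 0): (4, 0, 12),
    (4, 1): (4, 1, 1),
}
NEWEST_PATCHED = max(PATCHED.values())

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings such as
    'Fluent Bit v4.0.9' or '4.1.1'. Tuples compare numerically, which
    avoids the string-comparison trap where '4.0.9' > '4.0.12'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(text: str) -> bool:
    """True if the reported version includes the fixes from the brief."""
    version = parse_version(text)
    line = version[:2]
    if line in PATCHED:
        # On a maintained line, compare against that line's fixed release.
        return version >= PATCHED[line]
    # Assumption (see module docstring): newer lines carry the fix,
    # older lines never received it, so they are reported as unpatched.
    return version > NEWEST_PATCHED


def hosts_needing_patch(inventory) -> list:
    """Return hostnames whose reported Fluent Bit version predates the fix."""
    return [host for host, reported in inventory if not is_patched(reported)]


# Constructed inventory of (hostname, reported version string); not real hosts.
INVENTORY = [
    ("log-collector-01", "Fluent Bit v4.0.9"),
    ("log-collector-02", "Fluent Bit v4.0.12"),
    ("log-collector-03", "Fluent Bit v4.1.0"),
    ("log-collector-04", "Fluent Bit v4.1.1"),
]


if __name__ == "__main__":
    for host in hosts_needing_patch(INVENTORY):
        print(f"{host}: upgrade required")
```

Feed it the version strings your inventory or agent already reports (for example the banner printed by `fluent-bit --version`), and keep the per-line table in one place so that a future fix on a third release line is a one-line change.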
Tags: DIB, tlp:green