ZeroFox Daily Intelligence Brief - December 1, 2025
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- French Football Federation Confirms Data Breach
- North Korean Threat Actors Load Npm Packages With Malware
- Phishing Network Impersonates Top Retailers During Major Online Sales
French Football Federation Confirms Data Breach
What we know: The French Football Federation (FFF), the football governing body in France, has confirmed a data breach exposing the personal and contact details of members of French football clubs.
Context: Threat actors used a compromised account to access administrative management software used by football clubs and steal the data. Data stolen included full name, gender, date and place of birth, physical address, email, nationality, contact number, and license number.
Analyst note: The stolen data likely includes personally identifiable information (PII) belonging to high-profile players. The threat to the physical safety of high-profile players is likely to increase. Exposed individuals are likely to be targeted in financially motivated phishing, social engineering, and identity theft attacks.
North Korean Threat Actors Load Npm Packages With Malware
Source: https://thehackernews.com/2025/11/north-korean-hackers-deploy-197-npm.html
What we know: North Korean threat actors behind the Contagious Interview campaign have reportedly added nearly 200 new malicious npm packages, which have been downloaded over 31,000 times, to deliver an updated OtterCookie malware variant.
Context: The malware is designed to steal browser credentials, documents, and cryptocurrency wallet information, as well as to capture screenshots, read clipboard content, and log keystrokes. The malware strain attempts to evade sandboxes and virtual machines upon execution and then establishes a command-and-control (C2) channel for the threat actors.
Analyst note: Open-source npm packages should be approached with caution as threat actors increasingly target popular packages for infections. Installing or executing infected npm packages is likely to compromise not only the victim’s system, but also downstream users and organizations.
Phishing Network Impersonates Top Retailers During Major Online Sales
Source: https://hackread.com/fake-shopping-sites-cyber-monday/
What we know: A scam network of over 2,000 fake online stores has been found stealing the personal and financial data of visitors during peak shopping events like Black Friday and Cyber Monday.
Context: The fake stores were linked through shared infrastructure and identical templates, forming two major clusters. The scam websites with [.]shop domains were found impersonating major brands like Apple and Samsung.
Analyst note: The operation is likely to result in millions in financial theft before authorities intervene. Consumers should remain cautious of unusually steep discounts, unfamiliar domains, and aggressive urgency tactics designed to rush purchases.
DEEP AND DARK WEB INTELLIGENCE
Coupang data breach: South Korean e-commerce company Coupang has confirmed a data breach impacting 33.7 million customer accounts, exposing names, contact details, addresses, and order history. Compromised users are likely to face an increased risk of phishing, smishing, and other social engineering attacks.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2021-26829: This cross-site scripting (XSS) flaw affects specific versions of OpenPLC ScadaBR, enabling attackers to inject and execute malicious scripts via a file path. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Threat group TwoNet is reportedly actively exploiting this vulnerability. Unpatched systems are likely to enable attackers to manipulate system settings, deface interfaces, and disrupt operations.
Affected products: OpenPLC ScadaBR versions up to 1.12.4 on Windows and up to 0.9.1 on Linux
Tags: DIB, tlp:green