Cloud
-
Zscaler confirms Salesforce data exposure tied to Salesloft Drift compromise amid wider Salesforce breach activity
Zscaler confirms a data breach tied to the Salesloft Drift supply-chain attack, exposing customer Salesforce data due to compromised Drift credentials. The company revoked Drift integrations, rotated tokens, and reinforced customer authentication while investigations continue; Google Threat Intelligence links UNC6395 to the broader campaign affecting Salesforce environments.
-
Amazon says APT29 attempted watering-hole attack to harvest Microsoft credentials; AWS says no systems affected
Amazon said it disrupted an APT29 watering-hole campaign aimed at harvesting Microsoft credentials, stressing that no AWS systems were compromised. The operation used spoofed Cloudflare pages and randomized redirects to trick users, with Google Threat Intelligence and AWS detailing evasion techniques and previous similar activity.
-
MathWorks reports ransomware breach exposed data of 10,476 individuals
MathWorks disclosed that a ransomware group stole the data of 10,476 individuals after breaching its network in April, prompting outages affecting MFA, SSO, and other services. The company has not named the ransomware operator, and authorities note that a resolution or ransom payment, if any, remains undisclosed.
-
Nx supply-chain attack: Malicious npm packages exfiltrate credentials and tokens
Security researchers say a supply-chain attack on the nx build system led to malicious nx npm packages that exfiltrated credentials and tokens. The breach was tied to a vulnerable PR workflow and elevated GitHub permissions, prompting widespread token rotation and intensified vendor-targeted remediation.
-
Storm-0501 Debuts Brutal Hybrid Ransomware Attack Chain, Microsoft Warns
Microsoft Threat Intelligence warns Storm-0501 has deployed a brutal hybrid ransomware chain, exploiting hijacked privileged accounts to pivot between on‑prem and cloud, exfiltrate data, delete backups and encrypt remaining cloud resources, pressuring victims to pay or face potential shutdown.
-
SSA whistleblower alleges DOGE duplicated NUMIDENT in unauthorized cloud, risking Americans’ data
A government whistleblower alleges that DOGE, a non-official federal client, copied the NUMIDENT database into an unauthorized cloud environment, risking all Americans’ Social Security data, with additional claims of improper access and potential privacy violations.
-
Salesloft breach linked to theft of Drift OAuth tokens used to access Salesforce, Google says UNC6395 behind attack
Hackers breached Salesloft to steal Drift OAuth and refresh tokens used for Salesforce integration, enabling data exfiltration from customer environments. Google’s threat intelligence assigns UNC6395 to the activity and notes credential theft across cloud services, with administrators urged to rotate credentials and reauthenticate Drift-Salesforce connections.
-
Cheap VPS Hijacking Drives New Wave of SaaS-Based Business Email Compromises, Darktrace Finds
A Darktrace security report details a new wave of attacks where criminals rent cheap VPS services to hijack business email accounts, bypass traditional defenses, and establish covert, long-term access through subtle inbox rules.
-
China-linked Murky Panda exploits cloud trust to move laterally, CrowdStrike finds
A CrowdStrike 2025 Threat Hunting Report finds a 136% increase in cloud intrusions, driven by Murky Panda’s use of zero-day exploits and, more notably, their manipulation of trusted cloud relationships to move from SaaS providers into downstream customer environments, with links to a February 2025 breach of Commvault’s Microsoft Azure cloud environment highlighted as a…
-
DripDropper Linux malware patches exploited flaw to lock out rivals, Red Canary says
Red Canary researchers describe DripDropper, a Linux malware that exploits Apache ActiveMQ CVE-2023-46604 to gain access to cloud servers, then patches the vulnerability to keep rivals out and maintain control, using Sliver for persistence and Dropbox as a command channel.
