SharePoint Breached, Meta in the Hot Seat, Dev Chains Poisoned
Zero-day chaos, crypto theft, and NPM packages rigged with malware
NPM handles over 100 billion weekly downloads—making it the most-used software registry in the world... which makes the new emerging threat that much more concerning.
📬 This Week’s Clickables
🚨 Major Breaches & Incidents — Microsoft SharePoint exploited, schools hit, $44M crypto theft
🛡️ Emerging Threats & Vulnerabilities — ICS attacks surge, supply chain malware in NPM
🕵️ Privacy Watch — GDPR complaints filed against TikTok, AliExpress, and WeChat, Meta investor settlement, Meta health data trial
🔁 Story Follow-Ups — SharePoint patch status and persistent risk; Scattered Spider expands airline targeting
🕛️ Mitigation & Best Practices — Targeted actions by threat vector
🚨 Major Breaches & Incidents
Microsoft SharePoint Zero-Day Exploited in the Wild
CVE‑2025‑53770 (aka ToolShell) is being actively exploited across government and enterprise systems. A patch is now available, but attackers are abusing valid tokens and installing persistent implants.
👉 Patch, investigate for token misuse, and monitor long-term beaconing.
Ransomware Surge Hits U.S. Education Sector
With 130+ attacks this year, the education sector saw a 23% jump in ransomware incidents and $556K average ransom demands.
👉 Education orgs must prioritize backups and staff awareness despite limited budgets.
CoinDCX Crypto Exchange Loses $44M in Hack
A breach at India’s CoinDCX resulted in nearly $44M in losses. User balances were protected, but wallet infrastructure flaws were exposed.
👉 Crypto exchanges remain top-tier targets. Secure your hot/cold key rotation.
🕵️ Privacy Watch
TikTok, WeChat, AliExpress Face GDPR Complaints
Privacy advocacy group NOYB filed complaints over failure to provide users with full access to personal data. Platforms cited are popular among younger and multilingual users.
👉 Transparency isn’t optional—expect regulatory fines before Q4.
Meta & Flo Health Face Federal Privacy Trial
Trial begins over alleged unauthorized sharing of reproductive health data with Facebook ad partners. Privacy lawyers expect “massive” liability risk.
👉 Health data is especially sensitive—regulators are watching closely.
Meta Investors Settle $8B Shareholder Privacy Lawsuit
Meta reached an $8B settlement with shareholders over failures tied to Cambridge Analytica. The deal avoids testimony by Zuckerberg and top execs.
👉 Privacy risk is now material shareholder risk.
🛡️ Emerging Threats & Vulnerabilities
Hacktivists Target Industrial Control Systems in Q2 Spike
Z‑Pentest executed 38 ICS-focused attacks across European critical infrastructure. Activity shifted from DDoS to deeper sabotage.
👉 OT defenses must evolve: log, segment, and restrict protocol exposure.
Malware Injected Into 6 NPM Packages Used by Thousands
Threat actors snuck info-stealing malware into six popular NPM packages, compromising thousands of downstream projects.
👉 This is a wake-up call for dev chains: enforce signed commits, scan dependencies, and rotate credentials.
MCP Protocol Flaws Found in Popular Adtech Tools
Researchers discovered exploitable flaws in Model Context Protocols used across marketing platforms. Attacks could spoof campaigns or exfiltrate advertiser data.
👉 Martech is now in scope—tighten permissions, audit APIs, and monitor third-party plugins.
🧭 Mitigation & Best Practices
Patch SharePoint ToolShell Flaws — then audit token issuance and beacon logs.
Ransomware Readiness in Education — Simulate ransom scenarios and test incident notification workflows.
Crypto Defenses — Isolate hot wallets, automate withdrawals, and restrict smart contract permissions.
NPM/Dev Chain Security — Use package integrity scanners, lock dependency versions, and monitor for credential theft.
ICS/OT Hardening — Monitor access attempts, inspect control traffic, and isolate remote diagnostics.
Cyber Insurance Alignment — Review policy fine print—are your controls claim-ready?
Adtech & Marketing Platforms — Enforce script/content security policies, limit vendor access, and monitor for unusual campaign behavior.
Privacy Ops — Build multi-lingual workflows for fulfilling data access requests under GDPR and CCPA.
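For the NPM/Dev Chain item above, here is one way to check that dependency versions are locked and integrity-protected. This is an added example, not code from the newsletter or from npm; the `auditNpmLock` name, the single-approved-registry policy, and all sample package names, URLs and hashes are assumptions constructed for illustration.

```javascript
// Added example (not from the newsletter): audit a parsed package.json and
// package-lock.json (lockfileVersion 2/3 "packages" map) for supply-chain drift.
const APPROVED_REGISTRY = "https://registry.npmjs.org/"; // assumption: only source allowed
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function auditNpmLock(pkg, lock) {
  const findings = [];
  // 1. Direct dependencies must be exact versions, not ranges or dist-tags.
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) findings.push({ name, issue: "unpinned", detail: spec });
    }
  }
  // 2. Every locked package must come from the approved registry with a sha512 hash.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace links, and deps bundled in a parent tarball.
    if (path === "" || entry.link || entry.inBundle) continue;
    const name = path.split("node_modules/").pop();
    const resolved = entry.resolved || "";
    if (!resolved.startsWith(APPROVED_REGISTRY)) {
      findings.push({ name, issue: "unexpected-source", detail: resolved || "(none)" });
    }
    const hashes = (entry.integrity || "").split(/\s+/).filter(Boolean);
    if (hashes.length === 0) {
      findings.push({ name, issue: "missing-integrity", detail: "(none)" });
    } else if (!hashes.some((h) => h.startsWith("sha512-"))) {
      findings.push({ name, issue: "weak-integrity", detail: hashes.join(" ") });
    }
  }
  return findings;
}

// Constructed sample input: package names, URLs and hashes are placeholders.
const SAMPLE_PKG = {
  dependencies: { "example-a": "1.2.3", "example-b": "^2.0.0" },
  devDependencies: { "example-c": "latest" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/example-a": { version: "1.2.3", resolved: APPROVED_REGISTRY + "example-a/-/example-a-1.2.3.tgz", integrity: "sha512-CONSTRUCTEDHASHA==" },
    "node_modules/example-b": { version: "2.1.0", resolved: APPROVED_REGISTRY + "example-b/-/example-b-2.1.0.tgz", integrity: "sha1-CONSTRUCTEDHASHB=" },
    "node_modules/example-c": { version: "0.4.0", resolved: "git+ssh://git@git.example.invalid/example-c.git#0000000" },
  },
};

for (const f of auditNpmLock(SAMPLE_PKG, SAMPLE_LOCK)) console.log(`${f.issue}\t${f.name}\t${f.detail}`);
```

Run in CI against the parsed contents of the real files and fail the build on any finding; pair it with `npm ci`, which installs strictly from the lockfile.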
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!