
The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.
In May 2025, it was reported that the M&S CEO was set to face a significant pay reduction of up to £1.1m following the notable cyber attack on the retailer. This weekend, the media reported that Rachel Higham, the executive responsible for the British retailer’s technology function, is stepping down and leaving the company.
Qantas Airways has penalised its CEO, Vanessa Hudson, with a 15% pay reduction in short-term compensation (equivalent to around $250,000) after a July cyber attack exposed the data of 5.7 million people.
It feels like a very long time since Baroness Dido Harding’s bonus was cut in half to a not insubstantial £220,000 following the TalkTalk cyber attack of October 2015. Around eighteen months later, Harding stood down as CEO of TalkTalk, denying it had anything to do with the cyber incident. But the trend of impact on Board-level pockets has continued, as we’re being reminded of with M&S and Qantas. I’d like to think that these examples work as an incentive for those with strategic responsibility for business cybersecurity and broader resilience to take a more proactive interest in the risks they manage.
On 8th September, attackers compromised the npm account of a maintainer known as Qix via a phishing attack. The attacker then published malicious updates to 18 extremely popular npm packages with a combined total of more than two billion weekly downloads. The malicious versions were live for only around two hours before being detected and removed. It is widely regarded as a crisis averted, thanks largely to the speed with which the open-source community spotted it.
The npm attack is an example of software supply chain risk. It began by phishing the account of “qix” (Josh Junon). The attackers sent a spear-phishing email from the look-alike domain npmjs.help, impersonating npm support and asking him to update his two-factor authentication via a fake site, which captured his credentials.
With access to the account, the attackers published new versions of 18 popular JavaScript packages – including debug and chalk – containing malicious, obfuscated code. The payload was a cryptocurrency stealer designed to run in the browser of anyone loading an affected package, hooking web and wallet interfaces and targeting Web3 wallets so that transactions could be redirected.
There is a lot of scaremongering around this event. While many jumped to call the hack “the biggest supply chain attack in history”, it was over very quickly. The malicious package versions were only available for download for around two hours, and the attack was largely unsuccessful in stealing cryptocurrency.
The code published to npm does not always match what is committed to a package’s GitHub repository. npm publish packs whatever is in the publisher’s working directory into a tarball and uploads it to the registry, so a maintainer (or, as here, an attacker holding the maintainer’s session) can ship files that never appear in source control; in this incident the malicious versions went straight to the registry and the source repositories were untouched. This introduces a visibility gap: the code your developers review on GitHub isn’t always the code executed in production. The practical check is to compare the tarball you actually install (npm pack, or npm diff between two versions) with the tagged source, not to trust the repository alone.
In this case, the attacker targeted browser environments in order to intercept and manipulate crypto-related operations. Most server-side Node.js deployments were not materially affected, since the injected code depended on browser and wallet globals and was largely inert in backend contexts.
To tighten security in light of this npm attack, consider:
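One concrete control, written here as an added example rather than code from the briefing or from npm: a Node script that audits a package-lock.json for the three things this incident highlights, namely known-compromised versions, dependencies installed without an integrity hash or from outside the registry, and versions published so recently that a hijacked account could be the source (a “minimum release age”). The denylist versions, the sample lockfile and the registry publish times below are all constructed for the example; in real use you would load your own lockfile and the `time` object from `npm view <package> time --json`.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3 "packages" layout)
// against known-bad versions, missing integrity hashes, non-registry tarballs and
// a minimum release age. All sample data below is constructed, not real IOCs.

const HOUR_MS = 60 * 60 * 1000;

// Constructed denylist: package name -> versions to block. The versions are
// placeholders; substitute the ones named in the advisory you are acting on.
const DENYLIST = {
  chalk: new Set(['0.0.0-compromised']),
  debug: new Set(['0.0.0-compromised']),
};

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/foo/node_modules/chalk" -> "chalk".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Walk every dependency entry and return a list of findings.
// registryTimes: package name -> { version: ISO publish timestamp }, the shape of
// the "time" object from `npm view <pkg> time --json`, passed in so this runs offline.
function auditLockfile(lock, registryTimes, opts = {}) {
  const minAgeHours = opts.minAgeHours ?? 24;
  const now = opts.now ?? Date.now();
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '' || meta.link) continue; // root project / workspace symlink
    const name = meta.name || nameFromLockPath(lockPath);
    const version = meta.version;
    const report = (issue) => findings.push({ name, version, path: lockPath, issue });

    if (DENYLIST[name]?.has(version)) report('known-compromised version');

    // Without an integrity hash, `npm ci` cannot verify the tarball it installs.
    if (!meta.integrity) report('missing integrity hash');

    // A tarball fetched from anywhere but the registry bypasses registry controls.
    if (meta.resolved && !meta.resolved.startsWith('https://registry.npmjs.org/')) {
      report('non-registry resolved URL');
    }

    // Minimum release age: a freshly published version is exactly what a hijacked
    // account produces; waiting out a window gives the community time to catch it.
    const publishedAt = registryTimes[name]?.[version];
    if (publishedAt && now - Date.parse(publishedAt) < minAgeHours * HOUR_MS) {
      report('published less than ' + minAgeHours + 'h ago');
    }
  }
  return findings;
}

// Constructed sample lockfile in the lockfileVersion 3 layout.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': {
      version: '0.0.0-compromised',
      resolved: 'https://registry.npmjs.org/chalk/-/chalk-0.0.0-compromised.tgz',
      integrity: 'sha512-AAAA', // placeholder hash
    },
    'node_modules/debug': {
      version: '4.3.4',
      resolved: 'https://registry.npmjs.org/debug/-/debug-4.3.4.tgz',
      // integrity deliberately absent
    },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://example.invalid/left-pad-1.3.0.tgz',
      integrity: 'sha512-BBBB', // placeholder hash
    },
  },
};

// Constructed publish times, as `npm view <pkg> time --json` would return them.
const NOW = Date.parse('2025-09-08T15:00:00Z');
const SAMPLE_TIMES = {
  chalk: { '0.0.0-compromised': '2025-09-08T13:10:00Z' }, // under two hours old
  debug: { '4.3.4': '2022-03-01T00:00:00Z' },
  'left-pad': { '1.3.0': '2018-04-01T00:00:00Z' },
};

const DEMO_FINDINGS = auditLockfile(SAMPLE_LOCK, SAMPLE_TIMES, { now: NOW });
for (const f of DEMO_FINDINGS) console.log(`${f.issue}: ${f.name}@${f.version} (${f.path})`);
```

Run against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and SAMPLE_TIMES with the registry metadata for each package; wiring the script into CI so that any finding fails the build turns the two-hour exposure window into something your pipeline refuses to install in the first place.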
A major cyber incident sits near the top of every business leader’s list of worst nightmares. But what happens next is critical. A well-practised and carefully crafted response can do much to mitigate the financial and reputational impact. The contrast in communications strategies between the recently attacked M&S and JLR is worth analysing.
While we’re led to believe that there is a significant data breach element of the Jaguar Land Rover cyber attack, let’s not dwell too much, beyond the analysis we did last week on Rey, formerly known as Hikki-Chan, a central figure in the HELLCAT cybercrime network. The limited information available makes it very difficult to glean much insight into the JLR incident, or more importantly, benefit from lessons on what to do differently to avoid being the next victim.
The silence isn’t limited to the technical details; there has been very little from JLR’s corporate affairs function at all. By comparison, M&S was praised for its email communication strategy, its outreach to customers and its in-store communications. Moreover, the M&S CEO, Stuart Machin, and other key staff were proactive in providing reassuring messaging and engaging with the media to control the narrative.
In stark contrast, JLR appears very quiet, with little being shared with its customer base or its supply chain (the latter, in particular, seems to be really suffering). As a result, the media has been left to write its own narrative, which rarely serves the victim well.
The two examples, in close proximity, show that good PR management during a crisis is paramount. Controlling outbound information matters, and yes, there is a period early in an incident when less is more. As the incident develops, however, the corporate affairs function has the opportunity to step in front of the media to drive reassurance, restore faith and protect brand reputation.