
This Week in Cybersecurity: Looking Back at Week 17

April 25, 2025 Reading Time: 6 minutes

This week’s cybersecurity highlights include a supply chain attack compromising Ripple’s xrpl.js npm package, and a cyberattack on Marks and Spencer disrupting online orders and in-store payments. A critical Commvault vulnerability allows unauthenticated remote code execution, while deleted GitHub files continue to expose sensitive data.

The UK ICO fined Advanced £3.07 million over a ransomware breach affecting health records. Microsoft patched Remote Desktop freezes in Windows 11 and Server 2025, and Google dropped Chrome’s standalone cookie prompt. Meanwhile, attackers are abusing Google Sites and DKIM replay to send signed phishing emails.

Ripple’s xrpl.js npm Package Compromised in Major Supply Chain Attack

The official Ripple JavaScript library, xrpl.js, was compromised in a sophisticated supply chain attack, exposing users’ private cryptocurrency keys.

The malicious code, introduced by an attacker using the npm account “mukulljangid” on April 21, 2025, added a function named checkValidityOfSeed designed to exfiltrate private keys to an external domain (“0x9c[.]xyz”).

The vulnerability has been assigned CVE-2025-32965 with a CVSS score of 9.3 and affects versions 4.2.1 through 4.2.4 and 2.14.2 of the package. Users are urged to update to versions 4.2.5 or 2.14.3 and rotate any potentially compromised keys.
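A defender-side check for the versions and indicators named above, added here as an example (it is not Ripple's or npm's code): it flags compromised xrpl entries in a lockfile and scans JavaScript sources for the injected function name and the exfiltration domain. The lockfile and the source snippet are constructed samples.

```python
"""Added example, not Ripple's or npm's code: flag the xrpl.js versions the
advisory lists as compromised (CVE-2025-32965) in a package-lock.json, and scan
JavaScript sources for the two indicators the post names.  The lock-file and the
source snippet are constructed samples."""
import json
import re

AFFECTED = {"4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"}   # compromised releases
FIXED = {"4": "4.2.5", "2": "2.14.3"}                        # clean release per major line
# Indicators from the post: the injected function name and the exfiltration domain
# (matched in both plain and defanged "[.]" form).
INDICATORS = {
    "checkValidityOfSeed": re.compile(r"\bcheckValidityOfSeed\b"),
    "0x9c[.]xyz": re.compile(r"0x9c(?:\.|\[\.\])xyz"),
}

def affected_xrpl_versions(lock_json: str) -> list:
    """Return (lock path, version, fixed version) for every affected xrpl entry.
    Handles lockfileVersion 2/3, where every installed copy (nested ones too)
    appears under "packages" keyed by its node_modules path."""
    lock = json.loads(lock_json)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] != "xrpl":
            continue  # not the xrpl package itself (skips e.g. xrpl-foo)
        version = meta.get("version", "")
        if version in AFFECTED:
            hits.append((path, version, FIXED[version.split(".")[0]]))
    return hits

def indicator_hits(source: str) -> list:
    """Names of the indicators present in a JavaScript source file."""
    return [name for name, pat in INDICATORS.items() if pat.search(source)]

# Constructed sample: one vulnerable top-level copy, one clean nested copy.
SAMPLE_LOCK = json.dumps({
    "name": "wallet-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"xrpl": "^4.2.0"}},
        "node_modules/xrpl": {"version": "4.2.4"},
        "node_modules/some-lib/node_modules/xrpl": {"version": "2.14.3"},
    },
})
# Constructed snippet that only mimics the indicator strings.
SAMPLE_SOURCE = "const host = '0x9c[.]xyz';\nfunction checkValidityOfSeed(seed) {}\n"

if __name__ == "__main__":
    for path, version, fixed in affected_xrpl_versions(SAMPLE_LOCK):
        print(f"{path}: xrpl {version} is compromised, upgrade to {fixed} and rotate keys")
    print("indicators found:", indicator_hits(SAMPLE_SOURCE))
```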

View Source

Marks and Spencer Confirms Cyberattack Disrupting Online Orders and In-Store Payments

Marks & Spencer (M&S) has confirmed a cyberattack that began earlier this week, disrupting its operations across the UK. The incident has led to the suspension of contactless payments in stores and delays in online order deliveries, including its Click and Collect service.

In response, M&S has taken precautionary measures by moving certain processes offline to protect its customers, employees, and business operations. Despite these challenges, all physical stores remain open, and the company’s website and app continue to function normally.

M&S has engaged cybersecurity experts and reported the incident to the National Cyber Security Centre. The company has reassured customers and staff that there is no evidence of compromised personal data and that no action is required from them at this time.

View Source

ICO Fines Advanced £3.07 Million for Ransomware Attack Exposing Sensitive Health Data

The UK’s Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd €3.59 million (£3.07 million) following a 2022 ransomware attack that compromised the personal information of 79,404 individuals.

The breach occurred when hackers exploited a customer account lacking multi-factor authentication (MFA), gaining access to Advanced’s health and care subsidiary systems. The compromised data included sensitive details, such as information on how to access the homes of 890 individuals receiving at-home care.

The ICO’s investigation revealed that Advanced failed to implement adequate security measures, including comprehensive MFA coverage, regular vulnerability scanning, and effective patch management.

Initially facing a provisional fine of €7.12 million (£6.09 million), the penalty was reduced after Advanced engaged proactively with the National Cyber Security Centre, the National Crime Agency, and the NHS, and took steps to mitigate risks to those affected. Advanced accepted the ICO’s decision and agreed to pay the reduced fine without appeal.

Information Commissioner John Edwards emphasised the importance of robust security measures, stating, “Organisations risk becoming the next target without robust security measures in place.” He urged all organisations to ensure that every external connection is secured with MFA to protect personal information.

View Source

Critical Commvault Flaw Enables Remote Code Execution Without Authentication

A critical vulnerability, identified as CVE-2025-34028 with a CVSS score of 9.0, has been discovered in Commvault’s Command Center versions 11.38.0 through 11.38.19. This flaw allows unauthenticated attackers to execute arbitrary code remotely, potentially compromising the entire Command Center environment.

The issue stems from the “deployWebpackage.do” endpoint, which lacks proper host filtering, leading to a Server-Side Request Forgery (SSRF). Exploitation involves sending a crafted HTTP request to this endpoint, causing the system to retrieve and unpack a malicious ZIP archive containing a .JSP file. The attacker can then execute this file, gaining unauthorised access.

Commvault has addressed this vulnerability in versions 11.38.20 and 11.38.25. Users are strongly advised to update to these versions immediately to mitigate potential risks.
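Two checks a defender can derive from the advisory, added here as an example (not Commvault's code): a version test against the affected range, and detection logic over web-server log lines for requests to the deployWebpackage.do endpoint that name an external fetch host. The log lines are constructed samples, and both the /commandcenter/ path prefix and the query parameter name are assumptions, since the post gives neither.

```python
"""Added example, not Commvault's code: commvault_affected() tests a Command
Center build against the 11.38.0-11.38.19 range (CVE-2025-34028), and
find_deploy_requests() flags log lines hitting deployWebpackage.do and extracts
any non-trusted host named in the query, i.e. the SSRF fetch target.  Log lines,
path prefix and the query parameter name are constructed/assumed."""
import re
from urllib.parse import unquote, urlsplit

def commvault_affected(version: str) -> bool:
    """True for 11.38.0 through 11.38.19 (fixed in 11.38.20 and 11.38.25)."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return (major, minor) == (11, 38) and patch <= 19

# Hosts the server is legitimately allowed to fetch packages from (assumed).
TRUSTED_HOSTS = {"localhost", "127.0.0.1", "updates.internal.example"}
# Common Log Format: client - - [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def find_deploy_requests(log_text: str) -> list:
    """One dict per request to deployWebpackage.do, listing non-trusted hosts in its query."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/deployWebpackage.do"):
            continue
        external = []
        # Decode the query and pull out every absolute URL, whatever parameter carries it.
        for url in re.findall(r"https?://[^\s&\"']+", unquote(target.query)):
            host = urlsplit(url).hostname
            if host and host not in TRUSTED_HOSTS:
                external.append(host)
        hits.append({"src": m["src"], "method": m["method"],
                     "status": int(m["status"]), "external_hosts": external})
    return hits

# Constructed sample: a normal login, an external package fetch, an internal one.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Apr/2025:09:58:11 +0000] "GET /commandcenter/login.do HTTP/1.1" 200 1024
203.0.113.7 - - [23/Apr/2025:10:14:02 +0000] "GET /commandcenter/deployWebpackage.do?pkg=http%3A%2F%2F198.51.100.9%3A8000%2Fpkg.zip HTTP/1.1" 200 512
10.0.0.5 - - [23/Apr/2025:10:30:45 +0000] "POST /commandcenter/deployWebpackage.do?pkg=http%3A%2F%2Fupdates.internal.example%2Fsp.zip HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    print("11.38.19 affected:", commvault_affected("11.38.19"))
    for hit in find_deploy_requests(SAMPLE_LOG):
        print("EXTERNAL FETCH" if hit["external_hosts"] else "ok", hit)
```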

View Source

Deleted Files in GitHub Repositories Pose Security Risks by Retaining Sensitive Data

Security researcher Sharon Brizinov showed that files deleted from GitHub repositories can still expose sensitive information, because Git’s version control retains them in the repository’s history. By restoring files previously removed from public repositories, Brizinov discovered hundreds of leaked secrets, including API keys and credentials.

This issue arises because Git retains all historical versions of files, even after deletion, unless specific actions are taken to remove them from the repository’s history. To fully eliminate sensitive data, developers must rewrite the repository’s history using tools like git filter-branch or git-filter-repo and perform garbage collection to remove unreferenced objects.

Brizinov’s findings highlight the importance of thoroughly purging sensitive information from all parts of a repository, not just the current working directory.
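The retention described above, demonstrated with plain git as an added example (not the researcher's tooling): every file deleted anywhere in history is still reachable from the deleting commit's parent, so a scan of "deleted" files finds the credential. The secret patterns and the throwaway demo repository (seeded with the AWS documentation sample key) are constructed.

```python
"""Added example, not the researcher's tooling: list every file deleted anywhere
in a repository's history, recover its last contents with plain git, and scan it
for secret-looking strings.  The patterns and the demo repository are constructed."""
import re
import subprocess
import tempfile

SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def find_secrets(text: str) -> list:
    """Names of the patterns that match anywhere in text."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))

def git(repo: str, *args: str) -> str:
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout

def parse_deleted(log_output: str) -> list:
    """Parse `git log --all --diff-filter=D --name-only --pretty=format:%H` into
    (commit, path) pairs: a 40-hex line starts a commit, other lines are paths."""
    pairs, commit = [], None
    for line in log_output.splitlines():
        if re.fullmatch(r"[0-9a-f]{40}", line):
            commit = line
        elif line.strip() and commit:
            pairs.append((commit, line.strip()))
    return pairs

def scan_deleted(repo: str) -> list:
    """A deleted file's blob is still reachable as <deleting commit>^:<path>."""
    log = git(repo, "log", "--all", "--diff-filter=D", "--name-only", "--pretty=format:%H")
    return [(path, commit[:12], kind)
            for commit, path in parse_deleted(log)
            for kind in find_secrets(git(repo, "show", f"{commit}^:{path}"))]

def demo() -> list:
    """Throwaway repo: commit a credential, delete it, show it is still recoverable."""
    repo = tempfile.mkdtemp()
    git(repo, "init", "-q")
    git(repo, "config", "user.email", "dev@example.com")
    git(repo, "config", "user.name", "dev")
    with open(f"{repo}/config.env", "w") as f:
        f.write("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n")  # AWS docs sample key
    git(repo, "add", ".")
    git(repo, "commit", "-q", "-m", "add config")
    git(repo, "rm", "-q", "config.env")
    git(repo, "commit", "-q", "-m", "remove config")
    return scan_deleted(repo)
```

Calling demo() returns the deleted config.env with its aws_access_key finding; only a history rewrite (for instance git filter-repo --invert-paths --path config.env) followed by git reflog expire --expire=now --all and git gc --prune=now actually removes the blob.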

View Source

Microsoft Resolves Remote Desktop Freezes on Windows Server 2025 and Windows 11 24H2

Microsoft has addressed a persistent issue causing Remote Desktop sessions to freeze on Windows Server 2025 and Windows 11 24H2 systems. The problem, which emerged following the February 2025 security update (KB5051987), led to unresponsive mouse and keyboard inputs shortly after establishing a Remote Desktop connection, forcing users to disconnect and reconnect.

While Windows 11 24H2 users received a fix via the optional KB5052093 update on February 25, the resolution for Windows Server 2025 was delivered through the KB5055523 cumulative update released on April 8.

Microsoft recommends that affected users install the latest updates to ensure optimal Remote Desktop functionality.

View Source

Google Drops Standalone Third-Party Cookie Prompt in Chrome

On April 23, 2025, Google announced it will not introduce a standalone prompt for third-party cookies in its Chrome browser, opting instead to maintain the existing user-managed settings through Chrome’s Privacy and Security Settings.

This decision follows feedback from publishers, developers, regulators, and the advertising industry, highlighting divergent perspectives on changes affecting third-party cookies. In lieu of the standalone prompt, Google plans to enhance tracking protections in Chrome’s Incognito mode, which already blocks third-party cookies by default, and introduce a new IP Protection feature in the third quarter of 2025. This feature aims to limit the availability of a user’s original IP address in third-party contexts to prevent cross-site tracking.

The move comes amid increasing regulatory scrutiny in the U.S., with recent rulings accusing Google of maintaining monopolies in the search and advertising markets, and proposals from the Department of Justice suggesting a breakup of Google’s ad tech business.

View Source

Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

Cybersecurity researchers identified a sophisticated phishing campaign exploiting Google’s infrastructure to deliver deceptive emails that appear legitimate.

Attackers utilised Google’s Sites platform to create convincing phishing pages and manipulated the DomainKeys Identified Mail (DKIM) authentication process to bypass email security filters. By crafting OAuth applications with names containing the entire phishing message, they generated security alerts from Google that were signed with valid DKIM keys. These alerts were then forwarded through external email services, retaining their DKIM signatures, and landed in victims’ inboxes without triggering security warnings.

The phishing emails directed recipients to fraudulent Google Sites pages mimicking legitimate Google support pages, ultimately leading to credential harvesting. Google has acknowledged the issue and implemented measures to mitigate this attack vector, advising users to enable two-factor authentication and remain vigilant against such deceptive tactics.

View Source
