Week 44 brings a fresh reminder of the diverse and persistent threats facing every organisation.
From a critical unpatched browser flaw that can crash billions of Chromium installations to a massive 183 million credential leak confirming that infostealer malware is an existential risk, defenders must prioritise patching and strong access controls.
Furthermore, critical infrastructure remains under threat, as evidenced by the attack on Sweden’s power grid operator, while financial teams must guard against sophisticated social engineering scams that continue to claim major victims.
1. Critical Vulnerabilities & Zero-Days
Unpatched ‘Brash’ Flaw Can Crash Billions of Chromium Browsers
A critical, currently unpatched vulnerability, dubbed “Brash,” has been disclosed in the Chromium Blink rendering engine, which powers browsers like Chrome, Microsoft Edge and Brave.
The flaw exploits the complete absence of rate limiting on the document.title API updates, allowing a malicious website to inject millions of mutations per second. This immediately causes a Denial-of-Service (DoS) condition, crashing the browser within seconds and, in some cases, freezing the host operating system.
The researcher publicly disclosed the bug after initial vendor reports went unanswered, affecting billions of users worldwide.
Our Take: Patching is critical.
Until a patch is released, warn employees to be highly cautious of unexpected browser pop-ups or new tabs, and consider temporary measures such as using a non-Chromium browser for sensitive work where feasible. The speed and impact of this DoS attack necessitate immediate communication to end users.
Chrome Zero-Day Exploited to Deliver LeetAgent Espionage Spyware from Memento Labs
A now-patched Google Chrome zero-day vulnerability (CVE-2025-2783) was actively exploited as part of an espionage campaign, Operation ForumTroll, targeting organisations in Russia and Belarus. The attack chain leveraged spear-phishing emails to execute a sandbox escape and deliver previously undocumented spyware called LeetAgent.
This surveillance tool was developed by the Italian company Memento Labs (formerly HackingTeam).
Our Take: Patch and defend against phishing.
Ensure your organisation applies Chrome patches immediately, as zero-days are frequently targeted. Conduct advanced phishing simulations that specifically test user response to emails containing malicious links.
2. Data Breach & Extortion Threats
Everest Group Steals 280GB from Sweden’s Power Grid Operator
Sweden’s state-owned power grid operator, Svenska kraftnät, confirmed a data breach after a cyberattack targeted an isolated, external file transfer system.
The Everest ransomware group claimed responsibility, alleging they stole approximately 280 GB of data.
Crucially, Svenska kraftnät emphasised that the nation’s electricity supply, power grid operations and mission-critical systems were not affected by the incident, underscoring the success of their network segmentation.
Our Take: Enforce Network Segmentation.
This incident confirms that well-executed network segmentation works. Critically review the segmentation between your organisation’s IT systems and your OT systems to ensure no breach of IT can cascade into critical operations.
183 Million Passwords, Including Gmail Credentials, Exposed in Infostealer Log Leak
A massive data dump containing 183 million login credentials has been added to the Have I Been Pwned database, originating from nearly a year of monitoring infostealer platforms. HIBP founder Troy Hunt confirmed the data includes compromised credentials for all major email providers, with Gmail passwords heavily featured.
This confirms the severe risk of credential-based attacks, reinforcing the need for proactive compromised-credential monitoring.
Our Take: Credential Hygiene is a must.
Mandate the use of Multi-Factor Authentication (MFA) across all critical services immediately to neutralise the utility of stolen passwords.
3. Supply Chain & Financial Risk
PhantomRaven Malware Steals GitHub Credentials, Infecting 86K NPM Installs
Cybersecurity researchers uncovered the PhantomRaven campaign, a sophisticated software supply chain attack targeting the npm registry with 126 malicious packages and over 86,000 installs.
The malware employs a novel evasion technique by hiding its malicious payload in Remote Dynamic Dependencies (RDDs), making it invisible to static analysis tools. The primary goal is to steal GitHub tokens, CI/CD secrets, and authentication credentials from developers’ machines.
Our Take: Secure your development environment.
Audit your use of third-party dependencies. Restrict access to code repositories using least privilege and ensure that all development tokens and secrets are stored in secure vaults, not directly on developer machines, to limit the impact of a compromised workstation.
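The Remote Dynamic Dependency trick works because npm will fetch a dependency from an arbitrary URL named in the manifest rather than from the registry, so a registry-only scan never sees the code. The audit helper below is an added example, not the article's or npm's code: it flags such specs in a package.json and, via the lockfile's resolved URLs, in transitive dependencies too. The manifest, lockfile and hostnames are constructed placeholders.

```javascript
// Added example: flag npm dependencies resolved from outside the package registry,
// the "Remote Dynamic Dependency" pattern used to keep payloads out of static scans.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Spec forms npm fetches from an arbitrary location: HTTP(S) tarballs, git URLs and
// GitHub/GitLab/Bitbucket shorthand. Versions, ranges, tags and npm: aliases are not matched.
const REMOTE_SPEC = /^(https?:\/\/|git(\+[a-z]+)?:|github:|gitlab:|bitbucket:|[\w.-]+\/[\w.-]+(#.*)?$)/i;

function isRemoteSpec(spec) {
  return typeof spec === 'string' && REMOTE_SPEC.test(spec.trim());
}

// Direct dependencies declared in package.json.
function findRemoteDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isRemoteSpec(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Transitive dependencies: a v2/v3 lockfile's "packages" map records where every
// installed package was actually fetched from, so a remote dependency pulled in by an
// innocuous-looking package shows up here even when package.json is clean.
function findNonRegistryResolved(lock, registryHost = 'registry.npmjs.org') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.resolved) continue; // '' is the root project itself
    let host = null;
    try { host = new URL(entry.resolved).host; } catch (e) { /* not a URL at all: flag it */ }
    if (host !== registryHost) findings.push({ path, resolved: entry.resolved });
  }
  return findings;
}

// Constructed samples; package names and hosts are placeholders.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { express: '^4.19.2', 'some-helper': 'http://cdn.example.invalid/helper.tgz' },
  devDependencies: { eslint: '9.0.0', 'tool-kit': 'github:someuser/tool-kit' },
};
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'example-app' },
    'node_modules/express': { resolved: 'https://registry.npmjs.org/express/-/express-4.19.2.tgz' },
    'node_modules/some-helper': { resolved: 'http://cdn.example.invalid/helper.tgz' },
    'node_modules/some-helper/node_modules/inner': { resolved: 'git+ssh://git@github.com/someuser/inner.git' },
  },
};
```

Run findNonRegistryResolved over package-lock.json in CI and fail the build on any finding; a private registry or mirror goes in registryHost.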
Irish University Loses Nearly €100K in BEC Scam After Failing to Verify Supplier Bank Details
The Technological University of the Shannon (TUS) reported a financial loss of €98,500 after falling victim to a fraudulent Business Email Compromise (BEC) scam.
A legitimate payment was successfully diverted to a rogue bank account after TUS received a fraudulent email directing a change in the supplier’s bank details. The University paid the invoice without independently verifying the change, an internal control failure that directly led to the financial loss.
Our Take: Enforce payment verification.
Implement and rigidly enforce a two-person/two-factor policy for all financial transactions, particularly when bank details are changed. The policy must require out-of-band verification (a phone call to a known, trusted number) before any wire transfer is executed. Technology solutions alone cannot prevent this social engineering failure.
4. Policy & Privacy
LinkedIn Forces Opt-In for AI Training, Using Millions of EU/UK User Profiles for Microsoft’s Generative AI
LinkedIn has revised its data policy for users in the EU, UK, Canada and Switzerland, effective Monday, November 3rd, 2025. By default, public profile details and activity will now be used to train Microsoft’s generative AI models.
Experts warn this shift to an opt-in default is designed to maximise data collection, potentially increasing the risk of sophisticated, personalised spear-phishing by supplying AI models with richer professional context.
Our Take: Update employee policies.
Immediately notify all EU/UK staff and contractors that they must manually opt out of the LinkedIn AI training by November 3rd. Update social media guidelines to reflect the new default data-sharing risk and minimise the exposure of organisational structure and personnel details.
Prioritise Fundamentals Against Pervasive Threats
This week’s intelligence underscores a critical reality that cyber threats are more pervasive and sophisticated than ever, targeting every layer of the modern enterprise, from the browser engine to the finance department.
The sheer volume of exposed credentials demands an immediate organisational push toward Multi-Factor Authentication (MFA) and the adoption of modern, passwordless solutions like passkeys. Simultaneously, the unpatched “Brash” flaw and the Chrome zero-day exploitation serve as a blunt reminder that rigorous patch management and software hygiene are non-negotiable foundations for endpoint security.
For sectors dealing with sensitive financial data or critical infrastructure, the lesson is clear: isolate critical systems through strict network segmentation (as demonstrated by Svenska kraftnät) and enforce out-of-band verification policies (to counter BEC scams). Ignoring these fundamental controls is a direct path to preventable financial or operational disaster.
The shift in major platform privacy policies, like LinkedIn’s move to opt-in AI training, also necessitates a continuous review of employee policy and training. Security is not just a technology issue, it is a policy and people issue.
Your action plan for the coming week must be centred on strengthening fundamentals: patching vulnerabilities, enforcing MFA and training employees to be the human firewall against social engineering attacks.