This Week’s Cyber Incidents Show Where Defensive Priorities Must Realign

Published
Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

Cyberattacks this week underscored how inexpensively threat activity is evolving, from low-cost malicious AI to large-scale supply-chain compromises hitting npm ecosystems. 

As retail infrastructure scales for the holiday season, the week also echoed a broader reminder that “there’s never a slow period for bad actors,” as Tenable’s Scott Caveza noted, stressing the need for visibility into exposures, misconfigurations, and weak identities.

Trusted environments showed stronger internal vigilance, with CrowdStrike identifying and terminating a suspicious insider. 

The combined picture highlighted widening exposure across industries as attackers blended automation, third-party footholds, and correlation of stolen data across systems.

SitusAMC Breach Exposes Bank Data in Third-Party Cyberattack 

SitusAMC confirmed a November 12 cyberattack that compromised accounting documents, legal contracts, and some customer data tied to its banking clients. Reporting indicates information connected to JPMorgan Chase, Citi, and Morgan Stanley may have been exposed. The FBI says no banking operations were affected while the company continues assessing the scope of the breach.

CrowdStrike Fires Employee Accused Of Leaking Internal Screenshots To Hackers

CrowdStrike says an employee shared computer-screen photos that later appeared on a Telegram channel run by Scattered Lapsus$ Hunters. The firm denies any system breach, rejecting hacker claims linking access to the Gainsight–ShinyHunters ecosystem. CrowdStrike handed the case to law enforcement as recent third-party incidents show expanding insider and supply-chain risks.

Targeted Holiday Phishing Scams Surge With Fake Luxury Stores And Crypto Lures

A new BforeAI report identifies more than 1,700 malicious domains created for holiday-season scams, including fake Dolce & Gabbana, Pandora, and Amazon storefronts. Researchers warn that threat actors build infrastructure weeks ahead, exploiting high-traffic retail periods through phishing pages and Telegram channels.

NPM Supply-Chain Attack Infects 400+ Packages Including ENS Crypto Libraries

Researchers found more than 400 npm packages compromised by the Shai Hulud worm, including at least 10 high-traffic libraries tied to Ethereum Name Service. The malware spreads autonomously across developer environments, harvesting secrets and exposing private repositories; researchers warn that packages with tens of thousands of weekly downloads are affected.

Canon Confirms Subsidiary Breach Linked to Cl0p Oracle EBS Exploit

Canon says a subsidiary’s web server was compromised in the large-scale Cl0p campaign exploiting an Oracle E-Business Suite zero-day, with the breach contained and no data leaked so far. The incident adds Canon to more than 100 organizations named by Cl0p, including Broadcom, Mazda, and Estée Lauder. Companies worldwide are assessing exposure to the widespread EBS vulnerability.

Dartmouth College Confirms Data Breach After Clop Leaks Oracle EBS Files

Dartmouth says Clop exploited an Oracle E-Business Suite zero-day to steal files containing names, Social Security numbers, and financial account details for at least 1,494 people. The gang leaked the data online, with investigators warning the total impact may be far higher as Dartmouth has yet to file its home-state notice. 

Harvard University Discloses Data Breach After Phone-Based Phishing Attack

Harvard says a voice-phishing attack compromised its Alumni Affairs and Development systems, exposing contact details, donation records, and biographical data for alumni, donors, students, faculty, and parents. Officials confirmed no Social Security numbers, passwords, or financial information were stored in the affected systems.

WormGPT 4 Offers Low-Cost AI For Ransomware And Phishing

A new version of the WormGPT model is being sold for as little as $50 a month, offering on-demand malware, ransomware scripts, and phishing content. Researchers demonstrated that it can generate functional PowerShell ransomware and automate key attack stages including encryption and exfiltration. The rise of models like WormGPT 4 underscores how AI-driven cybercrime tools are simplifying entry for attackers.

US CodeRED Emergency Alert System Taken Down Due to Ransomware

The US CodeRED emergency alert system was taken offline after a ransomware attack, prompting its full decommissioning. Crisis24 is rebuilding the platform from backups that are current only through March, leaving municipalities to rely on alternative channels such as social media and FEMA's IPAWS alerts in the meantime. Names, emails, phone numbers, addresses, and hashed passwords were leaked online. INC Ransom claimed responsibility for the attack.

FCC Warns of Hackers Exploiting Insecure ‘Barix’ Radio Transmission Equipment to Broadcast Inappropriate Material

Hackers are exploiting insecure Barix radio equipment to inject simulated alerts and inappropriate content, the FCC warns. The attacks exploit weak configurations, including default passwords, allowing threat actors to replace programming with attacker-controlled audio streams. Changing default credentials and keeping device management interfaces off the public internet closes the path the FCC describes.

Multiple London Councils Hit by Coordinated Cyberattack, Services Disrupted

A cyberattack affecting shared IT systems has disrupted services across three London councils and triggered a national investigation. Officials have alerted the ICO, warned that personal data may be at risk, and urged residents to watch for suspicious correspondence. Councils activated emergency plans, closed parts of their networks, and advised staff to work remotely while systems undergo restoration.

Qilin Claims Santa Paula Ransomware Attack as City Investigates Major Network Outage

The City of Santa Paula reported a major network outage affecting email and internal servers, with the Qilin ransomware group later claiming responsibility. Officials have not confirmed ransomware involvement or disclosed the scope of data affected. The incident adds to a series of Qilin attacks on U.S. municipalities and international healthcare organizations.

Tyler Technologies Jury System Flaw Exposes Sensitive Personal Data in US States

A flaw in Tyler Technologies' jury systems exposed sensitive juror data across several U.S. states due to weak design and the absence of rate limiting. Sequential juror IDs allowed brute-force access to profiles containing highly sensitive personal, demographic, and health information. Tyler confirmed the vulnerability after disclosure and deployed a fix, but has not said whether the flaw was exploited or whether affected individuals will be notified.
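The pattern described above, as an added illustration that is not Tyler Technologies' code or the researchers' report: a lookup keyed by a sequential ID with no authorization and no rate limit can be walked in a single loop, shown beside a hardened variant that replaces the guessable ID with an opaque per-record token and throttles attempts per client. The record contents, the token scheme (a 256-bit token delivered out of band), and the limits are assumptions constructed for the example.

```python
"""Sequential-ID enumeration beside a hardened, token-based, rate-limited lookup (illustrative only)."""
import hashlib
import secrets
from collections import defaultdict, deque

# Constructed sample records keyed by sequential juror IDs (fictional data).
JURORS = {
    1001: {"name": "Juror One", "accommodation": "none"},
    1002: {"name": "Juror Two", "accommodation": "mobility"},
    1003: {"name": "Juror Three", "accommodation": "none"},
}


class VulnerableLookup:
    """The weak pattern: profile retrieval by a predictable ID, no authorization, no throttling."""

    def lookup(self, juror_id: int):
        return JURORS.get(juror_id)


def enumerate_profiles(service: VulnerableLookup, start: int, stop: int) -> dict:
    """Walk the ID space once; every hit returns a full profile. This is the attack, not a defence."""
    return {jid: rec for jid in range(start, stop) if (rec := service.lookup(jid)) is not None}


class RateLimited(Exception):
    """Raised when a client exceeds its allowed lookups inside the window."""


class HardenedLookup:
    """Opaque per-record tokens replace the guessable ID, and lookups are throttled per client."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 60):
        # Hypothetical scheme: a 256-bit token per record, delivered out of band (e.g. on the summons).
        self._token_of = {jid: secrets.token_urlsafe(32) for jid in JURORS}
        # Store only digests so a leaked table does not hand out usable tokens.
        self._id_by_digest = {self._digest(tok): jid for jid, tok in self._token_of.items()}
        self._max = max_attempts
        self._window = window_seconds
        self._attempts = defaultdict(deque)  # client_id -> timestamps of recent requests

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue_token(self, juror_id: int) -> str:
        return self._token_of[juror_id]

    def lookup(self, client_id: str, token: str, now: float):
        # Throttle before touching any data, so guessing is bounded per client.
        recent = self._attempts[client_id]
        while recent and now - recent[0] > self._window:
            recent.popleft()
        if len(recent) >= self._max:
            raise RateLimited(client_id)
        recent.append(now)
        # Digest lookup: a wrong token has a ~2^-256 chance of matching, so enumeration is pointless.
        jid = self._id_by_digest.get(self._digest(token))
        return None if jid is None else JURORS[jid]


def probe(service: HardenedLookup, client_id: str, token: str, now: float) -> str:
    """Outcome of one request: 'hit', 'miss' or 'limited'."""
    try:
        record = service.lookup(client_id, token, now)
    except RateLimited:
        return "limited"
    return "hit" if record is not None else "miss"


if __name__ == "__main__":
    print("vulnerable:", sorted(enumerate_profiles(VulnerableLookup(), 1000, 1010)))
    hardened = HardenedLookup(max_attempts=3)
    good = hardened.issue_token(1002)
    for t, tok in enumerate([good, "1001", "1003", good]):
        print("hardened:", probe(hardened, "attacker", tok, float(t)))
```

The two fixes are independent and both matter: an unguessable token alone still lets an attacker hammer the endpoint, and rate limiting alone only slows a walk through a small sequential ID space rather than stopping it.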

Mixpanel Breach Exposes Limited OpenAI API User Analytics Data

OpenAI confirmed that a breach at its now-former analytics vendor Mixpanel exposed limited profile and analytics data for some API users. The incident stemmed from a smishing attack on Mixpanel and did not affect OpenAI's systems or expose chat content, API keys, or payment details. OpenAI has removed Mixpanel and is reviewing its other vendors.

Lawmakers Call on Anthropic to Testify on AI Tools Used in Intrusions

U.S. lawmakers have called on Anthropic CEO Dario Amodei to testify on December 17 about a Chinese state-backed cyber-espionage campaign that used Claude Code to automate intrusions with minimal human input. It would be the first time an Anthropic executive faces Congress over what is being described as the first documented AI-orchestrated cyberattack. The CEOs of Google Cloud and Quantum Xchange were also called to explain how AI and emerging technologies may accelerate offensive cyber operations and how industry should defend against them.

Scattered Lapsus$ Hunters Impersonate Zendesk for Phishing

Scattered Lapsus$ Hunters is running a phishing campaign using over 40 fake Zendesk domains to steal credentials. The group harvests logins through fraudulent SSO pages and submits weaponized support tickets that can deploy RATs on helpdesk systems. Researchers say the infrastructure mirrors the Salesforce-focused operation linked to ShinyHunters.
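The fake retail storefronts and the Zendesk lookalikes described above both turn on brand impersonation in domain names. As an added example, not from BforeAI's or the Zendesk researchers' tooling, the following check flags registrable domains that carry a brand name outside an allowlist, embed it in a label, hide it behind common digit/letter substitutions, or sit one edit away from it. The brand allowlist, sample domains, suffix table and substitution table are assumptions constructed for the example; production use would need each brand's full set of legitimate domains and a proper public-suffix list.

```python
"""Flag brand-impersonating domains: exact, embedded, homoglyph-folded and near-miss lookalikes."""

# Assumed allowlist of legitimate registrable domains per brand (constructed for this example).
BRANDS = {
    "zendesk": {"zendesk.com"},
    "amazon": {"amazon.com"},
    "pandora": {"pandora.net"},
}

# Tiny stand-in for a public-suffix list; real code should use the full PSL.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Common substitutions seen in lookalike registrations (multi-character pairs first).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample input: a mix of legitimate and lookalike domains.
SAMPLE_DOMAINS = [
    "zendesk.com", "help.zendesk.com", "pandora.net", "example.com", "zenith-desk.com",
    "zendesk.net", "zendesk-sso-login.com", "zendesc.com", "zend3sk-support.net",
    "zendesk.com.support-ticket.net", "amaz0n-deals.com", "rnazon.com", "pandora-outlet-sale.com",
]


def fold_homoglyphs(label: str) -> str:
    """Normalise digit/letter substitutions so 'zend3sk' compares as 'zendesk'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (subdomain labels, second-level label, registrable domain)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        sld, suffix_len = labels[-3], 3
    else:
        sld, suffix_len = labels[-2], 2
    return labels[:-suffix_len], sld, ".".join(labels[-suffix_len:])


def classify(domain: str):
    """Reason string if the domain impersonates a brand, else None."""
    subs, sld, registrable = split_domain(domain)
    if any(registrable in legit for legit in BRANDS.values()):
        return None  # allowlisted registrable domain, including all of its subdomains
    folded = fold_homoglyphs(sld)
    for brand in BRANDS:
        if folded == brand:
            return "brand on unapproved domain"
        if brand in folded:
            return "brand embedded in label"
        if any(brand in fold_homoglyphs(s) for s in subs):
            return "brand in subdomain"
        # Length guard: one-edit matches on very short brand names would be mostly noise.
        if len(brand) >= 5 and levenshtein(folded, brand) <= 1:
            return "one edit from brand"
    return None


def scan(domains):
    """Return [(domain, reason)] for every flagged domain, in input order."""
    return [(d, r) for d in domains if (r := classify(d)) is not None]


if __name__ == "__main__":
    for domain, reason in scan(SAMPLE_DOMAINS):
        print(f"{domain:35} {reason}")
```

Feed it newly observed domains from certificate-transparency logs or passive DNS rather than a static list; the "brand in subdomain" case is the one that most often slips past simple string matching, because the registrable domain itself looks unrelated to the brand.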

Social Data and LLMs Can Reveal Guessable Passwords 

New university research shows how public social-media data can be reconstructed to make passwords more guessable. The study uses a tool called SODA ADVANCE to merge public profiles, measure password exposure, and test how LLMs generate or evaluate passwords when given personal context. Results show that models like Claude, ChatGPT, and Gemini become far better at identifying risky passwords when supplied with reconstructed personal data.

Why Attackers Might Be Targeting Microsoft

Over the past month, Microsoft has faced an unusual cluster of outages and defects tied to updates and authentication across Windows, Teams, and Microsoft 365: a Teams B2B guest-invitation gap that strips users of Defender protections, Windows 11 update bugs that crash core system components, and a hotpatch install loop that required an out-of-band fix.

Gaming performance problems triggered by recent Windows updates, a surge in ClickFix malware using fake Windows Update screens, Exchange Online outages affecting Outlook users, and unexpected FIDO2 PIN prompts after recent patches have widened the attack surface at a time when users are already contending with instability.

Mixed Exposure and Uneven Protections

The week's university breaches reveal a deeper issue. While Harvard kept Social Security numbers out of the affected systems, Dartmouth suffered direct SSN theft through the Oracle EBS exploit, showing that identity data is secured unevenly across organizations.

Emergency services and public-sector systems faced mounting pressure, with a ransomware attack forcing CodeRED offline and councils and cities working through outages. These incidents create operational confusion and leave a web of exfiltrated data that threat actors can match across systems to gain broader access.

Researchers, meanwhile, are pushing defensive insight forward, highlighting that academic security work is evolving to spot systemic weaknesses, even as adversaries test every available foothold.

The week's news shows that government, public, and corporate systems all remain persistent targets. The Tyler Technologies jury-system flaw underscored that even without a breach, weak design can expose sensitive data.

Microsoft's recent cluster of outages, update failures, authentication inconsistencies, and Windows-wide security gaps continues to attract attackers. The pervasive presence of Microsoft systems across enterprises, governments, and consumers gives adversaries a single point at which to test misconfigurations, exploit default weaknesses, and create instability.

Scattered Lapsus$ Hunters impersonating Zendesk to manipulate support staff shows that technical defenses are becoming harder to bypass than human judgment. That leaves organizations with another unavoidable task: treating employee training and operational awareness as being as critical as the tools designed to protect them.


For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: