Transcript
A (0:01)
Hey, there's no Thursday show. What gives? If you thought that, you're right. This is the episode we ran yesterday, but we made a mistake on a company name. We should have said SitusAMC. We said something that sounded a lot like another company's name. Now, we think a lot before we name a company that has involvement in a breach. We're never playing a blame game. We're only trying to make sure our listeners know what to look for and get the facts. And speaking of the facts, we were wrong, so we corrected the recording, and our apologies, and I'm only going to whisper this once, to Ascensus, who are in no way involved in this breach and, God bless them, have been most understanding and accepted my sincere apologies. We try to get it right every day. When we get it wrong, we'll tell you. No excuses. But also, thanks to our listeners who alerted me before the company spotted it, so I was already working on correcting the error. You are the best and you keep us honest. Just a reminder before we get started that because of the holiday, the American Thanksgiving, our weekend show will air on Friday and continue through the weekend. David Shipley will be back on Monday morning. And now, a more accurate version of the show.

Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.

US banks assess fallout after data theft attack. Clop claims Broadcom in Oracle ERP breach campaign. StealC malware hides inside Blender files in a new supply chain attack. Shai-Hulud worm compromises 500 npm packages. And old tricks still work with phishing scammers. This is Cybersecurity Today. I'm your host, Jim Love.

US banks are assessing the fallout from a major security breach at SitusAMC, a financial technology vendor that provides recordkeeping, transaction processing and regulatory compliance to major institutions. TechCrunch reported that the ransomware group ALPHV, also known as BlackCat, claims it stole three terabytes of data from the company in early November. SitusAMC confirmed the incident on its website, saying the attack involved data theft only, not encryption. That means systems weren't locked, but information was taken. The company said it brought systems offline, launched an investigation and notified federal regulators. The FBI is involved, and the bureau's director issued a public statement confirming the investigation. Banks that rely on SitusAMC told TechCrunch that they're still trying to determine what information was taken. The attackers posted sample documents online to prove access, but neither SitusAMC nor its clients have identified the full scope of the exposure. Based on the history of the ALPHV group, however, this type of operation typically targets files sensitive enough to justify demanding payment from large institutions. For now, the industry is in assessment mode, but it's likely we'll learn more in the days ahead as investigators determine what was taken and who may ultimately be affected.

Clop, the ransomware group behind the wave of attacks on companies running Oracle's E-Business Suite, is now claiming Broadcom as its latest victim. The group added Broadcom to its leak site as part of the same campaign that's believed to have affected anywhere from 30 to 100 large organizations through zero-day vulnerabilities in Oracle's financial operations software. Broadcom isn't confirming a breach, but it isn't denying one either. In a statement, the company said Broadcom uses Oracle's E-Business Suite for certain internal corporate financial operations. Like many organizations that use this software, Broadcom has been targeted by cybercriminals who have exploited zero-day vulnerabilities in the Oracle product. Broadcom has forensically examined and patched our Oracle system to remediate the vulnerabilities. Broadcom added that its core systems remain intact, Broadcom operations are unaffected, and we are confident in the integrity of our financial data. If any of the limited types of data processed in Oracle are unlawfully disclosed, we do not expect it to pose significant risk to any of our customers, vendors, partners or employees. Oracle has issued a patch for the exploited flaw, and most organizations are expected to have applied it by now. But with Clop continuing to name victims publicly, often before companies can complete their internal reviews, we may see more names surface in the days ahead, either from investigations or from the attackers themselves.

A new malware campaign is hiding malicious code inside Blender 3D models, turning an everyday creative workflow into an entry point for attackers. BleepingComputer reports that tainted .blend files, often shared on freelancing sites and model repositories, contain Python scripts that execute the moment the file is opened. Blender includes an autorun feature designed to support rigged models and animation tools, and since many users leave autorun enabled for convenience, attackers are taking advantage of that default behavior. The payload is called StealC, a rapidly evolving information-stealing malware. This latest version targets more than 23 browsers, supports server-side credential decryption, and works with the newest Chrome builds. It goes after 100 cryptocurrency wallet extensions, 15 standalone wallet apps and communication tools like Telegram, Discord, Tox and Pidgin. It also collects data from VPN and mail clients, includes an updated UAC bypass, and uses an encrypted multi-stage delivery chain that hides most of the malicious logic from scanners. What makes this even more concerning is that StealC has been on the radar since 2023 and it's still slipping past defenses. Morphisec reports that no security engine on VirusTotal detected the StealC variant they analyzed, meaning a single model file can trigger a silent compromise with no anti-malware warning at all. Researchers say that the group behind this campaign is skilled at planting StealC into widely shared packages. And when a standard Blender model can quietly deliver a highly capable infostealer, helped along by an autorun feature many users forget to disable, it becomes yet another serious supply chain risk.

A new supply chain attack is sweeping through the JavaScript ecosystem, and it shows how fragile that ecosystem is. BleepingComputer reports that a self-replicating malware called Shai-Hulud has compromised about 500 npm packages after attackers gained access to maintainer accounts and published backdoored versions of widely used modules. Once a developer installs one of the tainted packages, the malware runs. During npm's install process, it scans the victim's environment using tools like TruffleHog to harvest GitHub tokens, npm credentials and cloud secrets. These stolen credentials are then pushed to attacker-controlled GitHub repos in plain sight. With those tokens in hand, the malware can republish itself into even more packages, turning the open source ecosystem into its distribution network. These compromised libraries belong to trusted publishers and sit deep in dependency trees. And as a result, trusted developers may be installing malware because a package they've used for years was silently updated by someone with hijacked credentials. And the truth is, there's no quick fix. The supply chain has multiple points where it could be compromised: GitHub repos, npm accounts, CI systems, automation scripts, and the dependencies themselves. It takes work to validate what you're installing, but blindly pushing updates from npm is no longer safe. The weakness isn't one library, it's how much trust we place in an ecosystem, and where a single bad publish can ripple through thousands of projects.

But not every cyber attack involves zero-days or high-end malware kits. Cybersecurity News reports a phishing campaign targeting Microsoft account holders using a simple visual swap: replace the letter M with the characters R and N. In many fonts, especially on phones, Rnicrosoft.com looks almost identical to Microsoft.com. Attackers are using these lookalike domains to send fake password reset notices and security alerts that lead to phishing pages. Once a victim enters their Microsoft credentials, attackers gain access to email, OneDrive files, Teams chats, and anything tied to that identity. Because the technique relies on visual deception rather than malware, traditional security tools often don't detect it. And as the holiday shopping rush gets underway, flooding inboxes with shipping updates, promotions and account alerts, this kind of low-tech phishing becomes even more effective. And hey guys, I'm not the God of all this, but one rule I have adopted: I will not, repeat, not enter credentials into anything that's linked to a site that has been supplied to me in email or any other way. I will go on and type the name of that company, that URL, myself, and if I can't find what they sent me, I don't care. It doesn't exist. But that's just me. And simple, dumb things like this may be the big thing we can use to help ourselves. Because while we focus on complex threats like AI-driven attacks and supply chain compromises, the simplest tactics still work because they exploit human attention and not software flaws. And that's our show.

And in the spirit of Thanksgiving, we'd like to thank Meter for their support in helping bring you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST. That's M-E-T-E-R dot com CST. And in our tradition of taking both US and Canadian holidays, we'll be taking the Thanksgiving holidays, and our weekend shows will be running Thursday to Sunday. David Shipley will be back on Monday morning with the cybersecurity news. I'm your host, Jim Love, and to our US audience, Happy Thanksgiving, and to everyone, thanks for listening.
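As an added example (not part of the podcast), here is a defender-side check in Python for the rn-for-m swap described in the phishing story: it collapses visually confusable ASCII sequences in the domains found in a message and flags any that then match a protected brand, going a little beyond the story by also handling vv, cl, 0 and 1. The brand list, regexes and sample message are constructed for this example.

```python
import re
from urllib.parse import urlparse

# Brand domains to protect (constructed list for this example).
PROTECTED = {"microsoft.com", "onedrive.com"}
# ASCII sequences that read alike in many fonts, especially on phones; the
# story's rn -> m swap plus a few others. Multi-character pairs go first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@([\w.-]+\.[a-z]{2,})", re.IGNORECASE)

def skeleton(domain):
    """Collapse a domain to what a reader 'sees': rnicrosoft.com -> microsoft.com."""
    s = domain.lower()
    for seq, rep in CONFUSABLES:
        s = s.replace(seq, rep)
    return s

def registrable(host):
    """Naive eTLD+1 (last two labels); enough for the .com brands above."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def extract_domains(text):
    """Registrable domains from every URL and e-mail address in a message."""
    hosts = [urlparse(u).hostname for u in URL_RE.findall(text)]
    hosts += EMAIL_RE.findall(text)
    return {registrable(h) for h in hosts if h}

def find_lookalikes(text):
    """Map each lookalike domain in text to the protected brand it imitates."""
    by_skeleton = {skeleton(p): p for p in PROTECTED}
    hits = {}
    for domain in extract_domains(text):
        if domain in PROTECTED:
            continue  # the genuine domain is never a lookalike
        brand = by_skeleton.get(skeleton(domain))
        if brand:
            hits[domain] = brand
    return hits

# Constructed sample message modelled on the password-reset lure in the story.
SAMPLE = """From: Microsoft Account Team <no-reply@rnicrosoft.com>
Reset your password: https://login.rnicrosoft.com/reset?id=42
Your files are safe at https://micr0soft.com/onedrive
Official help: https://support.microsoft.com/account
"""

if __name__ == "__main__":
    for bad, brand in sorted(find_lookalikes(SAMPLE).items()):
        print(f"lookalike {bad!r} imitates {brand!r}")  # flags the rn and 0 swaps
```

The genuine support.microsoft.com link is left alone because its registrable domain is in the protected set; only domains that merely look like a brand are reported.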
