Transcript
A (0:01)
Hackers left nearly empty-handed after massive NPM attack. New Void Proxy phishing service targets Microsoft and Google accounts. Some Jaguar suppliers facing bankruptcy, and Marks and Spencer tech chief leaves months after cyber attack. This is Cybersecurity Today and I'm your host, David Shipley. And I'm coming to you once again from the road, this time from the good city of Toronto, where I'll be speaking at the RSA E Fraud Canada Summit later this week. A single phishing attack led to the infection of up to 10% of global cloud environments. You heard that right. Last week we got a stark reminder of just how fragile our software supply chain can be, with the latest in what researchers are calling the largest supply chain compromise in NPM history. With a single account compromise, attackers slipped malicious code into packages downloaded billions of times a week. This incident started when popular NPM maintainer Josh Junon, known as Qix, fell for a phishing lure that reset his credentials. Attackers pushed malicious updates using those credentials to widely used packages, including chalk and debug. Together, those libraries see 2.6 billion downloads every week. The injected code tried to steal cryptocurrency. According to cybersecurity firm Wiz, during the two hours the malicious versions were online, they reached 10% of cloud environments. That shows just how fast malicious code can ripple across our modern ecosystems. The open source community acted quickly, removing the packages within hours. And while organizations face cleanup and audit work, fortunately the damage appears limited. The same phishing campaign also hit DuckDB's maintainer. The attackers' total haul from these recent attacks: about $1,000. The damage to companies: likely in the tens of thousands, if not hundreds of thousands, of dollars in response and cleanup costs. What they could have done if they hadn't just been small-time crypto thieves, as the old MasterCard ad used to say: priceless.
This time the impact was small. But the lesson here is big. Once a trusted maintainer is breached, malicious code can spread at lightning speed across the web. This constant drumbeat of recent software supply chain attacks feels like we're heading for a catastrophic moment, and no one seems to have the solution on how to stop that from happening. And the tools to make that moment happen are getting even more powerful. Researchers have uncovered a new phishing-as-a-service platform with some dangerous new tricks. It's called Void Proxy, and it targets Microsoft 365 accounts, Google accounts, and even Okta single sign-on users. Okta's threat intelligence team describes it as scalable, evasive, and sophisticated. At its core, Void Proxy uses adversary-in-the-middle tactics to steal credentials, things like MFA codes and even session cookies, in real time. Here's how it works. Phishing emails come from already compromised accounts at providers like Constant Contact or ActiveCampaign. The emails contain shortened links that bounce through multiple redirects before landing on the real phishing site. Those sites sit on cheap domains like .icu, .sbs and .xyz, all shielded by Cloudflare. Victims first see a Cloudflare CAPTCHA, which asks them to confirm they're human, and then selected targets get fake Microsoft or Google logins. This move blocks automated scans used by email filters and other security tools. Users enter their credentials, and Void Proxy silently proxies them to the real servers, capturing everything along the way. The most dangerous part? Session cookies. Once issued by Microsoft or Google, Void Proxy intercepts them and hands a copy straight to attackers. That gives them full access, no password or MFA needed again, until the tokens expire. Okta says users with its FastPass service were protected and even warned about the attacks in real time. The lesson here is clear.
MFA isn't always good enough, and certainly not on its own against a sophisticated, determined attacker. This discovery underscores an important trend: phishing-as-a-service is lowering the barrier for advanced attacks. Defending against them requires a robust, defense-in-depth approach with people, process, culture and technology. Never rely on any vendor's claim that any one approach or technology is phishing-proof or phishing-resistant. It takes multiple layers to be resilient against this threat. Speaking of people, it's important to always remember that cyber attacks don't just take a toll on technology. There's always a human cost too, and our next two stories bring that price into clearer focus. One of the UK's biggest automakers is still reeling from a cyber attack, and the impact is rippling across its supply chain. Jaguar Land Rover has been offline since September 1, shutting down production in the UK. Losses are already at over 50 million pounds, with daily costs now running as high as 10 million pounds. But experts warn the real danger of this attack and its disruption is to Jaguar Land Rover's suppliers. Many are small and medium-sized firms that rely heavily on JLR. The supply chain supports a quarter of a million jobs. Some companies are already laying off staff, while others are sending workers home. If the outage continues, some suppliers could go bust. Unions and lawmakers are urging the government to consider emergency employee supports. Jaguar Land Rover says it shut down systems deliberately to protect them. But restarting has not been simple. Some of its data may also have been accessed, and the UK's National Cyber Security Centre is now involved. This incident shows a hard truth. When a company at the top of the supply chain is hit, the shockwaves can put thousands of jobs at risk. Protecting critical manufacturers means protecting entire ecosystems full of small and mid-sized businesses.
And finally, a leadership change at Marks and Spencer. Just months after its massive cyber attack, the retailer's chief digital and technology officer, Rachel Higham, is stepping down. She joined Marks and Spencer last year after senior roles at BT and WPP. An internal memo praised her as, quote, a steady hand at an extraordinary time, end quote. That extraordinary time, of course, was the April attack by Scattered Spider, which halted online operations and cost over £300 million in damages. Marks and Spencer has confirmed her departure, but hasn't said if the role will be filled. What is clear is the strain that cyber attacks place on IT leaders and their teams. When operations stop and losses mount, executives shoulder tremendous responsibilities. And cyber incidents don't just cost money. They can shape careers, test leadership, and they can be tremendously traumatic to IT and response teams. Those are your updates for Monday, September 15th. As always, stay skeptical, stay patched, and remember, take care of your people before and after a cyber incident. We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video. Please help us spread the word about the show: like, subscribe, or leave a review. And if you enjoy the show, please tell others. We'd love to grow our audience, and we need your help. I've been your host, David Shipley. Jim Love will be back on Wednesday.
