Cybersecurity Today – NPM Attack Leaves Hackers Empty Handed
Host: David Shipley (subbing for Jim Love)
Date: September 15, 2025
Episode Overview
This episode delivers urgent updates on recent cybersecurity threats, including an unprecedented NPM supply chain attack, new sophisticated phishing-as-a-service offerings, the ripple effects of cyberattacks on the automotive supply chain, and a significant leadership change at Marks and Spencer after a major cyber incident. Host David Shipley emphasizes not just technical impacts, but also human and organizational consequences.
Key Discussion Points & Insights
1. Massive NPM Supply Chain Attack
- Summary:
Attackers compromised a top NPM maintainer’s account (Qix/Josh Junon), injecting malicious code into popular packages (notably chalk and debug js), collectively downloaded 2.6 billion times weekly.
- Impact:
- Compromised up to 10% of global cloud environments in just two hours.
- Code attempted to steal cryptocurrency; attackers netted only ~$1,000.
- Cleanup costs for organizations were projected in the tens or hundreds of thousands of dollars.
- Open source community responded rapidly; packages removed within hours.
- Quote:
- “Once a trusted maintainer is breached, malicious code can spread at lightning speed across the web.” (David Shipley, 03:16)
- Insight:
- The damage was limited this time, but the event is a warning about software supply chain fragility and growing attack speed.
- Timestamps:
- [00:30] Attack summary and technical details
- [02:10] Open source response and attack aftermath
- [03:00] Lessons learned and warnings
2. Void Proxy: New Phishing-as-a-Service Platform
- Summary:
"Void Proxy" targets Microsoft 365, Google accounts, and Okta SSO, employing adversary-in-the-middle tactics to harvest credentials, including MFA codes and session cookies.
- How It Works:
- Malicious emails sent from previously compromised accounts (e.g., Constant Contact, ActiveCampaign).
- Links use layered redirects; final phishing pages hosted on obscure TLDs and protected by Cloudflare.
- Victims face a Cloudflare captcha, then are phished for login credentials.
- Attackers intercept session cookies for full account access, bypassing even MFA until tokens expire.
- Quote:
- “The most dangerous part? Session cookies. Once issued by Microsoft or Google, Void Proxy intercepts them and hands a copy straight to attackers… no password or MFA needed again until the tokens expire.” (David Shipley, 06:00)
- Defensive Measures:
- Okta’s FastPass service protected users and alerted them in real time.
- Shipley stresses that MFA alone is not sufficient against modern phishing.
- Big Picture:
- Phishing as a service is making advanced attacks accessible to less skilled attackers.
- Defense must be layered—combining people, processes, and technology.
- Timestamps:
- [04:25] Introduction to Void Proxy
- [05:10] Attack methods and technology
- [06:20] Real world defenses & recommendations
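One way a defender can hunt for the session-cookie replay described above, as an added example that is not from the episode: it flags a session ID that is later presented by a different client than the one that first used it. The event fields, session IDs and sample records are constructed and do not follow any vendor's log schema.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session_id: str   # identifier of the issued session cookie/token (assumed field)
    ip: str
    user_agent: str

def find_replayed_sessions(events):
    """Report sessions used by more than one (ip, user_agent) fingerprint.

    The first fingerprint seen for a session is treated as its origin; each
    later, different fingerprint is reported once."""
    first_seen = {}      # session_id -> Event that first used the session
    reported = set()     # (session_id, ip, user_agent) already reported
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        origin = first_seen.setdefault(ev.session_id, ev)
        fp = (ev.ip, ev.user_agent)
        if fp == (origin.ip, origin.user_agent):
            continue
        key = (ev.session_id, *fp)
        if key not in reported:
            reported.add(key)
            findings.append({
                "user": ev.user,
                "session_id": ev.session_id,
                "origin_ip": origin.ip,
                "replay_ip": ev.ip,
                "seconds_after_first_use": int((ev.ts - origin.ts).total_seconds()),
            })
    return findings

# Constructed sample events (documentation IP ranges, made-up session IDs).
T = datetime.fromisoformat
SAMPLE = [
    Event(T("2025-09-15T09:00:00"), "alice", "sess-A1", "198.51.100.7", "Chrome/140 Windows"),
    Event(T("2025-09-15T09:00:40"), "alice", "sess-A1", "203.0.113.50", "python-requests/2.32"),
    Event(T("2025-09-15T09:05:00"), "alice", "sess-A1", "198.51.100.7", "Chrome/140 Windows"),
    Event(T("2025-09-15T09:10:00"), "bob", "sess-B2", "192.0.2.10", "Firefox/142 macOS"),
    Event(T("2025-09-15T09:30:00"), "bob", "sess-B2", "192.0.2.10", "Firefox/142 macOS"),
]

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE):
        print(finding)
```

Roaming and mobile users legitimately change IP address mid-session, so a finding is a lead to correlate with other sign-in risk signals before revoking the session.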
3. Jaguar Land Rover Attack and Supply Chain Fallout
- Summary:
Jaguar Land Rover's production has been halted since September 1 due to a cyberattack, with immediate and severe effects on its supply chain.
- Impact:
- Over £50 million in losses; daily costs up to £10 million.
- Suppliers—often small or mid-sized businesses—are at risk of bankruptcy, with layoffs and furloughs beginning.
- Incident highlights how attacks on large manufacturers threaten broader economic ecosystems and employment.
- Quote:
- “When a company at the top of the supply chain is hit, the shockwaves can put thousands of jobs at risk.” (David Shipley, 09:03)
- Timestamps:
- [07:30] Attack overview and production impact
- [08:15] Supply chain ripple effects and government response
4. Marks and Spencer CTO Departure After Cyber Incident
- Summary:
Chief Digital and Technology Officer Rachel Higham steps down shortly after overseeing the response to April’s Scattered Spider attack that halted online operations and cost the retailer £300 million.
- Organizational Impact:
- Leadership changes and lasting strain on IT teams emphasized.
- Internal memo praised Higham as “a steady hand at an extraordinary time.”
- Quote:
- “Cyber incidents don’t just cost money. They can shape careers, test leadership and they can be tremendously traumatic to IT and response teams.” (David Shipley, 10:53)
- Timestamps:
- [09:50] Leadership change announcement
- [10:30] Human impact of attack on leadership and teams
Memorable Quotes
- “What they could have done if they hadn’t just been small time crypto thieves, as the old MasterCard ad used to say, priceless.” (David Shipley, 02:45)
- “MFA isn’t always good enough, and certainly not on its own against a sophisticated, determined attacker.” (David Shipley, 06:22)
- “Protecting critical manufacturers means protecting entire ecosystems full of small and mid sized businesses.” (David Shipley, 09:30)
- “Always remember, take care of your people before and after a cyber incident.” (David Shipley, 11:17)
Takeaways & Final Thoughts
- Software supply chains are increasingly brittle; one credential compromise can threaten global systems almost instantly.
- Modern phishing is highly sophisticated, capable of bypassing traditional defenses, including MFA.
- Major cyberattacks cascade down to smaller suppliers, putting entire economic ecosystems at risk.
- Cyber incidents are deeply personal for leaders and response teams; their career paths and well-being are on the line as much as corporate data.
- Comprehensive defense and empathy—technological and human—are both essential.
Calls to Action
- Remain skeptical and vigilant.
- Stay patched.
- Prioritize people as much as technology before and after security incidents.
- Share feedback and support awareness for smarter, safer businesses.
