Cisco Zero-Days, Shai-Hulud Worm & CISA Alerts – 09/25/2025

September 24, 2025

Today’s security landscape is dominated by multiple actively exploited zero-day vulnerabilities in Cisco firewalls, prompting an emergency directive from CISA for immediate patching. A massive software supply chain attack, dubbed ‘Shai-Hulud,’ has compromised over 500 npm packages, affecting millions of downloads. We are also covering the significant financial fallout from the Co-op cyberattack and a critical data exposure flaw in a popular call-recording app. This digest provides essential details on these high-priority threats.

Top 5 Critical Security Alerts

  • Cisco warns of ASA firewall zero-days exploited in attacks: Cisco has disclosed two critical zero-day vulnerabilities in its ASA and FTD firewall software that are being actively exploited in the wild, urging immediate patching.
  • CISA orders agencies to patch Cisco flaws exploited in zero-day attacks: CISA has issued an emergency directive ordering all U.S. federal agencies to secure their Cisco firewall devices against the two actively exploited zero-day flaws within one day.
  • As many as 2 million Cisco devices affected by actively exploited 0-day: Security scans reveal that up to two million Cisco devices with vulnerable SNMP interfaces are exposed to the internet, significantly increasing the attack surface for this exploited flaw.
  • Massive npm infection: the Shai-Hulud worm and patient zero: A widespread software supply chain attack involves a self-replicating worm named ‘Shai-Hulud,’ which has infected over 500 npm packages with millions of downloads.
  • Critical Vulnerability in Salesforce AgentForce Exposed: A critical flaw dubbed ‘ForcedLeak’ in Salesforce’s AgentForce AI platform allows for sensitive CRM data exfiltration through indirect prompt injection attacks.

Threat Intelligence

  • Microsoft warns of new XCSSET macOS malware variant targeting Xcode devs: Microsoft Threat Intelligence has identified a new variant of the XCSSET macOS malware, which now includes enhanced features for browser targeting and clipboard hijacking.
  • Malicious Rust packages on Crates.io steal crypto wallet keys: Two malicious packages on Rust’s official Crates.io repository, downloaded nearly 8,500 times, were found scanning developer systems to steal cryptocurrency private keys.
  • Unofficial Postmark MCP npm silently stole users’ emails: A malicious npm package impersonating the official ‘postmark-mcp’ library was discovered exfiltrating user email communications via a single line of malicious code.

Security Breaches & Incidents

  • Co-op says it lost $107 million after Scattered Spider attack: UK retailer The Co-op has reported a massive operating loss of £80 million ($107 million) as a direct result of the cyberattack it suffered in April.
  • Viral call-recording app Neon goes dark after exposing users’ phone numbers, call recordings, and transcripts: The popular iPhone app Neon was pulled offline after a major security bug was discovered that allowed any user to access the call recordings and transcripts of other users.

Security Tools & Best Practices

  • How secure are passkeys, really? Here’s what you need to know: Passkeys offer significant advantages over traditional passwords by providing phishing resistance and simpler logins, though some hurdles to widespread adoption remain.

Cloud & Network Security

  • Chinese APT Drops ‘Brickstorm’ Backdoors on Edge Devices: The China-linked cyber-espionage group UNC5221 is actively compromising network edge devices with new versions of the ‘Brickstorm’ backdoor to evade traditional EDR solutions.

Security Standards & Frameworks

  • CISA urges orgs to review software after ‘Shai-Hulud’ supply chain compromise: In response to the ‘Shai-Hulud’ worm, CISA is urging all organizations to diligently review their software supply chains for potential compromise from infected packages.

Chris Armour, Director of Software Engineering
The Breaker & Builder.

Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.
