Alan Grant | SOC Analyst | 30 September 2025
Welcome to Fortian's September 2025 cyber environment update!
September saw a wave of significant cyber incidents highlighting the ongoing risks in supply chains and open-source ecosystems.
Arrests of Scattered Spider members underscored the challenge of disrupting decentralised groups, while the Shai-Hulud NPM worm demonstrated how trust in repositories can be weaponised at scale.
At the same time, global automakers faced ransomware and data theft, and NSW government organisations reported a rise in third-party breaches alongside three new ACSC advisories.
The cybercriminal group known as Scattered Spider (notable for its alleged involvement in high-profile attacks against brands such as Marks & Spencer, Harrods and, closer to home, Qantas) is facing sustained law enforcement pressure, with a mix of arrests, surrenders and sentencing across multiple jurisdictions. In late September, a teenage affiliate surrendered to police in Las Vegas, charged with extortion, identity theft and unlawful computer use. Similarly, arrests in the U.K. of Thalha Jubair and Owen Flowers linked the group to attacks on Transport for London and other entities, while U.S. courts recently sentenced group member Noah Michael Urban to a decade in prison and more than USD 13 million in restitution for his role in SIM-swapping and social engineering campaigns. Prosecutors allege Scattered Spider has extorted at least USD 115 million in ransom payments, underlining both the scale and persistence of its operations. (Cyberscoop, Krebs on Security, ITNews)
Scattered Spider exemplifies the decentralised and reputation-driven nature of modern cybercrime. Its members, largely English-speaking, have documented links to other groups including LAPSUS$ and ShinyHunters, with reputations and handles reused across campaigns. Whilst these arrests will have a positive impact, this is likely to be short-lived. Dismantling one cell does little to diminish the broader threat, as the hallmark methods of Scattered Spider, including social engineering, credential theft and lateral compromise, have already been widely copied across the cybercriminal ecosystem. The implication for organisations is that they must focus on countering the tactics by strengthening credential hygiene, insider threat monitoring and early detection, rather than assuming the problem disappears when individuals are taken off the field.
In mid-September the JavaScript ecosystem was disrupted by a worm-style supply chain compromise known as Shai-Hulud, which infected more than 500 Node Package Manager (NPM) packages. For context, NPM is the world’s largest package registry for JavaScript, providing open-source modules that serve as building blocks for modern applications. Popular sites and enterprise platforms may rely on hundreds of such dependencies, often maintained by volunteers.
In this case, malicious code was added to widely used packages such as @ctrl/tinycolor, triggering post-install scripts that scanned for sensitive credentials including NPM tokens, GitHub personal access tokens and cloud API keys. These were exfiltrated to a public GitHub repository named “Shai-Hulud,” before being used to republish malicious versions of other packages under trusted maintainers’ namespaces. This self-replicating behaviour meant the worm could spread rapidly and affect projects far beyond those that explicitly imported the compromised modules. (CISA, KrebsOnSecurity)
The significance of this attack lies in both its scale and automation. Unlike previous one-off account takeovers, Shai-Hulud behaved like a worm, exploiting trust relationships within the NPM registry to propagate itself across the ecosystem. The open-source software supply chain is now an active attack surface, and defending against this new generation of self-propagating compromises requires moving from trust to verification across every stage of the development lifecycle.
The US Cybersecurity and Infrastructure Security Agency (CISA) has advised that even organisations not directly using the affected packages may be at risk through nested dependencies and transitive installs. Mitigation guidance includes:
September saw a string of seemingly unrelated cyber incidents affecting leading carmakers, highlighting the sector’s growing exposure to ransomware, supply chain breaches, and intellectual property theft. Automakers affected included the following:
Taken together, these incidents indicate that automakers are being targeted across several aspects of their digital footprint: third parties, subsidiaries and their core operations. Attackers are going after customer records as well as compliance data, design and intellectual property information, along with live manufacturing environments.
Different groups, from Everest to Qilin to Scattered Lapsus$ Hunters, have claimed responsibility, so the clustering of these attacks appears to be coincidence rather than a coordinated campaign. Regardless, it seems evident that cybercriminals increasingly view automakers as high-value targets, exploiting suppliers and subsidiaries as weak points in the chain.
Cyber incidents tied to third-party systems used by New South Wales government agencies have more than quadrupled over the past two years, according to figures released under the state's Government Information (Public Access) Act. In FY 2023-24 the state recorded 17 such incidents, more than double the eight from the previous year and over four times the number from FY 2021-22. (ITnews)
While the NSW Government says agencies are required to embed cybersecurity obligations into vendor contracts and conduct vendor risk assessments, the sharp increase suggests that oversight of third parties remains a persistent vulnerability. This is a recurring theme across sectors, from global SaaS providers to automotive supply chains, where attackers often exploit weak external links in addition to breaching core systems directly.
A 36-year-old man from Tomakin, NSW, has been charged by the Australian Federal Police in relation to a mobile phishing (smishing) scam targeting customers of a telecommunications provider. The alleged campaign began in August 2025, when the suspect sent text messages warning recipients of "service restrictions" and directing them to a malicious website designed to harvest personal and banking data. Authorities seized computers, laptops, mobile devices and SIM cards (some devices were even found hidden in an in-ground drain), and forensic analysis revealed files containing credentials and personally identifiable information. (AFP)
The Akira ransomware gang has allegedly breached Intellect Systems, a Perth-based operational technology and engineering firm recently acquired by Quanta Services, claiming to have stolen 10GB of highly sensitive corporate and personal data including passports, contracts and financial records. The attack is tied to Akira's wider campaign exploiting SonicWall firewall vulnerabilities (notably CVE-2024-40766 and related flaws), with researchers at Rapid7 noting the group's abuse of weak credentials, misconfigured LDAP default groups and SonicWall's Virtual Office Portal to bypass MFA and gain access. The incident highlights Akira's ongoing targeting of Australian organisations and underscores persistent weaknesses in firewall configuration and patch management. (Cyberdaily)
In September 2025, The Property Business Australia, a Sydney real estate firm, was allegedly breached by the Kairos ransomware gang. Attackers claimed to have stolen sensitive tenant and agent data, including ID scans, credit card details, and tenancy agreements, posting samples on their dark web site. Kairos, active since 2024, gave the firm seven days to respond or risk public data leaks and further reputational damage. The company has declined to comment. (REB)
The ACSC published three advisories in September, covering Cisco and SonicWall vulnerabilities as well as online code repositories.
The ACSC raised the alarm on an ongoing wave of attacks targeting online code repositories, warning that threat actors are using phishing, stolen credentials, malicious packages and token abuse to access private or public repos. (ACSC)
This alert dovetails closely with the recent CISA advisory on the Shai-Hulud NPM worm, outlined above.
The ACSC advises organisations to:
Across September 2025, a recurring theme has been the exploitation of trust, whether in open-source ecosystems, SaaS integrations, government supply chains, or industrial partnerships. From the self-replicating Shai-Hulud NPM worm to the growing wave of third-party breaches in both government and the private sector, adversaries are increasingly targeting weaker external links.
For Australian organisations, the key takeaway is that supply chain security must be treated as a frontline priority, not a compliance exercise. That means embedding enforceable security obligations in vendor contracts, validating and monitoring third-party integrations, and investing in rapid detection and response. Repositories and code pipelines must be treated as part of the attack surface: enforce phishing-resistant MFA for developers, rotate tokens, scan repos for exposed secrets, and validate package provenance before deployment.
Request a consultation with one of our security specialists today or sign up to receive our monthly newsletter via email.