‼️🚨 A new npm supply-chain attack compromised 57 packages across over 286 malicious versions in under 2 hours. The attackers used self-replicating malware, a new version of the Miasma worm, which also used evasion techniques to stay under the radar.
The payload targets CI/CD and developer credentials, including GitHub Actions secrets, cloud credentials, Vault tokens, SSH keys, npm and GitHub tokens, and password-manager stores. This variant also injects AI coding assistant config files at `.claude`, `.cursor`, `.gemini`, and `.vscode` paths, a separate persistence and repo-poisoning angle.
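As an added defender-side example (not code from the original post or from any npm tooling), the script below walks a project tree and flags AI-assistant config directories that turn up inside installed dependencies, where a package has no legitimate reason to ship them; the directory names come from the post, while the function names and the sample tree (package names included) are constructed for illustration.

```python
"""Flag .claude/.cursor/.gemini/.vscode directories planted under node_modules.
Added example: the config paths are those named in the post; everything
else (function names, sample packages) is constructed and hypothetical."""
import os
import tempfile
from pathlib import Path

# Config locations the post says the worm variant writes into.
ASSISTANT_CONFIG_DIRS = {".claude", ".cursor", ".gemini", ".vscode"}


def scan_for_planted_configs(root):
    """Return sorted (package, relative_dir) pairs for assistant config dirs
    found inside any node_modules. The project's own top-level settings
    (e.g. ./.vscode) are ignored; a dependency carrying them is unusual
    enough that each hit deserves a manual review."""
    root = Path(root)
    hits = set()
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        for d in dirnames:
            if d not in ASSISTANT_CONFIG_DIRS:
                continue
            rel = (Path(dirpath) / d).relative_to(root)
            parts = rel.parts
            if "node_modules" not in parts:
                continue  # project-owned editor settings, not a dependency's
            # Package = component(s) right after the innermost node_modules;
            # scoped packages (@scope/name) span two components.
            i = len(parts) - 1 - parts[::-1].index("node_modules")
            after = parts[i + 1:-1]
            if not after:
                pkg = "<node_modules root>"
            elif after[0].startswith("@") and len(after) > 1:
                pkg = after[0] + "/" + after[1]
            else:
                pkg = after[0]
            hits.add((pkg, rel.as_posix()))
    return sorted(hits)


def build_sample_tree():
    """Constructed throwaway layout: one clean dep, one scoped dep with a
    planted .cursor dir, one nested dep with a planted .claude dir, plus the
    project's own legitimate .vscode. Package names are made up."""
    root = Path(tempfile.mkdtemp(prefix="npm-scan-"))
    (root / ".vscode").mkdir()
    (root / "node_modules" / "example-dep").mkdir(parents=True)
    planted = root / "node_modules" / "@example" / "widget" / ".cursor"
    planted.mkdir(parents=True)
    (planted / "rules").write_text("# constructed placeholder content\n")
    nested = root / "node_modules" / "example-dep" / "node_modules" / "nested-dep"
    (nested / ".claude").mkdir(parents=True)
    return root


if __name__ == "__main__":
    for pkg, path in scan_for_planted_configs(build_sample_tree()):
        print(f"{pkg}: {path}")
```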
🎣 What is Phishing?
Phishing is a type of cyber scam where criminals pretend to be trusted companies, banks, or even people you know to trick you into revealing passwords, banking details, or other sensitive information.
#CyberSecurity #dontgethacked #BeSecure
🚨WhatsApp allegedly targeted in 3 Billion record data leak
A threat actor on an underground forum is claiming to share a large dataset allegedly tied to WhatsApp users.
The actor claims the dataset contains roughly 3B records, with sample rows showing contact, location, and account activity-related fields.
What's allegedly exposed:
• First and last names
• Email address fields
• Cell phone number fields
• WhatsApp active status
• SMS delivery and verification fields
• Date fields
• Address, city, state, and country records
• Postal code fields
Details:
Target: WhatsApp
Country: Global
Sector: Messaging / Social Platform / User Data
Actor: NormalLeVrai
Claim: User database leak
Exposure: Roughly 3B records
Price: Free
Observed: May 23, 2026
Stop guessing what's redacted. Subscribers see everything: https://t.co/281Qjc6p2J
My South African friends, breaches keep happening. Sorry, 🤷🏻♂️
🇿🇦 A threat actor group identifying itself as “Nullsec” is claiming to have compromised the South African Revenue Service (SARS) and leaked data allegedly containing:
• email addresses
• passwords
• names
The underground post is relatively minimal and does not currently provide:
• record counts
• technical proof-of-compromise
• sample database rows
• infrastructure details
• intrusion methodology
The actor instead relies primarily on branding and broad claims to attract attention.
If legitimate, this would represent a highly sensitive government-sector cybersecurity incident because tax authorities typically maintain:
• national identity information
• taxpayer financial records
• corporate filings
• payroll/tax submissions
• banking-related data
• confidential citizen information
However, an important distinction must be made:
the screenshot alone does not validate that the exposed data genuinely originates from SARS systems. Underground actors frequently:
• repackage older credential leaks
• relabel unrelated datasets
• falsely associate government agencies
• combine public data with credential collections
• exaggerate breach impact for notoriety
One notable pattern:
hacktivist-style groups increasingly target government institutions for visibility and political signaling rather than purely financial motives.
The mention of:
“Nullsec Nigeria x Nullsec Philippines”
suggests possible cross-regional branding or collaboration narratives commonly used by underground groups to amplify reputation and perceived reach.
If any portion of the data is authentic, likely risks would include:
• credential stuffing attacks
• phishing against taxpayers
• government impersonation scams
• business email compromise attempts
• identity theft operations
Government-sector credential exposure is especially dangerous because attackers can leverage trust in official institutions to conduct highly effective fraud campaigns.
Users connected to government services should:
• avoid reusing passwords
• enable MFA where available
• monitor suspicious emails claiming to originate from tax authorities
• remain cautious of refund/payment-themed phishing messages
At this stage, the claim should be treated as unverified until independently confirmed by technical analysis or official disclosure.
🇿🇦 #DDW #Intelligence #CyberSecurity #SouthAfrica #Government #DataLeak #DarkWeb #ThreatIntelligence #Infosec #CyberThreats #OSINT #CredentialLeak #SARS
🇿🇦 A threat actor operating under the name “Nullsec” is claiming responsibility for compromising the State Information Technology Agency (SITA), the government-owned IT agency responsible for providing technology services to multiple South African state institutions.
According to the underground post, the alleged leak contains:
• names
• Gmail addresses
• password hashes
• plaintext/non-hashed passwords
• platform access information
The actor also references a downloadable leak package, suggesting the data is being publicly distributed rather than used solely for private extortion.
This is particularly significant because SITA plays a critical role in South Africa’s governmental digital infrastructure and supports numerous public-sector services and departments.
If authentic, even limited credential exposure tied to SITA environments could create risks including:
• government account compromise
• credential stuffing across public-sector systems
• phishing against officials
• lateral movement into connected agencies
• intelligence collection operations
• impersonation attacks targeting government personnel
The mention of both:
• hashed passwords
• non-hashed passwords
is especially concerning because it may indicate:
• poor credential storage practices
• plaintext credential exposure in logs/configurations
• legacy systems
• improperly secured exports
Another notable detail:
the actor specifically references “platform of entry,” which may imply:
• initial access vectors
• exposed panels
• compromised portals
• reused credentials
• third-party vendor access
From a geopolitical and cyber-intelligence perspective, government IT agencies remain extremely high-value targets because they often act as centralized technology hubs connecting:
• ministries
• citizen services
• procurement systems
• government email infrastructure
• identity systems
• interdepartmental platforms
Compromising a centralized IT provider can create cascading downstream exposure across multiple agencies.
At this stage, the authenticity and scope of the claims remain unverified.
Possible scenarios include:
• partial credential leak
• recycled datasets
• old credential dumps
• third-party contractor compromise
• phishing-derived access
• exposed development systems
• limited internal panel exposure rather than full infrastructure compromise
Still, organizations connected to public-sector ecosystems should immediately review:
• password reuse exposure
• MFA enforcement
• privileged account activity
• SSO integrations
• VPN access logs
• credential rotation policies
• exposed admin portals
• government contractor access
• suspicious authentication attempts
This incident also reflects a broader trend:
threat actors increasingly target centralized government technology providers because compromising one operational hub can potentially provide access paths into multiple institutions simultaneously.
🇿🇦 #DDW #Intelligence #CyberSecurity #SouthAfrica #SITA #DarkWeb #ThreatIntelligence #GovernmentSecurity #DataLeak #OSINT #Infosec #CyberThreats #CredentialLeak #PublicSectorSecurity
Need help finding publicly available information online?
We offer professional OSINT (Open Source Intelligence) services to help individuals and businesses gather digital intelligence legally and ethically. 🔍
📩 Contact us for more information. #cybersecurity #humanpatchza
🇹🇷 🇿🇦 Fresh Access Listings Target Companies in Turkey & South Africa
A threat actor has posted multiple initial access listings on a dark web marketplace, targeting organizations across energy, education, construction, aerospace, retail, and media sectors.
📊 Key Access Types:
• SSH (Local Admin / Root)
• Citrix Gateway (Domain User)
• RDP (Server Admin)
• RDWeb (Cloud Admin / Owner)
• VPN (SYSTEM-level access)
🌍 Targeted Regions:
• 🇿🇦 South Africa: Energy, University, Construction, Aerospace
• 🇹🇷 Turkey: Retail/E-commerce, Media/Publishing
🛡️ Security Stack Observed:
• Sophos, CrowdStrike Falcon, SentinelOne, Kaspersky
• Some listings claim “no EDR detected”
🧠 Threat Intelligence Insight:
• These are not exploits — they are ready-to-use access points
• Typically leveraged for:
  • Ransomware deployment
  • Data exfiltration
  • Lateral movement within enterprise networks
• Presence of EDR does not prevent access resale — it only raises attacker cost
⚠️ Potential Risks:
• Full enterprise compromise
• Supply chain impact across sectors
• High-value targets with significant revenue exposure
📊 Status: Unverified — based on underground marketplace listings
⸻
💬 The most dangerous breaches are the ones already inside — and for sale.
#CyberSecurity #ThreatIntel #DarkWeb #Ransomware #InitialAccess #EDR #DDW
Adumo has allegedly suffered a data breach involving the sale of approximately 14GB of sensitive technical data, reportedly including terminal SDKs, firmware, and payment processing source code.
This hits close to home. Our thoughts are with the teams at Lesaka Technologies and Lincoln Mali during what is undoubtedly a difficult moment.
Today is a stark reminder of the realities we all face in cybersecurity.
🇿🇦 Alleged Breach of Standard Bank & Liberty Holdings Systems
A threat actor claims to have gained access to systems belonging to Standard Bank and Liberty Holdings, maintaining persistence for over 3 weeks before exfiltration.
📊 Key Claims:
• Access reportedly obtained in late February
• Lateral movement across multiple enterprise platforms:
  • SharePoint
  • OneDrive
  • PowerApps
  • Jira / Confluence
  • Citrix & internal tools
• Databases impacted:
  • Microsoft & Oracle SQL environments
📦 Data Exposure:
• Claimed exfiltration of 1.2 TB of data
• Includes:
  • ~154 million SQL rows
  • Customer-related records (unverified)
🧠 Threat Intelligence Insight:
• The attack suggests:
  • Deep internal access, not a surface-level breach
  • Possible compromise of:
    • Identity systems
    • Enterprise SaaS integrations
• Multi-platform movement indicates:
  • Weak segmentation or excessive trust between systems
⚠️ Risk Implications:
• Financial sector targeting → high-value data
• Potential for:
  • Fraud
  • Identity theft
  • Secondary attacks using internal access
📊 Status: Unverified — no official confirmation yet
⸻
💬 Multi-platform lateral movement across SaaS and internal systems continues to be a major blind spot for large enterprises.
#CyberSecurity #DataBreach #ThreatIntel #Banking #DarkWeb #CTI #DDW
🚨 South African ISP Megasurf (https://t.co/qmkJZJ8DbJ) has been claimed as a ransomware victim by the Krybit threat group.
📅 Attack date: 9 April 2026
🦠 Group: Krybit
📂 Status: Publicly listed with leaked screenshot
- source https://t.co/dA7EsGTroz
As of April 2026, we will be actively sharing updates on companies across South Africa and the broader African region that have been affected by cyber incidents (Hacked). Stay tuned and keep an eye on our posts for the latest insights and alerts. #Besecure #dontgethacked