Cyber Briefing: 2025.07.23
Iran-linked MuddyWater deploys DCHSpy amid conflict. npm phishing, Lumma Stealer resurgence, US nuclear breach, AMEOS hack, UK ransomware fallout, Clorox sues Cognizant over 2023 cyberattack.
👉 What's happening in cybersecurity today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. MuddyWater Uses DCHSpy Amid Iran-Israel Clash
Lookout discovered new samples of the Android surveillanceware DCHSpy, leveraged by the Iranian cyber espionage group MuddyWater, approximately one week after the start of the Israel-Iran conflict. These new samples exhibit enhanced data collection capabilities, including WhatsApp data, and are being distributed using lures that appear to center around Starlink internet services.
2. npm Phishing Emails Target Developer Logins
A sophisticated phishing campaign is targeting Node.js developers by impersonating the npm package registry through the typosquatted domain "npnjs.com." This attack aims to compromise high-value developer accounts, potentially infecting millions of downstream projects by tricking maintainers into revealing their credentials on a fake login page.
3. Lumma Stealer Returns with New Stealth Tactics
The Lumma infostealer malware operation is slowly coming back online after a large law enforcement action in May seized 2,300 domains and parts of its infrastructure. Despite the disruption, Lumma's operators quickly began rebuilding, and the malware-as-a-service (MaaS) platform is now almost back to its previous activity levels, using new distribution channels and infrastructure providers to avoid future takedowns.
💥 Cyber Incidents
4. US Nuclear Agency Breached in SharePoint Hack
Chinese government-affiliated hacking groups exploited a flaw in Microsoft's SharePoint software, leading to a breach of the National Nuclear Security Administration, though no sensitive data was reportedly leaked. This incident is part of a wider series of attacks affecting over 50 organizations, and Microsoft has now patched the vulnerability.
5. European Healthcare Network Breached
The AMEOS Group, a major Central European healthcare provider, announced a security breach impacting customer, employee, and partner data, as mandated by GDPR. In response, AMEOS shut down IT systems, engaged experts, informed authorities, and filed a police report, while advising affected individuals to remain vigilant.
6. Weak Password Triggers Ransomware on Old Firm
A single compromised password led to the downfall of KNP, a 158-year-old British transport company, displacing 700 employees and underscoring the severe consequences of cybersecurity vulnerabilities for UK businesses. This incident highlights the escalating ransomware threat, with thousands of UK companies targeted annually, prompting calls for stronger defenses and potential governmental intervention.
📢 Cyber News
7. Global Ransomware Attacks Drop 43% in Q2
Global ransomware attacks dropped by 43% in Q2 2025, totaling 1180 incidents, a significant decrease from Q1's 2074 attacks. This decline is largely attributed to successful law enforcement actions and internal conflicts within ransomware groups, despite a record number of new active attack groups emerging this year.
8. UK Advances Plan to Mandate Ransomware Reports
The British government is moving forward with proposals to combat ransomware, including a potential ban on payments by critical entities and mandatory reporting, though experts question the effectiveness and resourcing of these measures. While these steps signal a more serious approach, concerns remain about their practical impact on attacker behavior and law enforcement's capacity to utilize the increased intelligence.
9. Clorox Sues Cognizant Over 2023 Cyberattack
Clorox is suing its former IT service desk provider, Cognizant, for $380 million, alleging direct responsibility for a costly August 2023 cyber-attack. The lawsuit claims Cognizant's failure to follow proper protocols and identity verification led to hackers gaining access to Clorox's corporate network, causing months of operational disruption and significant financial losses.
📈 Cyber Stocks
Cybersecurity stocks declined on Wednesday, July 23, 2025, as macroeconomic uncertainty and valuation concerns weighed on the broader tech sector.
Okta (OKTA) slipped 0.23% to $95.65, as investors reassessed valuations across AI-focused software stocks amid a broader tech sector pullback.
Radware (RDWR) dropped 2.52% to $29.04, due to profit-taking and a sector-wide rotation ahead of the Q2 earnings season.
CrowdStrike (CRWD) fell 2.17% to $471.23, pressured by rebalancing away from high-valuation AI names and concerns over concentration risk in megacap tech.
Palo Alto Networks (PANW) declined 1.58% to $196.73, as the stock cooled off following a strong AI-driven rally and growing investor caution around cybersecurity spending forecasts.
Fortinet (FTNT) eased 1.99% to $104.81, as profit-taking followed recent gains and broader consolidation across the technology sector.
💡 Cyber Tip
Be Cautious as Fake npm Login Pages Target Developer Credentials
A phishing campaign is impersonating the official npm package registry to steal developer login credentials. By swapping the “m” with “n” in the domain name (npnjs.com), attackers have created a convincing fake site that mirrors the real npm interface. The campaign uses spoofed emails and tracking links to lure developers into entering credentials, putting widely used packages and millions of downstream projects at risk.
✅ What you should do
Always double-check URLs before logging in, especially for developer platforms and registries.
Do not click on links from unsolicited or unexpected emails claiming to be from npm or support teams.
Enable two-factor authentication (2FA) on your npm account and other development services.
Monitor your packages for unauthorized changes or unexpected publishing activity.
Use email protection tools that can detect spoofed sender domains and failed authentication checks.
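The URL check above can be automated on the defender side. The following is an added example, not CyberMaterial's code: it extracts links from a constructed sample email, reduces each host to its registered domain, and flags one-character lookalikes of the real registry domain (npmjs.com) such as the npnjs.com typosquat described above. The trusted-domain list and the sample message are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list: the genuine npm registry domains. Extend for your own tooling.
TRUSTED_DOMAINS = ("npmjs.com", "npmjs.org")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one edit covers swaps like m -> n."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for .com/.org, no public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for one URL."""
    host = urlparse(url).hostname or ""
    dom = registered_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Threshold of 1 catches single-character typosquats without flagging
        # unrelated domains that happen to be two edits apart.
        if levenshtein(dom, trusted) <= 1:
            return f"lookalike of {trusted}"
    return "unknown"


def scan_email(body: str) -> list[tuple[str, str]]:
    """Pair every URL found in the message body with its verdict."""
    return [(u, classify_url(u)) for u in URL_RE.findall(body)]


# Constructed sample modelled on the campaign described above; not a real email.
SAMPLE = """Your npm account needs verification.
Log in at https://www.npnjs.com/login?token=abc to keep publishing.
Docs: https://docs.npmjs.com/about-two-factor-authentication
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE):
        print(f"{verdict:24} {url}")
```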
🔒 Why this matters
Developer accounts with high-impact packages are prime targets for supply chain attacks. A single compromised login could introduce malicious code into countless applications. Staying alert and verifying login pages is essential to protect your projects and the wider open-source ecosystem.
📚 Cyber Book
Extreme Privacy: What It Takes to Disappear by Michael Bazzell
That concludes today's briefing. You can check the top headlines here!
Copyright © 2025 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.