Security Bulletin

Gone in a Guess: How One Weak Password Dismantled a 158‑Year‑Old Firm

September 30th, 2025

❓What:

  • KNP Logistics Group (UK, operating 158 years, ~500 trucks) was hit by a ransomware attack by the Akira group after hackers guessed an employee’s weak, internet‑facing password.

  • Because no multi-factor authentication (MFA) protected that access, the attackers moved laterally, encrypted systems, and destroyed backups and disaster recovery.

  • The ransom demanded was ~£5 million — far more than KNP could pay. The company lost operations, entered administration, and 700 employees lost their jobs.


Shai-hulud: A Cyber Apex Predator

September 17th, 2025


❓What:

  • ReversingLabs discovered a self-replicating worm, dubbed Shai-hulud (named after the giant sandworm in the Dune series), infecting packages on the npm registry.

  • The worm takes over compromised maintainers’ npm accounts and injects malicious code into their public and private packages so downloads spread the worm further.

  • It harvests developer/cloud secrets (tokens for npm, GitHub, AWS, GCP) and installs TruffleHog to hunt for hundreds of secret types; it has also made some private GitHub repositories public.


Dawn of a New Era: AI Ransomware Has Arrived

September 8, 2025

❓What:

  • Security firm ESET uncovered a novel ransomware variant dubbed PromptLock, believed to be the first AI-powered ransomware.

  • Researchers at NYU Tandon confirmed they authored the code as part of a research project named Ransomware 3.0 ("Self-Composing and LLM-Orchestrated"), with the intent of exposing potential future threats. PromptLock is considered a Proof-of-Concept (PoC); while it has yet to be observed in real-world attacks, it is theoretically capable of autonomously scanning files, deciding which to exfiltrate or encrypt, and even destroying data altogether.

⚠️Impact:


Minnesota National Guard Activated in Response to City of Saint Paul Ransomware Attack

August 15th, 2025


❓What:

  • The city of Saint Paul confirmed that the cyber attack it experienced in late July was a ransomware attack carried out by the ransomware gang Interlock. Threat intel company PRODAFT reports that the actors were able to access the city's systems via custom SystemBC Remote Access Trojan (RAT) malware.

  • After the incident exceeded city response capacity, the state of Minnesota activated the National Guard's Cyber Protection Unit to work jointly with the city and the FBI in a recovery effort the Mayor has named Operation Secure St. Paul.

  • Interlock claims it stole ~66,000 files / 43 GB and has begun leaking data. The mayor said residents’ personal/financial info was "not impacted".

