Salesloft GitHub Compromised in March 2025; npm Library Supply Chain Attack; SAP S/4HANA Critical Flaw Actively Exploited

Salesloft has posted a September 6 update to the Salesloft+Drift Trust Portal describing the results of Mandiant's investigation into the cause and scope of the widespread August 2025 Salesforce data theft attacks abusing stolen OAuth tokens for the Drift AI chatbot. Mandiant found that a threat actor compromised and maintained access to the Salesloft GitHub account from March to June 2025, conducting reconnaissance in the Salesloft and Drift application environments, downloading multiple repositories' content, adding a guest user, and establishing workflows. The threat actor stole OAuth tokens from Drift's Amazon Web Services environment, then using them to bypass normal authentication including MFA and access organizations' data through Drift integrations, primarily targeting access keys, credentials, and tokens. Mandiant believes that the incident is contained and has validated that Salesloft took the Drift application offline, isolated its infrastructure and code, rotated impacted credentials for both Drift and Salesloft, hardened the Salesloft environment against known attack methods, and segmented Salesloft and Drift applications and infrastructure environments. As of this writing, the latest update to the Salesloft+Drift Trust Portal is a September 7 post stating that integration between Salesloft and Salesforce has been restored. The total number of companies affected by Drift OAuth token compromise is unknown and continues to grow.

A phishing attack on a developer resulted in nearly 20 widely-downloaded JavaScript code packages being compromised with malware. The attack was quickly detected and mitigated and appears to have been launched with a goal of stealing cryptocurrency. In a September 8 blog post, Belgian security company Aikido wrote that their "intel feed alerted [them] to a series packages being pushed to npm, which appeared to contain malicious code." The 18 affected npm packages are collectively downloaded over two billion times each week. Aikido notified the maintainer, who has begun to clean up compromised packages.

Researchers at SecurityBridge urge users to immediately patch all private cloud and on-premises SAP S/4HANA releases, because a critical flaw disclosed in June 2025 and patched by SAP in August is currently under active exploitation. CVE-2025-42957, CVSS score 9.9, allows an attacker with low-level credentials to bypass essential authorization checks and inject arbitrary ABAP (Advanced Business Application Programming) code into the system by exploiting a vulnerability in the function module exposed via RFC. SecurityBridge emphasizes that the possible consequences of exploitation are severe: "Successful exploitation gives access to the operating system and complete access to all data in the SAP system. This includes, but is not limited to: Deleting and inserting data directly in the SAP Database; Creating SAP users with SAP_ALL; Downloading of password hashes; [and] Modifications to business processes," also noting, "this vulnerability effectively functions as a backdoor." SecurityBridge has verified abuse of this flaw in the wild, and offers mitigation steps in addition to their directive to patch immediately: users should "consider implementing SAP UCON to restrict RFC usage and review and restrict access to authorization object S_DMIS activity 02," as well as monitoring logs for suspicious RFC calls, new admin users, and ABAP code changes, and hardening defenses through segmentation, backups, and SAP-specific monitoring.

Microsoft has published a blog post describing their ongoing effort first announced in May 2024 to implement mandatory MFA for Azure users, now reaching its second phase. Microsoft has been rolling out MFA enforcement gradually, beginning with users who were signing in to administer resources, then telling Entra global admins to enable MFA for all tenants by October 2024, and as of March 2025, "multifactor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants." Microsoft describes Phase 2, beginning October 1, 2025, as encompassing "Gradual enforcement for MFA requirement for users performing Azure resource management operations through any client (including but not limited to: Azure Command-Line Interface (CLI), Azure PowerShell, Azure Mobile App, REST APIs, Azure Software Development Kit (SDK) client libraries, and Infrastructure as Code (IaC) tools)." The gradual enforcement of Phase 2 will be applied via Azure Policy. Microsoft's post instructs administrators to enable MFA for users by October 1, 2025; apply a built-in Azure Policy definition in audit or enforcement mode; ensure your tenants are using current Azure CLI and Azure Powershell versions; communicate with tenants' Global Administrator if the enforcement date must be postponed; and monitor notification channels for ongoing communication.

The Public Access to Court Electronic Records (PACER) system is reportedly experiencing a bumpy start to its multi-factor authentication (MFA) rollout, including long wait times on call center help lines. In May 2025, PACER announced that MFA would be mandatory for accounts that are configured to allow them to file documents and for all case management accounts. At that time, enrollment in MFA was voluntary; the US Courts website noted that "users with Case Management/Electronic Case Files (CM/ECF) level access who do not voluntarily enroll will be randomly selected to do so beginning in August. By the end of 2025, everyone with CM/ECF-level access will be required to use MFA when logging in." Users who access PACER simply to view court documents are "strongly encouraged" to enroll in MFA but are not required to do so. Last month, the US federal Judiciary confirmed a breach of their Case Management System; Politico reported that "the incident is known to affect the judiciary’s federal core case management system, which includes two overlapping components: Case Management/Electronic Case Files, or CM/ECF, which legal professionals use to upload and manage case documents; and PACER." The court document systems faced scrutiny earlier this year: in June, The Honorable Michael Y. Scudder Jr., Chair of the Committee on Information Technology of the Judicial Conference of the United States told the US House of Representatives Judiciary Subcommittee on Courts, Intellectual Property, Artificial Intelligence, and the Internet that CM/ECF and PACER "are outdated, unsustainable due to cyber risks, and require replacement."

Argo CD, an open-source "GitOps continuous delivery tool for Kubernetes," has published a security bulletin disclosing a maximum-severity vulnerability in Argo CD versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12, and 3.1.0-rc1 through 3.1.1. While as Argo CD notes, "API tokens should require explicit permission to access sensitive credential information, [and] standard project permissions should not grant access to repository secrets," CVE-2025-55190, CVSS score 10.0, allows an authenticated user to use any API token with project get permissions and no explicit access to secrets to retrieve repository usernames and passwords through the project details API endpoint. ArgoCD is used for "large-scale, mission-critical deployments" by companies such as Adobe, Google, IBM, Intuit, Red Hat, Capital One, and BlackRock. Users must update to versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2 to patch the flaw.

Cloudflare has looked into the unauthorized issuance of 1.1.1.1 TLS certificates that came to light last week; 1.1.1.1 is one of the IP addresses that Cloudflare uses for its public DNS resolver service. The certificate authority (CA) responsible for the unauthorized certificates, Fina CA, told Ars Technica that they were "issued for internal testing of the certificate issuance process in the production environment. An error occurred during the issuance of the test certificates due to incorrect entry of IP addresses. As part of the standard procedure, the certificates were published on Certificate Transparency log servers." In addition, between February 2024 and August 2025, Fina CA issued a dozen certificates for 1.1.1.1, not just the three that were initially reported. All have since been revoked.

The Wall Street Journal reported that hackers with ties to China's government are behind spyware-laden emails spoofed to appear to come from chairman of the US House Committee on the Chinese Communist Party Rep. John Moolenaar (R-Michigan). The emails were sent in July to US trade groups, law firms and government agencies, just ahead of US-China trade talks that took place in Sweden this summer. The messages urged readers to offer feedback on proposed sanctions against China. They also included an attachment that purported to be a document, but which is actually spyware that has been traced to a Chinese state-sponsored cyberthreat group. (The Wall Street Journal article is behind a paywall.)

The Qantas Airlines executive management team has had their bonuses reduced by 15 percent following a cybersecurity breach that compromised information belonging to millions of individuals. A breach of a third-party Qantas call center database in July of this year compromised information of 5.7 million individuals; of those approximately 4 million are confirmed to have been exposed. Penalizing executives "reflects their shared accountability," according to Qantas Group Chairman John Mullen; it is uncommon for breach responsibility to be assigned to CEOs. The company posted a pre-tax profit of AU$2.39 billion (US$1.56 billion) in the last fiscal year.

On August 30, 2025, Canadian financial firm Wealthsimple "learned that a specific software package that was written by a trusted third party had been compromised. This resulted in personal data belonging to less than 1% of [their] clients being accessed without authorization for a brief period." The company notified all affected customers by email last week; they note that if customers have not received email about the incident, their data were not compromised. In addition to notifying affected individuals, Wealthsimple is offering credit monitoring and has informed relevant government regulators.