Good morning. This is your security briefing for Monday, November 24, 2025, covering seven articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.
DeceptIQ Ltd. reports on challenges detection engineers face when processing CloudTrail logs from multiple AWS accounts and regions. Traditional S3 synchronization tools are causing delays in log retrieval, impacting security teams' ability to detect threats and perform incident response effectively.
Security researcher 0x4d31 has released santamon, a lightweight macOS detection agent that works alongside Santa. The tool processes Endpoint Security telemetry locally using CEL-based rules, forwarding only matched signals rather than streaming all data, which significantly reduces transmission costs.
Sophos has identified Campaign STAC3150, which deploys the Astaroth banking trojan through malicious WhatsApp messages. The attack uses PowerShell and Selenium to hijack WhatsApp Web sessions and harvest credentials, affecting over 250 customers primarily in Brazil.
Aikido Security reports that the Shai-Hulud threat actors have launched a second supply-chain attack, compromising 492 npm packages with 132 million monthly downloads. The malware steals credentials using TruffleHog and exfiltrates data to public GitHub repositories, and it will wipe user home directories if authentication fails.
Wiz Blog provides additional details on the Shai-Hulud 2.0 campaign, confirming over 700 compromised npm packages through trojanized versions. The attack affected popular projects from Zapier, ENS Domains, PostHog, and Postman, with attackers creating over 25,000 malicious repositories to exfiltrate developer secrets and project files.
AI紫队安全研究 reports on coordinated operations between the North Korean APT groups Kimsuky and Lazarus. Kimsuky is acting as the intelligence-gathering arm while Lazarus focuses on cryptocurrency theft operations, representing a clear division of labor in support of North Korean state interests.
Enki WhiteHat Co., Ltd. describes the ongoing evolution of Kimsuky's KimJongRAT malware targeting South Korean residents. The malware uses phishing campaigns impersonating government institutions to steal browser credentials, cookies, and payment information from Chromium-based browsers, with recent variants focusing on data exfiltration without C2 communication.