Cyber News Bytes: What’s Happening in Cybersecurity This Week

This week's latest cybersecurity news and industry updates

Some weeks, the news lines up in a way that tells a much bigger story, and this is definitely one of those weeks.

Across threat groups, cloud platforms, and even analytics tools we all rely on, attackers are tightening their grip on identity. Tokens, secrets, browser data, OAuth sessions… they’re all becoming prime targets.

So, this week is really about one theme: whoever controls identity controls everything. And attackers know it.

Let’s break down what happened this week. 👇

1. ToddyCat’s New Tools Go After Outlook & Microsoft 365

What happened:
ToddyCat is back with a fresh toolkit designed to quietly pull Outlook emails and Microsoft 365 access tokens. They’re using custom tools like TCSectorCopy to clone OST files directly from disk, plus updated malware versions that steal browser cookies, credentials, and OAuth tokens even from domain controllers.

The group keeps evolving, shifting languages, tactics, and targets to stay hidden while pulling corporate correspondence.

Why it matters:
Identity-based attacks are getting more precise. ToddyCat isn’t just stealing accounts; they’re stealing the keys that unlock trust across mail, browsers, and cloud apps. This is the kind of threat that slips past traditional perimeter thinking.

How to use it:
This is a great moment to strengthen token hygiene, browser hardening, and conditional access policies. If you're interviewing or learning, this case is a strong example of why token theft matters just as much as password theft.

2. Mixpanel Breach Exposes OpenAI User Metadata

What happened:
Mixpanel suffered a smishing-driven breach that exposed analytics data from several customers, including OpenAI. While no ChatGPT conversations, API keys, or payments were compromised, attackers did obtain user metadata like names, emails, location hints, and browser details.

Why it matters:
Metadata is still an attack surface. Even “non-sensitive” data becomes fuel for targeted phishing, supply-chain reconnaissance, and social engineering. This is a reminder that your weakest third-party link can still introduce real risk.

How to use it:
Use this as a clear talking point when discussing third-party risk, logging exposure, and why security questionnaires matter. It’s also a solid example for teaching junior analysts how seemingly harmless data becomes useful to attackers.

Read more on Security Week

3. Shai-hulud 2.0 Hits npm, GitHub, and Cloud Providers

What happened:
A new variant of the Shai-hulud worm is tearing through npm packages again, but now it’s stealing AWS, GCP, and Azure credentials, raiding secret managers, poisoning repositories, and even wiping data if it can’t steal it.
It spreads fast: compromise a single developer account, and it backdoors every package they maintain.

Why it matters:
This is the nightmare intersection of supply-chain compromise and cloud credential theft. It shows how fragile the ecosystem becomes when developer trust is the initial entry point.

How to turn it into an advantage:
Use this story to revisit least-privilege cloud roles, short-lived tokens, CI/CD permissions, and dependency controls. It’s also a powerful case study for anyone learning modern software supply chain defense.
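One concrete dependency control you can put in front of the worm is a lockfile audit that runs in CI before `npm ci`. The script below is an added example written for this newsletter, not code from the Shai-hulud write-ups or from any of the projects mentioned. It reads a `package-lock.json` (lockfileVersion 2 or 3, which carries a `packages` map and flags packages with lifecycle hooks via `hasInstallScript`) and reports three things a poisoned package tends to exhibit: a tarball resolved from somewhere other than your trusted registry, a missing `integrity` hash, and an install script. The lockfile content and the package names (`well-pinned`, `hooked-pkg`, `offregistry-pkg`) are constructed for the example.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 3 layout).
# This is example data, not any real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"well-pinned": "1.2.3", "hooked-pkg": "0.9.0",
                              "offregistry-pkg": "2.0.0"}},
        # Clean: registry tarball, pinned, integrity present, no hooks.
        "node_modules/well-pinned": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/well-pinned/-/well-pinned-1.2.3.tgz",
            "integrity": "sha512-PLACEHOLDER_INTEGRITY_A=="
        },
        # Declares a lifecycle (pre/post)install script.
        "node_modules/hooked-pkg": {
            "version": "0.9.0",
            "resolved": "https://registry.npmjs.org/hooked-pkg/-/hooked-pkg-0.9.0.tgz",
            "integrity": "sha512-PLACEHOLDER_INTEGRITY_B==",
            "hasInstallScript": True
        },
        # Fetched from outside the trusted registry and with no integrity hash.
        "node_modules/offregistry-pkg": {
            "version": "2.0.0",
            "resolved": "https://example.invalid/tarballs/offregistry-pkg-2.0.0.tgz"
        }
    }
})

TRUSTED_REGISTRY = "https://registry.npmjs.org/"


def audit_lockfile(lock_text, trusted_registry=TRUSTED_REGISTRY):
    """Return a list of (package, finding_kind, detail) tuples for a lockfile."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("expected lockfileVersion 2 or 3 (needs the 'packages' map)")

    findings = []
    for path, meta in lock.get("packages", {}).items():
        # Skip the root project entry and workspace symlinks; neither is a fetched tarball.
        if path == "" or meta.get("link"):
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        version = meta.get("version", "?")

        if not resolved.startswith(trusted_registry):
            findings.append((name, "resolved-outside-trusted-registry", resolved or "<missing>"))
        if "integrity" not in meta:
            # Without an integrity hash, npm cannot detect a swapped tarball.
            findings.append((name, "missing-integrity", version))
        if meta.get("hasInstallScript"):
            # Install hooks run arbitrary code on every developer and CI machine.
            findings.append((name, "install-script", version))
    return findings


def summarize(findings):
    """Group finding kinds -> sorted package names, handy for a CI gate or a PR comment."""
    kinds = {kind for _, kind, _ in findings}
    return {kind: sorted(name for name, k, _ in findings if k == kind) for kind in kinds}


if __name__ == "__main__":
    for pkg, kind, detail in audit_lockfile(SAMPLE_LOCK):
        print(f"{kind:36} {pkg} ({detail})")
```

In practice you would gate the pipeline on `install-script` and `resolved-outside-trusted-registry` findings for any package not on an allow-list, and pair the audit with `ignore-scripts=true` in the project's `.npmrc` so lifecycle hooks cannot run at all unless someone deliberately re-enables them for a reviewed package.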

This week shows a simple truth: attackers thrive wherever identity and secrets move unseen. ToddyCat steals tokens, Mixpanel leaks user metadata, and Shai-hulud hijacks cloud credentials through poisoned packages. Each story proves that the weakest link isn’t always a system; it’s a blind spot.

The lesson? Cybersecurity professionals who understand how identities flow, how tokens are used, and where secrets hide don’t just react; they anticipate. Visibility into these flows is your superpower, and mastering it is what separates good defenders from great ones.

Stay curious, map the hidden paths, and focus on controlling identity, because that’s where the battle is being won (or lost) today.

And for anyone trying to break into the field, CourseCareers offers one of the fastest, most accessible paths into IT and cybersecurity for beginners; check it out here.

Keep Learning, Keep Growing,

Sandra