September reinforced how relentless and unpredictable the cyber threat landscape has become, from high-profile ransomware and data breach incidents causing widespread disruptions at major European airports to sensitive personal data exposures in education and corporate sectors. The month was dominated by growing risks around third-party and supply chain security, zero-day exploits in widely deployed enterprise software, active threat campaigns targeting critical infrastructure, and the evolving sophistication of criminal tooling highlighted that organisations of all sizes and industries remain squarely in the crosshairs of determined attackers.
Against this backdrop, defenders continued to race to patch vulnerabilities, strengthen controls and adapt to an expanding threat surface in an era where attacks are increasingly automated, AI-enabled and globally distributed.
Techniques
ShadowLeak: A Zero Click Prompt Injection for ChatGPT Deep Research
Security Researcher Marek Tóth has discovered that multiple major password managers are vulnerable to a clickjacking attack that can steal logins, MFA codes, credit-card details, and other sensitive data. The flaw affects major Password Managers, and their browser extension autofill prompts. Attackers can overlay invisible elements over a webpage so that when a user clicks something seemingly harmless, such as a cookie consent banner the password manager unknowingly autofills hidden fields, and sends these to the attacker, leaking the credentials.
The issue was disclosed at DEF CON 33 in August 2025 and impacts at least 11 widely used extensions, including 1Password, Bitwarden, LastPass, Enpass, iCloud Passwords, and LogMeOnce, which account for tens of millions of users worldwide. While some managers such as Dashlane, NordPass, ProtonPass, RoboForm, and Keeper have released patches, several others remain exposed, while others, such as LastPass have introduced UI based mitigations – a prompt that pops up when auto filling sensitive information. Researchers emphasise that fixing the vulnerability is difficult because it stems from how browsers render extension overlays rather than a single coding flaw.
To reduce risk, is it recommend to disable automatic autofill, update to the latest versions of password manager extensions, restrict browser extension permissions to specific trusted sites, and to avoid browsing to unknown or dodgy websites. Despite the flaw, password managers remain safer than reusing weak or repeated passwords and it is still recommended best practice to use one.
Villager: AI-Native Pentesting Framework
Security researchers recently uncovered malicious uses for an advanced AI-powered penetration testing tool known as Villager, which operates within Kali Linux, a well-known penetration testing Operating System (OS). Villager takes natural language user input, which is processed by the Chinese Large Language Model (LLM) DeepSeek. DeepSeek orchestrates the tools on Kali to complete a multi-staged attack chain by using a vast library of around 4,200 system prompts, guiding payload generation and decision making. The tool runs on self-deleting containers, making it difficult to forensically examine after an incident. Villager’s automation lowers the skill and time required to execute attacker intrusions at scale, meaning attackers have easy access to advanced tooling which will increase the frequency of automated scanning and exploitation in the wild. A version of the tool that is usable on other operating systems was also published to an official Python repository in July and has amassed roughly 10-11k downloads in two months.
To prevent attackers breaching your environment using this tool, we recommend enforcing package allow-lists and blocking ad-hoc “pip install” on Linux systems. Implementing a monitoring and alerting tool for ‘Model Context Protocol-mediated agent’ activity can be beneficial, as it is the primary protocol used by LLMs to integrate with resources. AI-assisted attacks are on the rise, and it is important to implement protections as the threat evolves.
Happenings
[UK] Jaguar Land Rover Cyberattack Shuts Down Auto Production
Britain’s largest car manufacturer, Jaguar Land Rover (JLR), suffered a cyberattack in early September that paralysed production for four weeks. The company halted operations at its three UK plants (which output around 1,000 vehicles per day) and sent 33,000 employees home while responding to the incident, costing an estimated $115 million in lost revenue per week. Very few details have been made public about the attack’s nature, but the scale and duration point to a ransomware incident or destructive intrusion. JLR has acknowledged that some company data was stolen, although it has not specified what was taken, and no threat actor has been officially identified. Reports indicate JLR was in the process of renewing its cyber insurance and had not finalised coverage when the attack occurred, meaning the firm may have to absorb much of the incident’s cost directly.
The impact of this breach has rippled through the automotive supply chain, with JLR’s suppliers, many of them smaller manufacturers, facing serious financial strain due to halted orders, and some warning of potential bankruptcies if the stoppage continued. The UK government intervened, with ministers visiting JLR and pledging support to mitigate economic fallout and help get production back online. The attack demonstrates how a cyber incident can impact real world systems, causing disruption to factory floors and long-term financial damages. Organisations should ensure they have comprehensive Business Continuity Plans (especially for Production environments), take and regularly test backups, and confirm they have no gaps in cyber insurance coverage.
[Europe] Ransomware Disrupts Airline Check-In Systems
Collins Aerospace suffered a ransomware attack that crippled its cMUSE passenger processing system, the commonly used platform relied upon by multiple airlines for shared check in and boarding desks. The disruption spread quickly across busy European airports including Heathrow, Brussels, and Berlin. Check-in kiosks, bag-tag printers, and boarding systems tied into the cMUSE backend were all taken offline forcing airlines and airports to revert to manual processing. The consequences were immediate and visible; long queues formed, flights were delayed or cancelled, and in Brussels the airport asked carriers to cut half of their departures while waiting for a secure system update. Heathrow reported that most flights still departed, but only after staff implemented contingency procedures to keep passengers moving. Authorities confirmed that aviation safety and air-traffic control were never at risk, but the operational bottleneck showed how deeply their critical aviation infrastructure depends on third-party IT platforms.
While the initial attack lasted 3 days, the disruption to passengers was ongoing for a week, with Berlin warning it may take several more days before check-in systems were restored to functional and secure operation. The UK’s National Crime Agency announced the arrest of a man in his 40s from West Sussex in connection with the incident, confirming it as a ransomware case. No large adversary groups have claimed responsibility and no data has appeared on known data leak sites.
The attack demonstrated the vendor concentration risk in aviation IT: a single vendor outage rippled across independent airports and airlines, stranding thousands of passengers. This is a timely reminder to organisations of their single-point of failure IT risks.
[Albania] AI Minister Put in Charge of Public Procurement
Albania has appointed Diella, an AI virtual minister, to oversee and award public tenders, a move billed as a world first and central to Prime Minister Edi Rama’s EU-accession agenda. Diella was unveiled to parliament on the 18th of September 2025, appearing via video in traditional attire and delivering a short address about transparency and impartial service. The government says Diella was developed with Microsoft and evolved from an e-Albania virtual assistant that has already handled around one million user interactions and documents. Parliament subsequently confirmed Rama’s new cabinet, with Diella presented as a fully transparent, incorruptible tool intended to purge corruption from procurement, as corruption is a chronic barrier to Albania’s EU ambitions.
The opposition condemned the move as unconstitutional, arguing a non-human entity cannot hold ministerial authority, and warned of accountability, legality, and oversight gaps. The practical risks of AI in government are centred around governance: who is accountable for Diella’s decisions, how are procurement criteria and models audited, and what human checks and balance mechanisms exist when awards are contested. On top of these risks there are also technical risks, as Large Language Models (LLM)s are notorious for being jailbroken, where attackers use specially crafted prompts to shape the model’s output, and inherent bias in training data which may lead to biased procurement without careful controls.
Supporters praise Diella as a bold move to curb favouritism and bribery in procurement, while critics warn about black-box decision making, lack of recourse for bidders, and cybersecurity risks. AI-driven anti-corruption methods are currently used in two other countries, with Brazil using a tool dubbed ‘ALICE’ to analyse public contracts and identify any irregularities, and the Ukraine developing ‘Dozorro’ to flag suspicious tenders with a high corruption risk for further investigation. As Albania is attempting to join the EU, Diella is being monitored closely to see if it can reduce corruption, the main hurdle for Albania’s EU accession.
[Global] “Shai-Hulud” – Worm Tears Through npm Packages
A worm in the npm ecosystem (a package manager for the JavaScript programming language) has been nicknamed ‘Shai-Hulud’ after the giant worms from the popular Dune book series. The worm steals developer secrets and then uses harvested npm and GitHub tokens to trojanise and republish packages. The stolen credentials were also published on a new GitHub repository created on the compromised account which included the name ‘Shai-Hulud’ and allowed anyone to search this term to get access to numerous developer accounts. The campaign surfaced around the 15th of September, initially tied to a malicious release of the package ‘@ctrl/tinycolor’, before rippling across inter-dependent projects, with the estimated number of infected packages ranges being anywhere from 180 to 500.
The payload typically drops an obfuscated JavaScript file that runs on install, executes a free credential discovery tool ‘TruffleHog’ to gather credentials, and plants hidden GitHub Action workflows to exfiltrate secrets and maintain persistence. Even packages maintained by security vendors, such as CrowdStrike, were briefly affected before being pulled and having the keys rotated.
It is recommended that organisations using npm should audit their dependency chains for compromised packages, rotate potentially exposed credentials, and use lockfiles to pin versions of dependencies released prior to the 16th of Sept 2025. Implementing automated supply chain security tools such as dependency integrity checks and secret scanning can help detect anomalies early. Developers should implement phishing-resistant Multifactor Authentication (MFA) on all platforms, but especially GitHub and npm in relation to this worm.