Alon Gal (UndertheBreach)


Scattered Spider LAPSUS$ Hunters are back with a confirmed 284-company supply chain breach via Gainsight, which likely resulted in Salesforce instances being stolen. Very similar to the Salesloft Drift hack. It is currently being investigated by Salesforce, and Scattered claims they hacked them by stealing secret tokens from a support case in the Salesloft Drift hack.

Speaking to "Dissent Doe, PhD" the group said 'The next DLS (Data Leak Site) will contain the data of the Salesloft and GainSight campaigns,' they stated, 'which is, in total, almost 1000 organisations. Only actual companies, mainly Fortune 500 will be listed or things I feel would be worth it. From the GainSight campaign the large companies were: Verizon, GitLab, F5, SonicWall, and others.'

Finally, the group advertises their Ransomware-as-a-Service launching Nov 24, and is taunting leading cybersecurity companies as usual.

Cross Prompt Injection Attacks (XPIA) are going to be a huge pain with Windows 11's new Agentic OS. The image does a good job showing how it works on LinkedIn, so imagine that but just for stealing all your credentials, cookies, browser history, sensitive documents, etc.

We wrote a blog about it earlier in case you missed it - https://www.infostealers.com/article/microsofts-new-update-creates-an-agentic-os-infostealer-attack-vector/

NEW - Microsoft's new Windows 11 Agentic OS update just handed infostealers the ultimate upgrade. We’re officially moving from traditional stealers to Agent-Aware stealers. (TL;DR of the attack vector below ⬇️)

New blog (read time: 3 mins) - https://www.infostealers.com/article/microsofts-new-update-creates-an-agentic-os-infostealer-attack-vector/

TL;DR of the attack vector:
1️⃣ Malware drops one normal-looking file with hidden (white-on-white) instructions.

2️⃣ User opens it and naturally says “Hey Copilot, summarize/help with this file.”

3️⃣ The trusted taskbar agent itself searches Recall, browser tabs, Slack, notes, files for keys/seeds/cookies and exfils everything in perfect JSON.

4️⃣ Often zero AV alerts because Microsoft’s own agent did the work.

I expect a huge surge in Infostealer infections and corporate breaches due to this update.

Microsoft warned about this exact XPIA vector in their 2025 security blogs.
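Step 1 of the vector above relies on a lure document carrying instructions the user cannot see. As an added example (not code from the post or from Hudson Rock), here is a defender-side screen for .docx files that flags runs formatted as near-white, tiny, or Word's "vanish" (hidden) text before such a file is handed to an assistant. The sample document is constructed inline; the hidden string is a placeholder, not a real injection payload.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml inside a .docx zip
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}


def build_sample_docx(visible: str, hidden: str) -> bytes:
    """Constructed sample: one visible run plus one white-on-white, 1pt run."""
    doc = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        f'<w:r><w:t>{visible}</w:t></w:r>'
        f'<w:r><w:rPr><w:color w:val="FFFFFF"/><w:sz w:val="2"/></w:rPr>'
        f'<w:t>{hidden}</w:t></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # minimal stub for the sample
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


def find_hidden_runs(docx_bytes: bytes, near_white: int = 0xF0, min_half_points: int = 8):
    """Return [(text, [reasons])] for runs a reader would not see on a white page.

    Flags: font colour with every RGB channel >= near_white, font size below
    min_half_points (w:sz is in half-points, so 8 = 4pt), or the w:vanish flag.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    findings = []
    for run in root.iter(f"{{{W}}}r"):
        text = "".join(t.text or "" for t in run.iter(f"{{{W}}}t"))
        rpr = run.find("w:rPr", NS)
        if not text.strip() or rpr is None:
            continue
        reasons = []
        color = rpr.find("w:color", NS)
        val = color.get(f"{{{W}}}val", "") if color is not None else ""
        if re.fullmatch(r"[0-9A-Fa-f]{6}", val) and all(
            int(val[i:i + 2], 16) >= near_white for i in (0, 2, 4)
        ):
            reasons.append(f"near-white colour {val}")
        sz = rpr.find("w:sz", NS)
        if sz is not None and int(sz.get(f"{{{W}}}val", "24")) < min_half_points:
            reasons.append("tiny font")
        if rpr.find("w:vanish", NS) is not None:
            reasons.append("vanish (hidden text) flag")
        if reasons:
            findings.append((text, reasons))
    return findings
```

Themed colours, text boxes and images with embedded text are not covered here, so treat an empty result as "nothing obvious", not as a clean bill of health.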

Noting the recent letter from Senator Ron Wyden and Representative Raja Krishnamoorthi calling on the FTC to investigate Flock Safety's practices, which, based on Hudson Rock's data, highlights critical vulnerabilities that put Americans' privacy at risk.

At Hudson Rock, our cybercrime intelligence platform recently identified at least 35 Flock Safety customer accounts compromised by infostealer malware, data that underscores the risk of account takeovers and access abuse.

Flock Safety confirmed to Congress in October that they do not require MFA for law enforcement accounts, instead treating it as a voluntary option.

As noted in the letter: "This threat is not theoretical. A search by Congressional staff of a public tool operated by the cybersecurity company Hudson Rock documenting accounts compromised by a form of malware known as an “infostealer” reveals that passwords for at least 35 Flock customer accounts have been stolen."

Without mandatory MFA and infostealer credentials monitoring in place, systems like Flock Safety's automated license plate readers become easy targets for hackers, foreign spies, and unauthorized access through password sharing. This represents a systemic risk to national surveillance networks funded by taxpayer dollars, potentially exposing location data on millions.

We've seen this pattern in major breaches uncovered by Hudson Rock, such as the Snowflake incident, Airbus breach, Jaguar Land Rover hack, and the Orange network disruption, all highly preventable and traced back to Infostealer malware. It's why Hudson Rock exists: to shine a light on these threats and empower organizations to act before it's too late.

Source: The Record from Recorded Future News: https://lnkd.in/eGjQCbn3

Letter: https://lnkd.in/eEy82iqE

If Infostealer infections are happening in companies like Lockheed Martin, and even in the U.S. Navy, we should conclude that the defense industry is also vulnerable to more sophisticated attacks. (new research) ⬇️

Infostealing Malware Infections in the U.S. Military & Defense Sector (6-minute read) - https://www.infostealers.com/article/infostealing-malware-infections-in-the-u-s-military-defense-sector-a-cybersecurity-disaster-in-the-making/

In this new research, we examined the state of Infostealer infections in the most sensitive areas, and the results are concerning. Of the tens of millions of computers infected by Infostealers, a portion belong to individuals employed in sensitive companies.

We analyze the type of access hackers can gain from these infections and speculate on how they could exploit such access.

Infostealing Malware Infections in the U.S. Military & Defense Sector: A Cybersecurity Disaster in the Making

At some point, these employees downloaded malware on a device they used for work, exposing not just their credentials, but potentially their entire digital footprint: browsing history, autofill data, internal documents, and session cookies for sensitive applications.


Someone called “NSA_Employee39” just dropped a 7-Zip 0day with some nasty potential, especially around Infostealer & supply chain attacks ⬇️

So this guy who seems to have serious exploitation experience just dropped an ACE 0day for 7-Zip, which can easily be weaponized by threat actors, especially in the Infostealers space.

Full blog (3-minute read!) - https://www.infostealers.com/article/7-zip-zero-day-exploit-released-by-hacker-a-new-playground-for-infostealer-supply-chain-attacks/

This vulnerability in 7-Zip allows an attacker to create a malicious .7z file that, when opened or extracted in the latest version of 7-Zip, runs the attacker's code on the victim's computer.

In the context of Infostealer delivery, threat actors typically make victims open password-protected .rar/.zip files, so with this exploit they could potentially just get you to open the archive to get infected.

In another context, if for example your organization has some automation around 7-Zip files from third parties, and a hacker infiltrates a supply chain, they could swap the 7-Zip archives for malicious ones and do some real nasty stuff. Hope we don't get there.

The challenge for hackers would be to have the malicious code running in a very limited space (100-200 bytes), and if done correctly, it could be very bad.

Love to hear more thoughts around this. I'm not in the 0days game.

Exploit source - https://pastebin.com/KxQYFqwR

The same hacker is also going to release a mybb 0day which is going to be used for breaching a lot of forums and leaking their databases.

Edit: The author of 7-Zip is disputing the legitimacy of the reported 0-day. This article will get updated as soon as we have more information.

7-Zip Zero-Day Exploit Dropped: A New Playground for Infostealer & Supply Chain Attacks

An X user going by the alias "NSA_Employee39" has dropped a zero-day (0day) vulnerability for 7-Zip—a widely-used file archiving tool. The implications are particularly alarming for the realm of Infostealers.

not familiar with something similar
Have you tried it yet? Let me know what to improve / add to it -
www.hudsonrock.com/cavaliergpt #osint #infostealer

Largest Retail Breach in History: 350 Million “Hot Topic” Customers’ Personal & Payment Data Exposed — As a Result of Infostealer Infection

https://www.infostealers.com/article/largest-retail-breach-in-history-350-million-hot-topic-customers-personal-and-payment-data-exposed-as-a-result-of-infostealer-infection/

Breaking: hackers stole call and text records for "nearly all" AT&T customers. Shows which phone numbers a customer called or texted. A staggering and unprecedented data breach. Data usually only available to authorities; now hackers got it https://www.404media.co/hackers-steal-text-and-call-records-of-nearly-all-at-t-customers/
Hackers Steal Text and Call Records of ‘Nearly All’ AT&T Customers

In one of the most significant data breaches in recent history, hackers stole AT&T customers’ call and text metadata spanning several months.
