Skip to content
Contact Us
All posts

01.12.25 Threat Report

By  Craig Pepper  ·  7 minute read

This week's threat report. As we enter December 2025, we will explore the SHA1-Hulud supply chain attack that has infected over 800 npm packages, the ongoing cyber incident affecting multiple London councils, a significant data breach at British telecommunications provider Brsk involving over 230,000 customer records.

SHA1-Hulud Supply Chain Attack Affecting npm Packages

A significant supply chain attack, named SHA1-Hulud (Shai-Hulud 2.0), has compromised the npm (Node Package Manager) ecosystem, impacting over 800 software packages and counting. This attack introduces malicious code into trusted npm packages, meaning any developers who integrate these into their projects unknowingly include harmful components—potentially exposing thousands of organisations at once.

The breach was traced to a CI/CD workflow vulnerability at PostHog, where a compromised pull request initiated the spread of a worm that rapidly infected hundreds of packages. PostHog has acknowledged the incident, underlining the risks even security-focused companies can face from sophisticated supply chain threats.

Why This Matters

Supply chain attacks are a major threat to organisations, exploiting trusted relationships within the software ecosystem. When a widely used software package is compromised, thousands of organisations relying on it can be affected, resulting in security incidents that are challenging to manage.

For UK healthcare and public sector bodies, the risk is heightened. Many NHS trusts and government departments rely on digital services built with npm packages; compromised packages can lead to breaches, service outages, or unauthorised access to sensitive data.

This incident’s impact is extensive, with over 800 infected packages. Security teams must now audit their dependencies, a process that demands significant time and resources and can divert focus from other priorities.

Notably, the attack shows that even automated CI/CD pipelines—meant to speed up development—can be weaponised if not properly secured, allowing threats to propagate rapidly across digital environments.

Recommendations

To protect your organisation from supply chain attacks like SHA1-Hulud, we recommend implementing the following security measures immediately:
 
  1. Perform an Immediate Software Audit: Collaborate with development teams to create an up-to-date inventory of all npm packages and third-party components in your applications. Use software composition analysis tools to scan and identify any compromised packages automatically. Prioritise completing this audit within the next week.
  2. Implement Software Bill of Materials (SBOM) Practices: Establish a formal process for tracking all software components, dependencies, and their versions across your organisation. An SBOM acts like an ingredients list for your software, making it much easier to identify and respond to supply chain compromises. This should become a standard part of your software development lifecycle.
  3. Use Package Verification and Integrity Checking: Configure your development tools to verify the integrity and authenticity of packages before they are installed. Use package lock files to ensure consistent versions are deployed, and implement checksum verification to detect tampering. Consider using private package registries that allow you to vet and approve packages before they are made available to your developers.
  4. Strengthen CI/CD Pipeline Security: Review and harden your automated build and deployment pipelines. Implement strict access controls, require code review for all changes, use separate credentials for different pipeline stages, and enable comprehensive logging and monitoring. Ensure that automated processes cannot be exploited to spread malicious code as happened in this incident.
  5. Monitor for Indicators of Compromise: Deploy security monitoring tools that can detect unusual behaviour in your applications, such as unexpected network connections, unauthorised data access, or suspicious process execution. Establish baseline behaviour for your applications so that anomalies can be quickly identified and investigated.
  6. Establish Vendor Security Requirements: When procuring software or services, require vendors to demonstrate their supply chain security practices. Ask about their software composition analysis processes, vulnerability management procedures, and incident response capabilities. Make supply chain security a key criterion in vendor selection decisions.
  7. Maintain Offline Backups: Ensure that critical systems and data are backed up regularly to offline or immutable storage that cannot be affected by supply chain compromises. Test your backup restoration procedures regularly to ensure you can recover quickly if systems are compromised.

London Council's Cyber Incident Disrupts Shared IT Systems

Three London borough councils are currently investigating a significant cyber incident that has knocked their shared IT systems offline, causing widespread disruption to public services. The affected councils have confirmed service outages, disrupted phone lines, and severely limited online access for residents trying to access council services.
 
The incident involves shared IT infrastructure, which means that multiple councils are using the same computer systems and networks to deliver their services. This is a common arrangement in local government, where councils pool their resources to save money and improve efficiency. However, when these shared systems are attacked, the impact is multiplied across all the organisations that depend on them.
 
Details about the specific nature of the attack have not been publicly disclosed while the investigation is ongoing. However, the symptoms, including offline systems, disrupted communications, and limited online services, are consistent with either a ransomware attack or a significant network intrusion. Council staff are working with cybersecurity specialists to understand the full scope of the incident and restore services safely.
 
Residents in the affected boroughs have been unable to access online services such as council tax payments, housing applications, social care referrals, and planning applications. Phone lines have been disrupted, making it difficult for vulnerable residents to contact the council for essential services. This incident demonstrates how cyber attacks on public sector organisations can have direct and immediate impacts on citizens' daily lives.
 

Why This Matters

This incident highlights several critical issues for public sector organisations, especially those using shared IT infrastructures. Shared services offer cost and efficiency benefits, but they also introduce concentration risk—allowing a single security event to affect multiple councils and significantly amplify disruption.

For UK local authorities, this attack reinforces that councils remain prime targets for cybercriminals. Holding sensitive resident data and providing essential services, local government bodies are particularly vulnerable to ransomware demands designed to disrupt vital operations.

Service interruptions from this incident have left residents unable to access important council functions, from tax payments to housing and social care support. For the most vulnerable, lost access poses serious consequences—highlighting that public sector cybersecurity is integral to service continuity and community wellbeing.

The situation also calls attention to the challenges many councils face in cybersecurity. Limited budgets and competition for skilled professionals leave public sector organisations exposed to threats that may be more easily managed in better-resourced environments.

Recommendations

To prevent similar incidents and strengthen resilience, public sector organisations and those operating shared IT infrastructure should take the following key actions:

  1. Assess Shared Services Risk: Evaluate how a cyber incident affecting shared IT systems could impact your organisation. Identify critical dependencies and potential cascading effects, and use these findings to update business continuity and disaster recovery plans.
  2. Enforce Network Segmentation: Use network segmentation, strict access controls, firewalls, and monitoring to prevent an attack on one part of the shared environment from spreading to others.
  3. Clarify Incident Response for Shared Infrastructure: Develop specific incident response procedures for shared IT environments, with clear roles and communication protocols between your organisation and service providers. Regularly test these procedures.
  4. Maintain Alternative Service Channels: Ensure essential services remain accessible during IT disruptions by providing alternative delivery methods, such as hotlines or in-person centres, and preparing staff to support these channels.
  5. Enhance Backup and Recovery: Regularly back up critical systems and data to secure, offline locations. Test recovery processes frequently and maintain an independent backup infrastructure wherever possible.
  6. Strengthen Access Controls: Require strong authentication, such as multi-factor authentication, especially for admin accounts. Regularly review access rights, remove unnecessary accounts, and monitor for unusual login activity.
  7. Invest in Cybersecurity Resources: Advocate for sufficient cybersecurity funding and, where possible, pool resources across councils to access specialist staff and advanced tools. Participate in information-sharing networks to stay informed of threats and share intelligence.
 

BT has launched an investigation after the Black Basta Ransomware Group Exposed 230,000+ Customer Records

British telecommunications (BT) provider Brsk has confirmed a significant data breach affecting more than 230,000 customer records. The company, which provides broadband internet services to homes and businesses across the UK, discovered that cyber criminals had gained unauthorised access to their customer database and stolen sensitive personal information.
The stolen data includes customer names, addresses, contact details, and account information. Most concerning is that the criminals claim to have information identifying which customers are marked as "vulnerable" in Brsk's systems. Telecommunications providers maintain vulnerability registers to identify customers who may need additional support, such as elderly people, those with disabilities, or individuals with serious health conditions who depend on their internet connection for medical devices or emergency communications.
 
Following the breach, the stolen customer data has appeared on criminal marketplaces where it is being offered for sale. Cyber criminals are actively bidding for the data, which could be used for various malicious purposes, including targeted phishing attacks, identity theft, fraud, and physical crimes targeting vulnerable individuals. The fact that vulnerability information is included makes this data particularly valuable to criminals and particularly dangerous for the affected customers.
Brsk has notified affected customers and is working with law enforcement and cybersecurity specialists to investigate the breach. However, once customer data has been stolen and distributed on criminal marketplaces, it is extremely difficult to contain the damage. The information could be used for years to come, and customers will need to remain vigilant against fraud and scams.
 

Why This Matters

This breach is significant for several reasons that extend beyond the immediate impact on Brsk and its customers. First, it demonstrates that telecommunications providers, which hold vast amounts of personal data and provide essential connectivity services, remain attractive targets for cyber criminals. The data held by these companies is valuable not just for the personal information it contains, but also for the insights it provides into customers' lives and vulnerabilities.
 
The inclusion of vulnerability markers in the stolen data is particularly concerning and raises serious questions about data protection practices. Information about vulnerable customers is highly sensitive and requires the strongest possible security measures. The fact that criminals now have access to this information puts some of the most at-risk members of society in danger of targeted exploitation. Elderly people, those with disabilities, and individuals with serious health conditions could be specifically targeted with scams and fraud attempts designed to exploit their circumstances.
 
For organisations across all sectors, this incident serves as a reminder that data classification and protection must be proportionate to the sensitivity of the information. Not all data is equal—some information, such as vulnerability indicators, health data, or financial details, requires enhanced security measures beyond what might be adequate for less sensitive information. Organisations must identify their most sensitive data and ensure it receives appropriate protection.
 
The fact that the stolen data is being actively traded on criminal marketplaces also highlights the commercialisation of cybercrime. Modern cyber criminals operate like businesses, with marketplaces, customer service, and specialisation of roles. Stolen data is a commodity that can be bought, sold, and used by multiple criminal groups for different purposes. This means that a single breach can lead to multiple waves of criminal activity affecting the victims.
 

Recommendations

To prevent similar breaches and protect customer data, organisations should adopt the following measures:

  1. Strengthen Sensitive Data Protections: Identify all high-risk data—such as vulnerability registers, health and financial records—and apply robust controls: encrypt data at rest and in transit, enforce strict access restrictions, maintain comprehensive audit logs, and schedule regular security reviews. Minimise risk by retaining only essential sensitive data.
  2. Conduct Ongoing Security Assessments: Regularly engage independent cybersecurity experts for penetration testing, vulnerability scans, and security architecture reviews. Address identified issues promptly and treat these exercises as continuous processes, not one-off events.
  3. Enhance Database Security: Implement network segmentation to isolate databases, monitor database activity for unusual access, encrypt sensitive fields, and restrict data exports. Regularly update and protect database credentials.
  4. Monitor Criminal Marketplaces: Leverage threat intelligence to track potential data exposure on criminal forums and the dark web. Early detection enables swift customer protection and coordination with law enforcement. Consider dark web monitoring services for timely alerts.
  5. Establish and Test Breach Response: Maintain a comprehensive incident response plan covering detection, containment, investigation, notification, and recovery. Be prepared to meet UK GDPR’s 72-hour breach notification rule. Regularly rehearse response procedures to identify improvements.
  6. Prepare Customer Communication Plans: Draft clear communication strategies for notifying customers in the event of a breach, including what happened, affected data, and remedial steps. Provide support such as credit monitoring and dedicated helplines to help maintain trust.
  7. Review Third-Party Access: Audit all third-party providers with customer data access. Ensure contractual data protection requirements are enforced, that external access is limited to necessity, and routinely reassess permissions and compliance.

This week's threat report has highlighted significant cybersecurity incidents that demonstrate the diverse and evolving nature of cyber threats facing UK organisations.

Contact Periculo today to learn more about our Threat Intelligence services to help protect your organisation from cyber threats. 

 

Talk to our team

Cyber Attacks on Healthcare Organisations

Cyber Attacks on Healthcare Organisations

 Weekly Round Up Issue 2

Weekly Round Up Issue 2

 Kido Cyber Attack

Kido Cyber Attack

Contact Us