19.05.25 Threat Report
This week’s Threat Report reveals a cross-origin vulnerability in Google Chrome, a ransomware assault on Christie’s auction house by DragonForce, and a remarkably stealthy npm malware campaign using Google Calendar as a command-and-control mechanism.
Each of these threats poses significant risks for organisations striving to maintain trust, compliance, and data protection.
New Google Chrome Zero-Day Enables Cross-Origin Data Theft
A critical zero-day vulnerability in Google Chrome (tracked as CVE-2024-4671) has been exploited in the wild, allowing attackers to access sensitive data from other domains—a breach of the browser’s Same-Origin Policy.
Technical Details:
The vulnerability stems from a use-after-free flaw in Chrome’s Visuals component, which could be triggered by crafted web content. Malicious sites can exploit this flaw to bypass sandboxing and exfiltrate data from secure domains (e.g., online banking, internal apps, or cloud dashboards).
Potential Impact:
- Credential theft and session hijacking.
- Unauthorised access to sensitive business or user information.
- Potential for further malware injection via abused browser sessions.
Recommendation:
- Urgently update all Chrome instances to version 124.0.6367.207 or later.
- Enforce browser update policies across managed endpoints.
- Monitor web logs for abnormal cross-domain requests or data exfiltration attempts.
- Inform staff to avoid suspicious links until the update is widely deployed.
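The first recommendation hinges on a version comparison that is easy to get wrong: Chrome builds are four dotted numbers, and a plain string comparison ranks "124.0.6367.99" above "124.0.6367.207". The following is an added example, not code from the report, that checks an endpoint inventory numerically against 124.0.6367.207 and separates hosts that need the update from hosts whose version could not be read. The inventory records, hostnames and version strings are constructed for the example.

```javascript
// Added example: patch-compliance check for Chrome against the minimum build
// named in the report. Versions are compared as numeric tuples, not strings.

const MIN_PATCHED_CHROME = "124.0.6367.207";

// Parse "MAJOR.MINOR.BUILD.PATCH" into four integers; throw on anything else so
// unreadable entries are surfaced instead of silently treated as compliant.
function parseChromeVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d+$/.test(p))) {
    throw new Error(`unrecognised Chrome version string: ${v}`);
  }
  return parts.map(Number);
}

// Numeric tuple comparison: negative if a < b, 0 if equal, positive if a > b.
function compareChromeVersions(a, b) {
  const pa = parseChromeVersion(a);
  const pb = parseChromeVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isPatched(version, minimum = MIN_PATCHED_CHROME) {
  return compareChromeVersions(version, minimum) >= 0;
}

// Inventory records as an endpoint-management export might provide them
// (constructed sample data: hostnames and versions are made up).
const SAMPLE_INVENTORY = [
  { host: "lon-ws-001", chromeVersion: "124.0.6367.207" },
  { host: "lon-ws-002", chromeVersion: "124.0.6367.99" },   // string-compares as "newer", is older
  { host: "lon-ws-003", chromeVersion: "125.0.6422.60" },
  { host: "lon-ws-004", chromeVersion: "123.0.6312.124" },
  { host: "lon-ws-005", chromeVersion: "not installed" },
];

// Return hosts that still need the update, plus hosts whose version could not
// be parsed (those need a manual look rather than being counted as compliant).
function findUnpatchedHosts(inventory, minimum = MIN_PATCHED_CHROME) {
  const unpatched = [];
  const unknown = [];
  for (const rec of inventory) {
    try {
      if (!isPatched(rec.chromeVersion, minimum)) unpatched.push(rec.host);
    } catch {
      unknown.push(rec.host);
    }
  }
  return { unpatched, unknown };
}

console.log(findUnpatchedHosts(SAMPLE_INVENTORY));
```

Feed it the version column from whatever your endpoint management tool exports; the "unknown" list is the one to chase by hand, since a host that reports no parseable version is usually a host nobody is patching.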
M&S Breach: DragonForce Behind Devastating Attack via Third-Party Access
We now know who is behind the cyber-attack that brought parts of Marks & Spencer (M&S) to a standstill. The hacking group DragonForce has claimed responsibility for the breach, which was made possible through a third-party supplier with privileged access to M&S systems.
This sophisticated attack caused widespread operational disruption and led to the compromise of highly sensitive customer data, highlighting how even established retail giants remain vulnerable to supply chain threats.
Attack Timeline and Impact:
- Attack launched over the Easter bank holiday weekend (April 2025).
- Online orders were paused for over three weeks.
- M&S shut down major internal IT systems to contain the breach.
- Food logistics were hit, leaving some stores with empty shelves.
- The attackers exfiltrated a wide array of personal customer information.
Data Compromised Includes:
- Full names, dates of birth, and telephone numbers
- Home and email addresses
- Household profile information
- Online order history
M&S has confirmed that full card payment details were not stored, so these were not compromised.
Confirmed Attacker: DragonForce
DragonForce—a group already linked to attacks on the Co-op and an attempted hack on Harrods—is believed to be orchestrating a coordinated campaign against major British retailers. The M&S incident is their most high-profile and damaging breach to date.
Financial Repercussions:
Bank of America estimates M&S has lost over £40 million in sales every week since the attack, severely impacting its digital revenue streams. Online retail—especially clothing and homeware—has been hardest hit.
Customer Guidance:
- Change your M&S password immediately, and do not reuse old or common credentials.
- Enable two-factor authentication (2FA) where possible to secure your accounts.
- Be vigilant for phishing emails or scam calls referencing M&S orders or customer service.
- If in doubt, verify communications via the official website or contact centre before taking action.
Sophisticated npm Malware Uses Google Calendar for C2 Communications
Security researchers have uncovered a multi-stage supply chain attack via npm packages that cleverly uses Google Calendar events as a command-and-control (C2) mechanism—an unprecedented method that evades traditional security tools.
Attack Details:
- Threat actors uploaded benign-looking npm packages to the public registry.
- When installed, the package checks an attacker-controlled Google Calendar event for encoded instructions.
- The technique allows remote command execution, data theft, and malware updates without direct C2 server detection.
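What this technique looks like from the defender's side is ordinary HTTPS to Google endpoints, which is why it slips past domain-based blocking. The signal is the source of the traffic rather than the destination: a developer's browser talking to Google Calendar is routine, a build agent's node process doing so is not. The block below is an added example, not code from the report or from any product, that runs that check over egress log lines. The log format, field names, hostnames and process allowlist are all constructed for the example.

```javascript
// Added example: flag Google Calendar traffic that does not come from a web
// browser. Destinations are legitimate Google hosts, so the anomaly is the
// originating process, not the domain.

// Hosts that carry Calendar traffic. www.googleapis.com also serves many other
// Google APIs, so for that host only the Calendar API path counts.
const CALENDAR_HOSTS = new Set(["calendar.google.com", "www.googleapis.com"]);

// Processes for which Calendar traffic is expected (assumption: an allowlist the
// defender maintains for their own estate).
const BROWSER_PROCESSES = new Set(["chrome", "firefox", "msedge", "safari"]);

// Constructed egress log lines in the form
// "<iso-time> host=<endpoint> proc=<process> dst=<destination host> path=<url path>"
const SAMPLE_EGRESS_LOG = `
2025-05-13T09:02:11Z host=dev-lap-07 proc=chrome dst=calendar.google.com path=/calendar/u/0/r
2025-05-13T09:02:40Z host=ci-runner-3 proc=node dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2025-05-13T09:03:05Z host=ci-runner-3 proc=node dst=registry.npmjs.org path=/lodash
2025-05-13T09:04:17Z host=dev-lap-12 proc=node dst=calendar.google.com path=/calendar/ical/example/public/basic.ics
2025-05-13T09:05:00Z host=dev-lap-07 proc=slack dst=www.googleapis.com path=/drive/v3/files
`.trim();

// Parse one line into a record; return null for lines that do not match the format.
function parseEgressLine(line) {
  const m = line.match(/^(\S+) host=(\S+) proc=(\S+) dst=(\S+) path=(\S+)$/);
  if (!m) return null;
  return { time: m[1], host: m[2], proc: m[3], dst: m[4], path: m[5] };
}

// True for requests that reach the Calendar service.
function isCalendarRequest(rec) {
  if (!CALENDAR_HOSTS.has(rec.dst)) return false;
  if (rec.dst === "www.googleapis.com") return rec.path.startsWith("/calendar/");
  return true;
}

// Records where Calendar traffic originates from a non-browser process.
function findNonBrowserCalendarEgress(logText) {
  return logText
    .split("\n")
    .map(parseEgressLine)
    .filter(Boolean)
    .filter((rec) => isCalendarRequest(rec) && !BROWSER_PROCESSES.has(rec.proc));
}

console.log(findNonBrowserCalendarEgress(SAMPLE_EGRESS_LOG));
```

On the constructed sample this returns the two node-originated requests (the CI runner hitting the Calendar API and the laptop fetching an iCal feed) and ignores the browser session and the Slack request to Drive. Whether a proxy or EDR export carries a process name is the practical limitation; where it does not, the same logic can key on host role (build agents, servers) instead.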
Why It Matters:
This represents a major evolution in covert C2 infrastructure, potentially impacting:
- Open-source software projects and developers.
- Any business leveraging npm packages, including healthtech apps built in JavaScript frameworks.
Recommendation:
- Audit recent npm dependencies across all projects.
- Use tools like npm audit and socket.dev to detect malicious packages.
- Employ egress filtering and anomaly detection for unusual cloud service usage.
- Encourage a secure SDLC and validate all third-party libraries.
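A dependency audit for this campaign has two concrete things to look for: install-time lifecycle scripts, which run on npm install before the package is ever imported, and source code that references Google Calendar endpoints. The block below is an added example, not the report's code and not npm audit or socket.dev, that applies both checks to package manifests and tiers the results. Both checks are heuristics (a hit means the package warrants review, not that it is malicious), and the package names, scripts and source snippets are constructed for the example.

```javascript
// Added example: static pre-install triage over npm package manifests.
// Flags (1) lifecycle hooks that execute on install and (2) source text that
// references Google Calendar endpoints, the C2 channel described in the report.

// preinstall/install/postinstall run for registry installs; prepare runs for
// git dependencies and local installs, so it is included but weighted the same.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Substrings that indicate Calendar access (heuristic; Calendar API calls go
// through www.googleapis.com/calendar/v3/).
const CALENDAR_INDICATORS = ["calendar.google.com", "googleapis.com/calendar", "/calendar/v3/"];

// Constructed packages: package.json fields plus the package's JS source
// concatenated, as you might collect from node_modules/<name> after an
// install run with scripts disabled (npm install --ignore-scripts).
const SAMPLE_PACKAGES = [
  { name: "left-pad-ish", scripts: {}, source: "module.exports = s => ' '.repeat(4) + s;" },
  {
    name: "build-helper-x",
    scripts: { postinstall: "node setup.js" },
    source: "const u='https://www.googleapis.com/calendar/v3/calendars/x/events'; fetch(u).then(r=>r.text());",
  },
  { name: "fancy-logger", scripts: { prepare: "tsc -p ." }, source: "export const log = console.log;" },
];

// Findings for one package: which install hooks exist, which indicators appear,
// and a severity that puts install-time code reaching the C2 channel first.
function auditPackage(pkg) {
  const scripts = pkg.scripts || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string" && scripts[h].length > 0);
  const indicators = CALENDAR_INDICATORS.filter((ind) => (pkg.source || "").includes(ind));
  let severity = "none";
  if (hooks.length && indicators.length) severity = "high";
  else if (indicators.length) severity = "medium";
  else if (hooks.length) severity = "low";
  return { name: pkg.name, hooks, indicators, severity };
}

// Only packages with at least one finding, for the reviewer's queue.
function auditAll(packages) {
  return packages.map(auditPackage).filter((f) => f.severity !== "none");
}

console.log(auditAll(SAMPLE_PACKAGES));
```

Run against a real tree, the "low" tier will be noisy because many legitimate packages carry postinstall steps; the value is in the "high" tier, where an install hook and a Calendar reference appear together, which is exactly the combination the report describes.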