This week’s Threat Report reveals a cross-origin vulnerability in Google Chrome, a ransomware assault on Christie’s auction house by DragonForce, and a remarkably stealthy npm malware campaign using Google Calendar as a command-and-control mechanism.
Each of these threats poses significant risks for organisations striving to maintain trust, compliance, and data protection.
A critical zero-day vulnerability in Google Chrome (tracked as CVE-2024-4671) has been exploited in the wild, allowing attackers to access sensitive data from other domains—a breach of the browser’s Same-Origin Policy.
The vulnerability stems from a use-after-free flaw in Chrome’s Visuals component, which could be triggered by crafted web content. Malicious sites can exploit this flaw to bypass sandboxing and exfiltrate data from secure domains (e.g., online banking, internal apps, or cloud dashboards).
Credential theft and session hijacking.
Unauthorised access to sensitive business or user information.
Potential for further malware injection via abused browser sessions.
We now know who is behind the cyber-attack that brought parts of Marks & Spencer (M&S) to a standstill. The hacking group DragonForce has claimed responsibility for the breach, which was made possible through a third-party supplier with privileged access to M&S systems.
This sophisticated attack caused widespread operational disruption and led to the compromise of highly sensitive customer data, highlighting how even established retail giants remain vulnerable to supply chain threats.
Attack launched over the Easter bank holiday weekend (April 2025).
Online orders were paused for over three weeks.
M&S shut down major internal IT systems to contain the breach.
Food logistics were hit, leaving some stores with empty shelves.
The attackers exfiltrated a wide array of personal customer information.
Full names, dates of birth, and telephone numbers
Home and email addresses
Household profile information
Online order history
M&S has confirmed that full card payment details were not stored, so these were not compromised.
DragonForce—a group already linked to attacks on the Co-op and an attempted hack on Harrods—is believed to be orchestrating a coordinated campaign against major British retailers. The M&S incident is their most high-profile and damaging breach to date.
Bank of America estimates M&S has lost over £40 million in sales every week since the attack, severely impacting its digital revenue streams. Online retail—especially clothing and homeware—has been hardest hit.
Change your M&S password immediately, and do not reuse old or common credentials.
Enable two-factor authentication (2FA) where possible to secure your accounts.
Be vigilant for phishing emails or scam calls referencing M&S orders or customer service.
If in doubt, verify communications via the official website or contact centre before taking action.
Security researchers have uncovered a multi-stage supply chain attack via npm packages that cleverly uses Google Calendar events as a command-and-control (C2) mechanism—an unprecedented method that evades traditional security tools.
Threat actors uploaded benign-looking npm packages to the public registry.
When installed, the package checks an attacker-controlled Google Calendar event for encoded instructions.
The technique allows remote command execution, data theft, and malware updates without direct C2 server detection.
This represents a major evolution in covert C2 infrastructure, potentially impacting:
Open-source software projects and developers.
Any business leveraging npm packages, including healthtech apps built in JavaScript frameworks.
Use tools such as npm audit and socket.dev to detect malicious packages.