Programmer’s Digest #151
09/10/2025-09/17/2025 Chaos Mesh Critical GraphQL Flaws, New FileFix Phishing Variant Deploys StealC Malware, Self-Replicating Worm Hits 180+ npm Packages And More.
1. Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover
Cybersecurity researchers have disclosed multiple critical flaws in Chaos Mesh that could allow attackers to take over Kubernetes clusters. An attacker with minimal in-cluster network access could exploit these vulnerabilities to run fault injections (e.g., shutting down pods, disrupting networks) and steal privileged tokens for further malicious activity.
Chaos Mesh is an open-source chaos engineering platform that simulates system failures during development. The vulnerabilities, dubbed Chaotic Deputy, include:
- CVE-2025-59358 (7.5): Exposes an unauthenticated GraphQL debug server, enabling cluster-wide denial-of-service.
- CVE-2025-59359, CVE-2025-59360, CVE-2025-59361 (all 9.8): Command injection flaws in key mutations.
An attacker could chain these bugs for remote code execution, even under default settings. JFrog attributed the issues to weak authentication in the Controller Manager. The flaws were patched in Chaos Mesh v2.7.3 (released August 21, 2025). Users are urged to upgrade immediately or restrict network access if patching is delayed.
2. New FileFix Phishing Variant Deploys StealC Malware via Steganography
A new variant of the FileFix phishing tactic has emerged, delivering the StealC infostealer through multilingual phishing sites that impersonate Meta account suspension warnings. First observed in June 2025, the campaign uses Bitbucket-hosted images with steganography to hide payloads, tricking victims into copying malicious commands into Windows File Explorer’s address bar. This launches PowerShell scripts that bypass antivirus tools and install StealC, which steals credentials, browser data, and cryptocurrency wallets.
Unlike traditional phishing with attachments, this approach leverages social engineering and a patched Windows flaw (CVE-2025-24071), though many systems remain unprotected. Analysts note refinements like obfuscated JavaScript and dynamic payloads, with detections spiking globally across North America, Europe, and Asia.
Security firms warn the campaign’s stealth makes it harder to detect, echoing earlier FileFix-linked RAT attacks. Experts urge enterprises to patch systems, enable advanced threat protection, and monitor clipboard activity to counter this evolving malware delivery method.
3. Self-Replicating Worm Hits 180+ npm Packages to Steal Credentials in Latest Supply Chain Attack
Researchers have uncovered a major software supply chain attack on the npm registry, affecting more than 500 packages across multiple maintainers. Dubbed the Shai-Hulud attack, the campaign trojanizes packages by injecting a malicious script (“bundle.js”) that installs TruffleHog to scan developer machines for secrets (e.g., GITHUB_TOKEN, NPM_TOKEN, AWS keys). Stolen credentials are exfiltrated to attacker-controlled servers and abused to create GitHub Actions workflows for persistence. The malware targets both Windows and Linux and spreads automatically by republishing infected packages, making it function like a self-propagating worm.
Notably impacted are packages maintained under @ctrl, @nativescript-community, and @crowdstrike. CrowdStrike confirmed malicious packages were published but said its Falcon platform is unaffected. Researchers warn the worm’s cascading compromise could spread widely given npm’s interdependencies. Developers are urged to audit environments, rotate tokens, and upgrade packages immediately.
The campaign follows last month’s s1ngularity attack, with experts calling it one of the most severe JavaScript supply chain incidents to date.
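As an added example (not code from the digest or from any of the vendors it cites), here is a small audit script that walks a project's node_modules and flags the two traits described above: packages under the scopes the digest names, and install-time lifecycle hooks that execute a bundle.js. The scope list and the bundle.js heuristic are assumptions drawn from this write-up, and the packages in demo() are constructed samples, not real registry contents.

```python
import json
import os
import tempfile
from pathlib import Path

# Scopes this digest names as affected; extend the set from your own advisory feed.
WATCHED_SCOPES = {"@ctrl", "@nativescript-community", "@crowdstrike"}
# npm lifecycle hooks that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

def inspect_package(pkg_json: Path) -> list[str]:
    """Return reasons this package matches the Shai-Hulud traits, [] if none."""
    try:
        meta = json.loads(pkg_json.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [f"{pkg_json}: unreadable package.json"]
    name = meta.get("name", "?")
    scope = name.split("/")[0] if name.startswith("@") else ""
    reasons = []
    if scope in WATCHED_SCOPES:
        reasons.append(f"{name}: scope {scope} named in the Shai-Hulud reporting")
    for hook in LIFECYCLE_HOOKS:
        cmd = str(meta.get("scripts", {}).get(hook, ""))
        if "bundle.js" in cmd:  # heuristic: the trojanized packages ran a bundle.js
            reasons.append(f"{name}: {hook} hook executes bundle.js ({cmd})")
    return reasons

def scan_node_modules(root: Path) -> list[str]:
    """Walk every node_modules directory under root and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files and "node_modules" in Path(dirpath).parts:
            findings.extend(inspect_package(Path(dirpath) / "package.json"))
    return sorted(findings)

def demo() -> list[str]:
    """Build a constructed sample tree (not real packages) and scan it."""
    samples = {
        "left-pad": {"name": "left-pad", "scripts": {"test": "node test.js"}},
        "@ctrl/sample": {"name": "@ctrl/sample",
                         "scripts": {"postinstall": "node bundle.js"}},
        "plainpkg": {"name": "plainpkg", "scripts": {"preinstall": "node bundle.js"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, meta in samples.items():
            d = Path(tmp) / "node_modules" / folder
            d.mkdir(parents=True)
            (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
        return scan_node_modules(Path(tmp))
```

Run scan_node_modules on a real checkout to get the list of flagged packages; a hit is a reason to check the package's provenance and rotate any tokens that machine held, not proof of compromise by itself.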
4. Critical CVE-2025-5086 Flaw in DELMIA Apriso Actively Exploited, CISA Warns
A critical flaw in Dassault Systèmes’ DELMIA Apriso (CVE-2025-5086, CVSS 9.0) is being actively exploited, according to CISA, which added it to its Known Exploited Vulnerabilities list on September 12, 2025. The bug stems from deserialization of untrusted data, enabling remote code execution.
DELMIA Apriso is a core Manufacturing Operations Management (MOM) platform used in automotive, aerospace, and consumer goods. Versions from 2020–2025 are vulnerable, exposing factories to production halts, data theft, or sabotage. Federal agencies must patch by October 2, but private firms face no mandate despite escalating risks.
Exploits observed in the wild inject payloads for ransomware or espionage, leveraging Apriso’s integration with physical machinery. Dassault has issued fixes, but patching in industrial settings is difficult due to downtime costs and legacy systems.
Experts urge immediate updates, network segmentation, and zero-trust strategies, warning that delays could trigger global supply chain disruptions and long-term industrial security fallout.