Content 

01. News Bites
  • London councils hit by cyber attack causing widespread service disruption
  • Shai-Hulud supply chain attack jumps from npm to Maven, exposing thousands of developers
  • Cyber attack on CodeRED vendor left US cities without emergency alert service
  • CISA warns of espionage campaigns targeting messaging apps with spyware
  • FBI warns of sharp rise in account takeover fraud linked to bank impersonation scams
02. Conclusion

Quick News Bites

London councils hit by cyber attack causing widespread service disruption

Three London councils have been forced to activate emergency measures after a cyber attack caused major service disruption across shared IT systems. The Royal Borough of Kensington and Chelsea and Westminster City Council confirmed multiple internal systems were impacted, including phone lines and online contact services, prompting precautionary shutdowns to limit further damage and protect residents’ data. Due to shared infrastructure, the London Borough of Hammersmith and Fulham also implemented additional safeguards, which led to further operational disruption.

The authorities said they are working closely with specialist cyber incident responders and the National Cyber Security Centre. Investigations into the attack are ongoing, and although no threat group has publicly claimed responsibility, security experts believe the incident may involve ransomware linked to a third-party services provider. The Information Commissioner’s Office has been notified, and residents are being kept informed as systems are gradually restored.

Shai-Hulud supply chain attack jumps from npm to Maven, exposing thousands of developers

A second wave of the Shai-Hulud supply chain attack has expanded beyond npm and has now reached the Maven ecosystem, highlighting the growing risk to open source software supply chains. Researchers identified a malicious Maven package, org.mvnpm:posthog-node:4.18.1, which mirrors the same stealthy components used in previously compromised npm libraries. While the package was not published directly by the original project, it was automatically generated by a system that repackages npm modules into Maven artifacts. All known infected copies have now been removed.

The attack is designed to steal sensitive data, including cloud credentials, API keys, and GitHub and npm tokens, while also enabling deeper compromise of development environments. More than 28,000 repositories have been affected, with thousands of secrets exposed. The malware uses advanced evasion techniques, rogue CI workflows, and self-replication to spread rapidly. Security teams are urging immediate key rotation, dependency audits, and CI/CD hardening.
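The dependency audit recommended above can be started with a simple check of each project's `pom.xml` for the coordinate named in this bulletin. The script below is an added example, not code from Integrity360 or from the Shai-Hulud research it summarises: it parses a POM (with or without the default Maven namespace), resolves `${property}` version placeholders from the `<properties>` block, and reports any `groupId:artifactId:version` that matches an indicator set. The indicator set contains only the coordinate from the bulletin; the sample POM, the `com.example` dependency and the `posthog.version` property are constructed for the demonstration, and the set is meant to be extended from your own intelligence feed.

```python
"""Flag known-bad Maven coordinates in a pom.xml (added example, not Integrity360's code)."""
import re
import sys
import xml.etree.ElementTree as ET

# Indicator taken from the bulletin text. Extend with your own feed; the
# set structure (groupId, artifactId, version) is an assumption of this example.
KNOWN_BAD = {("org.mvnpm", "posthog-node", "4.18.1")}

_PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed sample POM: one matching dependency whose version comes from a
# property, plus one benign placeholder dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-service</artifactId>
  <version>1.0.0</version>
  <properties>
    <posthog.version>4.18.1</posthog.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.mvnpm</groupId>
      <artifactId>posthog-node</artifactId>
      <version>${posthog.version}</version>
    </dependency>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>benign-lib</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>
"""


def _namespace(root):
    """Return the '{uri}' prefix of the POM's default namespace, or '' if none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _properties(root, ns):
    """Collect <properties> (plus project.version) so ${name} versions can be resolved."""
    props = {}
    props_el = root.find(f"{ns}properties")
    if props_el is not None:
        for child in props_el:
            props[child.tag[len(ns):]] = (child.text or "").strip()
    ver = root.find(f"{ns}version")
    if ver is not None and ver.text:
        props.setdefault("project.version", ver.text.strip())
    return props


def _resolve(value, props):
    """Substitute ${name} placeholders; unknown names are left untouched."""
    if value is None:
        return None
    return _PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def maven_dependencies(pom_text):
    """Yield (groupId, artifactId, version) for every <dependency> element,
    including those under dependencyManagement and plugin sections."""
    root = ET.fromstring(pom_text)
    ns = _namespace(root)
    props = _properties(root, ns)
    for dep in root.iter(f"{ns}dependency"):
        fields = []
        for tag in ("groupId", "artifactId", "version"):
            el = dep.find(f"{ns}{tag}")
            raw = el.text.strip() if el is not None and el.text else None
            fields.append(_resolve(raw, props))
        yield tuple(fields)


def find_known_bad(pom_text, indicators=KNOWN_BAD):
    """Return the sorted list of dependency coordinates present in the indicator set."""
    return sorted(d for d in set(maven_dependencies(pom_text)) if d in indicators)


if __name__ == "__main__":
    # Usage: python scan_pom.py path/to/pom.xml   (falls back to the sample POM)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_POM
    hits = find_known_bad(text)
    for g, a, v in hits:
        print(f"KNOWN-BAD dependency: {g}:{a}:{v}")
    sys.exit(1 if hits else 0)
```

The non-zero exit code on a hit makes the script usable as a CI gate. Because `root.iter()` walks the whole document, dependencies pinned in `<dependencyManagement>` or inside plugin configuration are covered too, which matters when a version is inherited rather than declared next to the artifact.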

Cyber attack on CodeRED vendor left US cities without emergency alert service

Towns and cities across the United States lost access to the CodeRED emergency alert system following a cyber attack on vendor Crisis24. The platform is used to deliver real-time public safety messages, including severe weather warnings, missing person alerts and security incidents. Multiple municipalities issued near-identical notices confirming service disruption after the breach.

Douglas County, Colorado has terminated its contract and is seeking an alternative provider, while other authorities are waiting for Crisis24 to complete work on a new platform that is said to operate in a separate, non-compromised environment. Several regions have switched to social media and door-to-door notifications in the interim.

Crisis24 confirmed that personal data, including names, addresses, email details, phone numbers and passwords, was accessed. Residents have been advised to change passwords, particularly if reused elsewhere. The INC ransomware group has claimed responsibility, published samples of stolen data and threatened to sell the remaining information after failed ransom negotiations.

CISA warns of espionage campaigns targeting messaging apps with spyware

The U.S. Cybersecurity and Infrastructure Security Agency has issued a warning that threat actors are actively using commercial spyware and remote access trojans to target users of popular mobile messaging applications. According to the agency, attackers are using highly targeted social engineering techniques to hijack accounts and gain access to private communications, before deploying additional malware to fully compromise victims’ devices.

Recent campaigns include attempts to take over Signal accounts using the linked devices feature, Android spyware operations such as ProSpy, ToSpy and ClayRat, and targeted exploitation of previously unknown flaws in iOS, WhatsApp and Samsung devices. These attacks often rely on device-linking QR codes, zero-click exploits and fake versions of trusted apps.

The activity is primarily aimed at high-value individuals, including government officials, military personnel and civil society figures across the United States, Europe and the Middle East. CISA has urged at-risk users to adopt stronger authentication, secure mobile accounts and regularly update devices to reduce exposure.

FBI warns of sharp rise in account takeover fraud linked to bank impersonation scams

The FBI has reported a significant surge in account takeover fraud, with criminals stealing more than $262 million since the start of the year by impersonating financial institutions. The Internet Crime Complaint Center has received over 5,100 reports of these attacks, affecting individuals, businesses and organisations across multiple sectors.

In these schemes, threat actors use phishing, fake websites and social engineering to trick victims into handing over login details and one-time passcodes. Once access is gained, criminals rapidly transfer funds to accounts connected to cryptocurrency wallets, then change passwords to lock legitimate users out. Recovery is often extremely difficult due to the speed of the transfers and the use of crypto.

The FBI has urged users to closely monitor financial accounts, use strong and unique passwords, enable multi-factor authentication and only access banking sites through trusted bookmarks. Victims are advised to immediately contact their bank, request fund recalls and report incidents through official channels.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.