What a Rogue Package, a Ransomware Hit, and One Mistake Say About Cyber Risk Right Now
In September 2025 several major cybersecurity incidents occurred: the npm ecosystem was hit by the worm-style malware "Shai-Hulud"; a Brazilian healthcare software vendor was hit by KillSec ransomware because of an AWS misconfiguration; a former employee's abuse of access at a U.S. bank exposed the data of 689,000 customers; and a third-party vendor compromise leaked Cloudflare API tokens. These incidents highlight the risks of supply chain attacks, insider threats and misconfigurations, and underline the need to contain lateral movement through microsegmentation and the principle of least privilege.
2025-10-3 14:44:40 Author: securityboulevard.com

In September 2025, we saw a worm-style supply chain attack hit npm packages, a major ransomware incident in Brazil’s healthcare sector, an insider breach at a U.S. bank, and Cloudflare dealing with fallout from a vendor compromise.

In this blog, we’ll walk through four of the biggest incidents from the latest ColorTokens Threat Advisory, explain why they matter, and share what security teams can learn from them.

1. The Worm That Went Viral: npm’s “Shai-Hulud” Attack

A worm-style malware dubbed “Shai-Hulud” (a nod to the Dune universe) spread across the npm ecosystem. What makes this one different? It didn’t just infect packages, it used them to spread itself, worm-style.


Here’s what it did, automatically:

  • Stole secrets from cloud metadata endpoints and local environments.
  • Pushed those secrets to GitHub via auto-created public repos.
  • Infected every npm package a maintainer had access to by modifying versions and inserting malicious scripts.
  • Created GitHub workflows to leak even more data.

The attacker doesn’t need to manually target packages—once a single environment is compromised, the worm does the rest.

Why it matters: This is a wake-up call for every developer and DevOps team. One compromised maintainer = dozens (or hundreds) of poisoned packages. If your CI/CD pipelines aren’t locked down and secrets are floating around in environment variables, now’s the time to change that.

Also, if you’re running any of the compromised packages, clean your npm cache and reinstall from scratch.


2. KillSec Ransomware Targets Brazil’s Healthcare Backbone

It wasn’t just software that got hit. On September 8, ransomware group KillSec targeted MedicSolution, a healthcare software vendor in Brazil. The breach exposed 34 GB of sensitive medical data, including:

  • Lab results and X-rays
  • Images of patients (many unredacted)
  • Records involving minors

And this vendor served multiple clinics. That means dozens of downstream organizations, and thousands of patients, are now caught in the blast radius.

The cause was a misconfigured AWS S3 bucket. The consequence? Months of quiet data theft before anyone noticed.

Why it matters: Healthcare breaches aren’t just about money. They hurt people. When your healthcare SaaS partner gets hit, it’s not just their problem, it becomes yours too. 

This attack also underlines how cybercriminals use data not just to extort organizations, but to emotionally blackmail them by threatening public exposure of deeply personal data.

3. Insider Gone Rogue: FinWise Bank Breach Hits 689,000

What’s worse than an outsider breaching your systems? An insider doing it after they’ve left the company.

In a jaw-dropping lapse, FinWise Bank revealed that a former employee accessed sensitive data belonging to 689,000 customers of American First Finance, months after they’d left the job. The breach only came to light after the data showed up in strange places.

No one knows yet how the ex-employee retained access. But what’s clear is that offboarding procedures failed in a big way.

Why it matters: Insider threats often fly under the radar. But this case shows how a single overlooked user account can turn into a full-blown breach months down the line.

A checklist for a strong offboarding process:

  • Revoke all credentials immediately upon exit.
  • Disable VPN, email, cloud, and device access.
  • Regularly audit access logs.
  • Don’t rely on manual processes. Automate.
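The "audit access logs" step can be automated by joining an HR roster (with termination dates) against access events and flagging anything that happens after a user's exit, which is exactly the pattern the FinWise case describes. This is an added example, not ColorTokens' or FinWise's tooling; the roster, the log format and all user names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed HR roster: user -> termination date (None = still employed).
ROSTER = {
    "alice": None,
    "bob": datetime(2025, 3, 15),
    "carol": datetime(2025, 6, 10),
}

# Constructed access-log lines (hypothetical format): timestamp user resource action.
ACCESS_LOG = """\
2025-03-10T09:12:00 bob customer_db read
2025-05-02T22:41:07 bob customer_db export
2025-07-19T03:05:44 carol file_share read
2025-07-20T10:00:00 alice customer_db read
2025-08-01T11:00:00 dave customer_db read
"""


def parse_line(line):
    ts, user, resource, action = line.split()
    return datetime.fromisoformat(ts), user, resource, action


def find_post_termination_access(log_text, roster, grace=timedelta(0)):
    """Return (timestamp, user, resource, action, reason) for every event by a
    user whose termination date (plus an optional grace period) has passed,
    and for every account that HR does not know about at all."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, action = parse_line(line)
        if user not in roster:
            # An account with no HR record is a leftover or shared identity: review it.
            findings.append((ts, user, resource, action, "unknown-account"))
            continue
        term = roster[user]
        if term is not None and ts > term + grace:
            days = (ts - term).days
            findings.append((ts, user, resource, action, f"{days}d-after-termination"))
    return findings


if __name__ == "__main__":
    for ts, user, resource, action, reason in find_post_termination_access(ACCESS_LOG, ROSTER):
        print(f"{ts.isoformat()} {user} {action} {resource}: {reason}")
```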


4. Cloudflare Caught in Drift/Salesloft Supply Chain Splash

Cloudflare, one of the internet’s most trusted guardians, confirmed that 104 of its API tokens were exposed in a third-party breach, part of the broader Drift and Salesloft compromise. The attackers exploited a Salesforce integration to exfiltrate customer case data.

Although no funds were touched and passwords remained safe, the stolen data includes customer contact information, case descriptions, and potentially sensitive configuration details shared during support sessions.

Why it matters: This is the cost of digital interconnectedness—one weak link affects hundreds. Cloudflare acted quickly, rotated tokens, and alerted customers. But the damage from these “support data leaks” often shows up weeks or months later in targeted phishing or credential stuffing attacks.

The OT Sector Isn’t Off the Hook Either

CISA released eight new advisories for industrial control systems in mid-September, impacting major vendors like Siemens, Hitachi, Delta Electronics, and Schneider Electric. These are the backbone systems that keep factories running and grids powered. Vulnerabilities in these environments don’t just pose cyber risk, they invite kinetic consequences.

If you’re running anything from Schneider Altivar to Delta DIALink, now’s the time to review patch guidance and lock down OT/ICS environments.


One Common Thread: Stopping Lateral Movement

If there’s one lesson across these incidents, it’s this: attackers don’t stop at the first system they compromise. They move laterally, looking for higher privileges, more sensitive data, and bigger disruption.

That’s why traditional defenses that only focus on keeping bad actors out aren’t enough. In every case we’ve seen here—whether it’s a worm spreading through npm packages, ransomware jumping from a healthcare vendor to multiple clinics, or an insider abusing leftover access—the damage multiplied once attackers were able to move deeper into the environment.

This is where microsegmentation comes in. By breaking networks into smaller, controlled zones and enforcing “least privilege” communication between them, organizations can contain intruders to a single corner instead of letting them roam freely. Think of it like sealing off compartments on a ship: one leak doesn’t sink the whole vessel. That kind of containment is what separates a contained incident from a full-scale crisis.

And if you’d like to understand how ColorTokens can help stop lateral movement in your own environment, request a demo or set up a no-obligation consultation with one of our top advisors.

The post What a Rogue Package, a Ransomware Hit, and One Mistake Say About Cyber Risk Right Now appeared first on ColorTokens.

*** This is a Security Bloggers Network syndicated blog from ColorTokens authored by Tanuj Mitra. Read the original post at: https://colortokens.com/blogs/ransomware-protection-npm-worm-cloudfare-cyber-risk/


Source: https://securityboulevard.com/2025/10/what-a-rogue-package-a-ransomware-hit-and-one-mistake-say-about-cyber-risk-right-now/