This week’s cybersecurity and dark web news stories dive into the London councils hit by cyberattacks, the major escalation of an NPM supply chain attack, and the data breach on Iberia.
London Councils Hit by Cyber Attacks
Several London councils are believed to have been targeted in cyberattacks within the past few days, leading to significant disruption across shared IT systems and services.
The Royal Borough of Kensington & Chelsea (RBKC) and Westminster City Council confirmed they are “responding to a cyber incident affecting some shared IT systems,” which has disrupted services including phone lines. RBKC reported that the issue was quickly identified on Monday, prompting the activation of emergency plans to ensure critical services could still be delivered.
The two councils are working closely with cyber specialists and the National Cyber Security Centre (NCSC) to protect data and restore services. The Metropolitan Police is investigating the incident following a referral from Action Fraud, though no arrests have been made, with enquiries remaining in the early stages within the Met’s Cyber Crime Unit.
In a separate but connected incident, Hammersmith & Fulham Council issued a memo stating it had experienced a “serious cyber security incident.” The council suggested its issues are linked to the attack affecting RBKC and Westminster. While working to fix the problem as quickly as possible, they noted that connectivity issues would remain until RBKC could guarantee its networks were safe – a process that could take several days. Staff were urgently advised not to click on any links from Kensington and Chelsea Council and Westminster City Council colleagues in Outlook or Teams accounts “until further notice.”
RBKC has notified the Information Commissioner’s Office and stated that while they are investigating, it is “too early to say who did this, and why, but we are investigating to see if any data has been compromised.”
Elsewhere, Hackney Council, which suffered a serious cyber attack in 2020, raised its cyber security threat level to “critical” after receiving intelligence that “multiple London councils have been targeted by cyber-attacks within the last 24 – 48 hours.” Although the east London authority itself has not been targeted, an urgent memo was sent to staff warning them against phishing attacks and stressing that their immediate co-operation is “essential to protect the council and the data of our residents.”
Mayor of London Sir Sadiq Khan, when asked about the attacks, highlighted that City Hall is assisting councils to build “better cyber-resilience” and learn lessons from previous high-profile attacks on organisations like Transport for London, Marks & Spencer, and Heathrow Airport. “We are trying to encourage councils to have better resilience but the reality is, I’m afraid, those who breach protections are going to try more and more ways to get into those systems,” he said.
Both Hammersmith & Fulham and RBKC have apologised for the disruption and thanked residents for their patience as they work to safely bring systems back online.
Second Wave of Sha1-Hulud Malware Compromises Thousands of Projects
The JavaScript ecosystem is dealing with a severe supply-chain crisis following the second, more aggressive wave of the Sha1-Hulud malware. The malware first appeared in September; this latest campaign has compromised thousands of development projects through malicious packages on the popular Node Package Manager (NPM).
Over the past week, cybersecurity researchers have confirmed widespread credential theft, large-scale repository compromises, and an alarming rate of automated propagation through standard developer tooling. This incident serves as a stark reminder for organisations about the fundamental fragility of modern software dependency chains.
How the Sha1-Hulud Malware Operates
The attack leverages malicious preinstall scripts embedded within compromised NPM packages. These scripts execute automatically the moment a package is installed, bypassing many standard scanning tools and protective controls.
Once active, the malware’s primary objective is to exfiltrate a wide array of sensitive credentials, including GitHub tokens, cloud access keys, and NPM authentication tokens. A particularly insidious feature is its ability to register the victim’s machine as a self-hosted GitHub Actions runner, granting attackers a remote execution point within the victim’s secure build environment.
The malware then weaponises recovered NPM tokens to publish altered versions of the victim’s own packages, ensuring the infection spreads quickly and with minimal manual intervention from the attacker. In cases where data exfiltration fails, the malware has also been observed attempting destructive actions.
Significant Scale and Impact on Development
The fallout from this second wave is substantial. Tens of thousands of GitHub repositories have been implicated, with secrets being uploaded to public locations controlled by the attacker. Many maintainers only became aware of the breach after discovering unexpected workflows, rogue runners, or unusual package versions associated with their accounts.
Victims span from independent developers to major software vendors who depend on the now-compromised, widely trusted software dependencies. Developers are now facing a substantial undertaking to rotate credentials, review build pipelines, and audit package histories to confirm the full scope of the compromise.
The core issue lies in modern development practices: developers relied on a trusted ecosystem designed for minimal friction, expecting convenience and speed. Attackers have demonstrated they can exploit these qualities, rapidly propagating malware across layered dependencies – it is truly “dependencies all the way down.”
Defending against this form of attack is complex. While preinstall scripts are a legitimate and necessary component of NPM, attacks like this may necessitate blocking them entirely, despite the fact that this would break many functional packages. Other suggested defensive measures include restricting outbound network access from build environments and implementing credentials with extremely short expiry periods for all automated processes.
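The install-time hooks described above are declared in each package’s manifest, so a build owner can enumerate them before deciding whether to block scripts wholesale. The following is an added example (not code from the article or from any affected project) that audits a set of package.json manifests for preinstall/install/postinstall hooks; the sample manifests and package names are constructed.

```javascript
// Added example: list npm lifecycle scripts that run automatically during
// `npm install`, the hook the article describes Sha1-Hulud abusing.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Constructed sample manifests standing in for node_modules/<pkg>/package.json.
const SAMPLE_MANIFESTS = [
  { name: 'plain-util', version: '1.0.0' },
  { name: 'tidy-lib', version: '2.3.1', scripts: { test: 'node test.js' } },
  { name: 'hooked-pkg', version: '0.9.2', scripts: { preinstall: 'node setup.js', build: 'tsc' } },
  { name: 'native-dep', version: '4.1.0', scripts: { postinstall: 'node-gyp rebuild' } },
];

// Return one finding per install-time hook declared by a single manifest.
function findInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS
    .filter(hook => typeof scripts[hook] === 'string')
    .map(hook => ({ name: manifest.name, version: manifest.version, hook, command: scripts[hook] }));
}

// Audit a whole set of manifests; every hook returned deserves a human review,
// since npm will execute it without further prompting at install time.
function auditManifests(manifests) {
  return manifests.flatMap(findInstallHooks);
}

// Load real manifests from a node_modules directory (top-level packages only;
// scoped @org/pkg directories would need one extra level of descent).
function loadManifests(nodeModulesDir) {
  const fs = require('fs');
  const path = require('path');
  return fs.readdirSync(nodeModulesDir)
    .filter(d => !d.startsWith('.'))
    .map(d => path.join(nodeModulesDir, d, 'package.json'))
    .filter(p => fs.existsSync(p))
    .map(p => JSON.parse(fs.readFileSync(p, 'utf8')));
}

// Report findings for the constructed sample set.
for (const f of auditManifests(SAMPLE_MANIFESTS)) {
  console.log(`${f.name}@${f.version}: ${f.hook} -> ${f.command}`);
}
```

Setting `ignore-scripts=true` in .npmrc is the blanket form of the control the article mentions; this audit shows which packages that setting would actually affect.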
The question of developer fault is tempting, but most victims acted responsibly, using reputable packages with millions of installations that are foundational to the modern software ecosystem. They followed normal practices and had no reasonable means of spotting the compromise before it happened.
However, this incident strengthens the case for more stringent oversight and processes for evaluating package suitability in the supply chain. Certification or governance, especially regarding access management and code review for open-source packages, could provide upstream assurance. Yet, the challenge remains: most of these packages are maintained voluntarily, making the enforcement of compliance requirements difficult and costly.
Iberia Notifies Customers of Data Security Incident Linked to Supplier Breach
Spanish flag carrier Iberia has begun the process of notifying customers about a data security incident that originated from a compromise at one of its third-party suppliers.
The airline, which is Spain’s largest and a part of IAG (International Airlines Group), confirmed that unauthorized access to the vendor’s systems resulted in the exposure of specific customer information.
According to a security notice sent to customers, the compromised data may include:
- Customer’s full name and surname.
- Email address.
- Loyalty card (Iberia Club) identification number.
Crucially, Iberia confirmed that customers’ account login credentials, passwords, banking information, or payment card details were not compromised in the incident.
Actions Taken by Iberia
The airline stated it immediately activated its security protocol to contain the incident, mitigate its effects, and prevent future recurrence. In addition, Iberia has implemented new security measures, including:
- Enhanced Email Protection: The email address linked to customer accounts now requires a verification code before any changes can be made.
- System Monitoring: The airline is actively monitoring its systems for any suspicious activity.
- Authority Notification: Relevant authorities have been notified, and the investigation is ongoing in coordination with the involved supplier.
The disclosure of the supplier breach comes shortly after an unrelated claim surfaced on hacker forums. A threat actor alleged they had accessed and were attempting to sell 77 GB of data, purportedly stolen directly from the airline’s internal servers, for $150,000. This claimed trove reportedly contained technical and internal documents, such as A320/A321 technical data and engine information, but did not mention customer data.
Iberia has not clarified a link between the two events, attributing its reported breach to a third-party vendor, not its own internal servers. The authenticity of the data advertised online remains unverified.