JLR Cyber Shutdown, SlopAds App Fraud, Worm Hits npm – Cybersecurity News [September 15, 2025]

Cyber incidents this week underline just how disruptive attacks have become. One of the country’s biggest carmakers has kept its production lines shut, losing around 1,000 vehicles a day while work continues to restore systems. Investigators also uncovered a vast ad-fraud scheme that ran across 224 apps with 38 million downloads, generating more than two billion fake ad requests daily. Alongside that, a worm-like breach spread through hundreds of npm packages, while poisoned search results and phishing emails delivered remote-access malware to new victims.

JLR Faces Extended Shutdown After Major Cyber Incident

Jaguar Land Rover (JLR) has announced production at its UK factories will remain suspended until 24 September, and it might get extended well beyond that, as it continues to deal with the impact of a cyberattack. The stoppage, now stretching beyond three weeks, has forced the company to shut down its systems and stop operations at three British plants that usually produce around a total of 1,000 vehicles a day, causing significant disruption to both staff and output.

The company explained that the delay is necessary while forensic investigations continue and a careful, staged restart plan is put in place. Although JLR has admitted that some data was affected by the breach, it hasn’t specified whether customer, supplier, or internal systems were involved. Reports suggesting the disruption could last into November have been dismissed by the company as speculation. This incident is raising serious concerns for the wider supply chain, and government cyber experts are now working closely with JLR to help get their systems back online.

SlopAds Fraud Network Exploits 38 Million App Downloads

A massive ad fraud and click fraud operation named SlopAds has been uncovered. It was running across 224 Android apps that managed to get 38 million downloads all over the world. The apps were secretly committing ad fraud by loading hidden web pages and connecting to sites controlled by the attackers. This generated billions of fake ad impressions and clicks every single day. At its peak, the campaign was triggering 2.3 billion ad requests daily, with most of the traffic coming from North America, South Asia, and South America. 

What really set SlopAds apart was how it decided when to commit fraud. The apps would check if they were downloaded organically from the Play Store or through an ad click. The fraudulent parts, which were hidden in PNG image files, would only activate on non-organic installs. This made the apps seem legitimate to regular users and security researchers. While Google has taken all the SlopAds apps down, researchers are warning that this campaign shows how much more sophisticated mobile ad fraud is becoming. 

Self-Replicating Worm Compromises 500+ npm Packages

Security researchers have discovered an enormous npm supply chain attack, which they’ve nicknamed Shai-Hulud. It’s already affected more than 500 packages from a bunch of different maintainers. The attack starts with Trojanised packages that contain a malicious script. This script installs TruffleHog, a credential scanner that harvests valuable secrets like GitHub, npm, and AWS tokens.

The attackers then use these stolen credentials to set up malicious GitHub Actions workflows. It’s an effective strategy because it allows them to keep stealing data during future development runs, long after the initial breach. The most alarming feature of the attack is its worm-like spread. Each infected package automatically republishes a compromised version, allowing the malware to ripple quickly across npm’s ecosystem.

Researchers believe it began with a package called rxnt-authentication, with already breached accounts helping it gain momentum. The malware also attempts to clone private repositories, likely in search of embedded secrets and source code. Experts warn that Shai-Hulud may be one of the most serious JavaScript supply chain breaches yet and are urging developers to audit systems, replace exposed credentials, and upgrade to secure releases without delay.

SEO Poisoning Attack Uses Fake Software Sites to Spread RATs

A widespread SEO-poisoning campaign is inflating bogus sites in search results, luring users to polished lookalike download pages that masquerade as trusted browser and messaging services. When someone downloads an installer, they get the real application, but it’s bundled with malicious payloads, which makes the infection much more challenging to spot. The campaign is delivering several Remote Access Trojans (RATs), including HiddenGh0st, Winos, and a new one called kkRAT. Once on a system, these malware families can log keystrokes, hijack crypto wallets, capture screenshots, and install other spying tools.  

The delivery is controlled by a sneaky script that drops DLL files designed to evade security software, sometimes by using Bring Your Own Vulnerable Driver (BYOVD) techniques. After it’s active, the malware sends back system information by connecting to command and control servers and downloads more plugins for data theft. Cybersecurity experts are warning that even top search results can be weaponized. It’s a reminder to always double-check your download sources, scrutinize domain names, and keep your endpoint protection updated.

RevengeHotels Uses AI Scripts to Target Hospitality Sector

Researchers have spotted the threat actor TA558, also known as RevengeHotels, launching new attacks against the hospitality industry in 2025. The group is sending out phishing emails disguised as invoices, reservations, and job applications to deliver Venom RAT, a commercial remote access trojan that’s based on Quasar RAT. A concerning new development is their use of code that was likely generated by large language models (LLMs). These AI-created JavaScript loaders and PowerShell scripts are being used to fetch the malware.

Venom RAT, which sells for around $650, is a powerful tool. It’s capable of stealing data, setting up a reverse proxy to hide its tracks, and using an anti-kill feature to terminate processes used by security analysts. The malware modifies registry keys to stay on a system, can spread through USB drives, and is even able to disable Microsoft Defender. RevengeHotels has been going after hotels and travel organizations to steal financial data since 2015, and their new use of AI shows a growing trend of cybercriminals refining their operations.