Chrome Spyware Exploited, npm InfoStealer Attack, DELMIA XWiki Vulnerabilities – Cybersecurity News [October 27, 2025]

by DuoCircle

This week’s cybersecurity highlights include a Chrome zero-day exploited by Memento Labs for spyware attacks, new npm supply chain threats like PhantomRaven and an info-stealer campaign, and active exploitation of DELMIA Apriso and XWiki flaws. Meanwhile, ransomware hit Sedgebrook and Heartland Health Center, exposing patient data and prompting renewed healthcare security concerns.

Chrome Zero-Day Exploited to Deploy Memento Labs Spyware Attacks

Kaspersky has uncovered that a now-patched Google Chrome vulnerability, CVE-2025-2783 (CVSS 8.3), was exploited in targeted espionage attacks linked to European surveillance vendor Memento Labs. The flaw, a sandbox escape bug fixed in March 2025, was weaponized in a campaign dubbed Operation ForumTroll, which targeted media, universities, research institutions, government bodies, and financial organizations in Eastern Europe. The campaign, also tracked as TaxOff, Team 46, and Dante APT, used phishing emails posing as invitations to the “Primakov Readings” forum to trigger the exploit and deliver spyware.

The attackers deployed LeetAgent, a new espionage tool from Memento Labs capable of executing commands, stealing documents, injecting shellcode, and running keylogging tasks. In several cases, LeetAgent launched Dante, an advanced spyware framework designed to evade detection and resist analysis. Both tools share code and persistence techniques, indicating they stem from the same developer. Memento Labs, previously known as Hacking Team, confirmed that its Dante spyware was part of the breach, blaming an unnamed government customer for misuse. The incident underscores how commercial surveillance tools marketed for law enforcement continue to be repurposed for covert cyber-espionage operations.

npm Supply Chain Attack Targets Developers with Info Stealer

Cybersecurity researchers have uncovered ten malicious npm packages that delivered a multi-stage information stealer to developers on Windows, Linux and macOS. Uploaded to the registry on 4 July 2025, the typosquatted packages mimicked legitimate libraries such as discord.js, ethers.js, nodemon, react-router-dom, TypeScript and zustand and amassed 9,900 downloads. Each package uses a postinstall hook to spawn a separate terminal window, show a fake CAPTCHA, fingerprint the host by IP, and then fetch a heavily obfuscated loader. The JavaScript loader employs multiple obfuscation techniques, including a dynamic XOR cipher, URL encoding, and numeric encodings, to frustrate analysis.

The loader downloads a 24 MB PyInstaller stealer that scans browsers, config files, SSH keys, and the operating system keyring to harvest credentials, session tokens, and authentication artifacts from email clients, VPNs, cloud sync tools, and password managers. Harvested data is compressed into a ZIP archive and exfiltrated to an attacker-controlled server. By targeting system keyrings the malware bypasses application-level protections and can grant immediate access to corporate email, cloud storage and production systems. Organisations should urgently audit dependencies, remove unfamiliar packages, avoid running npm with elevated privileges and rotate any credentials that may have been exposed. Investigations and monitoring remain ongoing.

Hackers Actively Exploit Critical Flaws in DELMIA Apriso and XWiki

Threat actors are actively exploiting multiple high-severity vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki, according to alerts from CISA and VulnCheck. Two Apriso flaws, CVE-2025-6204 (code injection, CVSS 8.0) and CVE-2025-6205 (missing authorization, CVSS 9.1), affect versions from 2020 to 2025. When combined, these bugs allow attackers to create privileged accounts and drop executable files, leading to full system compromise. CISA has added both flaws to its Known Exploited Vulnerabilities (KEV) catalog, following another critical Apriso bug (CVE-2025-5086) flagged last month.

Meanwhile, VulnCheck has confirmed active exploitation of XWiki’s CVE-2025-24893 (CVSS 9.8), an eval injection flaw allowing remote code execution through the “/bin/get/Main/SolrSearch” endpoint. Attackers are using a two-stage chain to install a cryptocurrency miner, first staging a downloader and later executing it from Southeast Asia-based IPs. The miner kills competing processes like XMRig and connects to c3pool.org. Evidence suggests exploitation has been ongoing since March 2025. CISA has instructed federal agencies to patch the Apriso flaws by November 18, 2025, while all users of DELMIA Apriso and XWiki are strongly urged to update immediately, as exploitation remains active.

Patient Information Exposed in Sedgebrook and Heartland Cyberattacks

Sedgebrook, a retirement village and skilled nursing provider in Lincolnshire, Illinois, disclosed a ransomware incident that disrupted its network in early May 2025. The organization detected the attack on May 5 and, with digital forensics support, found the ransomware actor had access from May 4 to May 5 and encrypted files. A review completed on August 26 confirmed that some of the exposed files contained protected health information, including names, addresses, birth dates, Social Security and driver’s license numbers, financial account and insurance details, medical treatment information and medical record numbers. Notification letters began going out on October 24. While Sedgebrook says there is no evidence so far of misuse, affected individuals with exposed identity numbers have been offered complimentary credit monitoring and identity theft protection. The incident is not yet visible on the HHS OCR breach portal.

Heartland Health Center, which operates clinics in Ravenna and Hastings, Nebraska, identified suspicious activity on February 4, 2025 and launched an investigation with outside cybersecurity experts. That review concluded on June 3 that sensitive patient data had been exposed and may have been stolen by the attacker. The information involved varies by person and includes names, dates of birth, Social Security or driver’s license numbers, account details, diagnosis and treatment data, insurance information, medical record identifiers and other clinical data. Although Heartland says it maintains robust security controls and is strengthening them further, the Medusa ransomware group has claimed responsibility. Affected patients have been offered single-bureau credit monitoring and related services. The HHS OCR portal does not currently list either breach.

PhantomRaven Campaign Targets npm Developers with 100+ Malicious Packages

Cybersecurity researchers have uncovered a new supply chain attack, codenamed PhantomRaven, that is targeting developers through the npm registry. Discovered by Koi Security, the campaign began in August 2025 and has since grown to 126 malicious npm packages with over 86,000 installs. The goal is to steal developer credentials, GitHub tokens, and CI/CD secrets from infected machines. Some of the flagged packages include op-cli-installer, unused-imports, and eslint-comments.

What makes PhantomRaven stand out is the way attackers hide their code. Instead of pulling dependencies from npmjs[.]com, the malicious packages point to an attacker-controlled domain, packages.storeartifact[.]com. This lets them avoid detection by security scanners and analysis tools. Once installed, the packages trigger a pre-install hook that downloads a remote payload, scans the system for sensitive data, and sends it back to the attacker’s server. Researchers say the threat actor used “slopsquatting,” creating fake yet highly realistic package names that AI tools might suggest to developers. The campaign shows how threat actors are growing more adept at abusing open-source ecosystems, taking advantage of npm’s lifecycle scripts and weak dependency visibility to stay hidden.
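Both npm stories above turn on the same three warning signs a defender can check for before running `npm install`: lifecycle install hooks, dependencies that resolve to a URL outside the public registry, and package names that are a near-miss of a popular library. The script below is an added example, not code from the article or from any of the named researchers; the sample manifest and the `example-artifacts.invalid` host are constructed, and the popular-name list and edit-distance threshold are illustrative heuristics.

```javascript
// Added example: static pre-install checks over a package.json object.
const POPULAR = ["discord.js", "ethers", "nodemon", "react-router-dom", "typescript", "zustand"];
const HOOKS = ["preinstall", "install", "postinstall", "prepare"]; // scripts npm runs on install
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]);

// Levenshtein distance; a small non-zero distance to a popular name suggests a typosquat.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

function auditManifest(pkg) {
  const findings = [];
  // 1. Lifecycle hooks: the article's stealers ran from postinstall / preinstall.
  for (const h of HOOKS)
    if (pkg.scripts && pkg.scripts[h])
      findings.push({ kind: "lifecycle-script", name: h, detail: pkg.scripts[h] });
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    // 2. Off-registry dependency specs (tarball or git URLs) bypass registry scanning.
    if (/^(https?:|git\+|git:)/.test(spec)) {
      let host = "(unparseable)";
      try { host = new URL(spec.replace(/^git\+/, "")).hostname; } catch {}
      if (!TRUSTED_HOSTS.has(host))
        findings.push({ kind: "off-registry-dependency", name, detail: host });
    }
    // 3. Near-miss names (heuristic; expect some false positives on short names).
    for (const p of POPULAR) {
      const dist = editDistance(name.toLowerCase(), p);
      if (dist > 0 && dist <= 2) findings.push({ kind: "possible-typosquat", name, detail: p });
    }
  }
  return findings;
}

// Constructed sample manifest showing all three patterns; host is a placeholder.
const SAMPLE_MANIFEST = {
  name: "demo-app",
  scripts: { postinstall: "node ./setup.js" },
  dependencies: {
    "react-router-dom": "^6.26.0",
    "typescrpt": "^5.0.0",
    "unused-imports": "https://packages.example-artifacts.invalid/unused-imports-1.0.0.tgz",
  },
};
console.log(auditManifest(SAMPLE_MANIFEST));
```

For a machine-wide control against the hook tactic, npm's real `ignore-scripts` setting (`npm config set ignore-scripts true`) stops lifecycle scripts from running at all.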
