---
title: "GitHub Backdoor Threat, Cartier Data Breach, Fake RubyGems Steal, Cybersecurity News [June 02, 2025] | DuoCircle"
description: "GitHub Backdoor Threat, Cartier Data Breach, Fake RubyGems Steal, Cybersecurity News [June 02."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-24-of-2025/"
---

Quick Answer

Five items. Trail of Bits found backdoored GitHub repositories posing as malware tools (Sakura RAT, others); the operator Distributed Operations Group ran more than 100 trojanized projects targeting other criminals. Cartier confirmed a data breach following a wave of attacks on luxury retailers, names and email addresses exposed. Counterfeit RubyGems impersonating the Fastlane CI/CD tool stole Telegram bot tokens and chat data from developer pipelines. The North Face disclosed a credential-stuffing attack from April 2025 against vf.com customer accounts. And CISA added a ConnectWise ScreenConnect flaw (CVE-2025-3935) to its Known Exploited Vulnerabilities catalog with a federal patch deadline.

GitHub Backdoor Threat, Cartier Data Breach, Fake RubyGems Steal, Cybersecurity News \[June 02, 2025\]


![cybersecurity](https://media.mailhop.org/duocircle/images/2025/06/email-smtp-service-0905.jpg) 

From hidden backdoors on GitHub to fake Fastlane plugins hijacking social media bots, this **week’s cyber updates** spotlight how trust in familiar tools is being silently exploited. Major brands like The [North Face and Cartier](https://www.bbc.com/news/articles/c39x3jpv8lyo) are also dealing with breaches, and U.S. agencies face urgent patch deadlines due to active vulnerabilities. Let’s take a closer look!

## Backdoored GitHub Repos Leveraged by Threat Actors to Target the Mob

A hacker is running a large-scale campaign targeting gamers, developers, and even fellow hackers by planting backdoors in **code shared on GitHub**.

The attack relies on disguising [malicious scripts](https://www.bleepingcomputer.com/news/security/malicious-web-redirect-scripts-stealth-up-to-hide-on-hacked-sites/), game cheats, and exploit tools as legitimate open-source software. The activity came to light after Sophos researchers were approached about the Sakura RAT, an openly available remote access **trojan on GitHub**. Though the tool itself looked nonfunctional, the [team discovered a hidden PreBuildEvent](https://news.sophos.com/en-us/2025/06/04/the-strange-tale-of-ischhfd83-when-cybercriminals-eat-their-own/) in its Visual Studio project that silently pulled malware when someone tried to compile it. The publisher behind it, going by “ischhfd83,” was tied to at least 141 repositories, 133 of which were linked to malware.

These repositories hosted everything from Python scripts with obfuscated payloads and Unicode-tricked .scr files to JavaScript and Electron-based files with [encoded malware](https://www.darkreading.com/cyberattacks-data-breaches/threat-actors-ramp-up-use-of-encoded-urls-to-bypass-secure-email). Commits to these projects are automated to simulate active development, with one project **racking up nearly 60,000 commits** since March 2025. _The traffic comes from YouTube, Discord, and cybercrime forums, drawing in unsuspecting users_.

[![ cybercrime ](https://media.mailhop.org/duocircle/images/2025/06/spf-record-7723.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-7723.jpg)

Once downloaded, the victims were hit with **multiple stages of infection**, ultimately receiving trojans like Remcos or Lumma Stealer. Many of the repositories are still live, so you should be cautious. Always inspect code and check for hidden build events before compiling anything from GitHub.
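One way to run the build-event check recommended above before opening a downloaded project in Visual Studio, as an added example that is not from the original article or from Sophos: it lists every command an MSBuild project file would execute at build time. The suffix list, the keyword pattern and the sample project are assumptions constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed list of MSBuild file types worth reading before a first build.
PROJECT_SUFFIXES = {".csproj", ".vbproj", ".fsproj", ".vcxproj", ".props", ".targets"}
EVENT_ELEMENTS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}
# Programs that fetch or launch other code; a build step naming one is read first.
REVIEW_FIRST = re.compile(
    r"\b(powershell|pwsh|cmd(\.exe)?\s*/c|curl|wget|certutil|bitsadmin|mshta|wscript|cscript)\b",
    re.IGNORECASE,
)

# Constructed sample project, not taken from any repository named in the article.
SAMPLE_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>cmd /c echo constructed-sample-step</PreBuildEvent>
  </PropertyGroup>
  <Target Name="AfterBuild">
    <Exec Command="copy readme.txt $(OutDir)" />
  </Target>
</Project>"""

def local_name(tag):
    """Strip the MSBuild XML namespace: '{ns}PreBuildEvent' -> 'PreBuildEvent'."""
    return tag.rsplit("}", 1)[-1]

def build_commands(xml_data):
    """Return (element, command, review_first) for each command the build would run."""
    found = []
    for el in ET.fromstring(xml_data).iter():
        name = local_name(el.tag)
        if name in EVENT_ELEMENTS:
            # .csproj stores the command as element text; .vcxproj nests it in child
            # elements such as <Command>, so collect all nested text.
            command = "".join(el.itertext()).strip()
        elif name == "Exec":
            command = el.get("Command", "").strip()
        else:
            continue
        if command:
            found.append((name, command, bool(REVIEW_FIRST.search(command))))
    return found

def scan_tree(root_dir):
    """Walk a checked-out repository and map each project file to its build commands."""
    report = {}
    for path in Path(root_dir).rglob("*"):
        if path.is_file() and path.suffix.lower() in PROJECT_SUFFIXES:
            try:
                # Bytes let the XML parser handle a BOM or encoding declaration itself.
                hits = build_commands(path.read_bytes())
            except ET.ParseError:
                # A project file that is not valid XML has to be read by hand.
                hits = [("unparseable", "", True)]
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    # With a path argument, scan that checkout; otherwise show the constructed sample.
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": build_commands(SAMPLE_CSPROJ)}
    for path, hits in result.items():
        for element, command, review_first in hits:
            print("REVIEW FIRST" if review_first else "build step", path, element, repr(command))
```

An empty report only means no build-time command was declared in the project files; scripts and binaries shipped in the repository still need their own review.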

## Cartier: A Victim of Data Breach Following Cyberattacks on Luxury Brands

This week, Cartier [notified its customers](https://x.com/%5Fcountry%5Faccent/status/1929652281563062285) of a data breach after unauthorized access to its systems was detected, which led to the exposure of personal client information.

The luxury brand has confirmed the incident and addressed the scope of the compromised information. [Threat actors](/phishing-protection/threat-actors-exploit-google-calendar-for-phishing-and-spoofing/) were able to access its **systems temporarily**, making away with limited customer data. _Said data includes names, email addresses, and their home countries_. The brand emphasized that no sensitive financial info, such as passwords, banking details, or [credit card numbers](https://www.infosecurity-magazine.com/news/cyber-attack-exposes-credit-card/), was accessed during the breach. They highlighted that they were able to promptly contain the incident and have cautioned customers that, while the exposed data may seem minimal, it could be used for phishing or other targeted scams. _Cartier has involved law enforcement and is collaborating with a third-party cybersecurity firm to investigate the breach as part of its remediation efforts_.

[![ cybersecurity ](https://media.mailhop.org/duocircle/images/2025/06/spf-record-check-7781.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-check-7781.jpg)

Customers are advised to stay cautious and report any suspicious messages. The organization has not disclosed the **full scope of the incident**, and investigations remain ongoing.

To further protect customers from phishing attempts following such breaches, **organizations should implement** [SPF](/resources/what-is-spf), [DKIM](/resources/what-is-dkim), and [DMARC](/resources/what-is-dmarc) to ensure [email authentication](/resources/email-authentication) and enhance [email security](/).

## Fake RubyGems Masquerading as Fastlane Steal Telegram API Credentials

Two malicious RubyGems packages disguised as Fastlane plugins have been caught intercepting **Telegram bot communications**, putting developers’ sensitive data at risk.

These lookalike plugins have managed to stay live and attract hundreds of downloads, raising concerns about supply chain security in open-source ecosystems. The incident revolves around two gems, [fastlane-plugin-telegram-proxy](https://socket.dev/rubygems/package/fastlane-plugin-telegram-proxy/overview/0.1.6?platform=ruby) and [fastlane-plugin-proxy\_teleram](https://socket.dev/rubygems/package/fastlane-plugin-proxy%5Fteleram/overview/0.1.0?platform=ruby), which imitate the legitimate [fastlane](https://fastlane.tools/)\-plugin-telegram, a tool used by mobile developers to receive **CI/CD updates via Telegram**.

[![who uncovered the attack](https://media.mailhop.org/duocircle/images/2025/06/spf-record-tester-7788.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-tester-7788.jpg)

While they appear identical in function and presentation, the difference lies in a hidden redirection: instead of routing messages through **Telegram’s official API endpoint**, these packages silently redirect all traffic to an attacker-controlled proxy, rough-breeze-0c37\[.\]buidanhnam95\[.\]workers\[.\]dev. This proxy captures Telegram chat IDs, messages, uploaded files, proxy login details, and even bot tokens, any of which could allow the attacker to [hijack bots](https://www.computerweekly.com/news/450427023/Global-hacker-botnet-tops-6-million-hijacked-devices) or spy on developer activity. Despite claiming not to log this data, the proxy’s behavior can’t be verified.

Researchers at Socket, [who uncovered the attack](https://socket.dev/blog/malicious-ruby-gems-exfiltrate-telegram-tokens-and-messages-following-vietnam-ban), emphasize that Cloudflare Workers used in the proxy are opaque and can be abused without visibility. Developers should uninstall both gems immediately, revoke any affected bot tokens, and rebuild impacted binaries. **Blocking wildcard access** to \*.workers\[.\]dev is also recommended.
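A dependency check for the two gems described above, as an added example that is not from the original article or from Socket: it reads the resolved gems in a `Gemfile.lock`, flags the two reported names plus near-misspellings of the real plugin, and lists any host other than Telegram's official API host that appears in a Bot API style URL. The sample lockfile, the sample Ruby fragment, the `.example` host and the edit-distance threshold are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

LEGITIMATE = "fastlane-plugin-telegram"
# The two gem names reported in the article above.
KNOWN_MALICIOUS = {"fastlane-plugin-telegram-proxy", "fastlane-plugin-proxy_teleram"}
OFFICIAL_API_HOST = "api.telegram.org"

SPEC_LINE = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")  # resolved gems sit at 4-space indent
URL = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed samples; versions other than 0.1.6 are made up for the example.
SAMPLE_LOCKFILE = """GEM
  remote: https://rubygems.org/
  specs:
    fastlane (2.227.0)
    fastlane-plugin-telegram (0.1.4)
    fastlane-plugin-telegram-proxy (0.1.6)
    fastlane-plugin-telegrm (0.0.1)

DEPENDENCIES
  fastlane
  fastlane-plugin-telegram-proxy
"""
SAMPLE_PLUGIN_SOURCE = '''
# constructed Ruby fragment, not taken from either gem
official = "https://api.telegram.org/bot#{token}/sendMessage"
swapped  = "https://telegram-proxy.example/bot#{token}/sendMessage"
'''

def edit_distance(a, b):
    """Levenshtein distance, used to catch misspellings such as 'teleram'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_lockfile(text):
    """Return (gem, version, reason) for resolved gems that imitate the real plugin."""
    findings = []
    for line in text.splitlines():
        m = SPEC_LINE.match(line)
        if not m:
            continue
        name, version = m.groups()
        if name in KNOWN_MALICIOUS:
            findings.append((name, version, "reported malicious"))
        elif (name != LEGITIMATE and name.startswith("fastlane-plugin-")
              and any(edit_distance(t, "telegram") <= 2 for t in re.split(r"[-_]", name))):
            # Heuristic only: a lookalike finding calls for manual review of the gem.
            findings.append((name, version, "lookalike of " + LEGITIMATE))
    return findings

def bot_api_hosts_outside_telegram(source):
    """Hosts used in '/bot<token>/...' style URLs that are not Telegram's own API host."""
    hosts = set()
    for url in URL.findall(source):
        try:
            parts = urlsplit(url)
        except ValueError:
            continue
        if parts.hostname and parts.path.startswith("/bot") and parts.hostname != OFFICIAL_API_HOST:
            hosts.add(parts.hostname)
    return sorted(hosts)

if __name__ == "__main__":
    print(audit_lockfile(SAMPLE_LOCKFILE))
    print(bot_api_hosts_outside_telegram(SAMPLE_PLUGIN_SOURCE))
```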

## The North Face Alerts Users to April Credential Stuffing Incident

Cartier isn’t the only brand to suffer an attack this week. The [North Face](https://www.bbc.com/news/articles/c39x3jpv8lyo) also alerted customers to a data breach caused by credential stuffing attacks on its website in April.

[![Credential Stuffing Attacks Work](https://media.mailhop.org/duocircle/images/2025/06/spf-record-9004.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-record-9004.jpg)

The brand is known for its outdoor gear and apparel, with online sales forming a major part of its business. **On April 23, 2025**, [suspicious activity](https://www.msspalert.com/news/mssp-market-news-malicious-activity-spikes-after-crowdstrike-outage) was detected on thenorthface.com, [prompting an immediate investigation](https://ago.vermont.gov/sites/ago/files/documents/2025-05-29%20VF%20Outdoor%20Data%20Breach%20Notice%20to%20Consumers.pdf). It was later confirmed that attackers had launched a [credential stuffing attack](https://www.forbes.com/sites/daveywinder/2025/06/03/password-attack---the-north-face-confirms-data-breach/), an automated method where stolen username-password combinations from past breaches were used to break into accounts. Since many users reuse passwords across sites, the method often succeeds unless [Multi-Factor Authentication (MFA)](https://www.onelogin.com/learn/what-is-mfa) is enabled. _The attackers were able to access customer data, including full names, shipping addresses, email addresses, phone numbers, dates of birth, and purchase history_.

However, no payment details were affected as they are handled externally. They are still notifying affected users. Customers are advised to update their passwords and enable MFA to better **secure their accounts**.

## CISA Flags Actively Exploited Vulnerability in ConnectWise ScreenConnect

Federal agencies in the U.S. are being warned about active cyberattacks that exploit a [vulnerability in ConnectWise ScreenConnect](https://www.connectwise.com/company/trust/security-bulletins/screenconnect-security-patch-2025.4), recently patched in late April. The flaw, if abused, allows attackers to run malicious code on targeted servers.

Alongside this, several other serious vulnerabilities in ASUS routers and Craft CMS are also being actively targeted. The ScreenConnect issue, tracked as [CVE-2025-3935](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search%5Fapi%5Ffulltext=CVE-2025-3935&field%5Fdate%5Fadded%5Fwrapper=all&field%5Fcve=&sort%5Fby=field%5Fdate%5Fadded&items%5Fper%5Fpage=20&url=), involves improper authentication and can be used for a ViewState code injection attack. Since ASP.NET Web Forms use ViewState to maintain page state with **base64-encoded data protected** by machine keys, a threat actor who gains access to those keys could execute code remotely on the server.

[![data protected](https://media.mailhop.org/duocircle/images/2025/06/spf-validator-7734.jpg)](https://media.mailhop.org/duocircle/images/2025/06/spf-validator-7734.jpg)

_The vulnerability gained attention following a breach at ConnectWise suspected to involve state-sponsored attackers_. ConnectWise has not detailed the attack or confirmed a link to this flaw, but many users believe it’s related. The vendor acknowledged that only a small number of **ScreenConnect users** were impacted. On the other hand, CISA also flagged four exploited bugs: two critical ones in ASUS routers (CVE-2021-32030, CVE-2023-39780) and two in Craft CMS (CVE-2024-56145, CVE-2025-35939).

They have added all five vulnerabilities [to their Known Exploited list](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and have asked agencies to apply fixes or stop using affected **systems by June 23**. Users should update their devices and CMS platforms promptly to reduce exposure.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

