---
title: "JLR Cyber Shutdown, SlopAds App Fraud, Worm Hits npm, Cybersecurity News [September 15, 2025] | DuoCircle"
description: "JLR Cyber Shutdown, SlopAds App Fraud, Worm Hits npm, Cybersecurity News [September 15."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-39-of-2025/"
---

Quick Answer

Four cyber incidents shaped the week of September 15, 2025\. Jaguar Land Rover extended a UK production shutdown into a fourth week after a cyberattack, halting roughly 1,000 vehicles per day across three British plants while forensic work continues. Researchers exposed SlopAds, an Android ad-fraud network spanning 224 apps with 38 million downloads that generated up to 2.3 billion fake ad requests daily by hiding fraud logic in PNG files and only firing on non-organic installs. A self-replicating npm worm dubbed Shai-Hulud compromised more than 500 packages, installing TruffleHog to harvest GitHub, npm, and AWS tokens, then republishing infected versions automatically and creating malicious GitHub Actions workflows for persistence. A Chinese-language SEO poisoning campaign pushed lookalike software download pages that bundle real installers with HiddenGh0st, Winos, and the new kkRAT, using DLL side-loading and Bring Your Own Vulnerable Driver techniques to evade detection. RevengeHotels (TA558) was also seen using LLM-generated JavaScript and PowerShell loaders to drop Venom RAT in phishing emails to hospitality targets.

JLR Cyber Shutdown, SlopAds App Fraud, Worm Hits npm, Cybersecurity News \[September 15, 2025\]


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/09/spf-permerror-0009.jpg) 

[Cyber incidents](https://www.bleepingcomputer.com/news/security/the-heat-wasnt-just-outside-cyber-attacks-spiked-in-summer-2025/) this week underline just how disruptive attacks have become. One of the **UK’s biggest carmakers** has kept its production lines shut, losing around 1,000 vehicles a day while work continues to restore systems. _Investigators also uncovered a [vast ad-fraud scheme](https://www.malwarebytes.com/blog/news/2023/01/vastflux-ad-fraud-massively-affected-millions-of-ios-devices-dismantled) that ran across 224 apps with 38 million downloads, generating more than two billion fake ad requests daily_. Alongside that, a worm-like breach spread through hundreds of [npm packages](https://thehackernews.com/2025/09/40-npm-packages-compromised-in-supply.html), while poisoned search results and [phishing emails](/content/phishing-prevention/phishing-email) delivered remote-access malware to new victims.

## JLR Faces Extended Shutdown After Major Cyber Incident

[Jaguar Land Rover (JLR) has announced](https://media.jaguarlandrover.com/news/2025/09/statement-cyber-incident-2) production at its UK factories will remain suspended until 24 September, and it might get extended well beyond that, as it continues to deal with the impact of a cyberattack. [The stoppage, now stretching beyond three weeks](https://www.reuters.com/en/jlrs-uk-factory-stoppage-cyber-attack-stretches-three-weeks-2025-09-16/), has forced the company to shut down its systems and stop operations at three British plants that usually produce around a **total of 1,000 vehicles a day**, causing significant disruption to both staff and output.

[![Cyber Incident](https://media.mailhop.org/duocircle/images/2025/09/hosted-email-server-2301.jpg)](https://media.mailhop.org/duocircle/images/2025/09/hosted-email-server-2301.jpg)

The company explained that the delay is necessary while forensic investigations continue and a careful, staged restart plan is put in place. Although JLR has admitted that some data was affected by the breach, it hasn’t specified whether customer, supplier, or internal systems were involved. Reports suggesting [the disruption could last into November](https://www.bbc.com/news/articles/czewlj57e24o) have been dismissed by the company as speculation. This incident is raising serious concerns for the wider supply chain, and government cyber experts are now working closely with JLR to help get their **systems back online**.

## SlopAds Fraud Network Exploits 38 Million App Downloads

A massive ad fraud and click fraud operation named [SlopAds](https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-slopads-covers-fraud-with-layers-of-obfuscation/) has been uncovered. It was running across [224 Android apps](https://www.humansecurity.com/wp-content/uploads/2025/09/SlopAds-App-List.html) that managed to get 38 million downloads all over the world. The apps were secretly committing ad fraud by loading hidden web pages and connecting to sites controlled by the attackers. This generated billions of fake ad impressions and clicks every single day. _At its peak, the campaign was triggering 2.3 billion ad requests daily, with most of the traffic coming from North America, South Asia, and South America_. 

What really set SlopAds apart was how it decided when to commit fraud. The apps would check if they were downloaded organically from [the Play Store](https://support.google.com/googleplay/answer/2812853?hl=en) or through an ad click. The fraudulent parts, which were [hidden in PNG image files](https://github.com/packing-box/awesome-executable-packing), would only activate on non-organic installs. This made the apps seem legitimate to regular **users and security researchers**. While Google has taken all the SlopAds apps down, researchers are warning that this campaign shows how much more sophisticated mobile ad fraud is becoming. 

[![security measure](https://media.mailhop.org/duocircle/images/2025/09/what-is-dkim-6700.jpg)](https://media.mailhop.org/duocircle/images/2025/09/what-is-dkim-6700.jpg)

## Self-Replicating Worm Compromises 500+ npm Packages

Security researchers have discovered an enormous [npm supply chain attack](https://www.kaspersky.co.in/blog/tinycolor-shai-hulud-supply-chain-attack/29541/), which they’ve nicknamed Shai-Hulud. It’s already affected more than 500 packages from a bunch of different maintainers. The attack starts with Trojanised packages that contain a malicious script. This script installs [TruffleHog](https://github.com/trufflesecurity/trufflehog), a credential scanner that harvests valuable secrets like **GitHub, npm, and AWS tokens**.

_The attackers then use these stolen credentials to set up malicious GitHub Actions workflows. It’s an effective strategy because it allows them to keep stealing data during future development runs, long after the initial breach_. The most alarming feature of the attack is [its worm-like spread](https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again). Each infected package automatically republishes a compromised version, allowing the malware to ripple quickly across npm’s ecosystem.

Researchers believe it began with a package called [rxnt-authentication](https://www.reversinglabs.com/blog/shai-hulud-worm-npm), with already breached accounts helping it gain momentum. The malware also attempts to clone private repositories, likely in search of embedded secrets and source code. **Experts warn that Shai-Hulud** may be one of the most serious JavaScript supply chain breaches yet and are urging developers to audit systems, replace exposed credentials, and upgrade to secure releases without delay.
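One way to start the audit urged above is to check every installed package in a lockfile against a vendor advisory list. The sketch below is an added example, not code from the article or the researchers it cites; the package names, versions and the advisory format are constructed placeholders, and flagging install-time scripts for review is a general npm hygiene check rather than a detail taken from the reports.

```javascript
// Added example: audit a parsed npm lockfile against an advisory list.
// All package names and versions here are constructed placeholders, not real IoCs.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

// Yield one record per installed package, whatever the lockfile version.
function* installedPackages(lock) {
  if (lock.packages) { // lockfileVersion 2 and 3: flat "packages" map
    for (const [path, e] of Object.entries(lock.packages)) {
      if (path === '' || e.link) continue; // skip root project and workspace links
      yield { name: e.name || nameFromLockPath(path), version: e.version,
              path, hasInstallScript: e.hasInstallScript === true };
    }
    return;
  }
  // lockfileVersion 1: nested "dependencies" tree, no install-script flag
  const stack = Object.entries(lock.dependencies || {}).map(([n, e]) => [n, e, n]);
  while (stack.length) {
    const [name, e, path] = stack.pop();
    yield { name, version: e.version, path, hasInstallScript: false };
    for (const [n, child] of Object.entries(e.dependencies || {})) {
      stack.push([n, child, `${path} > ${n}`]);
    }
  }
}

// Returns findings sorted with exact advisory matches first, then by name.
function auditLockfile(lock, advisories) {
  const bad = new Map(advisories.map((a) => [a.name, new Set(a.versions)]));
  const findings = [];
  for (const pkg of installedPackages(lock)) {
    const { name, version, path } = pkg;
    if (bad.has(name) && bad.get(name).has(version)) {
      findings.push({ severity: 'compromised', name, version, path });
    } else if (pkg.hasInstallScript) {
      // Not proof of compromise: code that runs during `npm install` deserves a look.
      findings.push({ severity: 'review-install-script', name, version, path });
    }
  }
  const rank = { compromised: 0, 'review-install-script': 1 };
  return findings.sort((a, b) => rank[a.severity] - rank[b.severity]
    || (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// Constructed advisory list: in practice, load the name/version pairs from a vendor feed.
const sampleAdvisories = [
  { name: 'example-bad-pkg', versions: ['4.1.1', '4.1.2'] },
  { name: '@demo/example-scoped', versions: ['0.3.2'] },
];

// Constructed lockfile contents (what JSON.parse of package-lock.json would return).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-bad-pkg': { version: '4.1.1', hasInstallScript: true },
    'node_modules/left-helper': { version: '2.1.0' },
    'node_modules/left-helper/node_modules/@demo/example-scoped': { version: '0.3.2' },
    'node_modules/left-helper/node_modules/example-bad-pkg': { version: '4.0.0' },
    'node_modules/native-thing': { version: '1.2.3', hasInstallScript: true },
  },
};

for (const f of auditLockfile(sampleLock, sampleAdvisories)) {
  console.log(`${f.severity}: ${f.name}@${f.version} (${f.path})`);
}
```

A `compromised` hit means the affected version was installed on that machine or CI runner, so the tokens reachable from it should be replaced and the repository's `.github/workflows/` directory reviewed for files nobody on the team added.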

[![Remote Access Trojans (RATs) Threats ](https://media.mailhop.org/duocircle/images/2025/09/spf-record-generator-4501.jpg)](https://media.mailhop.org/duocircle/images/2025/09/spf-record-generator-4501.jpg)

## SEO Poisoning Attack Uses Fake Software Sites to Spread RATs

A widespread [SEO-poisoning campaign](https://www.fortinet.com/blog/threat-research/seo-poisoning-attack-targets-chinese-speaking-users-with-fake-software-sites) is inflating bogus sites in search results, luring users to polished lookalike download pages that masquerade as trusted **browser and messaging services**. When someone downloads an installer, they get the real application, but it’s bundled with malicious payloads, which makes the infection much more challenging to spot. The campaign is delivering several [Remote Access Trojans (RATs)](https://www.fortinet.com/uk/resources/cyberglossary/remote-access-trojan), including HiddenGh0st, Winos, and a new one [called kkRAT](https://www.zscaler.com/blogs/security-research/technical-analysis-kkrat). Once on a system, these malware families can log keystrokes, hijack crypto wallets, capture screenshots, and install other spying tools. 

The delivery is controlled by a sneaky script that drops DLL files designed to evade security software, sometimes by using [Bring Your Own Vulnerable Driver (BYOVD) techniques](https://blogs.vmware.com/security/2023/04/bring-your-own-backdoor-how-vulnerable-drivers-let-hackers-in.html). After it’s active, the malware sends back system information by connecting to command and control servers and downloads more plugins for data theft. [Cybersecurity](/) experts are warning that even top search results can be weaponized. It’s a reminder to always **double-check your download sources**, scrutinize domain names, and keep your endpoint protection updated.

[![AI Scripts](https://media.mailhop.org/duocircle/images/2025/09/windows-smtp-service-6700.jpg)](https://media.mailhop.org/duocircle/images/2025/09/windows-smtp-service-6700.jpg)

## RevengeHotels Uses AI Scripts to Target Hospitality Sector

Researchers have spotted the [threat actor](/phishing-protection/threat-actors-exploit-google-calendar-for-phishing-and-spoofing/) [TA558, also known as RevengeHotels](https://securelist.com/revengehotels-attacks-with-ai-and-venomrat-across-latin-america/117493/), launching new attacks against the hospitality industry in 2025\. The group is sending out phishing emails disguised as invoices, reservations, and job applications to deliver Venom RAT, a commercial remote access trojan that’s based on Quasar RAT. A concerning new development is their use of code that was likely generated by [large language models (LLMs)](https://www.ibm.com/think/topics/large-language-models). These AI-created **JavaScript loaders and PowerShell scripts** are being used to fetch the malware.

[Venom RAT](https://www.acronis.com/en/tru/posts/venomrat-a-remote-access-tool-with-dangerous-consequences/), which sells for around $650, is a powerful tool. It’s capable of stealing data, setting up a reverse proxy to hide its tracks, and using an anti-kill feature to terminate processes used by security analysts. The malware modifies registry **keys to stay on a system**, can spread through USB drives, and is even able to disable Microsoft Defender. RevengeHotels has been going after hotels and travel organizations to steal financial data [since 2015](https://securelist.com/revengehotels/95229/), and their new use of AI shows a growing trend of [cybercriminals](https://edition.cnn.com/2025/05/16/politics/cybercriminal-group-targets-us-retailers) refining their operations.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.


