Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
As cybersecurity threats continue to evolve in scale and sophistication, recent headlines offer a sobering reminder of the vulnerabilities facing both public institutions and private enterprises. From healthcare system disruptions in Newfoundland & Labrador to a credential-stuffing attack targeting The North Face, and from a delayed earnings report following a data breach at Victoria’s Secret to persistent password issues plaguing the auto industry, the past weeks have underscored a troubling trend. Perhaps most alarming is the surge in open-source supply chain attacks, where malicious packages have infiltrated widely used repositories like PyPI, npm, and RubyGems. This blog post delves into these unfolding stories to highlight critical patterns, common oversights, and what organizations must do to stay ahead of cyber threats.
- N.L. Cyberattacks are ‘Canary in the Coal Mine’ for Canada, Says Security Expert
A leading Canadian cybersecurity expert says that recent cyber incidents in Newfoundland & Labrador should have served as a serious warning to the federal government about the evolving threats facing the country.
The province has endured several significant security breaches in recent years, most notably the 2021 ransomware attack on its healthcare system, which was attributed to the Russian cybercriminal group known as Hive.
David Shipley, co-founder of Beauceron Security, characterized the Newfoundland incident as an early indication of more severe challenges to come. He emphasized the broader implications of such attacks, arguing that when international criminal organizations are able to disrupt essential services without meaningful consequences, it creates an impression of permissiveness.
More recently, Bell Canada reported a deliberate severing of a subsea fibre optic cable between Nova Scotia and Newfoundland & Labrador, the second such incident involving the same infrastructure. According to Shipley, these events are symptomatic of a broader deterioration in global security, peace, and stability. He underscored that attacks on critical infrastructure, such as the damaged fibre optic cable, carry real economic consequences and long-term implications. While the RCMP is currently investigating the subsea cable incident, Shipley questioned whether law enforcement is the appropriate authority to handle such threats. He expressed concern about what he described as a lack of clarity and preparedness in Canada’s national security apparatus.
Shipley also criticized the government’s failure to pass Bill C-26, legislation that would have introduced mandatory cybersecurity standards for federally regulated sectors and strengthened national security protections for telecommunications. He noted that the bill, despite years of development, ultimately stalled due to legislative delays and a clerical error.
Beyond legislative concerns, Shipley also took aim at Canada’s weak enforcement mechanisms for privacy and cybersecurity. He pointed to a breach involving PowerSchool, an education technology platform, where sensitive data belonging to hundreds of thousands of Canadians was stolen. He further revealed that a Russian cyber group had at one point gained unauthorized access to a Canadian pipeline and attempted, though unsuccessfully, to trigger an explosion. The only reason the incident became public was due to an unrelated leak by a young U.S. Air Force intelligence officer who had posted classified documents online in an apparent attempt to impress friends.
- Victoria’s Secret Says It Will Postpone Earnings Report After Recent Security Breach
Victoria’s Secret has announced a delay in releasing its quarterly earnings due to a cybersecurity incident that significantly impacted its internal systems and online operations. The company disclosed that it first identified a breach of its information technology infrastructure on May 24th. In response, it activated established security protocols and enlisted the support of external cybersecurity experts to address the issue and mitigate further risks.
As a precautionary measure, the retailer temporarily suspended access to both its internal corporate systems and its U.S. e-commerce platform on May 26th. The website remained offline for several days, resuming full functionality only by late Thursday of that week.
Although Victoria’s Secret did not confirm the nature of the attack, the scale and duration of the disruption have led analysts to suggest the possibility of a ransomware incident. Industry experts have observed a rising trend of such cyberattacks targeting retail organizations, emphasizing the operational vulnerabilities that can be exploited by malicious actors. In addition to its website, certain in-store services at Victoria’s Secret and its Pink-branded locations were temporarily impacted. The company noted, however, that the majority of those functions have since been restored.
The ongoing recovery from the breach has hindered employees’ access to key systems and data required to finalize the company’s financial reporting. As a result, Victoria’s Secret has postponed the release of its fiscal first-quarter earnings. The company has not yet provided a revised timeline for the report’s publication.
This incident adds to a growing list of recent cyber intrusions affecting major retail brands. Notably, several U.K.-based companies, including Marks & Spencer, Harrods, and Co-op, have disclosed recent breaches. One such attack temporarily halted online sales and disrupted store inventory systems at Marks & Spencer, with financial losses estimated at £300 million ($400 million USD).
Similarly, Adidas reported last month that an external party had accessed limited consumer data, primarily contact information, through a third-party customer service provider.
Cybersecurity professionals continue to advise consumers to remain vigilant in the wake of such incidents. Threat actors frequently exploit public breaches by launching phishing campaigns or fraudulent promotions aimed at stealing personal information.
- Thousands Hit by The North Face Credential Stuffing Attack
VF Corporation, the parent company of The North Face, has disclosed a security incident involving unauthorized access to customer accounts. The company has begun notifying approximately 2,800 individuals whose personal data was exposed during the event.
According to the company’s notice, the breach resulted from a credential stuffing attack, an increasingly common tactic where cybercriminals use previously compromised login credentials (such as email addresses and passwords) to gain unauthorized access to accounts on other websites where the same credentials are used.
The attack targeted a subset of user accounts on thenorthface.com on April 23rd. VF Corporation reports that it identified and began investigating the activity on the same day. Affected users are being notified through formal communications, which have also been shared with regulatory authorities.
Information accessible through the compromised accounts may include users’ full names, contact information, birth dates, account preferences, and purchase history. However, VF Corporation emphasizes that payment card data was not at risk. The company does not store payment card details on its systems; instead, it uses secure tokenization in coordination with a third-party payment processor. This method ensures that credit card data remains protected and cannot be used outside of the designated platform.
VF Corporation is continuing to monitor the situation and has advised affected individuals to change their passwords and remain vigilant for any suspicious activity related to their online accounts.
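The tell-tale signature of credential stuffing is visible in plain login logs: one source replays leaked username/password pairs against many distinct accounts in a short window and gets into only a few of them, whereas a legitimate user who mistypes a password fails repeatedly on a single account. The following detector is an added example (not VF Corporation's code); the log format and the sample lines are constructed for the demonstration, and the thresholds are assumptions to be tuned per site.

```python
"""Credential-stuffing detector for web login logs.

Added example, not VF Corporation's code. Log format is assumed:
"<ISO timestamp> <source IP> <account> <OK|FAIL>", one event per line.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log: one source replays leaked pairs against ten
# different accounts in about 2.5 minutes and gets into two of them; a
# normal user fails twice and then succeeds on a single account.
LOG_LINES = [
    "2025-04-23T10:00:01 203.0.113.7 alice@example.com FAIL",
    "2025-04-23T10:00:05 203.0.113.7 bob@example.com FAIL",
    "2025-04-23T10:00:12 203.0.113.7 carol@example.com FAIL",
    "2025-04-23T10:00:20 203.0.113.7 dave@example.com OK",
    "2025-04-23T10:00:31 203.0.113.7 erin@example.com FAIL",
    "2025-04-23T10:00:44 203.0.113.7 frank@example.com FAIL",
    "2025-04-23T10:01:02 203.0.113.7 gina@example.com OK",
    "2025-04-23T10:01:15 203.0.113.7 heidi@example.com FAIL",
    "2025-04-23T10:01:30 203.0.113.7 ivan@example.com FAIL",
    "2025-04-23T10:02:30 203.0.113.7 judy@example.com FAIL",
    "2025-04-23T10:05:00 198.51.100.4 alice@example.com FAIL",
    "2025-04-23T10:05:20 198.51.100.4 alice@example.com FAIL",
    "2025-04-23T10:05:40 198.51.100.4 alice@example.com OK",
    "2025-04-23T10:06:00 192.0.2.9 bob@example.com OK",
]


@dataclass
class SourceStats:
    first: datetime
    last: datetime
    attempts: int = 0
    ok_count: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried
    successes: set = field(default_factory=set)  # accounts actually entered


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5,
                    max_success_ratio=0.25):
    """Return {ip: summary} for sources whose pattern looks like credential
    stuffing: many distinct accounts from one IP inside `window` with a low
    success rate. A human mistyping a password fails on ONE account; a replay
    of leaked pairs spreads failures across MANY accounts."""
    stats = {}
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        s = stats.get(ip)
        if s is None:
            s = stats[ip] = SourceStats(first=ts, last=ts)
        s.first, s.last = min(s.first, ts), max(s.last, ts)
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.ok_count += 1
            s.successes.add(user)

    flagged = {}
    for ip, s in stats.items():
        ratio = s.ok_count / s.attempts
        if (len(s.users) >= min_users and s.last - s.first <= window
                and ratio <= max_success_ratio):
            flagged[ip] = {
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                # accounts the attacker got into: these need a forced reset
                # and a notification, which is what VF Corporation did
                "compromised": sorted(s.successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(LOG_LINES).items():
        print(ip, info)
```

The useful output is the `compromised` list: those are the accounts whose reused passwords actually worked and which must be reset, regardless of whether the attacker went on to read purchase history or contact details from them.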
- Auto Industry Still Runs on Weak Passwords
A recent report by NordPass has raised significant concerns about password practices within the automotive industry. Despite substantial investments in smart vehicle technologies and automation, the sector remains vulnerable to cybersecurity threats due in large part to poor password hygiene.
The study analyzed a vast dataset, totaling 2.5 terabytes, comprising leaked credentials from publicly accessible sources, including data from the dark web. The findings reveal a troubling pattern: companies across the automotive supply chain, including manufacturers, parts suppliers, and dealerships, frequently rely on weak, reused, and easily guessable passwords to protect critical systems and data.
Among the most common credentials were simplistic entries such as “123456” and “P@ssw0rd,” alongside more personalized variants tied to company names or employee roles. Such practices significantly increase exposure to brute-force attacks and unauthorized access. Password reuse, especially with minor alterations like appending symbols or digits (e.g., “F3930ebbce” vs. “F3930ebbce@”), was also widely observed, further compounding the risk. NordPass emphasized that these easily compromised credentials create substantial attack surfaces for malicious actors.
This issue is not confined to the automotive sector. The report indicates similar vulnerabilities across industries such as healthcare, education, finance, and retail, several of which have already experienced high-profile breaches. In fact, the automotive industry is just one of 11 sectors examined in a broader investigation into credential security trends. A significant contributor to these vulnerabilities is human error. Research suggests that user behavior, such as incorporating personal names or email addresses into passwords, accounts for up to 70% of security breaches. Another critical gap is the inconsistent use of multi-factor authentication (MFA), which could serve as a vital safeguard by adding an extra layer of user verification.
To address these issues, organizations are encouraged to prioritize employee education through cybersecurity awareness programs. Implementing secure password management solutions and enterprise-grade virtual private networks (VPNs) can also improve resilience. Furthermore, adopting advanced authentication methods, such as passkeys, represents a forward-looking step. Ultimately, the report underscores a pressing need for organizations, particularly those managing sensitive digital infrastructure, to elevate their cybersecurity standards. Strengthening password policies, enforcing MFA, and fostering a culture of cyber awareness will be essential to mitigate the growing threat of credential-based attacks.
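A password policy only helps if it rejects the exact patterns the NordPass data shows: leet-speak dressings of dictionary words, a previous password with a symbol bolted on, and company or role names embedded in the string. The checker below is an added example (not NordPass's code); the denylist and the "personal tokens" are constructed stand-ins for a breached-password corpus and the organization's own names, and the leet mapping and minimum length are assumptions.

```python
"""Password checks that catch the patterns in the NordPass findings.

Added example, not NordPass's code. COMMON_PASSWORDS is a constructed
mini denylist; a real deployment would query a large breached-password
corpus and supply the org's own names, domains and roles as tokens.
"""
import string

COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome", "letmein"}

# Undo the usual "leet" substitutions so P@ssw0rd and password collide.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "4": "a", "5": "s", "$": "s", "7": "t", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to its core: lowercase, drop digits and symbols
    that were merely appended or prepended (the F3930ebbce -> F3930ebbce@
    trick), then reverse leet-speak. Two passwords with the same core are,
    for a rules-based guesser, the same password."""
    lowered = pw.lower()
    core = lowered.strip(string.digits + string.punctuation + " ")
    if not core:  # all digits/symbols ("123456!!"): keep the digits, drop symbols
        core = lowered.strip(string.punctuation + " ")
    return core.translate(_LEET)


def check_password(candidate, previous_passwords=(), personal_tokens=(),
                   min_len=10):
    """Return a list of reason codes; an empty list means the candidate passed.

    previous_passwords holds the user's prior passwords. In production you
    would store a salted hash of normalize(p) for each and compare hashes;
    plaintext is used here only to keep the example self-contained."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("short")
    core = normalize(candidate)
    if core in {normalize(p) for p in COMMON_PASSWORDS}:
        reasons.append("common")
    if any(core == normalize(p) for p in previous_passwords):
        reasons.append("reuse")      # old password with a symbol or digit added
    if any(tok.lower() in core for tok in personal_tokens):
        reasons.append("personal")   # company name, role, email local-part
    return reasons


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "F3930ebbce@", "ToyotaDealer2025!"):
        print(pw, check_password(pw, ["F3930ebbce"], ["Toyota"]))
```

The reuse check is the one most policies miss: comparing raw hashes of the old and new password passes "F3930ebbce@" as a fresh credential, while comparing hashes of the normalized core catches it. MFA remains the backstop for the cases no string check can catch, namely a genuinely unique password that has already leaked.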
- Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks
A series of coordinated supply chain attacks has recently targeted major open-source ecosystems, including npm, PyPI, and RubyGems, by introducing malicious packages that perform a range of harmful activities. These include stealing cryptocurrency funds, exfiltrating sensitive credentials, and even erasing developers’ entire codebases. The threat underscores the persistent vulnerabilities in software supply chains and the growing sophistication of attackers exploiting trust within developer communities.
Recent investigations by multiple cybersecurity firms have identified several malicious libraries impersonating legitimate tools. In the Ruby ecosystem, two packages mimicking the popular Fastlane plugin “fastlane-plugin-telegram” redirected Telegram API communications through an attacker-controlled server. This allowed for the silent collection of bot tokens, chat IDs, message contents, and other sensitive data. These packages emerged shortly after Vietnam banned Telegram, suggesting attackers may have been exploiting the situation to masquerade the libraries as legitimate proxies.
In the npm registry, the “xlsx-to-json-lh” package impersonated a legitimate utility but harbored a destructive payload capable of deleting entire projects. Triggered remotely by a French-language command (“remise à zéro”), the malware wiped source code, configurations, and even version control history. Similarly, other npm packages such as “pancake_uniswap_validators_utils_snipe” and “ethereum-smart-contract” targeted Ethereum and Binance Smart Chain wallets, siphoning off as much as 85% of user funds via obfuscated JavaScript code.
Malicious Python packages have also emerged, some of which target the Solana blockchain ecosystem. These packages stealthily altered Solana key-generation functions to intercept and encrypt private keys, which were then transmitted via Solana’s Devnet for later retrieval by attackers. Other packages were designed to exfiltrate Python scripts, target Jupyter Notebooks, or masquerade as legitimate utilities like the “solana-live” package.
An especially concerning trend involves attackers leveraging artificial intelligence tools as a distribution vector. PyPI packages disguised as SDKs for Aliyun AI Labs contained infostealers embedded within PyTorch machine learning models. These payloads extracted sensitive system information, including .gitconfig content and network identifiers, and were particularly tailored to target users of the Chinese videoconferencing tool AliMeeting.
Further, attackers have deployed cross-ecosystem typosquatting tactics, using names from one programming language’s ecosystem to impersonate tools in another. For example, malicious Python packages falsely adopted names from well-known JavaScript libraries. These attacks enabled persistent remote access and allowed for the exfiltration of configuration data from both Linux and Windows environments.
Collectively, these campaigns highlight the urgency of reinforcing software supply chain security. Developers and organizations must remain vigilant, verify package authenticity, and adopt proactive monitoring strategies to detect malicious behavior early.
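One concrete form of "verify package authenticity" is a pre-install gate that compares every requested package name against the names developers actually mean to install, catching both single-keystroke lookalikes and the cross-ecosystem trick described above, where a PyPI package borrows a well-known npm name. The gate below is an added example, not code from any of the cited research; the lists of well-known names are a small constructed allowlist (a real deployment would load the organization's approved dependencies), the name normalization follows the PyPI convention of lowercasing and collapsing runs of `-`, `_` and `.`, and the distance threshold is an assumption.

```python
"""Pre-install name check for lookalike and cross-ecosystem packages.

Added example, not code from the research cited above. KNOWN is a
constructed allowlist standing in for an organization's approved
dependencies per ecosystem.
"""
import re

KNOWN = {
    "npm": {"lodash", "express", "chalk", "react", "axios"},
    "pypi": {"requests", "numpy", "flask", "django", "pandas"},
}


def normalize(name: str) -> str:
    """PyPI-style normalization: lowercase, runs of -_. become a single '-'.
    Applied to every ecosystem here so lookalikes that only differ in
    separators ("flask_", "Flask.") collapse onto the real name."""
    return re.sub(r"[-_.]+", "-", name.lower())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment (Damerau-Levenshtein) distance: counts an
    adjacent transposition ("reqeusts" vs "requests") as ONE edit, which is
    the typo class plain Levenshtein over-counts."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def assess(name: str, ecosystem: str, known=KNOWN, max_dist=1):
    """Classify a requested package name before it is installed.

    Returns (verdict, nearest):
      known           exact match to an approved name in this ecosystem
      cross-ecosystem exact match to an approved name in ANOTHER ecosystem
                      (the Python-package-with-a-JavaScript-name pattern)
      lookalike       within max_dist edits of an approved name
      no-match        nothing nearby; still unapproved, but not a mimic"""
    n = normalize(name)
    if n in known.get(ecosystem, ()):
        return ("known", n)
    for eco, names in known.items():
        if eco != ecosystem and n in names:
            return ("cross-ecosystem", f"{eco}:{n}")
    best = None
    for eco, names in known.items():
        for k in names:
            dist = osa_distance(n, k)
            if dist <= max_dist and (best is None or dist < best[0]):
                best = (dist, f"{eco}:{k}")
    return ("lookalike", best[1]) if best else ("no-match", None)


if __name__ == "__main__":
    for req in ("Requests", "reqeusts", "lodash", "my-internal-tool"):
        print(req, "->", assess(req, "pypi"))
```

Anything other than `known` should block the install and route the name to a human or to further checks (publisher age, repository link, install-time hooks), since both a `cross-ecosystem` and a `lookalike` verdict are precisely the conditions the campaigns above relied on to get a developer to type the wrong name with confidence.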
References:
https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cybersecurity-david-shipley-1.7480190
https://www.securityweek.com/thousands-hit-by-the-north-face-credential-stuffing-attack/
https://hackread.com/smart-cars-dumb-passwords-auto-industry-weak-passwords/
https://thehackernews.com/2025/06/malicious-pypi-npm-and-ruby-packages.html