#supply-chain-attack

#supply-chain-attack

As the U.S. federal government ground to a halt at 12:01 a.m. EDT on October 1, 2025, a cybercriminal group calling itself the Crimson Collective chose that precise moment to publicly disclose one of the most significant supply chain compromises in recent memory. The breach of Red Hat's consulting division, affecting approximately 800 organizations, including critical defense contractors and government agencies, represents more than just another data breach; it demonstrates a sophisticated understanding of how to weaponize American politics for maximum strategic impact.

Chinese AI firm DeepSeek revealed it spent only $294,000 training its R1 model far below the hundreds of millions claimed by U.S. rivals. Using 512 Nvidia H800 accelerators, the company trained R1 in just 80 hours. The release of R1 earlier this year rattled tech markets, even denting Nvidia's valuation. DeepSeek also acknowledged limited use of A100s and defended model distillation, stressing it makes AI more accessible despite U.S. accusations of copying OpenAI's work.

Following a previous series of victims, Zscaler has also been affected by a hacked Salesforce Drift instance. This resulted in the theft of customer data and information about support cases. Zscaler warns that hackers stole sensitive customer data after gaining access to their Salesforce environment. The stolen data includes customer names, email addresses, job titles, phone numbers, and location data. In addition, product licenses, commercial information, and the content of certain support cases have also been compromised.

Malicious packages published on npm and PyPI had been downloaded more than 56,000 times, containing malware that enabled keylogging and other surveillance functionalities.

The widespread supply chain attack targeted at least 500 e-commerce sites, compromising sensitive customer data by executing malicious code via visited browsers.