Weekly Report: New Hacking Techniques and Critical CVEs 2 Dec – 10 Dec 2025

Between 2-10 December 2025, three developments stand out for enterprise defenders:

• Shai-Hulud 2.0 npm worm: A rapidly evolving supply chain threat abusing npm and GitHub Actions to build a self-propagating CI/CD worm, with active reporting and defensive guidance released during this week. The underlying campaign began in September but continued and evolved into December, especially around its CI/CD runner persistence mechanisms.​
• Aisuru botnet hyper-volumetric DDoS operations: Updated analysis and telemetry in early December confirmed 29.7 Tbps UDP carpet-bombing attacks driven by Aisuru, with the record-breaking event in Q3 2025 and continuing heavy activity into late 2025; the event itself is older than this week, so only the technique and current operational behaviors are included, not the original September incident.​
• Microsoft zero-day CVE-2025-62221: A Windows Cloud Files Mini Filter Driver local privilege escalation vulnerability, confirmed as actively exploited and patched in the December 10, 2025 Patch Wednesday.​

This report focuses on new or evolving techniques and currently exploited vulnerabilities that are operationally relevant this week, not historical breaches.

>>Outpace Attackers With AI-Based Automated Penetration Testing

New Hacking Techniques This Week

1. Shai-Hulud 2.0 – CI/CD Worming through npm & GitHub

Incident Activity Window (Technical Evolution):

• Initial worm activity: mid-September 2025 (not in scope as an “incident” for this week).​
• New behaviors and wider impact documented and confirmed this week: early December 2025, with multiple research teams publishing deeper analysis of its use of GitHub self-hosted runners and destructive fallback logic.​

Overview

Shai-Hulud 2.0 is a wormable npm supply chain malware campaign that compromises JavaScript packages, steals secrets, and uses victim infrastructure (GitHub, CI/CD runners) to propagate and persist. The key evolution highlighted in early December is the shift from pure data theft to deep CI/CD infrastructure co-option and potential data-wiping behaviors.​

Explanation (Deep Technical Insights)

1. Initial Infection: npm Package Installation
   • Malicious npm package versions ship with scripts that run at install time (preinstall/postinstall) to guarantee execution on developer endpoints and build servers.​
   • The malware enumerates files such as .npmrc and environment variables for npm tokens, GitHub PATs, and cloud API keys (AWS, GCP, Azure).​
2. Credential Exfiltration & Weaponized GitHub Repos
   • Stolen secrets are exfiltrated to attacker-controlled GitHub repositories often named variants of “Shai-Hulud,” sometimes publicly visible, embedding credentials into commits.​
   • This technique uses GitHub itself as a low-friction exfiltration and staging medium.​
3. Self-Propagation Across Packages
   • Using compromised npm tokens, the worm enumerates other packages administered by the victim and republishes new malicious versions with the same loader, achieving exponential spread.​
4. Newly Highlighted CI/CD Behavior (Dec 2025)
   • Recent analysis emphasizes that Shai-Hulud 2.0 creates or abuses a GitHub Actions workflow (e.g., discussion.yaml) to register the infected machine as a self-hosted runner.​
   • Attacker-controlled “Discussions” events then trigger arbitrary code execution on victim runners, effectively turning CI/CD into a persistent remote execution channel.​
   • A destructive fallback was also documented: when the worm cannot exfiltrate or propagate, it attempts to wipe the user’s home directory, shifting the behavior from pure espionage to sabotage.​

Impact / Risk

• Supply Chain Contamination: Hundreds of npm packages and tens of thousands of malicious repositories have been impacted, widening blast radius to customers and downstream projects.​
• CI/CD Compromise: GitHub workflows and self-hosted runners are converted into persistent backdoors with highly privileged credentials and access to production pipelines.​
• Data Destruction Potential: The home-directory wiping behavior means incidents can quickly escalate from stealthy compromise to destructive outages.​

Takeaway for CISOs

• Demand full SBOM visibility and provenance controls for npm dependencies across all internal and vendor codebases.​
• Enforce least privilege for GitHub tokens and review/restrict the creation of self-hosted runners and workflow files, especially ones not part of documented pipelines.​
• Treat CI/CD platforms as Tier-0 infrastructure and ensure incident response runbooks explicitly cover compromised runners and pipelines.​

New Critical Attack Techniques & CVEs This Week

2. CVE-2025-62221 – Windows Cloud Files Mini Filter Driver (Actively Exploited)

Vulnerability Event Window:

• Publicly patched: 10 December 2025 (December Patch Wednesday).​
• Exploitation: Confirmed in the wild prior to patch release; exploitation continues to be observed this week in real-world attacks.​

Overview

CVE-2025-62221 is an Elevation of Privilege (EoP) vulnerability in the Windows Cloud Files Mini Filter Driver that allows a local authenticated attacker to escalate to SYSTEM via a use-after-free flaw. Microsoft and multiple vendors confirmed this vulnerability is being actively exploited in the wild.​

Explanation (Deep Technical Insights)

• The Cloud Files Mini Filter Driver mediates operations for cloud-synced files (e.g., OneDrive, SharePoint) via reparse points and placeholders.​
• An attacker can craft a sequence of I/O operations that causes the driver to access memory after it has been freed (use-after-free), leading to arbitrary code execution in kernel context.​
• In practice, this is chained with other techniques:
  • Initial compromise via phishing, browser exploit, or a document macro obtains a low-privileged user shell.​
  • A local exploit for CVE-2025-62221 then elevates privileges, handing attackers full control of the endpoint (SYSTEM).​

Impact / Risk

• Privilege Escalation: Converts any low-privilege foothold into full endpoint takeover, enabling EDR tampering, credential dumping, and lateral movement.​
• Prevalence: Impacts supported Windows versions leveraging the Cloud Files stack; widely present on enterprise workstations integrated with cloud file sync.​

Takeaway for CISOs

• Prioritize emergency patching for CVE-2025-62221 across user endpoints, starting with high-risk users (admins, developers, finance, executives).​
• Monitor for attempts to disable security tools or anomalous token elevation patterns, indicating exploitation after initial compromise.​
• Treat any unpatched endpoint with signs of compromise as potentially fully owned and consider credential rotation.​

3. Aisuru Botnet – Hyper-Volumetric DDoS TTPs (Ongoing)

Incident Dates & Scope Clarification:

• The record 29.7 Tbps attack linked to Aisuru occurred in Q3 2025, with Cloudflare and others surfacing detailed analytics and threat reporting on 2-3 December 2025.​
• Because the underlying record attack predates this week, it is not treated here as a “new incident.” Instead, this section focuses on current operational techniques and botnet behavior as updated this week.

Overview

Aisuru is an extremely large DDoS botnet-for-hire, composed of hundreds of thousands to millions of compromised routers and IoT devices, responsible for multiple Tbps-level attacks in 2025. Early December analysis confirms continued high-volume operations, leveraging UDP carpet-bombing across many ports and targets simultaneously.​

Explanation (Deep Technical Insights)

• Aisuru predominantly exploits unpatched IoT and SOHO router flaws and weak credentials to grow its botnet.​
• Attacks analyzed this quarter:
  • Peak volumes up to 29.7 Tbps (historical record in Q3).​
  • UDP-based “carpet bombing,” sending high-rate garbage traffic to an average of 15,000 destination ports per second, making per-IP or per-port rate-limiting ineffective.​
  • Hyper-volumetric events (>1 Tbps) that last seconds to minutes, designed to overwhelm upstream links before on-demand mitigation can fully ramp.​

Impact / Risk

• ISP and Cloud Impact: These floods can saturate backbone links, impacting not only the intended targets but also tenants sharing the same infrastructure.​
• Enterprise Risk: Even with a robust on-premise firewall, upstream congestion can render services unreachable.​

Takeaway for CISOs

• Confirm with ISPs and DDoS providers that they can absorb multi-Tbps floods and specifically UDP carpet-bombing patterns.​
• For critical public services (DNS, VPN gateways, APIs), ensure anycast or cloud-based protection is in place rather than relying solely on on-prem hardware.​

Dark Web & Underground Chatter (Refocused)

Date Window: Early December 2025 (reports and synthesis dated within or after Dec 2, 2025)​

While specific underground posts are not all directly accessible, aggregated intelligence reports this week highlight the following operationally relevant trends:

4. Ransomware Alliances and CaaS Maturation

Overview

Recent reporting (released December 10, 2025, summarizing Q3-Q4 2025 activity) confirms that ransomware groups such as Qilin, Akira, and affiliates of former LockBit infrastructure increasingly share tooling, access, and execution capacity via Cybercrime-as-a-Service (CaaS) platforms.​

Explanation (Technical/Operational)

• Access brokers sell RDP, VPN, and cloud console access to multiple ransomware groups, resulting in multi-gang hits on the same victim environment.​
• CaaS offerings package:
  • Malware builders.
  • Initial-access phishing kits.
  • DDoS extortion services.​

Impact / Risk

• Overlap and persistence: Even after one ransomware incident is contained, the same access may be reused or resold to another actor.​
• Noise vs. signal: Multiple extortion attempts against the same environment complicate attribution and response.​

Takeaway for CISOs

• Treat any ransomware incident as a full environment compromise—not just a single payload event.​
• Focus on eradicating initial access methods and rotating credentials, not just decrypting data.​

Call to Action: FireCompass Free Demo

Shai-Hulud 2.0, CVE-2025-62221 exploitation, and Aisuru’s hyper-volumetric DDoS patterns all reinforce one reality: attackers see your organization the way your external attack surface looks today, not how it appears on internal inventories.​

FireCompass continuously scans the internet to discover, prioritize, and safely validate exposed assets and misconfigurations the way an attacker would, enabling CISOs to:​

• Identify vulnerable services and software versions (including internet-exposed Windows endpoints and CI/CD systems) before they are exploited.​
• Detect shadow assets such as forgotten GitHub repositories, dev servers, and exposed CI/CD endpoints that can be chained with vulnerabilities like CVE-2025-62221 or supply-chain worms such as Shai-Hulud 2.0.​

Next Step:
Book a free FireCompass demo and external attack surface assessment to understand how your environment looks to real adversaries and where Shai-Hulud-like worms, DDoS operators, and zero-day exploitation campaigns would strike first.

Outpace Attackers With AI-Based Automate Penetration Testing With FireCompass:

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management 

>>FireCompass Free Trial