The final week of August was marked by an unprecedented intersection of SaaS, supply chain, and state infrastructure attacks. Standout incidents included the highly technical s1ngularity AI-assisted supply chain compromise of Nx, the widespread theft of Salesforce and Google data via the Salesloft Drift OAuth breach, and ransomware that brought Nevada’s government services to a halt. Government, technology, and SaaS enterprises all faced advanced adversaries utilizing new vectors like AI-driven recon tools, malicious OAuth token persistence, and novel Windows driver bypass techniques. Critical vulnerabilities in Git and third-party platforms required aggressive, immediate response from defenders.
New Hacking Techniques
AI-Assisted Developer Reconnaissance
A first-of-its-kind supply chain attack weaponized AI CLI tools (Anthropic Claude, Amazon Q, Google Gemini) to automatically search infected developer environments for credentials and secrets, dramatically accelerating reconnaissance and exposure.
OAuth Token Abuse for SaaS Persistence
UNC6395 used hijacked OAuth tokens from the compromised Drift-Salesforce integration to establish persistent, stealthy access to victim Salesforce and Google Workspace accounts. The attackers queried and exfiltrated sensitive objects and emails, then removed logs and jobs to hamper incident forensics.
Microsoft-Signed Driver Evasion Techniques
The Silver Fox APT group modified only a single byte in Microsoft-signed Windows drivers’ timestamp fields; this preserved signature validity but fooled hash-based blocklists, defeating EDR and AV on the latest Windows 10 and 11 systems to drop the ValleyRAT backdoor.
Critical CVEs and Attack Campaigns
Git Arbitrary File Write Vulnerability (CVE-2025-48384)
Active Exploitation: August 26, 2025
A critical flaw in Git for Unix, macOS, and CI/CD systems allowed threat actors to use malicious .gitmodules files to place files anywhere on disk, leading to remote code execution upon clone—often as part of software development supply chain attacks.
- Technical detail: Attacker controls CR (\r) char handling between write/read, enabling crafted symlinks and arbitrary post-checkout script execution.
- Risk: Immediate exploitation in supply chain workflows, GitHub Desktop default-vulnerable; full system compromise possible in developer and build pipeline environments.
CISO takeaway: Patch immediately, audit for suspicious file writes, restrict use of git clone --recursive, and validate repositories used in CI.
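One way to validate repositories in CI before any submodule is initialized, as an added example that is not part of the original report or of Git itself: it flags control characters, including a carriage return that is not part of a CRLF line ending, anywhere in a .gitmodules file. The function names and the sample file are constructed for illustration, and treating every control character as suspicious is a conservative assumption made here.

```python
import os
import re

# Control bytes other than TAB; LF never appears because lines are split on it.
CTRL = re.compile(rb"[\x00-\x08\x0b-\x1f\x7f]")
SECTION = re.compile(rb'^\s*\[submodule\s+"(.*)"\]')
KEY = re.compile(rb"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=")

def audit_gitmodules(data: bytes) -> list:
    """Return (line_no, submodule, key) for every line holding a control byte."""
    findings, section = [], ""
    for no, raw in enumerate(data.split(b"\n"), 1):
        # A single CR directly before LF is an ordinary CRLF line ending.
        line = raw[:-1] if raw.endswith(b"\r") else raw
        m = SECTION.match(line)
        if m:
            section = m.group(1).decode("utf-8", "replace")
        if CTRL.search(line):
            k = KEY.match(line)
            findings.append((no, section, k.group(1).decode() if k else "?"))
    return findings

def audit_tree(root: str) -> dict:
    """Audit every .gitmodules under a checkout; map file path -> findings."""
    hits = {}
    for folder, _, files in os.walk(root):
        if ".gitmodules" in files:
            path = os.path.join(folder, ".gitmodules")
            with open(path, "rb") as fh:
                found = audit_gitmodules(fh.read())
            if found:
                hits[path] = found
    return hits

# Constructed sample: one CRLF-terminated entry and one entry with an embedded CR.
SAMPLE = (
    b'[submodule "docs"]\r\n'
    b'\tpath = docs\r\n'
    b'\turl = https://example.invalid/docs.git\r\n'
    b'[submodule "lib"]\n'
    b'\tpath = "lib\r"\n'
    b'\turl = https://example.invalid/lib.git\n'
)

if __name__ == "__main__":
    print(audit_gitmodules(SAMPLE))
```

Run it against a plain, non-recursive clone and fail the pipeline on any finding before submodules are fetched.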
Salesloft Drift OAuth Supply Chain Breach
Incident window: August 8–18, 2025 (disclosed Aug 26+)
Attackers compromised Drift’s OAuth integration with Salesforce, stole tokens, and mass-exfiltrated Salesforce objects and Google Workspace data from over 700 organizations including Zscaler.
- Technical detail: Automated SOQL queries for high-value Salesforce objects, lateral movement to Google via OAuth reuse, stealth via job log deletion and high-entropy User-Agent rotation.
- Risk: Cascading compromise of business SaaS and potential for downstream business email compromise in affected environments.
CISO takeaway: Rotate OAuth secrets, conduct SaaS app integration reviews, monitor for exfiltration/anomaly patterns, and disable legacy integrations.
Silver Fox APT ValleyRAT/Driver Campaign
Active: August 2025
Silver Fox APT leveraged modified, still-signed Microsoft and WatchDog drivers to kill protected security processes and install ValleyRAT for persistent surveillance and lateral movement.
- Technical detail: Use of dual driver approach to cover both legacy (Zemana Anti-Malware, Windows 7) and current Windows builds, anti-forensic binary manipulation, advanced blocking evasion.
- Risk: Defeat of security controls even in fully patched environments; especially impactful in organizations with legacy soft/hardware interdependencies.
CISO takeaway: Enforce latest vulnerable driver blocklists, monitor for unusual driver loads, and prioritize kernel-level event monitoring and behavioral analytics.
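Why a blocklist keyed on the whole-file hash misses such a variant while one keyed on the Authenticode-style digest still matches, shown as an added example that is not from the original report or any vendor tooling. It assumes the altered byte sits in the PE certificate table (which that digest excludes), that sections are in file order, and it uses a constructed PE32+ skeleton rather than a real driver.

```python
import hashlib
import struct

def authentihash(pe: bytes) -> str:
    """SHA-256 over a PE image, skipping the regions Authenticode excludes."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe_off + 24                              # start of optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]    # PE32 / PE32+ data directories
    checksum = opt + 64                            # CheckSum field, 4 bytes
    sec_dir = dirs + 4 * 8                         # directory entry 4: certificate table
    cert_off, cert_len = struct.unpack_from("<II", pe, sec_dir)
    if cert_off == 0:                              # unsigned image
        cert_off, cert_len = len(pe), 0
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:sec_dir],
                  pe[sec_dir + 8:cert_off], pe[cert_off + cert_len:]):
        h.update(chunk)
    return h.hexdigest()

def build_sample(cert: bytes) -> bytes:
    """Constructed PE32+ skeleton for illustration; not a loadable driver."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)        # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 24, 0x20B)  # PE32+ magic
    body = b"\x90" * 0x100                         # stand-in for section data
    struct.pack_into("<II", hdr, 0x80 + 24 + 112 + 32,
                     len(hdr) + len(body), len(cert))
    return bytes(hdr) + body + cert

def compare(a: bytes, b: bytes) -> dict:
    """Report which of the two identifiers still matches between two files."""
    sha = lambda x: hashlib.sha256(x).hexdigest()
    return {"file_hash_match": sha(a) == sha(b),
            "authentihash_match": authentihash(a) == authentihash(b)}

# Constructed pair: identical images whose signature blobs differ in one byte.
ORIGINAL = build_sample(b"constructed-signature timestamp=\x01")
VARIANT = ORIGINAL[:-1] + b"\x02"

if __name__ == "__main__":
    print(compare(ORIGINAL, VARIANT))
```

Blocklist entries and detections keyed on this digest or on signer attributes keep matching the variant, whereas a change to the section data changes the digest and invalidates the signature.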
Nevada State Ransomware Incident
Disclosed: August 24, 2025 – Ongoing
Ransomware brought down all Nevada government DMV and administrative functions, marking the first full statewide government shutdown from cyberattack in US history. Service outages continued beyond 8 days, affecting residents and state operations.
- Impact: Government websites, phones, law enforcement resources, and scheduling for critical services were all made unavailable.
CISO takeaway: Harden recovery processes, segment government IT, and increase ransomware readiness in critical-infrastructure scenarios.
s1ngularity/Nx Supply Chain Attack
Attack Date: August 26, 2025
The popular Nx build system was compromised, delivering malicious packages for five hours and targeting developer environment variables, credentials, and digital wallets—while also leveraging AI toolchains for more efficient loot discovery.
- Impact: Risk to open-source supply chains, especially affecting software companies using modern CLI AI tools and bulk NPM installs.
CISO takeaway: Audit build pipeline dependencies, restrict shell/environment exposure in build containers, and monitor for credential exfiltration in dev workflow logs.
Operational Security Implications
The period highlights an accelerating convergence between SaaS trust abuse (OAuth), supply chain corruption, ransomware, and endpoint defense evasion, each demonstrated through technical novelty not effectively mitigated by patching alone. Focus areas for defense include OAuth supply chain hygiene, developer tool/app vetting, deep endpoint device monitoring, and rapid, organization-wide response drills.
Takeaway for CISOs
- Patch critical vulnerabilities (Git, supply chain tools) as an urgent priority.
- Audit and restrict third-party SaaS and OAuth permissions, with special attention to legacy business process integrations.
- Apply hardened EDR/AV blocklists and ensure lockdown of kernel-level/loadable components for all endpoints.
- Establish and test disaster recovery and crisis communication plans for all business-critical operations, as demonstrated by the Nevada and Pennsylvania attacks.
- Invest in continuous attack surface management and Red Team simulation focused on SaaS, supply chain, and endpoint bypass vectors.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management




