The IT Nerd

Recently, a malicious NPM package called Lotusbail, masquerading as a WhatsApp Web API library, secretly intercepted authentication tokens, messages, contacts, and media from developers’ applications and exfiltrated the data after encrypting it to evade detection. The supply chain attack also hijacked WhatsApp’s device pairing process to give attackers persistent backdoor access to accounts, which remains even after uninstalling the package unless all linked devices are manually removed.

SecurityWeek has more on this here: https://www.securityweek.com/npm-package-with-56000-downloads-steals-whatsapp-credentials-data/

CEO of DryRun Security, James Wickett had this to say:

“Backdoors don’t just happen to other people. They happen inside real organizations, often through code that looks legitimate at first glance. Sometimes it’s a malicious dependency, sometimes it’s copied or AI-generated code, and sometimes it’s an internal actor abusing trust. As development accelerates, security teams need visibility into what’s being added to the codebase and the ability to flag suspicious behavior early, so risky changes get reviewed before they turn into credential theft or persistent access in production.”

Developers need to make sure that the code that they use is secure. Otherwise they will get into a situation that isn’t good for them or the people who use their apps.

The University of Phoenix has today begun notifying over 3.4 million individuals that their data was stolen in a hack by the notorious ransomware gang known as Cl0p. Yeah. That Cl0p. Clearly they’ve been busy this year by being naughty and not nice.

Rebecca Moody, Head of Data Research at Comparitech had this to say:

“According to our data, this is the fourth-largest ransomware attack in the world this year (based on records affected). It highlights the ongoing threat that companies face via ransomware — and not just via attacks on their own systems. Attacks on third parties like Oracle often give hackers access to a multitude of companies (and their data) via one central source. And as Clop is now rumored to be exploiting a new vulnerability through another software company (Gladinet CentreStack), its devastating data breaches look set to continue well into 2026.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech follows with this:

“Clop has been on a rampage this year, targeting zero-day vulnerabilities in software used by large enterprises. Specifically, it targets Oracle’s E-Business Suite and the Cleo file transfer software. This attack on the University of Phoenix is most likely related to the former.

According to our research, Clop has claimed the third-most data breaches of any ransomware gang in 2025.”

See: https://www.comparitech.com/news/ransomware-roundup-november-2025/

Chris Hauk, Consumer Privacy Champion at Pixel Privacy adds this:

“This is just the latest data breach of US universities, with Harvard University, the University of Pennsylvania, and Princeton University having been compromised by hackers, who stole the personal information of donors, students, alumni, staff, and faculty. We will surely see this trend continue, as bad actors around the world look to increase the size of their data cache from US educational institutions.

I would urge any individuals affected by this breach to take advantage of the university’s offer of free identity protection services, fraud reimbursement policy, one year of credit monitoring, identity theft recovery, and dark web monitoring. This will give them a leg up in detecting if bad actors are attempting to use the data gathered from the breach for nefarious purposes, as the information stolen includes dates of birth, social security numbers, and bank account and routing numbers.”

Finally, Ensar Seker, CISO of SOCRadar had this to say: 

“This breach underscores a troubling pattern we’ve seen throughout 2025: threat actors like Clop continuing to weaponize zero-day vulnerabilities and mass data exfiltration campaigns against large, centralized educational platforms with insufficient segmentation between student, staff, and supplier data.

Universities remain attractive targets due to sprawling digital ecosystems and a mix of legacy and cloud infrastructure. Attackers exploit these complexities often entering through third-party vendors or outdated portals—and move laterally across systems before exfiltrating millions of records. The fact that Clop accessed data tied to nearly 3.5 million individuals suggests minimal micro-segmentation or inadequate identity and access management (IAM) protocols.

Clop’s playbook is not new. They’ve repeatedly exploited MOVEit and other file transfer software to compromise vast amounts of sensitive data. Their ransomware operations are increasingly interwoven with pure data theft and extortion, leveraging leak sites and public shaming campaigns to pressure victims. In this case, the potential inclusion of personal data from students and faculty introduces FERPA, HIPAA, and contractual risk dimensions for University of Phoenix.

Given the scale and societal impact of this attack, it’s time for educational institutions to be held to the same cybersecurity standards as critical infrastructure. That includes mandatory vendor security assessments, data minimization strategies, and endpoint telemetry across hybrid environments. Breaches like this are not just IT issues,they’re national resilience risks when millions of PII records are involved.

Transparent forensic reporting, mass notification procedures, and proactive credit monitoring must be prioritized. From a policy standpoint, it’s time for federal regulators to reevaluate breach notification thresholds and introduce industry-wide frameworks tailored for academia.”

While Cl0p isn’t the only ransomware gang out there, they’ve clearly been busy. Which doesn’t bode well for any of us in 2026.