SIGNALS WEEKLY: Android Banking Malware & VS Code Worms Go Mainstream

🚨 CodeRED alerts ransomed. 🐛 Shai Hulud 2.0 looting CI/CD secrets. 📱 107 Android bugs + Albiriox on-device fraud. Signals Weekly on what to fix first.

When the system that warns you about disasters becomes one.

TL;DR

  • [Critical Infrastructure/Ransomware] Nationwide disruption of CodeRED emergency alerts via INC Ransom exposed clear-text credentials and weak legacy isolation in public-safety SaaS.
  • [Software Supply Chain] “Shai Hulud 2.0” npm worm exfiltrates CI/CD runtime secrets and cloud keys at scale, exploiting preinstall scripts and build-runner blind spots.
  • [Vulnerabilities/Mobile] December Android patch batch closes 107 flaws, including two in-the-wild framework zero-days now in KEV; patch velocity and mobile telemetry prioritization are urgent.

AlphaHunt

Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))


Current Stories

TL;DR

  • [Critical Infrastructure / Ransomware] INC Ransom attack on Crisis24’s OnSolve CodeRED forces shutdown of legacy environment; millions of US residents’ alert accounts and clear-text passwords exposed.

  • [Software Supply Chain] Shai Hulud 2.0 npm worm compromises ~1,200 orgs (banks, gov, Fortune 500), exfiltrating CI/CD runtime secrets and cloud keys from build systems.

  • [Data Breach] South Korean e‑commerce giant Coupang breach exposes data for up to 33.7M customers, triggering regulatory probes and highlighting large‑scale retail cloud risk.

  • [Vulnerabilities / Mobile] Google’s December Android update fixes 107 flaws, including two in‑the‑wild framework zero‑days; CISA adds both to KEV, raising patch urgency.

  • [ICS / OT] CISA adds the OpenPLC ScadaBR XSS flaw (CVE‑2021‑26829) to KEV after confirmed exploitation against a water‑utility‑style HMI, underscoring the risk posed by legacy web UIs in OT.

Suggested Pivots

How does the CodeRED/INC Ransom incident reshape our threat model for third‑party emergency and civic alert providers?

  • Why: The combination of nationwide service disruption and clear‑text credential exposure is rare and high‑impact for public‑safety‑adjacent SaaS.
  • What to expect: A clearer map of data types, tenant isolation, credential handling, and contingency expectations SOCs should validate with similar critical‑notification vendors.

What does Shai Hulud 2.0 reveal about systemic weaknesses in CI/CD security across banks, SaaS, and critical infrastructure?

  • Why: The campaign targets runtime secrets and build runners, not just code repos, stressing a blind spot in many enterprise controls.
  • What to expect: Concrete patterns in preinstall script abuse, memory scraping, and secret handling practices that can drive more realistic pipeline threat models and hunts.

AlphaHunt Converge - Plug in your Flight Crew

Get intelligence where it counts. No dashboards. No detours. AlphaHunt Converge teases out your intent, reviews the results and delivers actionable intel right inside Slack. We turn noise into signal and analysts into force multipliers.

Anticipate, Don’t Chase.

Emerging Stories

TL;DR