Weekly threat intelligence digest: August 18 - 24, 2025

Executive summary

This week tracked 2 curated intelligence items and 0 newly published CVEs. The risk profile remained elevated, with 0 critical and 0 high severity disclosures in public reporting. Priority themes were supply-chain, campaign and active exploitation pressure around internet-exposed enterprise software.

Critical & high priority

1. Volt Typhoon Pre-Positions in US Critical Infrastructure Water Systems

• What happened: CISA, NSA, and FBI published a joint advisory revealing that Volt Typhoon, a Chinese state-sponsored threat group, has expanded its pre-positioning campaign into US water treatment and distribution systems. The advisory details tactics, techniques, and procedures used by the group to maintain long-term persistent access to operational technology networks. Intelligence assessments indicate the access is intended for potential disruptive or destructive operations during a future geopolitical crisis rather than immediate espionage or data theft.
• Who's affected: US water treatment facilities and water distribution systems, particularly small and medium-sized utilities that often lack dedicated cybersecurity staff. The advisory also reinforces ongoing concerns about Volt Typhoon access in energy, transportation, and communications sectors. The pre-positioning posture means no immediate disruption is occurring, but the capability for future disruption is in place.
• What to do: Hunt for related indicators, tighten identity controls, and validate incident response playbooks for lateral movement and data theft scenarios.

2. npm Supply Chain Attack Compromises Popular Event-Stream Successor Package

• What happened: Security researchers discovered a supply chain compromise affecting a popular npm package with over 12 million weekly downloads. A social engineering campaign convinced the maintainer to transfer publishing rights to a threat actor, who then published a new version containing obfuscated code designed to steal cryptocurrency wallet credentials and private keys. The malicious version was available for approximately five days before detection and removal by the npm security team.
• Who's affected: Any Node.js application or CI/CD pipeline that installed or updated the affected package during the five-day window. Developers working on cryptocurrency-related projects are at highest risk for credential theft. Organizations using the package in server-side applications may have had environment variables and secrets from build environments exfiltrated.
• What to do: Verify software provenance, rotate exposed secrets, and enforce dependency controls including signing and attestations where available.

Notable developments

Most tracked items this week were critical/high vulnerability stories, with no major medium or informational shifts requiring separate strategic treatment.

Vulnerability landscape

This week saw 0 newly published CVEs in NVD-aligned tracking for the reporting window.

• Critical: 0
• High: 0
• Medium: 0
• Low: 0

Recommended actions

1. Prioritize internet-facing patching: Resolve critical and high-severity items first, with strict SLA enforcement for edge systems.
2. Harden identity and admin pathways: Require phishing-resistant MFA, reduce standing privileges, and audit privileged sessions.
3. Operationalize detections: Convert this week's CVEs and campaign behaviors into SIEM/SOAR detections and threat hunts.
4. Protect recovery paths: Isolate and test backups, then validate restoration workflows against ransomware and destructive attack scenarios.

Looking ahead

For August 25 - 31, 2025, expect continued exploitation attempts against newly disclosed enterprise software flaws, plus copycat scanning after proof-of-concept publication. Teams should maintain elevated monitoring for externally exposed assets and review compensating controls where patch windows are delayed.