#AxisOfEasy 417: Nepal Goes Offline, Then Up In Flames


Weekly Axis Of Easy #417


Last Week’s Quote was: “The most effective way to do it, is to do it,” by Amelia Earhart. Bryan is our winner! Congrats 🙂

This Week’s Quote:  “Politics is the art of looking for trouble, finding it whether it exists or not, diagnosing it incorrectly, and applying the wrong remedy.”   By ???

THE RULES:  No searching up the answer, must be posted at the bottom of the blog post, in the comments section.

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.


This is your easyDNS #AxisOfEasy Briefing for the week of September 8th, 2025. Our Technology Correspondent Joann L Barnes and easyCEO Mark E. Jeftovic send out a short briefing on the state of the ‘net and how it affects your business, security and privacy.

To Listen/watch this podcast edition with commentary and insight from Joey and Len the Lengend click here.


In this issue: 

  • Nepal Goes Offline, Then Up in Flames
  • Wyden Targets Microsoft Over RC4 Use in Ransomware-Fueled Healthcare Breach
  • Salesloft Breach Exposes OAuth Supply Chain Weakness Across Major Tech Platforms
  • Red Sea Cable Cut Forces Azure Reroute and Slows Asia-Europe Internet
  • Supply Chain Malware in Billion-Download NPM Packages

Elsewhere Online:

  • Chinese APT Deploys New EggStreme Fileless Malware Against Philippine Military Firm
  • US Lawmakers Allege Chinese Espionage Campaign Posing as Congressman
  • Adobe Patches Critical Flaw in Commerce and Magento After Early Leak
  • Jaguar Land Rover Admits to Data Compromise in Latest Cyberattack
  • Microsoft Patches 80 Vulnerabilities Including High Severity Flaws and BitLocker Issues

 

Nepal Goes Offline, Then Up in Flames

Nepal’s government, via the Ministry of Communication and Information Technology, demanded that social media platforms register under vague rules, then banned 26—including Facebook, Instagram, WhatsApp, and WeChat—when they didn’t.

This act of censorship detonated public anger already primed by endemic corruption, 20% youth unemployment, and mass labor migration (1 in 13 Nepalis work abroad). Since shelving the monarchy in 2008, Nepal has cycled through 14 governments; none lasted a full term. The blackout sparked protests in Kathmandu, Pokhara, Chitwan, and Janakpur, with students walking out mid-lecture and clashing with riot police. At least 19 died. Protesters breached a security post near Parliament, and Prime Minister K.P. Sharma Oli’s residence was torched—he resigned without a successor.

WhatsApp storefronts collapsed, online tutors vanished, remittances went silent. A backpedal restored the platforms, but not legitimacy. Seven embassies, including those of the U.S. and France, issued a joint rebuke. Trust remains offline.

Read: https://reclaimthenet.org/nepal-tried-to-censor-the-internet-the-people-set-parliament-on-fire


Wyden Targets Microsoft Over RC4 Use in Ransomware-Fueled Healthcare Breach

Senator Ron Wyden (D–Ore.) urged FTC Chair Andrew Ferguson to investigate Microsoft for “gross cybersecurity negligence,” blaming the default use of RC4 encryption in Active Directory for the 2024 ransomware breach of Ascension that exposed 5.6 million patient records. RC4—developed by RSA’s Ron Rivest in 1987, leaked on the Cypherpunks mailing list in 1994, and broken within days—continues as a fallback cipher in Kerberos authentication despite long-known vulnerabilities and deprecated status in modern cryptography.

Wyden accused Microsoft of hiding “dangerous software engineering decisions” from customers, enabling organization-wide ransomware attacks through a single compromised user. He condemned Microsoft’s business model of selling costly security add-ons as equivalent to “an arsonist selling firefighting services.” Microsoft, while claiming RC4 accounts for less than 0.1% of its traffic and pointing to the deprecation of DES, defends its gradual approach to phasing out RC4 to preserve legacy system functionality. RC4 will be disabled by default in Windows Server 2025 Active Directory domains starting Q1 2026.

Read: https://arstechnica.com/security/2025/09/senator-blasts-microsoft-for-making-default-windows-vulnerable-to-kerberoasting/


Salesloft Breach Exposes OAuth Supply Chain Weakness Across Major Tech Platforms

In March, attackers breached Salesloft’s GitHub, quietly lingered through June, and used that access to download code, add a guest user, and create workflows. From there, they jumped to the AWS environment of Drift, Salesloft’s AI chatbot platform, stealing OAuth tokens that exposed customers like Google, Cloudflare, Bugcrowd, Tenable, Proofpoint, and Palo Alto Networks. The attackers—later identified as UNC6395 by Google’s Mandiant team, and possibly the extortionist group ShinyHunters per Bleeping Computer and DataBreaches.net—exfiltrated sensitive Salesforce support ticket data including AWS keys, passwords, and Snowflake tokens.

Salesloft only detected the breach six months later, raising questions about its detection capabilities. Google’s Threat Intelligence Group disclosed the supply chain compromise in August. While the incident is now “contained” and Salesforce integration restored, the full scope remains murky, with unnamed victims likely. The episode spotlights how token-based trust models like OAuth—designed for seamless integration—can serve as backdoors when a single supplier’s security breaks.

Read: https://techcrunch.com/2025/09/08/salesloft-says-drift-customer-data-thefts-linked-to-march-github-account-hack/


Red Sea Cable Cut Forces Azure Reroute and Slows Asia-Europe Internet

On September 6, Microsoft rerouted Azure traffic after the SEA-ME-WE-4 and IMEWE submarine cables were severed near Jeddah, Saudi Arabia—a geopolitically tense bottleneck for global Internet flow. NetBlocks attributed the disruption to a “series of subsea cable outages,” slowing connectivity across Pakistan, India, and Gulf nations.

Azure system messages confirmed service degradation for traffic routed through the Middle East, with latency persisting into September 7. These cables are core arteries linking Asia and Europe, vital not just for consumer Internet but for hyperscalers like Google and Meta. Microsoft engineers diverted data through longer paths, but scarcity of repair ships and difficult Red Sea logistics mean weeks-long delays.

This follows February 2024’s multi-cable failures—including AE-1, SEACOM, and EIG—and a January 2025 shunt fault in the AAE-1 cable off Qatar, which took two weeks to fix. Azure remains up, but cross-region workloads—especially between South Asia, Europe, and the Middle East—face sluggish, uncertain performance.

Read: https://www.tomshardware.com/tech-industry/red-sea-cable-cut-takes-azure-routes-down


Supply Chain Malware in Billion-Download NPM Packages

A sweeping NPM supply-chain attack hijacked the account of prolific developer qix, injecting malware into ubiquitous packages like chalk, strip-ansi, color-convert, color-name, error-ex, simple-swizzle, and has-ansi. The breach was discovered when a CI build failed with the error “fetch is not defined,” revealing obfuscated code in error-ex version 1.3.3 containing a suspicious function named checkethereumw.

The payload is a sophisticated crypto-clipper. It modifies network methods like fetch, XMLHttpRequest, and wallet APIs such as send and eth_sendTransaction to swap wallet addresses using Levenshtein distance and hijack transactions. In older Node.js environments, the malware fails silently—modern ones wouldn’t notice.

Malicious packages persist due to transitive dependencies, including through is-core-module. Stolen funds are linked to addresses like 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 (visible on Etherscan). Developers should pin safe versions using overrides in package.json and regenerate lockfiles.
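
A lockfile check to go with the pinning advice above, as an added example that is not from this newsletter or the linked write-up: it walks the `packages` map of a `package-lock.json` and reports every installed copy of a denylisted version, along with the packages that declare it. The denylist holds only the error-ex 1.3.3 version named above; the sample lockfile and the `demo-app` and `example-*` names are constructed.

```javascript
'use strict';

// Denylist of name -> bad versions. Only error-ex 1.3.3 is named on this page;
// add the other affected versions from an advisory you trust.
const DENYLIST = { 'error-ex': ['1.3.3'] };

// Package name from a lockfile key: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(path) {
  const parts = path.split('node_modules/');
  return parts.length > 1 ? parts[parts.length - 1] : null;
}

// Names of packages (or the root project) that declare `name` as a dependency.
function dependents(lock, name) {
  const out = new Set();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const deps = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    if (Object.hasOwn(deps, name)) out.add(path === '' ? '(root project)' : nameFromPath(path) || path);
  }
  return [...out].sort();
}

// Every installed copy of a denylisted version, including nested transitive copies.
function findCompromised(lock, denylist = DENYLIST) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    const bad = name && Object.hasOwn(denylist, name) ? denylist[name] : [];
    if (bad.includes(meta.version)) {
      hits.push({ name, version: meta.version, path, requiredBy: dependents(lock, name) });
    }
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3 layout); every package name
// other than error-ex is hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'example-cli': '^2.0.0' } },
    'node_modules/example-cli': { version: '2.1.0', dependencies: { 'example-parser': '^1.0.0' } },
    'node_modules/example-parser': { version: '1.4.0', dependencies: { 'error-ex': '^1.3.1' } },
    'node_modules/error-ex': { version: '1.3.3' },
    'node_modules/example-cli/node_modules/error-ex': { version: '1.3.2' },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) {
  console.log(`${h.name}@${h.version} at ${h.path}, required by: ${h.requiredBy.join(', ')}`);
}
```

The `requiredBy` list names the dependents whose ranges pull the package in, which is where an `overrides` entry in package.json has to take effect before the lockfile is regenerated.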

Trust remains critical in open-source. Audit everything.

Read: https://jdstaerk.substack.com/p/we-just-found-malicious-code-in-the

 

Elsewhere Online:

Chinese APT Deploys New EggStreme Fileless Malware Against Philippine Military Firm
Read: https://hackread.com/chinese-apt-philippine-military-eggstreme-fileless-malware/


US Lawmakers Allege Chinese Espionage Campaign Posing as Congressman
Read: https://www.darkreading.com/cybersecurity-operations/chinese-hackers-allegedly-pose-us-lawmaker


Adobe Patches Critical Flaw in Commerce and Magento After Early Leak
Read: https://www.infosecurity-magazine.com/news/adobes-emergency-patch-commerce/


Jaguar Land Rover Admits to Data Compromise in Latest Cyberattack
Read: https://www.securityweek.com/jaguar-land-rover-admits-data-breach-caused-by-recent-cyberattack/


Microsoft Patches 80 Vulnerabilities Including High Severity Flaws and BitLocker Issues
Read: https://thehackernews.com/2025/09/microsoft-fixes-80-flaws-including-smb.html

 

If you missed the previous issues, they can be read online here:


 
