A single stolen token may have exposed 33.7 million customers of South Korea’s largest retailer. A supply chain attack quietly scattered 400,000 developer secrets across the internet. A botnet fired a 15.72 terabit per second blast at one IP address in Australia as if it were a routine stress test.
The latest ColorTokens Threat Advisory shows how attackers are moving fast, cutting through familiar environments, and turning small weaknesses into massive spillovers. One email account, one access token, one package upload, one firewall vulnerability. That is all it took in incident after incident.
So the question is simple. If attackers can move this quickly, what is stopping them from moving across your entire network once they get in?
33.7 Million Customers Impacted at Coupang
Coupang’s breach was first reported as unauthorized access to about 4,500 customer accounts. Deeper investigation raised that figure to 33.7 million users whose personal information was exposed: names, phone numbers, email addresses, physical addresses, and order histories.
The most troubling detail comes from reports that a former employee may have used access tokens that were never revoked after departure. A single leftover credential led to a national-scale breach. That is the definition of preventable blast radius.
Shai Hulud 2.0 Exposes 400,000 Developer Secrets
The second wave of the Shai Hulud attack hit more than 800 NPM packages and leaked roughly 400,000 secrets across 30,000 GitHub repositories. Only a fraction of the leaked secrets were confirmed valid, yet more than 60 percent of the NPM tokens in the dataset were still active.
The malware spread through developer laptops, CI runners, and publishing workflows. Almost all infections were triggered by a preinstall lifecycle script, which NPM runs automatically during installation, so the injected code executed before anyone looked at the package. Two packages alone accounted for more than 60 percent of the spread. If they had been flagged early, the overall impact could have been dramatically lower.
This is supply chain compromise in its rawest form. Attackers do not force their way in. They attach themselves to the tools developers already trust.
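Because the propagation vector was an install-time hook, the first thing a practitioner wants is an inventory of every dependency that declares one. The script below is an added example (not ColorTokens tooling and not part of the advisory): it walks a node_modules tree, reads each package.json, and reports packages with preinstall, install or postinstall scripts. The package names, versions and hook commands in the sample tree are constructed for the demonstration and are not real packages or indicators.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts."""
import json
import tempfile
from pathlib import Path

# npm runs these hooks automatically when a dependency is installed,
# which is exactly how a preinstall payload gets to execute unnoticed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(root):
    """Return every package under root that declares an install-time hook.

    Each finding records name, version, path relative to root and the hook
    commands, so a reviewer can inspect what would run at install time.
    """
    root = Path(root)
    findings = []
    for pkg_json in root.rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the audit
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts")
        if not isinstance(scripts, dict):
            continue
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({
                "name": data.get("name", pkg_json.parent.name),
                "version": data.get("version", "unknown"),
                "path": pkg_json.parent.relative_to(root).as_posix(),
                "hooks": hooks,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(base):
    """Write a small constructed node_modules tree (hypothetical packages)."""
    root = Path(base) / "node_modules"
    samples = {
        "tidy-util": {"version": "1.4.0", "scripts": {"test": "node test.js"}},
        "@acme/clean-logger": {"version": "0.9.2"},
        "oddly-named-lib": {
            "version": "2.3.1",
            "scripts": {"preinstall": "node install-hook.js", "test": "jest"},
        },
        # nested dependency: hooks hide below the top level too
        "oddly-named-lib/node_modules/nested-helper": {
            "version": "0.1.0",
            "scripts": {"postinstall": "node build.js"},
        },
    }
    for rel, meta in samples.items():
        pkg_dir = root / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        name = rel.rsplit("node_modules/", 1)[-1]
        (pkg_dir / "package.json").write_text(json.dumps({"name": name, **meta}))
    return root


def audit_sample():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_scripts(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in audit_sample():
        for hook, cmd in f["hooks"].items():
            print(f"{f['name']}@{f['version']} ({f['path']}): {hook} -> {cmd}")
```

Run it against a real checkout with `find_install_scripts("node_modules")`. Two notes on use: legitimate native-build packages also declare install hooks, so treat the output as a review list and allowlist what you have verified; and the stronger control is to not run hooks at all in CI (`npm ci --ignore-scripts`, or `npm config set ignore-scripts true`) and re-enable them only for the allowlisted packages.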
353 GB of Alleged Patient Data Highlights Healthcare Exposure
In the United States, Doctor Alliance is still investigating whether a hacker calling himself Kazu stole 353 GB of patient data. The posted sample contained Medicare numbers, diagnoses, treatment details, and provider information. The data may be Doctor Alliance’s, or it may come from an earlier breach unrelated to the company.
Even without confirmation, lawsuits are already underway. Healthcare breaches now trigger legal, financial, and reputational fallout long before forensics reach a conclusion.
Delta Dental of Virginia Email Compromise Impacts 146,000
Delta Dental of Virginia found that a single compromised email inbox exposed names, Social Security numbers, government ID numbers, and health information for around 146,000 people.
There is no evidence of misuse so far, but exposed personal data often sits quietly before it resurfaces in fraud campaigns months or years later.
SitusAMC Confirms Data Breach Affecting Clients and Their Customers
Real estate finance services provider SitusAMC confirmed that client-related data and some customer information were accessed. The company supports more than 1,500 major financial institutions, so even a small breach can ripple throughout the sector.
SonicWall Vulnerability Allows Firewall Crashes
A SonicWall SonicOS SSLVPN flaw can allow attackers to crash Gen7 and Gen8 firewalls through a stack-based buffer overflow. There is no evidence of active exploitation yet, but the risk is straightforward. A firewall that fails closed takes remote access and traffic inspection offline; one that fails open hands attackers freedom of movement. Immediate patching, or temporarily disabling SSLVPN until the patch is applied, is strongly recommended.
Microsoft Mitigates Record 15.72 Tbps DDoS Attack
Finally, Microsoft detected and blocked the largest cloud DDoS attack ever recorded: 15.72 terabits per second and nearly 3.64 billion packets per second, all aimed at a single public IP address in Australia.
The attack came from AISURU, a TurboMirai-class IoT botnet built from compromised routers, cameras, and DVRs. As home internet speeds increase and IoT devices grow more capable, attackers scale with them. The baseline for DDoS power keeps rising.
How to Slow Down or Stop Lateral Movement
Attackers rarely stop at the first compromised system. What happens next decides how much damage follows. These steps help shrink the blast radius and limit how far they can travel.
Ring-fence vulnerable assets when patching is delayed.
Isolation prevents a weakness from becoming an attacker’s easy ramp. The system may stay unpatched for a short time, but the exposure stays contained.
Reduce unnecessary east-west communication.
Shai Hulud spread because developer machines, CI runners, and publishing workflows could all interact freely. Cutting the pathways none of them actually needs removes the attacker’s movement options.
Enforce least privilege at the network layer.
The Doctor Alliance incident showed how one client account was enough. Narrowing permissions blocks deeper movement.
Continuously visualize workload and device communication.
Many organizations only discover hidden pathways after a breach. Visibility helps surface unusual or risky traffic patterns early.
Apply microsegmentation to trap attackers at the first hop.
Microsegmentation breaks the environment into contained zones. If an attacker attempts to move laterally, policies block the attempt. This prevents ransomware spread, insider misuse, supply chain drift, and token abuse from escalating.
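The steps above amount to one procedure: inventory your segments, write down the east-west flows each one legitimately needs, default-deny everything else, and keep checking observed traffic against that policy. The script below is an added example (not ColorTokens code and not from the advisory) that does the checking half: it evaluates flow records against an allow-list of permitted segment-to-segment connections and ranks the violations so you know what to fix first. The subnets, segment names, allow-list and flow-log format are all constructed for the illustration; real inputs would be VPC flow logs, Zeek conn logs or a firewall export, and the parser would change accordingly.

```python
"""Check observed east-west flows against a default-deny segmentation policy."""
import ipaddress
from collections import Counter

# Constructed asset inventory: which internal segment each subnet belongs to.
SEGMENTS = {
    "dev-laptops": ipaddress.ip_network("10.10.0.0/24"),
    "ci-runners": ipaddress.ip_network("10.20.0.0/24"),
    "publish-workers": ipaddress.ip_network("10.30.0.0/24"),
    "package-registry": ipaddress.ip_network("10.40.0.0/28"),
    "git-server": ipaddress.ip_network("10.40.1.0/28"),
}

# Allow-list of (source segment, destination segment, destination port).
# Any flow between two inventoried segments that is not listed is a violation,
# including traffic between two hosts in the same segment.
ALLOWED = {
    ("dev-laptops", "git-server", 443),
    ("dev-laptops", "package-registry", 443),
    ("ci-runners", "git-server", 443),
    ("ci-runners", "package-registry", 443),
    ("publish-workers", "package-registry", 443),
}

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"
SAMPLE_FLOWS = """\
2025-11-20T09:01:02Z 10.10.0.15 10.40.0.5 tcp 443 18240
2025-11-20T09:01:09Z 10.20.0.7 10.40.1.3 tcp 443 9120
2025-11-20T09:02:11Z 10.10.0.15 10.20.0.7 tcp 22 4096
2025-11-20T09:02:30Z 10.20.0.7 10.10.0.22 tcp 445 77000
2025-11-20T09:03:01Z 10.10.0.15 10.10.0.22 tcp 445 5000
2025-11-20T09:03:20Z 10.10.0.15 10.20.0.7 tcp 22 2048
2025-11-20T09:04:00Z 10.30.0.2 10.40.0.5 tcp 443 6000
2025-11-20T09:04:05Z 10.10.0.15 8.8.8.8 udp 53 120
"""


def segment_of(ip):
    """Map an address to its segment, or None if it is not an internal asset."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line):
    ts, src, dst, proto, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "port": int(port), "bytes": int(nbytes)}


def evaluate(lines):
    """Return (violations, ranked_summary) for the given flow lines.

    Flows with a non-inventoried endpoint are north-south or unknown and are
    skipped; this check is only about movement between internal segments.
    """
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
        if src_seg is None or dst_seg is None:
            continue
        rule = (src_seg, dst_seg, flow["port"])
        if rule not in ALLOWED:
            violations.append({**flow, "rule": rule})
    # Most frequent denied path first: that is the pathway to close (or, if
    # it turns out to be legitimate, to add to the allow-list deliberately).
    summary = Counter(v["rule"] for v in violations).most_common()
    return violations, summary


def audit_sample():
    return evaluate(SAMPLE_FLOWS.splitlines())


if __name__ == "__main__":
    violations, summary = audit_sample()
    print(f"{len(violations)} east-west flows outside policy")
    for (src_seg, dst_seg, port), count in summary:
        print(f"  {src_seg} -> {dst_seg}:{port}  x{count}")
```

In the constructed sample the registry and git traffic passes, the DNS query to an external resolver is ignored as north-south, and four flows are flagged: two SSH connections from a developer laptop into a CI runner, SMB from a CI runner back to a laptop, and SMB between two laptops. Those are the pathways a microsegmentation policy would block at the first hop, and the ranking tells you which one to close first.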
Attackers Are Not Thinking About How to Get In
They are thinking about how far they can move once inside. That is why a compromised email inbox exposed 146,000 records, tampered NPM packages leaked hundreds of thousands of secrets, and a single access token may have opened data on 33.7 million people.
The entry point was never the real story. The spread was.
When you limit lateral movement, isolate critical systems, and enforce microperimeters, you take away the attacker’s greatest advantage. You shrink the blast radius. You turn a breach into a contained event instead of a headline.
If you want to see the full scope of these attacks, the numbers behind them, and the indicators tied to each one, the latest brief highlights everything.
You can also request a Breach Readiness and Impact Assessment for a visual roadmap of your lateral attack risks and what to fix first. Or reach out to one of our advisors if you want guidance on tackling any of the threats in this report.