Security Check-in Quick Hits: OpenAI/Mixpanel Vendor Breach, Qilin Ransomware via Korean MSP, Shai-Hulud 2.0 Worm in PostHog, Persistent NTLM Flaws, and Infrastructure Attacks on Emergency Systems
For November 28, 2025
OpenAI Data Exposure via Mixpanel Hack: A Vendor Breach Wake-Up Call
Third-party vendors remain one of the weakest links in modern defenses, and OpenAI's latest disclosure shows why. In news covered on November 28, 2025, OpenAI confirmed a data exposure stemming from a security incident at its analytics vendor, Mixpanel. According to the disclosures, the attacker ran a targeted SMS phishing (smishing) campaign against Mixpanel staff, gained access to part of Mixpanel's systems, and exported a dataset containing analytics data for users of OpenAI's API platform: names, email addresses, coarse location (city/country), and organization and user details. Chat content, API requests, API keys, passwords and payment details were reportedly not in the exported data. The practical consequence for affected users is therefore not account takeover but targeted phishing: an attacker holding a verified name, email address and organization can craft convincing messages that impersonate OpenAI, so any unexpected email asking for credentials or API keys should be treated with suspicion. The incident also illustrates the risk of shared ecosystems, where one vendor compromise ripples across every service that fed it data.
OpenAI has since removed Mixpanel from its production services and notified affected users and organizations. The broader lesson is about supply chains: rather than attacking a hardened target such as OpenAI directly, the attacker went through a less defended partner that held a copy of the data. For organizations consuming AI services, that argues for rigorous vendor security review, and for designing integrations so that the data a vendor receives is minimized in the first place: send analytics vendors pseudonymous identifiers rather than names and email addresses, scope what each vendor can see to what it needs, and keep an inventory of which vendors hold which data so that a vendor breach notification can be triaged in hours rather than days. As AI adoption accelerates, expect more incidents of this shape unless vendor vetting and data minimization become standard practice.
Qilin Ransomware Strikes via South Korean MSP: Global Supply Chain Ripples
Ransomware crews continue to use managed service providers (MSPs) as a force multiplier: one compromised provider yields privileged access to every client it manages. The Qilin group's latest operation fits that pattern. Reports on November 28, 2025, describe Qilin compromising a South Korean MSP and pivoting from it into client networks, with data exfiltration and operational disruption across the downstream victims. The same leverage-through-a-provider dynamic is visible in the week's attacks on emergency notification systems, covered later in this roundup, where a single operator's compromise affects everyone who depends on its service.
Qilin's playbook is conventional but effective: initial access through exposed or weakly protected MSP infrastructure (remote management tooling, VPNs, shared administrative credentials), followed by data theft and encryption, with the stolen data used as additional leverage for extortion. Together with the attacks on U.S. emergency notification systems, it shows ransomware actors deliberately choosing targets whose disruption is felt widely. Defensive priorities for organizations that use an MSP: assess the provider's security posture, require phishing-resistant MFA on every remote access path the MSP uses, grant MSP accounts only the privileges they need and log their sessions, and keep backups offline or otherwise isolated from the networks the MSP can reach, so that an MSP compromise cannot also destroy the recovery path. Reports of AI-assisted evasion in newer ransomware tooling only raise the premium on proactive threat hunting and cross-border cooperation.
NTLM Vulnerabilities Persist: The Zombie Protocol Haunting 2025 Networks
Legacy protocols like NTLM (NT LAN Manager) are proving to be undead threats in modern networks, with ongoing exploitation highlighted on November 28, 2025. A representative flaw is CVE-2024-43451, a Windows NTLM hash disclosure vulnerability that was exploited in the wild: minimal interaction with a malicious file (selecting or previewing it is enough) makes Windows leak the user's NTLMv2 response to an attacker-controlled server. A captured response can then be relayed to another service or cracked offline, giving the attacker unauthorized access and, depending on the victim's privileges, a path to escalation. These weaknesses persist even in environments that have moved to Kerberos, because Windows still falls back to NTLM whenever Kerberos is unavailable, for example when a service is addressed by IP address rather than by hostname.
Dubbed the "Zombie Protocol", NTLM persists because of backward-compatibility needs across Windows ecosystems: legacy applications, appliances and workgroup scenarios still depend on it. Recent analyses show attackers combining these flaws with phishing and man-in-the-middle positions to harvest and relay credentials, leading to data theft and lateral movement. Countermeasures, in rough order of effort: first audit rather than block (the "Network security: Restrict NTLM" policies have audit modes that log NTLM use so the remaining dependencies can be found), then turn on the protections that make relayed authentication fail even where NTLM must stay (SMB signing, LDAP signing and channel binding, Extended Protection for Authentication on web and RPC services), disable NTLMv1 outright via LmCompatibilityLevel, and finally block NTLM on systems that no longer need it. Monitor the residual usage with EDR or SIEM rules over logon events, since an NTLM authentication arriving from an unexpected source is one of the clearest relay signals available. As 2025 progresses, retiring legacy authentication will be essential to closing these long-standing gaps.
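The kind of logon-event rule the paragraph above has in mind, written out as an added example rather than any vendor's detection content: it reads Windows Security event 4624 records (the field names are the real 4624 fields as a SIEM exports them) and raises three NTLM-specific alerts. The asset inventory, the thresholds and the sample events are constructed for the demo and are assumptions, not data from the incidents discussed here.

```python
"""Flag NTLM relay and legacy-NTLM indicators in Windows Security 4624 (logon)
events. Added example for this article; not code from any EDR or SIEM vendor.
Field names match a real 4624 record; the inventory, thresholds and events
below are constructed assumptions for the demo."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: an inventory of which source IP each workstation should present.
# In a relay the relay host forwards the victim's NTLM messages unchanged, so
# the server logs the victim's WorkstationName but the attacker's IpAddress.
INVENTORY = {"WS-FINANCE01": "10.0.1.20", "WS-HR07": "10.0.1.45"}

# Tunable assumptions: one source IP presenting this many distinct accounts over
# NTLM inside the window looks like ntlmrelayx-style fan-out, not a user.
FANOUT_ACCOUNTS = 3
FANOUT_WINDOW = timedelta(minutes=10)

SAMPLE_EVENTS = [  # constructed for the demo
    {"EventID": 4624, "TimeCreated": "2025-11-28T08:00:00", "LogonType": 3,
     "TargetUserName": "jdoe", "WorkstationName": "WS-FINANCE01", "IpAddress": "10.0.1.20",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},   # normal logon
    {"EventID": 4624, "TimeCreated": "2025-11-28T08:05:00", "LogonType": 3,
     "TargetUserName": "jdoe", "WorkstationName": "WS-FINANCE01", "IpAddress": "10.0.9.9",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},   # relayed
    {"EventID": 4624, "TimeCreated": "2025-11-28T08:05:20", "LogonType": 3,
     "TargetUserName": "asmith", "WorkstationName": "WS-HR07", "IpAddress": "10.0.9.9",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},   # relayed
    {"EventID": 4624, "TimeCreated": "2025-11-28T08:06:00", "LogonType": 3,
     "TargetUserName": "svc_backup", "WorkstationName": "WS-LEGACY3", "IpAddress": "10.0.9.9",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},   # legacy NTLMv1
    {"EventID": 4624, "TimeCreated": "2025-11-28T08:30:00", "LogonType": 3,
     "TargetUserName": "bob", "WorkstationName": "WS-HR07", "IpAddress": "10.0.1.45",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},     # ignored
]


def is_ntlm_network_logon(ev):
    """Only network (type 3) logons negotiated through the NTLM SSP are of interest."""
    return (ev["EventID"] == 4624 and ev["LogonType"] == 3
            and ev["AuthenticationPackageName"] == "NTLM")


def detect(events, inventory=INVENTORY):
    """Return a list of (rule, subject, detail) alerts for the given 4624 events."""
    alerts = []
    by_source = defaultdict(list)   # source IP -> [(time, account), ...]
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_ntlm_network_logon(ev):
            continue
        when = datetime.fromisoformat(ev["TimeCreated"])
        acct, src = ev["TargetUserName"], ev["IpAddress"]
        # Rule 1: NTLMv1 is crackable offline and should not exist on a 2025 network.
        if ev.get("LmPackageName") == "NTLM V1":
            alerts.append(("ntlmv1-in-use", acct, f"NTLMv1 from {src}"))
        # Rule 2: the claimed workstation is not where the packets came from.
        expected = inventory.get(ev.get("WorkstationName", "").upper())
        if expected and expected != src:
            alerts.append(("workstation-ip-mismatch", acct,
                           f"{ev['WorkstationName']} presented from {src}, expected {expected}"))
        by_source[src].append((when, acct))
    # Rule 3: one source IP authenticating as many different users in a short window.
    for src, seen in by_source.items():
        for i, (t0, _) in enumerate(seen):
            accounts = {a for t, a in seen[i:] if t - t0 <= FANOUT_WINDOW}
            if len(accounts) >= FANOUT_ACCOUNTS:
                alerts.append(("ntlm-fanout", src, f"{len(accounts)} accounts within {FANOUT_WINDOW}"))
                break
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {subject:14} {detail}")
```

Rule 2 rests on an asymmetry worth remembering: WorkstationName is copied from the client's NTLM messages, which a relay forwards untouched, while IpAddress is the TCP peer, which the relay cannot fake. Feed the function your own asset inventory and it works on real exports; the threshold in rule 3 will need tuning for hosts that legitimately authenticate as many accounts, such as a jump server.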
Shai-Hulud 2.0 Supply Chain Attack: Worming Through Analytics Tools
Supply chain compromises are surging, and the Shai-Hulud 2.0 worm made headlines on November 28, 2025, after reports that it had reached over 1,200 organizations via the PostHog analytics platform. The attack hijacked a GitHub bot account with publishing rights and used it to push malicious code into official SDK packages, posthog-node versions 4.18.1 and above among them. Once installed, the payload runs from the package's install-time lifecycle scripts, hunts the developer's machine and CI environment for secrets such as AWS keys, GitHub tokens and npm tokens, and exfiltrates them to newly created public GitHub repositories. The npm tokens are what make it a worm: any package the victim is able to publish gets the same payload injected and republished, so the infection spreads to that maintainer's downstream users in turn.
The incident, landing in a November already marked by Cloudflare and GitHub outages, shows attackers weaponizing the ecosystem's own automation (release bots, CI workflows, install hooks) for propagation. The victims are developers and build systems that install dependencies without inspection, which amplifies the worm's reach with every republished package. Practical mitigations: pin exact dependency versions and commit the lockfile, run installs with --ignore-scripts so lifecycle hooks cannot execute unreviewed code (enabling scripts selectively for the few packages that genuinely need them), delay adoption of newly published versions for a cooling-off period, keep a software bill of materials (SBOM) so affected versions can be located in minutes rather than days, and rotate any cloud, GitHub and npm credentials that were present on a machine that ran a tainted install. Runtime monitoring of developer endpoints and CI runners for unexpected outbound connections and secret-file reads catches what the static controls miss. As open-source ecosystems grow, expect more attacks like this one; treat package.json, and above all its scripts section, as an executable attack surface rather than inert metadata.
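A small audit of an installed npm tree in the spirit of the mitigations above, added here as an example and not PostHog's, npm's or the article's own tooling. It walks node_modules, flags any package whose name and version are on a block-list (seeded with posthog-node 4.18.1 from the text; an illustrative entry, not a complete advisory), and reports every install-time lifecycle hook, which is where worms of this kind get executed. The sample tree it builds in a temporary directory is constructed for the demo, and the hook commands in it are invented.

```python
"""Audit an installed npm tree for block-listed package versions and for
install-time lifecycle hooks. Added example for this article; not code from
PostHog, npm or any SCA vendor."""
import json
import os
import tempfile

# Illustrative block-list keyed by (name, version). posthog-node 4.18.1 is the
# version named in the article; a real list would come from an advisory feed.
BLOCKED_VERSIONS = {("posthog-node", "4.18.1")}

# npm runs these hooks automatically during `npm install` unless
# --ignore-scripts is set, which is why worms plant their loader here.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def is_package_root(manifest_path):
    """True for node_modules/<name>/package.json and node_modules/@scope/<name>/package.json,
    so package.json files shipped inside a package (tests, fixtures) are ignored."""
    parent = os.path.dirname(os.path.dirname(manifest_path))
    if os.path.basename(parent) == "node_modules":
        return True
    return (os.path.basename(parent).startswith("@")
            and os.path.basename(os.path.dirname(parent)) == "node_modules")


def audit_tree(project_root):
    """Walk project_root/node_modules (nested trees included) and return a list of
    (package, version, issue, detail) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(project_root, "node_modules")):
        if "package.json" not in files:
            continue
        manifest_path = os.path.join(dirpath, "package.json")
        if not is_package_root(manifest_path):
            continue
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError) as exc:
            findings.append((manifest_path, "?", "unreadable-manifest", str(exc)))
            continue
        name = manifest.get("name", "?")
        version = manifest.get("version", "?")
        if (name, version) in BLOCKED_VERSIONS:
            findings.append((name, version, "blocked-version", ""))
        for hook, command in (manifest.get("scripts") or {}).items():
            if hook in INSTALL_HOOKS:
                findings.append((name, version, "install-hook", f"{hook}: {command}"))
    return findings


def build_sample_tree():
    """Create a throwaway project with three installed packages (constructed data):
    one block-listed with a preinstall hook, one clean, one scoped with a postinstall."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    samples = {
        "posthog-node": {"name": "posthog-node", "version": "4.18.1",
                         "scripts": {"preinstall": "node setup_bun.js"}},
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "@acme/telemetry": {"name": "@acme/telemetry", "version": "2.0.0",
                            "scripts": {"postinstall": "node scripts/fetch.js", "test": "jest"}},
    }
    for rel, manifest in samples.items():
        pkg_dir = os.path.join(root, "node_modules", *rel.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(*finding, sep=" | ")
```

Point audit_tree at a real project root and it reports the same tuples for that tree; an "install-hook" finding is not proof of compromise, but every one of them is code that ran with your credentials at install time and deserves a look, and a "blocked-version" finding means the credentials on that machine should be rotated.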
AI-Powered Malware and Emerging Threats: From Voice Bots to IoT Exploits
AI integration cuts both ways, as the November 28, 2025, bulletins on AI-enabled malware, voice bot flaws and crypto laundering show. On the offensive side, attackers are using AI-cloned voices in phone-based phishing (vishing), while the conversational AI voice bots that organizations deploy are themselves turning up with exploitable flaws. IoT threats continue in parallel: the ShadowV2 botnet, observed spreading in the wake of the AWS outages, recruits connected devices into DDoS-capable botnets.
On the defensive side, the bulletins point to Google's AI Threat Tracker and AWS's Agentic AI Security Matrix as frameworks for understanding and countering these techniques. The PromptLock proof-of-concept ransomware, covered by Splunk among others, shows where the offensive side is heading: it drives a locally hosted language model at runtime to generate the scripts it uses for reconnaissance, exfiltration and encryption, so its behaviour can differ from one run to the next and signature-based detection has less to hold on to. For defenders this means adopting AI-assisted detection where it helps while not neglecting fundamentals: firmware updates and network segmentation for IoT, hardened endpoints, and staff training on the new tactics. As AI lowers the bar for sophisticated attacks, keeping up with emerging tradecraft will be crucial to staying ahead.
Critical Infrastructure Outages: Ransomware Hits Emergency Systems and Councils
Global system outages dominated discussions on November 28, 2025, with ransomware crippling the CodeRED emergency notification service used by U.S. communities and the shared IT infrastructure of several London councils. The CodeRED attack exposed personal data of residents who had registered for alerts, and both incidents disrupted public services, including phone lines and the alerts that would be relied on during disasters.
Reporting links these and related incidents to groups such as Cl0p and Rhysida, and they reflect a spike in critical-sector targeting that also reaches healthcare and transportation. One weekly tally counted 317 attacks analysed, with the ICT sector and the U.S. most affected. The response measures are familiar but unevenly implemented: backups that are air-gapped or otherwise unreachable from the production network, a rehearsed incident response plan that includes manual fallbacks for emergency communications, and monitoring tuned to catch the data staging and lateral movement that precede encryption. As threat actors prioritize disruption for leverage, international cooperation and investment in resilience are imperative to protect essential services.