Threat Intel Update
Recent cyber-intelligence reporting shows rising risks for financial institutions as threat actors exploit trust, technology, and interconnected supply chains. AI-driven companies are inadvertently exposing credentials on public repositories, creating downstream vulnerabilities.
Phishing campaigns now weaponize legitimate domains, like Meta’s, to bypass defenses and target SMBs that act as gateways to larger enterprises. Emerging threats in developer environments, including rogue MCP servers that can hijack AI-enabled browsers, are further widening the attack surface.
Meanwhile, actions such as Google’s lawsuit against large-scale smishing operators and Europol’s Operation Endgame disruption of ransomware networks highlight both progress and the ongoing scale of organized cybercrime.
Cybersecurity News
- Forbes AI 50 Firms Leak Credentials on GitHub – Wiz researchers found that 65% of the top AI companies had exposed API keys and credentials in public GitHub histories, risking access to private models and infrastructure. The leaks spanned firms worth over $400B. While some, like ElevenLabs and LangChain, reacted quickly, many did not. Wiz urges routine secret scanning, clear reporting channels, and stronger policies to curb credential sprawl. SecurityWeek
- Fake “Meta Business Suite” Phishing Hits SMBs – Check Point researchers uncovered a phishing campaign exploiting Meta’s facebookmail.com domain. Cybercriminals sent 40,000+ emails linking to spoofed Business Suite pages that stole credentials via sites on networks like Vercel. The scam targeted 5,000+ companies across the U.S., Europe, Canada, and Australia, hitting finance, automotive, and real estate sectors. Checkpoint Blog
- Rogue MCP Servers Target Cursor Browser – Knostic.ai researchers showed that malicious MCP servers can trick Cursor’s internal browser into loading fake login pages that steal credentials, and into executing code with full privileges. Unlike VS Code, Cursor lacks integrity checks, enabling silent takeovers. Hundreds of misconfigured servers were found, exposing risks for remote code execution and prompt injection. CSO Online
- Google Sues Chinese Cybercriminals Over Lighthouse Phishing Kit – Google filed a lawsuit under RICO, the Lanham Act, and the CFAA against the “Smishing Triad,” operators of the Lighthouse phishing-as-a-service kit. Since 2023, the group has used 194,000+ malicious domains in SMS campaigns, targeting users with fake shipping, banking, and law enforcement alerts. The campaign is linked to up to 115 million compromised credit cards and 1+ million victims across 120+ countries. Google seeks domain seizures and ISP cooperation to dismantle the operation. SecurityWeek
- Operation Endgame Disrupts Cybercrime Networks – In May 2025, Europol, the FBI, and international partners targeted malware and dropper networks, dismantling infrastructure for the Elysium botnet, VenomRAT trojan, and Rhadamanthys infostealer. Over 1,000 servers and 20 domains were seized, and a VenomRAT-linked actor was arrested in November 2025. The Record
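The Wiz item above ends with a call for routine secret scanning of repository history, not just the current tree. The following is an added example, not code from Wiz or from this briefing, of the core of such a scanner: it walks (commit, path, file text) triples as a pipeline would feed them from every blob in `git rev-list --all`, matches a few publicly documented key prefixes, and falls back to a keyword-plus-entropy rule so placeholder values are not reported. The exact regex lengths, the 4.0 bits/char threshold, the commit ids and the file contents are all constructed for this example (the AWS key is Amazon's own documented example value).

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass
from typing import Iterable

# Illustrative detection rules. The prefixes follow publicly documented key
# formats, but the exact lengths are assumptions for this example; a real
# deployment would use a maintained rule set from a secret-scanning tool.
PREFIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
# Catch-all for "key = value" assignments. The captured value is only reported
# if its character entropy is high, which filters out placeholders such as
# REPLACE_WITH_YOUR_KEY_HERE while keeping random-looking tokens.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption for this example


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    line_no: int
    kind: str
    preview: str  # redacted: a report must never carry the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be triaged without re-leaking it."""
    return value[:4] + "..."


def scan_history(commits: Iterable[tuple[str, str, str]]) -> list[Finding]:
    """Scan (commit_id, path, file_text) triples.

    Feeding every blob reachable from `git rev-list --all` (not just HEAD)
    is what catches the case the Wiz report describes: a key that was
    "removed" in a later commit but is still present in history.
    """
    findings: list[Finding] = []
    for commit, path, text in commits:
        for line_no, line in enumerate(text.splitlines(), start=1):
            matched = False
            for kind, pattern in PREFIXED_PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append(Finding(commit, path, line_no, kind, redact(m.group(0))))
                    matched = True
            if matched:
                continue  # don't double-report a prefixed key via the generic rule
            for m in GENERIC_ASSIGNMENT.finditer(line):
                value = m.group(1)
                if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    findings.append(
                        Finding(commit, path, line_no, "high_entropy_assignment", redact(value))
                    )
    return findings


# Constructed sample history: two commits, four files. Commit ids, paths and
# values are made up for this example; the AWS value is Amazon's documented
# example key, not a real credential.
SAMPLE_HISTORY = [
    ("a1b2c3d", "config/settings.py",
     'DEBUG = True\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'),
    ("a1b2c3d", ".env.example",
     'API_KEY = "REPLACE_WITH_YOUR_KEY_HERE"\npassword = "changeme"\n'),
    ("d4e5f6a", "scripts/deploy.sh",
     "export GH_PAT=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"),
    ("d4e5f6a", "app/llm.py",
     'OPENAI_TOKEN = "q7Zx2mK9vL4pW8rT1nB6yH3cJ5dF0gS"\n'),
]


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit} {f.path}:{f.line_no} {f.kind} {f.preview}")
```

Run stand-alone, the block reports three findings (the AWS key, the GitHub token and the high-entropy `OPENAI_TOKEN` value) and stays silent on the `.env.example` placeholder and the short `changeme` password. In a real pipeline the triples would come from a git history walk and the findings would go to the "clear reporting channel" the Wiz item recommends, with the redacted preview as the only value that leaves the scanner.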