DECEMBER 1ST NEWS ROUNDUP: DARTMOUTH, HARVARD, AND OPENAI BREACHED, PLUS THE SHAI-HULUD V2 WORM AND OTHER TOP THREATS

Two Ivy League schools reported data breaches, and even a leading AI company had some user information exposed through a third-party vendor. On top of that, a massive supply chain attack is sweeping through developer platforms for the second time, while the latest global fraud exposure rankings show that some countries are still lagging in protecting their citizens.


Let's dive in.


Dartmouth College Data Breach Leaks 226 GB of Files in Oracle Hack

Dartmouth College confirmed a large-scale data breach after attackers exploited an Oracle E-Business Suite zero-day vulnerability.


The attack occurred between August 9 and August 12. Dartmouth later discovered that attackers had exfiltrated large amounts of sensitive data, including personal and financial information such as Social Security numbers.


The cybercriminal group Cl0p, which has claimed other Oracle EBS breaches, released a 226 GB archive of stolen Dartmouth files. In New Hampshire, authorities were informed that more than 31,000 individuals were affected, but the total number of affected individuals is likely higher.


It stands among the largest university-related data leaks confirmed this year.


Harvard University Hit by Phone Phishing Attack, Data Stolen

Harvard University reported a security incident exposing personal information of alumni, donors, students, parents, and staff.


Unlike Dartmouth’s hack, this breach started with a phone phishing attack. A staff member was tricked, giving attackers access to systems used by the Alumni Affairs and Development department.


The compromised data included names, addresses, email addresses, phone numbers, donation history, event attendance, and biographical notes.


Social Security numbers, financial accounts, and passwords were not part of the exposure.


But the exposure of donor and alumni information raises privacy and reputational concerns. Harvard is notifying affected individuals and investigating the full scope.


It is the second significant security incident Harvard has faced this year. It also follows a similar incident at Princeton University the week before, suggesting that social engineering targeting Ivy League schools may be part of a coordinated effort.


OpenAI Discloses Mixpanel Data Breach Affecting API Users

OpenAI confirmed that a third-party analytics vendor, Mixpanel, suffered unauthorized access to part of its systems, affecting some OpenAI API users. ChatGPT users were not impacted.


Exposed data included names, email addresses, approximate location (city, state, country), browser and operating system details, referring websites, and organization or user IDs.


OpenAI’s internal systems, API keys, password data, chats, payment details, and government IDs were not involved.


OpenAI removed Mixpanel from production, ended the vendor relationship, and began notifying affected customers. They also warned users to be alert for phishing attempts since email and name combinations are valuable to scammers.


This shows that even top-tier tech companies can be affected when a vendor in their supply chain is compromised.


Shai-Hulud v2 Malware Spreads From npm to Maven, Exposes Thousands of Secrets

A second wave of the Shai-Hulud supply chain attack has hit developers, spreading from npm packages to the Java/Maven world.


Researchers found over 830 npm packages were compromised, and at least one Maven package was rebuilt with the same malicious payload. The malware collects API keys and cloud credentials. It also targets access linked to GitHub, npm, AWS, Google Cloud, and Microsoft Azure.


The new version acts like a "worm" that propagates automatically, and researchers also discovered a "dead man's switch". It uses the Bun runtime to hide its core logic, injects malicious GitHub workflows, registers victim machines as self-hosted runners, and automatically harvests secrets from repositories.


More than 28,000 repositories are affected and over 11,000 unique secrets have been exposed. More than 5,000 files uploaded to GitHub contain compromised credentials.


This attack shows how fragile developer platforms are. One compromised package can quickly infect thousands of users. It is linked to earlier campaigns, including the S1ngularity attack in August, indicating an ongoing pattern of supply chain infiltration.
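A defensive check for the workflow behaviour described above, as an added example that is not from the original article or the researchers it cites: it flags workflow files that are new or changed since a reviewed baseline, that run on self-hosted runners, or that serialize the whole secrets context. The two pattern checks, the file names and the sample workflows are assumptions made for illustration, not indicators from the campaign.

```python
import hashlib
import re

RUNS_ON = re.compile(r"^runs-on:\s*(.*)$")
SECRETS_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)", re.I)  # whole secrets context
CI = "jobs:\n  build:\n    runs-on: ubuntu-latest\n"  # constructed sample
ADDED = """on: push
jobs:
  run:
    runs-on:
      - self-hosted
      - linux
    steps:
      - run: echo '${{ toJSON(secrets) }}' > out.json
"""  # constructed sample, not taken from the campaign

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def audit_workflow(text):
    """Return the set of risky patterns found in one workflow file."""
    findings, in_block = set(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # heuristic: drop YAML comments
        m = RUNS_ON.match(line)
        if m:  # inline value, or an empty value that opens a block list
            in_block = m.group(1) == ""
            if "self-hosted" in m.group(1):
                findings.add("self-hosted-runner")
        elif in_block and line:
            in_block = line.startswith("-")  # block list ends at first non-item
            if in_block and line[1:].strip(" '\"") == "self-hosted":
                findings.add("self-hosted-runner")
        if SECRETS_DUMP.search(line):
            findings.add("dumps-all-secrets")
    return findings

def audit_repo(workflows, approved):
    """workflows: path -> text; approved: path -> SHA-256 of the reviewed file."""
    report = {}
    for path, text in sorted(workflows.items()):
        findings = audit_workflow(text)
        if approved.get(path) != sha256(text):  # new or modified since review
            findings.add("not-in-approved-baseline")
        if findings:
            report[path] = sorted(findings)
    return report

if __name__ == "__main__":
    print(audit_repo({"ci.yml": CI, "fmt.yml": ADDED}, {"ci.yml": sha256(CI)}))
```

In practice the `workflows` mapping would be read from `.github/workflows/` and the baseline hashes stored outside the repository being audited.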


Nigeria Ranked Among World’s Most Fraud-Exposed Countries; Push for Modern Digital Rights Laws Intensifies

Nigeria saw two major cybersecurity-related developments this week. 


First, the Sumsub 2025 Global Fraud Index ranked Nigeria 110 out of 112 countries for fraud exposure, placing it among the world's least protected nations. Only Pakistan (112) and Indonesia (111) performed worse. This is the first time Nigeria has been included in the Index.


Tanzania and Uganda were also among Africa’s most vulnerable nations. Weak digital infrastructure, limited law enforcement, and slow policy reforms leave these countries exposed.


Experts warn that criminals using AI are staying ahead of governments, making fraud more automated, personalized, and difficult to detect.


The second story is more hopeful. Lawmakers, civil society groups, and digital rights experts gathered in Lagos to push for updated digital rights legislation. Nigeria’s current laws are still largely designed for an analog world.


However, the National Digital Economy and E-Governance Bill 2025 and the separate Online Harm Protection Bill are being actively advanced, alongside the ongoing review of the Digital Rights and Freedoms Bill. Stakeholders hope it will move forward after years of delay.


Lessons Learned

1. Supply Chain Attacks 

The spread of Shai-Hulud v2 from npm to Maven shows how one compromised package or vendor can affect thousands of systems.


2. Zero-Day Vulnerabilities

The Dartmouth College hack via an Oracle E-Business Suite zero-day shows how fast attackers move once a critical flaw is discovered.


3. Social Engineering

The Harvard University breach started with a phone phishing attack, meaning that human error remains the easiest and cheapest entry point. Sophisticated security systems are useless if an employee is tricked. 


4. Third-Party Vendor Risk

The exposure of OpenAI user data through analytics partner Mixpanel is proof that your security is only as strong as the weakest vendor you trust.


5. AI-Driven Fraud 

Nigeria's ranking in the Global Fraud Index is a warning that criminals are using AI to automate, personalize, and scale fraud schemes, pushing countries with weak digital governance further behind. 


6. Modern Legal Infrastructure 

The push for the Digital Rights and Freedoms Bill reflects the need for modern laws that define digital rights, privacy, and government responsibilities online.


What You Can Do About These Developments

  • Enable phishing-resistant Multi-Factor Authentication (MFA) on all developer and privileged accounts, using hardware security keys where possible.
  • Stay alert for phishing attempts, including AI-generated content like deepfakes or written messages that are very convincing.
  • Regularly audit dependencies in npm, Maven, and other packages using tools like Dependabot or Snyk.
  • Immediately identify and uninstall any compromised supply chain packages (like Shai-Hulud) and clean your environment before deploying a fix.
  • Rotate API keys, tokens, and cloud credentials immediately if exposure is suspected. Automate rotation where possible.
  • Enforce least-privilege access and integrate strong secret-scanning tools in CI/CD pipelines.
  • Conduct strict vendor risk assessments and maintain continuous monitoring of third-party services.
  • Provide frequent and mandatory training on social engineering and phishing attacks.
  • Use machine learning-powered fraud detection tools to detect evolving, automated attacks.

