# The Week in Threats: $290M DeFi Heist Exposes the Uncomfortable Truth About Recurring Vulnerabilities


A $290 million decentralized finance exploit, fresh macOS Living-off-the-Land attacks, and a sprawling SIM farm operation reveal something uncomfortable about modern cybersecurity: we're not facing entirely new threats—we're watching old vulnerabilities mutate and persist across disconnected systems.


This week's threat landscape illustrates a pattern that will feel grimly familiar to defenders: the same attack surfaces, the same architectural weaknesses, and the same supply chain blind spots that have plagued the industry for years continue to yield successful compromises. The exploits remain simple. The fixes remain difficult. And the window between a vulnerability's discovery and the widespread deployment of its fix keeps growing wider.


## The Headline Incidents: Scale and Scope


The week brought several major incidents into sharp focus:


DeFi Protocol Breach ($290M)

A significant decentralized finance protocol fell victim to a sophisticated exploit that drained nearly $290 million in user funds. The incident underscores the persistent challenge of securing smart contracts—code that, once deployed, cannot be patched. The vulnerability reportedly involved a logic flaw in the protocol's token transfer mechanism, exploitable through a carefully orchestrated sequence of transactions.


macOS Living-off-the-Land Campaign

Threat actors have refreshed their approach to macOS compromise by abusing native system utilities to bypass detection. Rather than relying on obfuscated malware to evade detection, these campaigns use legitimate tools already present on macOS systems—shell scripts, Swift, and built-in frameworks—to perform reconnaissance and data exfiltration. This tactic surfaces regularly because it works: security tools struggle to flag legitimate system binaries, even when they are used maliciously.


ProxySmart SIM Farm Network

Researchers identified a sprawling operation using thousands of SIM cards to conduct SMS-based fraud, account takeovers, and 2FA bypass attacks. SIM farming—the practice of buying bulk prepaid SIM cards and routing them through proxy services—has become industrialized. The scale suggests this isn't opportunistic crime; it's infrastructure-as-a-service for attackers.


Plus 25+ Additional Incidents

The noise floor of reported incidents continues to climb, suggesting either more breaches are occurring, more are being disclosed, or both.


## The Uncomfortable Pattern: Same Bugs, New Context


What ties these incidents together isn't novelty—it's persistence. The patterns repeat:


Smart Contract Logic Flaws

The DeFi incident represents a category of vulnerability that has plagued blockchain projects since their inception: insufficient access controls and logic errors in token transfer mechanisms. Audits exist. Best practices exist. Yet projects continue to deploy code with these weaknesses. The difference between 2018 and 2024 isn't that we learned to prevent these flaws—it's that the financial incentives to exploit them have grown enormously.


Living-off-the-Land Abuse

macOS defenders have been aware of LOLBAS (Living-off-the-Land Binaries and Scripts) attacks for years. The techniques—using AppleScript, osascript, shell commands, and built-in frameworks to perform post-compromise activity—aren't new. What's changed is the scale of adoption and the sophistication of delivery mechanisms. Attackers continue to find success because defenders struggle to balance detection (which would require flagging many legitimate activities) with usability.
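An added example, not code from the briefing, of the detection trade-off just described: a context-scoring rule that weighs who spawned a macOS LOLBin, where that parent lives, and whether AppleScript was passed inline, instead of flagging every osascript or shell invocation. The event schema, the allowlists and all four events are constructed for the demo and are not any EDR product's format.

```python
# Added example (not from the briefing): context-based scoring of macOS
# living-off-the-land process starts. Event fields and all events below are
# constructed; the schema is an assumption, not any specific EDR product's.

LOLBINS = {"osascript", "sh", "zsh", "bash", "swift", "curl"}
# Constructed allowlist of parents that legitimately spawn these binaries.
TRUSTED_PARENTS = {"Terminal", "iTerm2", "launchd", "Xcode", "jamf"}
# Locations a user-launched helper should rarely run from.
STAGING_DIRS = ("/Downloads/", "/tmp/", "/private/var/folders/")

def score_event(ev):
    """Return (score, reasons) for one process-start event; 0 for non-LOLBins."""
    exe = ev["exe"].rsplit("/", 1)[-1]
    if exe not in LOLBINS:
        return 0, []
    score, reasons = 0, []
    if ev["parent_name"] not in TRUSTED_PARENTS:
        score += 2
        reasons.append(f"{exe} spawned by untrusted parent {ev['parent_name']}")
    if any(d in ev["parent_path"] for d in STAGING_DIRS):
        score += 3
        reasons.append("parent image lives in a download or temp directory")
    if exe == "osascript" and "-e" in ev["args"]:
        score += 1
        reasons.append("inline AppleScript via -e rather than a script file")
    return score, reasons

def detect(events, threshold=3):
    """Return [(pid, score, reasons)] for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["pid"], score, reasons))
    return hits

# Constructed sample events: an admin's interactive use, a build, a helper
# app launched from Downloads, and a chat client's shell call.
EVENTS = [
    {"pid": 501, "exe": "/usr/bin/osascript", "args": ["-e", "<inline script>"],
     "parent_name": "Terminal", "parent_path": "/System/Applications/Utilities/Terminal.app"},
    {"pid": 612, "exe": "/usr/bin/swift", "args": ["build"],
     "parent_name": "Xcode", "parent_path": "/Applications/Xcode.app"},
    {"pid": 4231, "exe": "/usr/bin/osascript", "args": ["-e", "<inline script>"],
     "parent_name": "Installer Helper", "parent_path": "/Users/alice/Downloads/Installer.app"},
    {"pid": 900, "exe": "/bin/zsh", "args": ["-c", "<command>"],
     "parent_name": "Slack", "parent_path": "/Applications/Slack.app"},
]
```

With the default threshold only the Downloads-launched helper (pid 4231) is reported; the admin's inline osascript and the chat client's shell call score below it, which is the usability balance the paragraph describes.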


SIM Swapping and 2FA Bypass

Account takeover through SIM swapping has been documented extensively since at least 2016. The attack is straightforward: compromise a user's SMS-based 2FA by convincing a telecom provider to reassign their phone number to an attacker-controlled SIM. Yet it remains effective because the operational friction—bribing telecom workers, acquiring bulk SIM inventory, managing proxy infrastructure—has become automated and scaled through services like ProxySmart.


## The Supply Chain Remains Broken


Beyond headline incidents, the week highlighted a category of threat that compounds the problem: malicious packages in trusted repositories.


Attackers continue to successfully poison software supply chains by:


  • Typosquatting legitimate packages with similar names
  • Compromising abandoned packages with minimal maintenance burden
  • Using dependency confusion to inject malicious versions into private networks
  • Submitting legitimate code, building trust, then adding backdoors in later versions

Package managers—npm, PyPI, RubyGems, Maven Central—implement various defense mechanisms, but the fundamental problem persists: the number of packages vastly exceeds the capacity for human review. A single compromised popular dependency can reach millions of projects.


The scale of this supply chain risk is staggering. A developer installing a single package may unknowingly bring in dozens or hundreds of transitive dependencies, each representing a potential attack surface.


## The Architecture Problem: Attacking Systems, Not Applications


A recurring theme in this week's threat briefing deserves emphasis: compromising the infrastructure behind applications is often easier than compromising the applications themselves.


This includes:


  • Cloud provider misconfigurations (exposed S3 buckets, overpermissioned IAM roles)
  • Lateral movement within networks after initial compromise
  • Supply chain attacks at the CI/CD level (compromised build systems, artifact repositories)
  • Third-party integrations with weak authentication or authorization


The $290M DeFi theft, while attributed to a protocol vulnerability, likely benefited from supplementary reconnaissance of the protocol's operational infrastructure. The macOS campaign, while using legitimate tools, depends on initial access—delivered through phishing, watering holes, or software supply chain compromises.


## Implications for Organizations


The pattern suggests several uncomfortable realities:


1. Zero-day exploits are not the primary threat. Most successful attacks leverage known or obvious vulnerabilities that organizations have not remediated or have failed to detect.


2. Defense at the application layer is insufficient. Even well-secured applications can be compromised through their infrastructure, dependencies, or operational context.


3. The security burden is distributed unevenly. A small team maintaining a popular open-source package bears responsibility for the security posture of millions of downstream users—yet lacks resources for comprehensive security practices.


4. Patches don't deploy themselves. Knowing about a vulnerability and fixing it are separated by operational friction: testing, deployment windows, downtime considerations, and competing priorities.


## Recommendations


For Developers:

  • Implement supply chain security practices: pin dependency versions, audit transitive dependencies, and use Software Composition Analysis (SCA) tools
  • Assume that dependencies can be compromised; monitor for unexpected behavior at runtime
  • Invest in secure code review processes, particularly for infrastructure and data handling code


For Security Teams:

  • Move beyond vulnerability scanning toward behavioral detection; many of this week's attacks evaded signature-based tools
  • Implement SIM swap protection at the authentication layer: push-based 2FA, passwordless authentication, or FIDO2 keys
  • Maintain a supply chain inventory; know what packages your applications depend on, directly and transitively


For Organizations:

  • Treat infrastructure security as critically as application security; misconfigurations in cloud environments are low-hanging fruit
  • Establish clear remediation timelines for known vulnerabilities, with accountability
  • Assume breach: implement detection capabilities that focus on post-compromise activity, lateral movement, and data exfiltration


## The Long Game


The week's incidents don't represent a new era of threats—they represent the consolidation and scaling of attacks that have worked for years. The exploit for this week's DeFi hack will be analyzed, published, and understood. Next month, a different protocol will fall to the same vulnerability class. The macOS LOLBAS campaigns will continue because the fundamental challenge of detecting malicious use of legitimate tools remains unsolved.


The uncomfortable truth is this: cybersecurity is not a problem awaiting a breakthrough innovation. It's a systems problem requiring consistent, unglamorous execution—patching, monitoring, updating dependencies, and securing infrastructure. The incidents that dominate headlines are usually the ones where these fundamentals were neglected or overwhelmed.


Until the industry raises the baseline—and makes it easier, not harder, to follow security best practices—expect to see the same vulnerabilities surface again, with small variations and fresh victims.