Don’t ignore Shai-Hulud

The TL;DR

The Shai-Hulud malware campaign has quickly become one of the most disruptive npm supply chain events to date. Attackers compromised maintainer accounts and published malicious versions of legitimate npm packages seeded with credential-stealing malware, so a single compromised update can spread to every organization that installs it.

The worm malware steals sensitive credentials, including GitHub, npm, cloud, and CI credentials, by harvesting tokens from environment variables, local config files, and secrets exposed during CI builds. If it doesn’t find valuable credentials, it may try to delete local files. The attack can also derail development pipelines by injecting malicious GitHub Actions workflows designed to persist and steal more secrets.

Your developers are your first, and most affected, line of defense. Reduce exposure by briefing them about Shai-Hulud (and supply chain attacks generally), and urging them to validate updates before installing third-party software, use known-safe versions, and rotate potentially exposed credentials. Also, train them to disable automated install scripts where possible, and encourage them to flag unexpected prompts or behavior immediately.

To make it easy to brief your development teams, we produced a super-crisp, role-appropriate, personalized training video that explains Shai-Hulud in plain language and outlines the steps to take to safely navigate the threat. It’s available now inside your Fable platform and as a free download. It’s a fast, actionable way to alert your team about this and other supply chain threats.

Watch the briefing

And download for your own use below.

If you’d like risk-based briefings and nudges that are hyper-targeted and customized to your organization, try the Fable platform.

When a regional attack hit close to home, this team responded in hours, not weeks

The TL;DR

  • Dayton Children’s needed to respond to an emerging social engineering attack
  • Fable helped its cybersecurity team deliver tailored, targeted training at scale
  • The team uses Fable’s automated insights to reduce workload
  • With Fable, they can remediate based on real risk

When you’re running cybersecurity in a busy hospital, you don’t have the luxury of long response times. This video shows how Dayton Children’s cybersecurity team handled an emerging social engineering attack making the rounds in regional hospitals, and explains how the Fable platform helped them move quickly when they learned a nearby hospital had been hit—and been ransomed as a result. With the threat suddenly close to home, they needed to brief their entire workforce, quickly, accurately, and in a way people would actually pay attention to.

Instead of sending generic training, the Dayton Children’s team deployed tailored guidance specific to the attackers’ tactics, including a custom vishing-prevention video just for their help desk. The result was rapid, targeted communication delivered at scale—something they had not been able to do easily with their legacy platform.

Beyond incident response, the team shares how Fable now lightens their day-to-day workload by continuously analyzing risky user behavior and surfacing issues before they turn into problems. With a highly competent staff that is never quite big enough for the growing demands, automated, user-level risk insights help the team stay ahead without losing precious time to manual review.

In the video, the team also highlights one of the biggest benefits of using Fable: the ability to prioritize remediation based on who was affected. A phish against a cafeteria worker is not the same as one against a nurse with an inbox full of protected health information. By giving them instant visibility into each employee’s data access and behavioral risk, Fable helps the team respond smarter and protect the organization more effectively. In their words: every company needs something like this—especially now.

Malware, not magic: lessons from the Disney breach

The TL;DR

  • A Disney employee downloaded an AI tool that secretly contained malware
  • Attackers used stolen credentials to access internal systems and leak 1TB of data
  • Learn how the breach unfolded and what your employees can do to prevent similar attacks
  • Scroll down for a free, 2-minute Fable video briefing you can use to protect your organization

In early 2024, we learned that no amount of pixie dust could protect the Magic Kingdom from being breached—even from preventable attacks. A Disney employee downloaded what appeared to be a harmless AI image-generation tool from GitHub. Hidden in the download was malware that captured the employee’s stored credentials and cookies.

The attacker used those credentials to log into Disney’s internal Slack system and download roughly 1.1 terabytes of data, including sensitive employee records, internal communications, and even customer data from the Disney Cruise Line. The attacker later published the stolen data online after making threats to the employee and the company.

The human factors behind the breach

Only the bare necessities were needed for this breach to succeed. It wasn’t an advanced exploit; it simply took advantage of an employee’s insecure practices to pivot from a personal computer to the corporate network.

Here’s what went wrong:

  • Mixing work and personal use: corporate credentials were stored on a personal gaming computer.
  • Unapproved software downloads: the employee installed an unvetted app from an unverified source.
  • Weak credential hygiene: persistent sessions and stored passwords without MFA gave the attacker easy access.
  • Lack of verification: the employee didn’t realize the tool was malicious until it was too late.

Fittingly, these factors lined up like the holes in the metaphorical slices of Swiss cheese. Addressing any one of these issues could have prevented the breach.

How to prevent attacks like this

Most breaches are the result of inadvertent human error. But if employees know what to do, they can be your first line of defense.

Encourage them to:

  • Keep work and personal data separate, and use caution when intermingling data on personal devices.
  • Use only approved tools—if it’s not on the list, don’t install it.
  • Use multi-factor authentication everywhere.
  • Avoid storing passwords or cookies on unmanaged devices.
  • Report suspicious downloads or messages immediately.

Organizations should also enforce strong endpoint protection, software vetting, and behavioral monitoring to catch risky actions early, before they become breaches.

How Fable Security can help

Below is a short, 2-minute video briefing you can share with your employees that explains what went wrong in the Disney breach and what simple steps your people can take today to prevent the same mistake. Click the “download now” button below to share it with your team right away.

Love this briefing video, and want to see more videos like this that are hyper-targeted and customized to your organization? Try the Fable platform today. Schedule a demo, and we’ll get you access.