A new playground: Malicious campaigns proliferate from VSCode to npm
To avoid compromised packages being introduced as a dependency in a larger project, security teams need to keep an eye peeled for such malicious code.
Malicious Ads in Search Results Are Driving New Generations of Scams | WIRED
The scourge of “malvertising” is nothing new, but the tactic is still so effective that it's contributing to the rise of investment scams and the spread of new strains of malware.
Python Crypto Library Updated to Steal Private Keys
Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean
Malicious NPM Packages Target Roblox Users with Data-Stealing Malware
A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber. "This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available commodity malware, public platforms like GitHub for hosting malicious executables, and communication channels like Discord and Telegram for C2 operations to bypass traditional security measures," Socket security researcher Kirill Boychenko said in a report shared with The Hacker News.
HijackLoader evolution: abusing genuine signing certificates
Since mid-September 2024, our telemetry has revealed a significant increase in “Lumma Stealer”1 malware deployments via the “HijackLoader”2 malicious loader. On October 2, 2024, HarfangLab EDR detected and blocked yet another HijackLoader deployment attempt – except this time, the malware sample was properly signed with a genuine code-signing certificate. In response, we initiated a hunt for code-signing certificates (ab)used to sign malware samples. We identified and reported more of such certificates. This report briefly presents the associated stealer threat, outlines the methodology for hunting these certificates, and providees indicators of compromise.
Hacker plants false memories in ChatGPT to steal user data in perpetuity
Emails, documents, and other untrusted content can plant malicious memories.
Malicious Plugin
Pidgin is a universal chat client, allowing you to consolidate all your different messaging apps into a single tool.
China-Linked Hackers Compromise ISP to Deploy Malicious Software Updates
Chinese hacking group Evasive Panda compromises ISP to push malware, targeting companies through DNS poisoning and insecure update mechanisms.
A Catalog of Hazardous AV Sites – A Tale of Malware Hosting
In mid-April 2024, Trellix Advanced Research Center team members observed multiple fake AV sites hosting highly sophisticated malicious files such as APK, EXE and Inno setup installer that includes Spy and Stealer capabilities. Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber-attacks. The hosted websites made to look legitimate are listed below.
PyPI halted new users and projects while it fended off supply-chain attack
Automation is making attacks on open source code repositories harder to fight.
New Go loader pushes Rhadamanthys stealer
A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.
GitHub besieged by millions of malicious repositories in ongoing attack | Ars Technica
GitHub keeps removing malware-laced repositories, but thousands remain.
“SubdoMailing” — Thousands of Hijacked Major-Brand Subdomains Found Bombarding Users With Millions of Malicious Emails
Guardio Labs uncovers a sprawling campaign of subdomain hijacking, compromising already over 8,000 domains from esteemed brands and institutions, including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay and others. This malicious activity, dubbed “SubdoMailing”, leverages the trust associated with these domains to circulate spam and malicious phishing emails by the Millions each day, cunningly using their credibility and stolen resources to slip past security measures. In our detailed analysis, we disclose how we detected this extensive subdomain hijacking effort, its mechanisms, its unprecedented scale and the main threat actor behind it. Furthermore, we developedthe “SubdoMailing” checker — a website designed to empower domain owners to reclaim control over their compromised assets and shield themselves against such pervasive threats. This report not only sheds light on the magnitude of the issue but also serves as a call to action for enhancing domain security against future exploits.
Disrupting malicious uses of AI by state-affiliated threat actors
We terminated accounts associated with state-affiliated threat actors. Our findings show our models offer only limited, incremental capabilities for malicious cybersecurity tasks.
Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
Did you download Warbeast2000 or Kodiak2k from npm? If so, your SSH keys might be compromised! These packages steal keys & upload them to GitHub.
Why Join The Navy If You Can Be A Pirate?
Analyzing a pirated application, that contains a (malicious) surprise A few days ago, malwrhunterteam tweeted about pirated macOS application that appeared to contain malware And even though as noted in the tweet the sample appeared to be from 2023, it was new to me so I decided to take some time to dig in deeper. Plus, I’m always interested in seeing if Objective-See’s free open-source tools can provide protection against recent macOS threats. In this blog post we’ll start with the disk image, then hone in on a malicious dynamic library, which turns out just to be the start!
Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains
Using machine learning to target stockpiled malicious domains, the results of our detection pipeline tool highlight campaigns from phishing to scams.
A pernicious potpourri of Python packages in PyPI
The past year has seen over 10,000 downloads of malicious packages hosted on the official Python package repository, ESET research finds.
The evolutionary tale of a persistent Python threat
Since early April 2023, an attacker has been relentlessly deploying hundreds of malicious packages through various usernames, accumulating nearly 75,000 downloads. Our team at Checkmarx’s Supply Chain Security has been on this malicious actor’s trail since early April, documenting each step of its evolution. We have been actively observing an attacker who seems to be evermore refining their craft.
Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
A phony proof-of-concept (PoC) code for CVE-2023-40477 delivered a payload of VenomRAT. We detail our findings, including an analysis of the malicious code.
An Ongoing Open Source Attack Reveals Roots Dating Back To 2021
Developers in the cryptocurrency sphere are being targeted once again, as yet another threat actor has been exposed. This user has been publishing malicious NPM packages with the purpose of exfiltrating sensitive data such as source code and configuration files from the victim’s machines. The threat actor behind this campaign has been linked to malicious activity dating back to 2021. Since then, they have continuously published malicious code.
Security advisory: malicious crate rustdecimal
The Rust Security Response WG and the crates.io team were notified on 2022-05-02 of the existence of the malicious crate rustdecimal, which contained malware. The crate name was intentionally similar to the name of the popular rust_decimal crate, hoping that potential victims would misspell its name (an attack called "typosquattin
Hackers exploit gaping Windows loophole to give their malware kernel access
Microsoft blocks a new batch of system drivers, but the loophole empowering them remains.
Microsoft Revokes Malicious Drivers in Patch Tuesday Culling
In December 2022, Microsoft published their monthly Windows Update packages that included an advisory about malicious drivers, signed by Microsoft and other code-signing authorities, that Sophos X-…
Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks
“Write once, infect everywhere” might be the new cybercrime motto, with newly discovered campaigns showing malicious npm packages powering phishing kits and supply chain attacks.
How malicious extensions hide running arbitrary code
Eight malicious extensions still remain in Chrome Web Store. These use some interesting tricks to keep running arbitrary code despite restrictions of Manifest V3.
Malicious VSCode extensions with more than 45K downloads steal PII and enable backdoors - Check Point Blog
Highlights: CloudGuard Spectrals detected malicious extensions on the VSCode marketplace Users installing these extensions were enabling attackers to
Threat Actors Rapidly Adopt Web3 IPFS Technology
Web3 technologies are seeing widespread adoption — including by TAs. We discuss Web3 technology InterPlanetary File System (IPFS), and malicious use of it.
Qakbot mechanizes distribution of malicious OneNote notebooks
A large-scale "QakNote" attack deploys malicious .one files as a novel infection vector
A Noteworthy Threat: How Cybercriminals are Abusing OneNote
Threat actors are taking advantage of Microsoft OneNote's ability to embed files and use social engineering techniques, such as phishing emails and lures inside the OneNote document, to get unsuspecting users to download and open malicious files.