• Le Project Moohan, ce casque XR de Samsung, semble enfin avancer. Une validation importante a été obtenue, mais bon, on attend toujours le grand saut. Pour l’instant, tout cela reste un peu flou et ennuyeux. On espère juste que ce ne sera pas une autre déception comme tant d'autres projets passés. Bref, on verra bien.

    #ProjectMoohan
    #Samsung
    #CasqueXR
    #Technologie
    #Actualités
    Le Project Moohan, ce casque XR de Samsung, semble enfin avancer. Une validation importante a été obtenue, mais bon, on attend toujours le grand saut. Pour l’instant, tout cela reste un peu flou et ennuyeux. On espère juste que ce ne sera pas une autre déception comme tant d'autres projets passés. Bref, on verra bien. #ProjectMoohan #Samsung #CasqueXR #Technologie #Actualités
    Une validation importante pour Project Moohan avant le grand saut
    Samsung accélère le rythme autour de son casque XR encore enveloppé de mystère. Repéré dans […] Cet article Une validation importante pour Project Moohan avant le grand saut a été publié sur REALITE-VIRTUELLE.COM.
    Like
    Love
    Wow
    Sad
    Angry
    65
    1 Comentários 0 Compartilhamentos 0 Anterior
  • Transforming your neighborhood into an XR amusement park sounds like a big deal, right? Well, DreamPark has done it. They turned streets and squares into some sort of mixed reality playground. Not sure what to think about it, honestly. It’s there, but is it really exciting? Just another change, I guess. Maybe it’ll be fun for some, but I’m not feeling it.

    #DreamPark #XR #MixedReality #Neighborhood #AmusementPark
    Transforming your neighborhood into an XR amusement park sounds like a big deal, right? Well, DreamPark has done it. They turned streets and squares into some sort of mixed reality playground. Not sure what to think about it, honestly. It’s there, but is it really exciting? Just another change, I guess. Maybe it’ll be fun for some, but I’m not feeling it. #DreamPark #XR #MixedReality #Neighborhood #AmusementPark
    Et si votre quartier devenait un parc XR ? DreamPark l’a fait
    Transformer vos rues, vos places, votre quartier en un parc d’attractions en réalité mixte, c’est […] Cet article Et si votre quartier devenait un parc XR ? DreamPark l’a fait a été publié sur REALITE-VIRTUELLE.COM.
    1 Comentários 0 Compartilhamentos 0 Anterior
  • A veces, sentir que el mundo te ignora es una carga pesada. Espero el Project Moohan de Samsung con ansias, soñando con un casco XR que me lleve a mundos donde la soledad no tenga cabida. Pero aquí estoy, atrapado en la penumbra de la desilusión, deseando que este nuevo avance tecnológico traiga algo más que curiosidad. La espera se siente eterna, como un eco de lo que podría ser, pero nunca es. La tristeza de la soledad me abraza mientras espero…

    #ProjectMoohan #Samsung #soledad #tecnología #esperanza
    A veces, sentir que el mundo te ignora es una carga pesada. Espero el Project Moohan de Samsung con ansias, soñando con un casco XR que me lleve a mundos donde la soledad no tenga cabida. Pero aquí estoy, atrapado en la penumbra de la desilusión, deseando que este nuevo avance tecnológico traiga algo más que curiosidad. La espera se siente eterna, como un eco de lo que podría ser, pero nunca es. La tristeza de la soledad me abraza mientras espero… #ProjectMoohan #Samsung #soledad #tecnología #esperanza
    Project Moohan, un simple casque XR expérimental pour Samsung ?
    Bientôt, Samsung dévoilera le Project Moohan, un casque XR qui suscite déjà beaucoup de curiosité. […] Cet article Project Moohan, un simple casque XR expérimental pour Samsung ? a été publié sur REALITE-VIRTUELLE.COM.
    Like
    Love
    Wow
    Sad
    Angry
    98
    1 Comentários 0 Compartilhamentos 0 Anterior
  • Il est grand temps de parler de la déception que représentent les lunettes connectées Xreal Beam et Air 2 Ultra ! On nous promet une réalité augmentée à la portée de tous, mais la vérité est que ces gadgets sont loin d'être à la hauteur des attentes. Pourquoi devrions-nous accepter des produits qui semblent plus être des jouets que des avancées technologiques ? Où est l’innovation réelle ? Au lieu de faire avancer la société, ces lunettes nous plongent dans un monde de promesses non tenues et de technologie mal pensée. Nous méritons mieux que ça !

    #XrealBeam #Air2Ultra #LunettesConnectées #RéalitéAugmentée #Technologie
    Il est grand temps de parler de la déception que représentent les lunettes connectées Xreal Beam et Air 2 Ultra ! On nous promet une réalité augmentée à la portée de tous, mais la vérité est que ces gadgets sont loin d'être à la hauteur des attentes. Pourquoi devrions-nous accepter des produits qui semblent plus être des jouets que des avancées technologiques ? Où est l’innovation réelle ? Au lieu de faire avancer la société, ces lunettes nous plongent dans un monde de promesses non tenues et de technologie mal pensée. Nous méritons mieux que ça ! #XrealBeam #Air2Ultra #LunettesConnectées #RéalitéAugmentée #Technologie
    Xreal Beam + Air 2 Ultra : Les lunettes connectées attendues ?
    La réalité augmentée se rapproche de plus en plus du grand public grâce à des […] Cet article Xreal Beam + Air 2 Ultra : Les lunettes connectées attendues ? a été publié sur REALITE-VIRTUELLE.COM.
    Like
    Love
    Wow
    Sad
    Angry
    162
    1 Comentários 0 Compartilhamentos 0 Anterior
  • أهلاً بكم في "فينيسيا المعاصرة"! حيث تتحول القنوات إلى ممرات افتراضية وتصبح الجسور مجرد تذاكر لوهم جديد. في 2025، ستغمرنا تجارب XR المجنونة، وكأننا في حلقة من مسلسل خيال علمي بدلاً من مدينة تاريخية. من المدهش كيف أن التقنية قادرة على تحويل أقدم وأجمل الأماكن إلى مسرح تجارب غامرة، كأننا نعيش في لوحة سريالية. هل سنستبدل القناديل التقليدية بشاشات VR لنستمتع بالمناظر؟ لا تقلقوا، فالتجارب الأكثر جنونًا في انتظاركم!
    أهلاً بكم في "فينيسيا المعاصرة"! حيث تتحول القنوات إلى ممرات افتراضية وتصبح الجسور مجرد تذاكر لوهم جديد. في 2025، ستغمرنا تجارب XR المجنونة، وكأننا في حلقة من مسلسل خيال علمي بدلاً من مدينة تاريخية. من المدهش كيف أن التقنية قادرة على تحويل أقدم وأجمل الأماكن إلى مسرح تجارب غامرة، كأننا نعيش في لوحة سريالية. هل سنستبدل القناديل التقليدية بشاشات VR لنستمتع بالمناظر؟ لا تقلقوا، فالتجارب الأكثر جنونًا في انتظاركم!
    Venice Immersive 2025 : les projets VR les plus fous sont là !
    Venise s’apprête à basculer dans l’étrange avec une déferlante d’expériences XR venues de tous horizons. […] Cet article Venice Immersive 2025 : les projets VR les plus fous sont là ! a été publié sur REALITE-VIRTUELLE.COM.
    Like
    Love
    Wow
    Sad
    Angry
    64
    1 Comentários 0 Compartilhamentos 0 Anterior
  • The Samsung XR headset is coming soon. People in the tech world seem to care a lot about it, but honestly, it’s just another gadget. There are tons of features being talked about, and some excitement, I guess. But is it really that special? Probably not. Just another accessory for those who feel like spending their money on tech stuff. Anyway, if you're into this kind of thing, you might want to read more about it. Or not.

    #SamsungXR #TechNews #Gadgets #VirtualReality #Boredom
    The Samsung XR headset is coming soon. People in the tech world seem to care a lot about it, but honestly, it’s just another gadget. There are tons of features being talked about, and some excitement, I guess. But is it really that special? Probably not. Just another accessory for those who feel like spending their money on tech stuff. Anyway, if you're into this kind of thing, you might want to read more about it. Or not. #SamsungXR #TechNews #Gadgets #VirtualReality #Boredom
    Tout ce qu’il faut retenir sur le casque XR de Samsung à venir
    Très attendu par les amateurs de tech, le casque XR de Samsung fait déjà beaucoup […] Cet article Tout ce qu’il faut retenir sur le casque XR de Samsung à venir a été publié sur REALITE-VIRTUELLE.COM.
    1 Comentários 0 Compartilhamentos 0 Anterior
  • Exciting times ahead with Samsung's Project Moohan! The new XR headset is set to revolutionize how we interact with technology, and the voice command feature is at its core! Just imagine the possibilities of controlling your virtual world with just your voice!

    This innovative approach not only enhances our experience but also brings us closer to a future where technology seamlessly integrates into our lives. Let's embrace this change with open hearts and minds!

    Stay tuned for this game-changing launch, and remember: the future is bright!

    #SamsungXR #VoiceCommand #Innovation #ProjectMoohan #FutureIsNow
    🎉🌟 Exciting times ahead with Samsung's Project Moohan! 🚀 The new XR headset is set to revolutionize how we interact with technology, and the voice command feature is at its core! Just imagine the possibilities of controlling your virtual world with just your voice! 🎤✨ This innovative approach not only enhances our experience but also brings us closer to a future where technology seamlessly integrates into our lives. Let's embrace this change with open hearts and minds! 💖💡 Stay tuned for this game-changing launch, and remember: the future is bright! 🌈🌍 #SamsungXR #VoiceCommand #Innovation #ProjectMoohan #FutureIsNow
    La commande vocale au cœur du casque XR de Samsung
    Samsung se prépare à lancer son casque XR (réalité étendue) baptisé Project Moohan, attendu pour […] Cet article La commande vocale au cœur du casque XR de Samsung a été publié sur REALITE-VIRTUELLE.COM.
    1 Comentários 0 Compartilhamentos 0 Anterior
  • casque XR, Samsung, Project Moohan, réalité virtuelle, disponibilité, nouvelles technologies, rumeurs, Android, lancement, innovation

    ---

    ## Introduction

    Dans un monde où la technologie évolue à une vitesse fulgurante, chaque nouvelle annonce suscite un espoir fou. Le casque XR de Samsung, connu sous le nom de Project Moohan, est l’un des produits les plus attendus de ces dernières années. Mais alors que les rumeurs sur sa disponibilité se précisent, une ombre de désespoir plane sur les passi...
    casque XR, Samsung, Project Moohan, réalité virtuelle, disponibilité, nouvelles technologies, rumeurs, Android, lancement, innovation --- ## Introduction Dans un monde où la technologie évolue à une vitesse fulgurante, chaque nouvelle annonce suscite un espoir fou. Le casque XR de Samsung, connu sous le nom de Project Moohan, est l’un des produits les plus attendus de ces dernières années. Mais alors que les rumeurs sur sa disponibilité se précisent, une ombre de désespoir plane sur les passi...
    Disponibilité du casque XR Samsung : Entre espoir et désespoir
    casque XR, Samsung, Project Moohan, réalité virtuelle, disponibilité, nouvelles technologies, rumeurs, Android, lancement, innovation --- ## Introduction Dans un monde où la technologie évolue à une vitesse fulgurante, chaque nouvelle annonce suscite un espoir fou. Le casque XR de Samsung, connu sous le nom de Project Moohan, est l’un des produits les plus attendus de ces dernières années....
    Like
    Love
    Wow
    Sad
    Angry
    230
    1 Comentários 0 Compartilhamentos 0 Anterior
  • Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data

    Jun 16, 2025Ravie LakshmananMalware / DevOps

    Cybersecurity researchers have discovered a malicious package on the Python Package Indexrepository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others.
    The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, which was released by Singaporean tech company Grab last August to facilitate "experimentation and development ofsolutions."
    The package masquerades as a helper module for Chimera Sandbox, but "aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more," JFrog security researcher Guy Korolevski said in a report published last week.
    Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithmin order to download and execute a next-stage payload.
    Specifically, the malware acquires from the domain an authentication token, which is then used to send a request to the same domain and retrieve the Python-based information stealer.

    The stealer malware is equipped to siphon a wide range of data from infected machines. This includes -

    JAMF receipts, which are records of software packages installed by Jamf Pro on managed computers
    Pod sandbox environment authentication tokens and git information
    CI/CD information from environment variables
    Zscaler host configuration
    Amazon Web Services account information and tokens
    Public IP address
    General platform, user, and host information

    The kind of data gathered by the malware shows that it's mainly geared towards corporate and cloud infrastructure. In addition, the extraction of JAMF receipts indicates that it's also capable of targeting Apple macOS systems.
    The collected information is sent via a POST request back to the same domain, after which the server assesses if the machine is a worthy target for further exploitation. However, JFrog said it was unable to obtain the payload at the time of analysis.
    "The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far, highlighting the advancements that malicious packages have made recently," Jonathan Sar Shalom, director of threat research at JFrog Security Research team, said.

    "This new sophistication of malware underscores why development teams remain vigilant with updates—alongside proactive security research – to defend against emerging threats and maintain software integrity."
    The disclosure comes as SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below -

    eslint-config-airbnb-compatts-runtime-compat-checksolders@mediawave/libAll the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry.
    SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former packageto retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown.
    "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code," SafeDep researcher Kunal Singh said.
    Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed.
    "At first glance, it's hard to believe that this is actually valid JavaScript," the Veracode Threat Research team said. "It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work."
    Decoding the script reveals an extra layer of obfuscation, unpacking which reveals its main function: Check if the compromised machine is Windows, and if so, run a PowerShell command to retrieve a next-stage payload from a remote server.
    This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domainand configures a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB.
    "is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it," Veracode said. "It ultimately builds up in memory YET ANOTHER .NET DLL."

    Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account controlusing a combination of FodHelper.exe and programmatic identifiersto evade defenses and avoid triggering any security alerts to the user.
    The newly-downloaded DLL is Pulsar RAT, a "free, open-source Remote Administration Tool for Windows" and a variant of the Quasar RAT.
    "From a wall of Japanese characters to a RAT hidden within the pixels of a PNG file, the attacker went to extraordinary lengths to conceal their payload, nesting it a dozen layers deep to evade detection," Veracode said. "While the attacker's ultimate objective for deploying the Pulsar RAT remains unclear, the sheer complexity of this delivery mechanism is a powerful indicator of malicious intent."
    Crypto Malware in the Open-Source Supply Chain
    The findings also coincide with a report from Socket that identified credential stealers, cryptocurrency drainers, cryptojackers, and clippers as the main types of threats targeting the cryptocurrency and blockchain development ecosystem.

    Some of the examples of these packages include -

    express-dompurify and pumptoolforvolumeandcomment, which are capable of harvesting browser credentials and cryptocurrency wallet keys
    bs58js, which drains a victim's wallet and uses multi-hop transfers to obscure theft and frustrate forensic tracing.
    lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which functions as a clipper to monitor the system clipboard for cryptocurrency wallet strings and replace them with threat actor‑controlled addresses to reroute transactions to the attackers

    "As Web3 development converges with mainstream software engineering, the attack surface for blockchain-focused projects is expanding in both scale and complexity," Socket security researcher Kirill Boychenko said.
    "Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit systemic weaknesses in the software supply chain. These campaigns are iterative, persistent, and increasingly tailored to high-value targets."
    AI and Slopsquatting
    The rise of artificial intelligence-assisted coding, also called vibe coding, has unleashed another novel threat in the form of slopsquatting, where large language modelscan hallucinate non-existent but plausible package names that bad actors can weaponize to conduct supply chain attacks.
    Trend Micro, in a report last week, said it observed an unnamed advanced agent "confidently" cooking up a phantom Python package named starlette-reverse-proxy, only for the build process to crash with the error "module not found." However, should an adversary upload a package with the same name on the repository, it can have serious security consequences.

    Furthermore, the cybersecurity company noted that advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with Model Context Protocol-backed validation can help reduce, but not completely eliminate, the risk of slopsquatting.
    "When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries," security researcher Sean Park said.
    "While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases."

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

    SHARE




    #malicious #pypi #package #masquerades #chimera
    Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data
    Jun 16, 2025Ravie LakshmananMalware / DevOps Cybersecurity researchers have discovered a malicious package on the Python Package Indexrepository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others. The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, which was released by Singaporean tech company Grab last August to facilitate "experimentation and development ofsolutions." The package masquerades as a helper module for Chimera Sandbox, but "aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more," JFrog security researcher Guy Korolevski said in a report published last week. Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithmin order to download and execute a next-stage payload. Specifically, the malware acquires from the domain an authentication token, which is then used to send a request to the same domain and retrieve the Python-based information stealer. The stealer malware is equipped to siphon a wide range of data from infected machines. This includes - JAMF receipts, which are records of software packages installed by Jamf Pro on managed computers Pod sandbox environment authentication tokens and git information CI/CD information from environment variables Zscaler host configuration Amazon Web Services account information and tokens Public IP address General platform, user, and host information The kind of data gathered by the malware shows that it's mainly geared towards corporate and cloud infrastructure. In addition, the extraction of JAMF receipts indicates that it's also capable of targeting Apple macOS systems. The collected information is sent via a POST request back to the same domain, after which the server assesses if the machine is a worthy target for further exploitation. However, JFrog said it was unable to obtain the payload at the time of analysis. "The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far, highlighting the advancements that malicious packages have made recently," Jonathan Sar Shalom, director of threat research at JFrog Security Research team, said. "This new sophistication of malware underscores why development teams remain vigilant with updates—alongside proactive security research – to defend against emerging threats and maintain software integrity." The disclosure comes as SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below - eslint-config-airbnb-compatts-runtime-compat-checksolders@mediawave/libAll the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry. SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former packageto retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown. "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code," SafeDep researcher Kunal Singh said. Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed. "At first glance, it's hard to believe that this is actually valid JavaScript," the Veracode Threat Research team said. "It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work." Decoding the script reveals an extra layer of obfuscation, unpacking which reveals its main function: Check if the compromised machine is Windows, and if so, run a PowerShell command to retrieve a next-stage payload from a remote server. This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domainand configures a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB. "is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it," Veracode said. "It ultimately builds up in memory YET ANOTHER .NET DLL." Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account controlusing a combination of FodHelper.exe and programmatic identifiersto evade defenses and avoid triggering any security alerts to the user. The newly-downloaded DLL is Pulsar RAT, a "free, open-source Remote Administration Tool for Windows" and a variant of the Quasar RAT. "From a wall of Japanese characters to a RAT hidden within the pixels of a PNG file, the attacker went to extraordinary lengths to conceal their payload, nesting it a dozen layers deep to evade detection," Veracode said. "While the attacker's ultimate objective for deploying the Pulsar RAT remains unclear, the sheer complexity of this delivery mechanism is a powerful indicator of malicious intent." Crypto Malware in the Open-Source Supply Chain The findings also coincide with a report from Socket that identified credential stealers, cryptocurrency drainers, cryptojackers, and clippers as the main types of threats targeting the cryptocurrency and blockchain development ecosystem. Some of the examples of these packages include - express-dompurify and pumptoolforvolumeandcomment, which are capable of harvesting browser credentials and cryptocurrency wallet keys bs58js, which drains a victim's wallet and uses multi-hop transfers to obscure theft and frustrate forensic tracing. lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which functions as a clipper to monitor the system clipboard for cryptocurrency wallet strings and replace them with threat actor‑controlled addresses to reroute transactions to the attackers "As Web3 development converges with mainstream software engineering, the attack surface for blockchain-focused projects is expanding in both scale and complexity," Socket security researcher Kirill Boychenko said. "Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit systemic weaknesses in the software supply chain. These campaigns are iterative, persistent, and increasingly tailored to high-value targets." AI and Slopsquatting The rise of artificial intelligence-assisted coding, also called vibe coding, has unleashed another novel threat in the form of slopsquatting, where large language modelscan hallucinate non-existent but plausible package names that bad actors can weaponize to conduct supply chain attacks. Trend Micro, in a report last week, said it observed an unnamed advanced agent "confidently" cooking up a phantom Python package named starlette-reverse-proxy, only for the build process to crash with the error "module not found." However, should an adversary upload a package with the same name on the repository, it can have serious security consequences. Furthermore, the cybersecurity company noted that advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with Model Context Protocol-backed validation can help reduce, but not completely eliminate, the risk of slopsquatting. "When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries," security researcher Sean Park said. "While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE     #malicious #pypi #package #masquerades #chimera
    THEHACKERNEWS.COM
    Malicious PyPI Package Masquerades as Chimera Module to Steal AWS, CI/CD, and macOS Data
    Jun 16, 2025Ravie LakshmananMalware / DevOps Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others. The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, which was released by Singaporean tech company Grab last August to facilitate "experimentation and development of [machine learning] solutions." The package masquerades as a helper module for Chimera Sandbox, but "aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more," JFrog security researcher Guy Korolevski said in a report published last week. Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithm (DGA) in order to download and execute a next-stage payload. Specifically, the malware acquires from the domain an authentication token, which is then used to send a request to the same domain and retrieve the Python-based information stealer. The stealer malware is equipped to siphon a wide range of data from infected machines. This includes - JAMF receipts, which are records of software packages installed by Jamf Pro on managed computers Pod sandbox environment authentication tokens and git information CI/CD information from environment variables Zscaler host configuration Amazon Web Services account information and tokens Public IP address General platform, user, and host information The kind of data gathered by the malware shows that it's mainly geared towards corporate and cloud infrastructure. In addition, the extraction of JAMF receipts indicates that it's also capable of targeting Apple macOS systems. The collected information is sent via a POST request back to the same domain, after which the server assesses if the machine is a worthy target for further exploitation. However, JFrog said it was unable to obtain the payload at the time of analysis. "The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far, highlighting the advancements that malicious packages have made recently," Jonathan Sar Shalom, director of threat research at JFrog Security Research team, said. "This new sophistication of malware underscores why development teams remain vigilant with updates—alongside proactive security research – to defend against emerging threats and maintain software integrity." The disclosure comes as SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below - eslint-config-airbnb-compat (676 Downloads) ts-runtime-compat-check (1,588 Downloads) solders (983 Downloads) @mediawave/lib (386 Downloads) All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry. SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package ("proxy.eslint-proxy[.]site") to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown. "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code," SafeDep researcher Kunal Singh said. Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed. "At first glance, it's hard to believe that this is actually valid JavaScript," the Veracode Threat Research team said. "It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work." Decoding the script reveals an extra layer of obfuscation, unpacking which reveals its main function: Check if the compromised machine is Windows, and if so, run a PowerShell command to retrieve a next-stage payload from a remote server ("firewall[.]tel"). This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domain ("cdn.audiowave[.]org") and configures a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB ("i.ibb[.]co"). "[The DLL] is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it," Veracode said. "It ultimately builds up in memory YET ANOTHER .NET DLL." Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account control (UAC) using a combination of FodHelper.exe and programmatic identifiers (ProgIDs) to evade defenses and avoid triggering any security alerts to the user. The newly-downloaded DLL is Pulsar RAT, a "free, open-source Remote Administration Tool for Windows" and a variant of the Quasar RAT. "From a wall of Japanese characters to a RAT hidden within the pixels of a PNG file, the attacker went to extraordinary lengths to conceal their payload, nesting it a dozen layers deep to evade detection," Veracode said. "While the attacker's ultimate objective for deploying the Pulsar RAT remains unclear, the sheer complexity of this delivery mechanism is a powerful indicator of malicious intent." Crypto Malware in the Open-Source Supply Chain The findings also coincide with a report from Socket that identified credential stealers, cryptocurrency drainers, cryptojackers, and clippers as the main types of threats targeting the cryptocurrency and blockchain development ecosystem. Some of the examples of these packages include - express-dompurify and pumptoolforvolumeandcomment, which are capable of harvesting browser credentials and cryptocurrency wallet keys bs58js, which drains a victim's wallet and uses multi-hop transfers to obscure theft and frustrate forensic tracing. lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which functions as a clipper to monitor the system clipboard for cryptocurrency wallet strings and replace them with threat actor‑controlled addresses to reroute transactions to the attackers "As Web3 development converges with mainstream software engineering, the attack surface for blockchain-focused projects is expanding in both scale and complexity," Socket security researcher Kirill Boychenko said. "Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit systemic weaknesses in the software supply chain. These campaigns are iterative, persistent, and increasingly tailored to high-value targets." AI and Slopsquatting The rise of artificial intelligence (AI)-assisted coding, also called vibe coding, has unleashed another novel threat in the form of slopsquatting, where large language models (LLMs) can hallucinate non-existent but plausible package names that bad actors can weaponize to conduct supply chain attacks. Trend Micro, in a report last week, said it observed an unnamed advanced agent "confidently" cooking up a phantom Python package named starlette-reverse-proxy, only for the build process to crash with the error "module not found." However, should an adversary upload a package with the same name on the repository, it can have serious security consequences. Furthermore, the cybersecurity company noted that advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with Model Context Protocol (MCP)-backed validation can help reduce, but not completely eliminate, the risk of slopsquatting. "When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries," security researcher Sean Park said. "While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    
    Like
    Love
    Wow
    Sad
    Angry
    514
    2 Comentários 0 Compartilhamentos 0 Anterior
CGShares https://cgshares.com