May 26, 2025Ravie LakshmananCybersecurity / Cryptocurrency As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The packages, published under three different accounts, come with an install‑time script that's triggered during npm install, Socket security researcher Kirill Boychenko said in a report published last week. The libraries have been collectively downloaded over 3,000 times. "The script targets Windows, macOS, or Linux systems, and includes basic sandbox‑evasion checks, making every infected workstation or continuous‑integration node a potential source of valuable reconnaissance," the software supply chain security firm said. The names of the three accounts, each of which published 20 packages within an 11-day time period, are listed below. The accounts no longer exist on npm - bbbb335656 cdsfdfafd1232436437, and sdsds656565 The malicious code, per Socket, is explicitly designed to fingerprint every machine that installs the package, while also aborting the execution if it detects that it's running in a virtualized environment associated with Amazon, Google, and others. The harvested information, which includes host details, system DNS servers, network interface card (NIC) information, and internal and external IP addresses, is then transmitted to a Discord webhook. "By harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it enables a threat actor to chart the network and identify high‑value targets for future campaigns," Boychenko said. The disclosure follows another set of eight npm packages that masquerade as helper libraries for widely-used JavaScript frameworks including React, Vue.js, Vite, Node.js, and the open-source Quill Editor, but deploy destructive payloads once installed. They have been downloaded more than 6,200 times and are still available for download from the repository - vite-plugin-vue-extend quill-image-downloader js-hood js-bomb vue-plugin-bomb vite-plugin-bomb vite-plugin-bomb-extend, and vite-plugin-react-extend "Masquerading as legitimate plugins and utilities while secretly containing destructive payloads designed to corrupt data, delete critical files, and crash systems, these packages remained undetected," Socket security researcher Kush Pandya said. Some of the identified packages have been found to execute automatically once developers invoke them in their projects, enabling recursive deletion of files related to Vue.js, React, and Vite. Others are designed to either corrupt fundamental JavaScript methods or tamper with browser storage mechanisms like localStorage, sessionStorage, and cookies. Another package of note is js-bomb, which goes beyond deleting Vue.js framework files by also initiating a system shutdown based on the current time of the execution. The activity has been traced to a threat actor named xuxingfeng, who has also published five legitimate, non-malicious packages that work as intended. Some of the rogue packages were published in 2023. "This dual approach of releasing both harmful and helpful packages creates a facade of legitimacy that makes malicious packages more likely to be trusted and installed," Pandya said. The findings also follow the discovery of a novel attack campaign that combines traditional email phishing with JavaScript code that's part of a malicious npm package disguised as a benign open-source library. "Once communication was established, the package loaded and delivered a second-stage script that customized phishing links using the victim's email address, leading them to a fake Office 365 login page designed to steal their credentials," Fortra researcher Israel Cerda said. The starting point of the attack is a phishing email containing a malicious .HTM file, which includes encrypted JavaScript code hosted on jsDelivr and associated with a now-removed npm package named citiycar8. Once installed, the JavaScript payload embedded within the package is used to initiate a URL redirection chain that eventually leads the user to a bogus landing page designed to capture their credentials. "This phishing attack demonstrates a high level of sophistication, with threat actors linking technologies such as AES encryption, npm packages delivered through a CDN, and multiple redirections to mask their malicious intentions," Cerda said. "The attack not only illustrates the creative ways that attackers attempt to evade detection but also highlights the importance of vigilance in the ever-evolving landscape of cybersecurity threats." The abuse of open-source repositories for malware distribution has become a tried-and-tested approach for conducting supply chain attacks at scale. In recent weeks, malicious data-stealing extensions have also been uncovered in Microsoft's Visual Studio Code (VS Code) Marketplace that are engineered to siphon cryptocurrency wallet credentials by targeting Solidity developers on Windows. The activity has been attributed by Datadog Security Research to a threat actor it tracks as MUT-9332. The names of the extensions are as follows - solaibot among-eth, and blankebesxstnion "The extensions disguise themselves as legitimate, concealing harmful code within genuine features, and use command and control domains that appear relevant to Solidity and that would not typically be flagged as malicious," Datadog researchers said. "All three extensions employ complex infection chains that involve multiple stages of obfuscated malware, including one that uses a payload hidden inside an image file hosted on the Internet Archive." Specifically, the extensions were advertised as offering syntax scanning and vulnerability detection for Solidity developers. While they offer genuine functionality, the extensions are also designed to deliver malicious payloads that steal cryptocurrency wallet credentials from victim Windows systems. The three extensions have since been taken down. The end goal of the VS Code extension is to slip a malicious Chromium-based browser extension that's capable of plundering Ethereum wallets and leaking them to a command-and-control (C2) endpoint. It's also equipped to install a separate executable that disables Windows Defender scanning, scans application data directories for Discord, Chromium-based browsers, cryptocurrency wallets, and Electron applications, and retrieves and executes an additional payload from a remote server. MUT-9332 is also assessed to be behind a recently disclosed campaign that involved the use of 10 malicious VS Code extensions to install an XMRig cryptominer by passing off as coding or artificial intelligence (AI) tools. "This campaign demonstrates the surprising and creative lengths to which MUT-9332 is willing to go when it comes to concealing their malicious intentions," Datadog said. "These payload updates suggest that this campaign will likely continue, and the detection and removal of this first batch of malicious VS Code extensions may prompt MUT-9332 to change tactics in subsequent ones." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Acurast has raised $5.4 million to use smartphones to power a global decentralized cloud computing network. The company raised the money in a community led investment round by premier cryptocurrency launchpad CoinList. The sale concluded on May 22, 2025, with Acurast’s ACU token priced at nine cents, resulting in a fully diluted valuation of $90 million.“Most of the newly raised capital will be used to enhance our protocol, which continues proving that compute can be verifiable, confidential, energy-efficient, and truly decentralised, powered by the phones in our pockets,” said Alessandro De Carli, president of the board and cofounder of Acurast, in a statement.Acurast has raised $5.4 million. Acurast enables users to participate in confidential compute tasks, decentralized AI, and blockchain infrastructure, all while earning rewards by leveraging the processing power of smartphones. The protocol transforms everyday phones into secure, decentralized compute nodes, powering a global networkspanning over 130 countries.Acurast has onboarded over 72,000 smartphones, or “compute units,” worldwide onto its decentralized testnet with over 256 million transactions, making it the most decentralized and verifiable computenetwork available today, eliminating the need for centralized data centers. Acurast utilizes Trusted Execution Environments (TEEs) and Hardware Security Modules (HSMs) of the mobile phones to ensure secure and scalable compute, while maintaining confidentiality without requiring trust in the device owner. “The ACU token lies at the heart of this economy. Acurast allows anyone and everyone to run compute with their mobile phones, providing real decentralisation, and become stakeholders in the networkpowering a secure, scalable and decentralised computer economy while incentivising activecollaboration and sustainable growth,” said De Carli.Over 300 websites and games were created on Acurast in the last 24 hours using just a prompt with Vibe Code and Deploy — live instantly on a decentralized network powered by phones. Acurast’s high-performance Proof of Stake blockchain orchestrates global demand and supply for secure decentralized compute, without centralized data centers. This chain verifies genuine hardware on-chain with Smartphone manufacture attestations and anchors confidential workloads, ensuring trustless and verifiable execution across billions of smartphones. Acurast’s Android and iOS apps offer end-to-end checks of each phone’s secure elements, delivering unstoppable trustless compute at scale. Acurast is creating a global decentralized cloud using smartphones in 130 countries. Acurast delivers a next-generation decentralized confidential compute platform, purpose-built for the demands of web3, AI, and beyond. Developers can seamlessly deploy and scale JavaScript, TypeScript, Node.js, and WASM workloads via a simple CLI, with access to thousands of NPM packages and deep integration across major ecosystems. Centered on openness, composability, and decentralization, Acurast forms the foundational layer for the decentralized compute economy, unlocking mass adoption and enabling unprecedented innovation for web3 and beyond. ACU tokens have a total supply of 1,000,000,000 tokens at genesis with the token utility being around network fees, settlement layers, staking and governance. Daily insights on business use cases with VB Daily If you want to impress your boss, VB Daily has you covered. We give you the inside scoop on what companies are doing with generative AI, from regulatory shifts to practical deployments, so you can share insights for maximum ROI. Read our Privacy Policy Thanks for subscribing. Check out more VB newsletters here. An error occured.

A total of 60 packages were recently removed from NPM.

DanaBot Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying An example of how a single malware operation can enable both criminal and state-sponsored hacking. Andy Greenberg, WIRED.com – May 23, 2025 3:56 pm | 0 Credit: Getty Images Credit: Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments. The US Department of Justice today announced criminal charges today against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ’s announcement of the charges describes the group as “Russia-based,” and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service (DCIS)—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US. Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also makes a rarer claim—it describes how a second variant of the malware it says was used in espionage against military, government, and NGO targets. “Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” US attorney Bill Essayli wrote in a statement. Since 2018, DanaBot—described in the criminal complaint as “incredibly invasive malware”—has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs' owners with modular features designed for credit card and cryptocurrency theft. Because its creators allegedly sold it in an “affiliate” model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm Crowdstrike. At one point in 2021, according to Crowdstrike, Danabot was used in a software supply-chain attack that hid the malware in a JavaScript coding tool called NPM with millions of weekly downloads. Crowdstrike found victims of that compromised tool across the financial service, transportation, technology, and media industries. That scale and the wide variety of its criminal uses made DanaBot “a juggernaut of the e-crime landscape,” according to Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint. More uniquely, though, DanaBot has also been used at times for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment. According to Proofpoint, the malware in those instances was delivered in phishing messages that impersonated the Organization for Security and Cooperation in Europe and a Kazakhstan government entity. Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool onto infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine. All of that makes DanaBot a particularly clear example of how cybercriminal malware has allegedly been adopted by Russian state hackers, Proofpoint's Larson says. “There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines,” says Larson. The case of DanaBot, she says, “is pretty notable, because it's public evidence of this overlap where we see e-crime tooling used for espionage purposes.” In the criminal complaint, DCIS investigator Elliott Peterson—a former FBI agent known for his work on the investigation into the creators of the Mirai botnet—alleges that some members of the DanaBot operation were identified after they infected their own computers with the malware. Those infections may have been for the purposes of testing the trojan, or may have been accidental, according to Peterson. Either way, they resulted in identifying information about the alleged hackers ending up on DanaBot infrastructure that DCIS later seized. “The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor's computer by the malware and stored on DanaBot servers, including data that helped identify members of the DanaBot organization,” Peterson writes. The operators of DanaBot remain at large, but the takedown of a large-scale tool in so many forms of Russian-origin hacking—both state-sponsored and criminal—represents a significant milestone, says Adam Meyers, who leads threat intelligence research at Crowdstrike. “Every time you disrupt a multiyear operation, you're impacting their ability to monetize it. It also creates a bit of a vacuum, and somebody else is going to step up and take that place,” Meyers says. “But the more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target.” This story originally appeared at wired.com Andy Greenberg, WIRED.com Wired.com is your essential daily guide to what's next, delivering the most original and complete take you'll find anywhere on innovation's impact on technology, science, business and culture. 0 Comments

Thrempshs npmopw apnn Oblmpmphon Rmphstrpmshrd mphd aphmt etmphing rshks. Sorry, I've finished chewing. There's now an Oblivion Remastered mod that lets you, the almighty Hero of Kvatch and saviour of the empire (well, in the short-term), eat rocks. Leave room for dessert - there are gemstones too. Read more

May 20, 2025Ravie LakshmananCybersecurity / Malware Cybersecurity researchers have uncovered malicious packages uploaded to the Python Package Index (PyPI) repository that act as checker tools to validate stolen email addresses against TikTok and Instagram APIs. All three packages are no longer available on PyPI. The names of the Python packages are below - checker-SaGaF (2,605 downloads) steinlurks (1,049 downloads) sinnercore (3,300 downloads) "True to its name, checker-SaGaF checks if an email is associated with a TikTok account and an Instagram account," Socket researcher Olivia Brown said in an analysis published last week. Specifically, the package is designed to send HTTP POST requests to TikTok's password recovery API and Instagram's account login endpoints to determine if an email address passed as input is valid, meaning there exists an account holder corresponding to that email address. "Once threat actors have this information, just from an email address, they can threaten to dox or spam, conduct fake report attacks to get accounts suspended, or solely confirm target accounts before launching a credential stuffing or password spraying exploit," Brown said. "Validated user lists are also sold on the dark web for profit. It can seem harmless to construct dictionaries of active emails, but this information enables and accelerates entire attack chains and minimizes detection by only targeting known-valid accounts." The second package "steinlurks," in a similar manner, targets Instagram accounts by sending forged HTTP POST requests mimicking the Instagram Android app to evade detection. It achieves this by targeting different API endpoints - i.instagram[.]com/api/v1/users/lookup/ i.instagram[.]com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/ i.instagram[.]com/api/v1/accounts/send_recovery_flow_email/ www.instagram[.]com/api/v1/web/accounts/check_email/ "Sinnercore," on the other hand, aims to trigger the forgot password flow for a given username, targeting the API endpoint "b.i.instagram[.]com/api/v1/accounts/send_password_reset/" with fake HTTP requests containing the target's username. "There is also functionality targeting Telegram, namely extracting name, user ID, bio, and premium status, as well as other attributes," Brown explained. "Some parts of sinnercore are focused on crypto utilities, like getting real-time Binance price or currency conversions. It even targets PyPI programmers by fetching detailed info on any PyPI package, likely used for fake developer profiles or pretending to be developers." The disclosure comes as ReversingLabs detailed another malicious package named "dbgpkg" that masquerades as a debugging utility but implants a backdoor on the developer's system to facilitate code execution and data exfiltration. While the package is not accessible anymore, it's estimated to have been downloaded about 350 times. Interestingly, the package in question has been found to contain the same payload as the one embedded in "discordpydebug," which was flagged by Socket earlier this month. ReversingLabs said it also identified a third package called "requestsdev" that's believed to be part of the same campaign. It attracted 76 downloads before being taken down. Further analysis has determined that the package's backdoor technique using GSocket resembles that of Phoenix Hyena (aka DumpForums or Silent Crow), a hacktivist group known for targeting Russian entities, including Doctor Web, in the aftermath of the Russo-Ukrainian war in early 2022. While the attribution is tentative at best, ReversingLabs pointed out that the activity could also be the work of a copycat threat actor. However, the use of identical payloads and the fact that "discordpydebug" was first uploaded in March 2022 strengthen the case for a possible connection to Phoenix Hyena. "The malicious techniques used in this campaign, including a specific type of backdoor implant and the use of Python function wrapping, show that the threat actor behind it is sophisticated and very careful to avoid detection," security researcher Karlo Zanki said. "The use of function wrapping and tools like the Global Socket Toolkit show that the threat actors behind it were also looking to establish long-term presence on compromised systems without being noticed." The findings also coincide with the discovery of a malicious npm package called "koishi‑plugin‑pinhaofa" that installs a data‑exfiltration backdoor in chatbots powered by the Koishi framework. The package is no longer available for download from npm. "Marketed as a spelling‑autocorrect helper, the plugin scans every message for an eight‑character hexadecimal string," security researcher Kirill Boychenko said. "When it finds one, it forwards the full message, potentially including any embedded secrets or credentials, to a hard-coded QQ account." "Eight character hex often represent short Git commit hashes, truncated JWT or API tokens, CRC‑32 checksums, GUID lead segments, or device serial numbers, each of which can unlock wider systems or map internal assets. By harvesting the whole message the threat actor also scoops up any surrounding secrets, passwords, URLs, credentials, tokens, or IDs." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    