Jun 16, 2025Ravie LakshmananMalware / DevOps Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others. The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, which was released by Singaporean tech company Grab last August to facilitate "experimentation and development of [machine learning] solutions." The package masquerades as a helper module for Chimera Sandbox, but "aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more," JFrog security researcher Guy Korolevski said in a report published last week. Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithm (DGA) in order to download and execute a next-stage payload. Specifically, the malware acquires from the domain an authentication token, which is then used to send a request to the same domain and retrieve the Python-based information stealer. The stealer malware is equipped to siphon a wide range of data from infected machines. This includes - JAMF receipts, which are records of software packages installed by Jamf Pro on managed computers Pod sandbox environment authentication tokens and git information CI/CD information from environment variables Zscaler host configuration Amazon Web Services account information and tokens Public IP address General platform, user, and host information The kind of data gathered by the malware shows that it's mainly geared towards corporate and cloud infrastructure. In addition, the extraction of JAMF receipts indicates that it's also capable of targeting Apple macOS systems. The collected information is sent via a POST request back to the same domain, after which the server assesses if the machine is a worthy target for further exploitation. However, JFrog said it was unable to obtain the payload at the time of analysis. "The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far, highlighting the advancements that malicious packages have made recently," Jonathan Sar Shalom, director of threat research at JFrog Security Research team, said. "This new sophistication of malware underscores why development teams remain vigilant with updates—alongside proactive security research – to defend against emerging threats and maintain software integrity." The disclosure comes as SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below - eslint-config-airbnb-compat (676 Downloads) ts-runtime-compat-check (1,588 Downloads) solders (983 Downloads) @mediawave/lib (386 Downloads) All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry. SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package ("proxy.eslint-proxy[.]site") to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown. "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code," SafeDep researcher Kunal Singh said. Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed. "At first glance, it's hard to believe that this is actually valid JavaScript," the Veracode Threat Research team said. "It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work." Decoding the script reveals an extra layer of obfuscation, unpacking which reveals its main function: Check if the compromised machine is Windows, and if so, run a PowerShell command to retrieve a next-stage payload from a remote server ("firewall[.]tel"). This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domain ("cdn.audiowave[.]org") and configures a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB ("i.ibb[.]co"). "[The DLL] is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it," Veracode said. "It ultimately builds up in memory YET ANOTHER .NET DLL." Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account control (UAC) using a combination of FodHelper.exe and programmatic identifiers (ProgIDs) to evade defenses and avoid triggering any security alerts to the user. The newly-downloaded DLL is Pulsar RAT, a "free, open-source Remote Administration Tool for Windows" and a variant of the Quasar RAT. "From a wall of Japanese characters to a RAT hidden within the pixels of a PNG file, the attacker went to extraordinary lengths to conceal their payload, nesting it a dozen layers deep to evade detection," Veracode said. "While the attacker's ultimate objective for deploying the Pulsar RAT remains unclear, the sheer complexity of this delivery mechanism is a powerful indicator of malicious intent." Crypto Malware in the Open-Source Supply Chain The findings also coincide with a report from Socket that identified credential stealers, cryptocurrency drainers, cryptojackers, and clippers as the main types of threats targeting the cryptocurrency and blockchain development ecosystem. Some of the examples of these packages include - express-dompurify and pumptoolforvolumeandcomment, which are capable of harvesting browser credentials and cryptocurrency wallet keys bs58js, which drains a victim's wallet and uses multi-hop transfers to obscure theft and frustrate forensic tracing. lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which functions as a clipper to monitor the system clipboard for cryptocurrency wallet strings and replace them with threat actor‑controlled addresses to reroute transactions to the attackers "As Web3 development converges with mainstream software engineering, the attack surface for blockchain-focused projects is expanding in both scale and complexity," Socket security researcher Kirill Boychenko said. "Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit systemic weaknesses in the software supply chain. These campaigns are iterative, persistent, and increasingly tailored to high-value targets." AI and Slopsquatting The rise of artificial intelligence (AI)-assisted coding, also called vibe coding, has unleashed another novel threat in the form of slopsquatting, where large language models (LLMs) can hallucinate non-existent but plausible package names that bad actors can weaponize to conduct supply chain attacks. Trend Micro, in a report last week, said it observed an unnamed advanced agent "confidently" cooking up a phantom Python package named starlette-reverse-proxy, only for the build process to crash with the error "module not found." However, should an adversary upload a package with the same name on the repository, it can have serious security consequences. Furthermore, the cybersecurity company noted that advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with Model Context Protocol (MCP)-backed validation can help reduce, but not completely eliminate, the risk of slopsquatting. "When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries," security researcher Sean Park said. "While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd" A recent render created using LuxCoreRender shared on the open-source renderer’s Instagram account. The LuxCoreRender team has released version 2.10 of the open-source physically based renderer and BlendLuxCore, its Blender integration plugin.The update – the first stable release in over three years – puts development “back on track”, adding support for the Blender 4 releases, and for Apple Silicon Macs. A hybrid CPU/GPU unbiased render engine, formerly known as LuxRender Formerly known as LuxRender, and rebooted in 2018, LuxCoreRender is an alternative to Blender’s native Cycles renderer, particularly for product and architectural visualization. It’s a physically based render engine with a range of production features and, as of LuxCoreRender 2.0, supports hybrid rendering on CPUs and GPUs. Now compatible with Blender 4.x, and available for Apple Silicon Macs LuxCoreRender 2.10 is the first stable version of the software in over three years: while there have been some experimental updates, the last stable release was LuxCoreRender 2.6.Development then stalled after several of the original key developers left the project. According to the release announcement, the 2.10 release is mainly intended to put development “back on track”. While it doesn’t introduce major new features, it makes the software compatible with the current Blender 4.x releases, and makes it “ready for new development work”. LuxCore Python bindings are now available as wheels on PyPi, making it easier for third-party developers to integrate the renderer into their software. The update also makes LuxCoreRender available for a greater range of platforms: as well as Windows, Linux and Intel Macs, it now runs current Macs with Apple Silicon processors. For GPU acceleration, the software still uses CUDA on NVIDIA hardware, and OpenCL elsewhere: it doesn’t currently use Apple’s Metal API when running on macOS. License and system requirements LuxCoreRender 2.10 is available under an Apache 2.0 licence for Windows, Linux and macOS. BlendLuxCore 2.10 is compatible with Blender 4.2 and 4.3. The experimental 3ds Max integration plugin, MaxToLux, has not been updated, and is no longer available on the downloads page of the LuxCoreRender website. Read more about the new features in LuxCoreRender 2.10 in the release announcement Download LuxCoreRender and BlendLuxCore Have your say on this story by following CG Channel on Facebook, Instagram and X (formerly Twitter). As well as being able to comment on stories, followers of our social media accounts can see videos we don’t post on the site itself, including making-ofs for the latest VFX movies, animations, games cinematics and motion graphics projects.

Someone's hunting for Instagram and TikTok email accounts and triggering the password reset process.

May 20, 2025Ravie LakshmananCybersecurity / Malware Cybersecurity researchers have uncovered malicious packages uploaded to the Python Package Index (PyPI) repository that act as checker tools to validate stolen email addresses against TikTok and Instagram APIs. All three packages are no longer available on PyPI. The names of the Python packages are below - checker-SaGaF (2,605 downloads) steinlurks (1,049 downloads) sinnercore (3,300 downloads) "True to its name, checker-SaGaF checks if an email is associated with a TikTok account and an Instagram account," Socket researcher Olivia Brown said in an analysis published last week. Specifically, the package is designed to send HTTP POST requests to TikTok's password recovery API and Instagram's account login endpoints to determine if an email address passed as input is valid, meaning there exists an account holder corresponding to that email address. "Once threat actors have this information, just from an email address, they can threaten to dox or spam, conduct fake report attacks to get accounts suspended, or solely confirm target accounts before launching a credential stuffing or password spraying exploit," Brown said. "Validated user lists are also sold on the dark web for profit. It can seem harmless to construct dictionaries of active emails, but this information enables and accelerates entire attack chains and minimizes detection by only targeting known-valid accounts." The second package "steinlurks," in a similar manner, targets Instagram accounts by sending forged HTTP POST requests mimicking the Instagram Android app to evade detection. It achieves this by targeting different API endpoints - i.instagram[.]com/api/v1/users/lookup/ i.instagram[.]com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/ i.instagram[.]com/api/v1/accounts/send_recovery_flow_email/ www.instagram[.]com/api/v1/web/accounts/check_email/ "Sinnercore," on the other hand, aims to trigger the forgot password flow for a given username, targeting the API endpoint "b.i.instagram[.]com/api/v1/accounts/send_password_reset/" with fake HTTP requests containing the target's username. "There is also functionality targeting Telegram, namely extracting name, user ID, bio, and premium status, as well as other attributes," Brown explained. "Some parts of sinnercore are focused on crypto utilities, like getting real-time Binance price or currency conversions. It even targets PyPI programmers by fetching detailed info on any PyPI package, likely used for fake developer profiles or pretending to be developers." The disclosure comes as ReversingLabs detailed another malicious package named "dbgpkg" that masquerades as a debugging utility but implants a backdoor on the developer's system to facilitate code execution and data exfiltration. While the package is not accessible anymore, it's estimated to have been downloaded about 350 times. Interestingly, the package in question has been found to contain the same payload as the one embedded in "discordpydebug," which was flagged by Socket earlier this month. ReversingLabs said it also identified a third package called "requestsdev" that's believed to be part of the same campaign. It attracted 76 downloads before being taken down. Further analysis has determined that the package's backdoor technique using GSocket resembles that of Phoenix Hyena (aka DumpForums or Silent Crow), a hacktivist group known for targeting Russian entities, including Doctor Web, in the aftermath of the Russo-Ukrainian war in early 2022. While the attribution is tentative at best, ReversingLabs pointed out that the activity could also be the work of a copycat threat actor. However, the use of identical payloads and the fact that "discordpydebug" was first uploaded in March 2022 strengthen the case for a possible connection to Phoenix Hyena. "The malicious techniques used in this campaign, including a specific type of backdoor implant and the use of Python function wrapping, show that the threat actor behind it is sophisticated and very careful to avoid detection," security researcher Karlo Zanki said. "The use of function wrapping and tools like the Global Socket Toolkit show that the threat actors behind it were also looking to establish long-term presence on compromised systems without being noticed." The findings also coincide with the discovery of a malicious npm package called "koishi‑plugin‑pinhaofa" that installs a data‑exfiltration backdoor in chatbots powered by the Koishi framework. The package is no longer available for download from npm. "Marketed as a spelling‑autocorrect helper, the plugin scans every message for an eight‑character hexadecimal string," security researcher Kirill Boychenko said. "When it finds one, it forwards the full message, potentially including any embedded secrets or credentials, to a hard-coded QQ account." "Eight character hex often represent short Git commit hashes, truncated JWT or API tokens, CRC‑32 checksums, GUID lead segments, or device serial numbers, each of which can unlock wider systems or map internal assets. By harvesting the whole message the threat actor also scoops up any surrounding secrets, passwords, URLs, credentials, tokens, or IDs." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Cybersecurity leaders aren't just dealing with attacks—they're also protecting trust, keeping systems running, and maintaining their organization's reputation. This week's developments highlight a bigger issue: as we rely more on digital tools, hidden weaknesses can quietly grow. Just fixing problems isn't enough anymore—resilience needs to be built into everything from the ground up. That means better systems, stronger teams, and clearer visibility across the entire organization. What's showing up now isn't just risk—it's a clear signal that acting fast and making smart decisions matters more than being perfect. Here's what surfaced—and what security teams can't afford to overlook. ⚡ Threat of the Week Microsoft Fixes 5 Actively Exploited 0-Days — Microsoft addressed a total of 78 security flaws in its Patch Tuesday update for May 2025 last week, out of which five of them have come under active exploitation in the wild. The vulnerabilities include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709. It's currently not known in what context these defects have been exploited, who is behind them, and who was targeted in these attacks. Download the Report ➝ 🔔 Top News Marbled Dust Exploits Output Messenger 0-Day — Microsoft revealed that a Türkiye-affiliated threat actor codenamed Marbled Dust exploited as zero-day a security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024. The attacks, the company said, are associated with the Kurdish military operating in Iraq. The attacks exploited CVE-2025-27920, a directory traversal vulnerability affecting version 2.0.62 that allows remote attackers to access or execute arbitrary files. It was addressed in December 2024. Konni APT Focuses on Ukraine in New Phishing Campaign — The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating the threat actor's targeting beyond Russia amidst the ongoing Russo-Ukrainian war. Proofpoint, which disclosed details of the activity, said the objective of the attacks is to collect intelligence on the "trajectory of the Russian invasion." The attack chains entail the use of phishing emails that impersonate a fictitious senior fellow at a non-existent think tank, tricking recipients into visiting credential harvesting pages or downloading malware that can conduct extensive reconnaissance of the compromised machines. Coinbase Discloses Data Breach — Cryptocurrency giant Coinbase disclosed that unknown cyber actors broke into its systems and stole account data for a small subset of its customers. The activity bribed its customer support agents based in India to obtain a list of customers, who were then approached as part of a social engineering attack to transfer their digital assets to a wallet under the threat actor's control. The attackers also unsuccessfully attempted to extort the company for $20 million on May 11, 2025, by claiming to have information about certain customer accounts as well as internal documents. The compromised agents have since been terminated. While no passwords, private keys, or funds were exposed, the attackers made away with some amount of personal information, including names, addresses, phone numbers, email addresses, government ID images, and account balances. Coinbase did not disclose how many of its customers fell for the scam. Besides voluntarily reimbursing retail customers who were duped into sending cryptocurrency to scammers, Coinbase is offering a $20 million reward to anyone who can help identify and bring down the perpetrators of the cyber attack. APT28 Behind Attacks Targeting Webmail Services — APT28, a hacking group linked to Russia's Main Intelligence Directorate (GRU), has been targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities. The attacks, ongoing since at least 2023, targeted governmental entities and defense companies in Eastern Europe, although governments in Africa, Europe, and South America were also singled out. The victims in 2024 alone included officials from regional national governments in Ukraine, Greece, Cameroon and Serbia, military officials in Ukraine and Ecuador, and employees of defense contracting firms in Ukraine, Romania and Bulgaria. The group's spear-phishing campaign used fake headlines mimicking prominent Ukrainian news outlets like the Kyiv Post about the Russia-Ukraine war, seemingly in an attempt to entice targets into opening the messages using the affected webmail clients. Those who opened the email messages using the affected webmail clients were served, via the XSS flaws, a custom JavaScript payload capable of exfiltrating contacts and email data from their mailboxes. One of the payloads could steal passwords and two-factor authentication codes, allowing the attackers to bypass account protections. The malware is also designed to harvest the email credentials, either by tricking the browser or password manager into pasting those credentials into a hidden form or getting the user to log out, whereupon they were served a bogus login page. Earth Ammit Breaches Drone Supply Chains to Target Taiwan and South Korea — The threat actor known as Earth Ammit targeted a broader range of organizations than just Taiwanese drone manufacturers, as initially supposed. While the set of attacks was believed to be confined to drone manufacturers in Taiwan, a subsequent analysis has uncovered that the campaign is more broader and sustained in scope than previously thought, hitting the heavy industry, media, technology, software services, healthcare, satellite, and military-adjacent supply chains, and payment service providers in both South Korea and Taiwan. The attacks targeted software vendors and service providers as a way to reach their desired victims, who were the vendors' downstream customers. "Earth Ammit's strategy centered around infiltrating the upstream segment of the drone supply chain. By compromising trusted vendors, the group positioned itself to target downstream customers – demonstrating how supply chain attacks can ripple out and cause broad, global consequences," Trend Micro noted. "Earth Ammit's long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach." ‎️‍🔥 Trending CVEs Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out. This week's list includes — CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 (Microsoft Windows), CVE-2025-42999 (SAP NetWeaver), CVE-2024-11182 (MDaemon), CVE-2025-4664 (Google Chrome), CVE-2025-4632 (Samsung MagicINFO 9 Server), CVE-2025-32756 (Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera), CVE-2025-4427, CVE-2025-4428 (Ivanti Endpoint Manager Mobile), CVE-2025-3462, CVE-2025-3463 (ASUS DriverHub), CVE-2025-47729 (TeleMessage TM SGNL), CVE-2025-31644 (F5 BIG-IP), CVE-2025-22249 (VMware Aria Automation), CVE-2025-27696 (Apache Superset), CVE-2025-4317 (TheGem WordPress theme), CVE-2025-23166 (Node.js), CVE-2025-47884 (Jenkins OpenID Connect Provider Plugin), CVE-2025-47889 (Jenkins WSO2 Oauth Plugin), CVE-2025-4802 (Linux glibc), and CVE-2025-47539 (Eventin plugin). 📰 Around the Cyber World Attackers Leverage PyInstaller to Drop Infostealers on Macs — Attackers are using PyInstaller to deploy information stealers on macOS systems. These ad-hoc signed samples bundle Python code into Mach-O executables using PyInstaller, allowing them to be run without requiring Python to be installed or meet version compatibility requirements. "As infostealers continue to become more prevalent in the macOS threat landscape, threat actors will continue the search for new ways to distribute them," Jamf said. "While the use of PyInstaller to package malware is not uncommon, this marks the first time we've observed it being used to deploy an infostealer on macOS." Kosovo National Extradited to the U.S. for Running BlackDB.cc — A 33-year-old Kosovo national named Liridon Masurica has been extradited to the United States to face charges of running an online cybercrime marketplace active since 2018. He has been charged with five counts of fraudulent use of unauthorized access devices and one count of conspiracy to commit access device fraud. If convicted on all counts, Masurica faces a maximum penalty of 55 years in federal prison. He was taken into custody by authorities in Kosovo on December 12, 2024. Masurica is alleged to be the lead administrator of BlackDB.cc from 2018 to the present. "BlackDB.cc illegally offered for sale compromised account and server credentials, credit card information, and other personally identifiable information of individuals primarily located in the United States," the Justice Department said. "Once purchased, cybercriminals used the items purchased on BlackDB.cc to facilitate a wide range of illegal activity, including tax fraud, credit card fraud, and identity theft." Former BreachForums Admin to Pay $700k in Healthcare Breach — Conor Brian Fitzpatrick, aka Pompompurin, a former administrator of the BreachForums cybercrime forum, will forfeit roughly $700,000 in a civil lawsuit settlement related to Nonstop Health, a health insurance company whose customer data was posted for sale on the forum in 2023. Fitzpatrick was sentenced to time served last year, but he went on to violate the terms of his release. He is set to be resentenced next month. Tor Announces Oniux for Kernel-Level Tor Isolation — The Tor project has announced a new command-line utility called oniux that provides Tor network isolation for third-party applications using Linux namespaces. This effectively creates a fully isolated network environment for each application, preventing data leaks even if the app is malicious or misconfigured. "Built on Arti, and onionmasq, oniux drop-ships any Linux program into its own network namespace to route it through Tor and strips away the potential for data leaks," the Tor project said. "If your work, activism, or research demands rock-solid traffic isolation, oniux delivers it." DoJ Charges 12 More in RICO Conspiracy — The U.S. Department of Justice announced charges against 12 more people for their alleged involvement in a cyber-enabled racketeering conspiracy throughout the United States and abroad that netted them more than $263 million. Several of these individuals are said to have been arrested in the U.S., with two others living in Dubai. They face charges related to RICO conspiracy, conspiracy to commit wire fraud, money laundering, and obstruction of justice. The defendants are also accused of stealing over $230 million in cryptocurrency from a victim in Washington D.C. "The enterprise began no later than October 2023 and continued through March 2025," the Justice Department said. "It grew from friendships developed on online gaming platforms. Members of the enterprise held different responsibilities. The various roles included database hackers, organizers, target identifiers, callers, money launderers, and residential burglars targeting hardware virtual currency wallets." The attacks involved database hackers breaking into websites and servers to obtain cryptocurrency-related databases or acquiring databases on the dark web. The miscreants then determined the most valuable targets and cold-called them, using social engineering to convince them their accounts were the subject of cyber attacks and that they were helping them take steps to secure their accounts. The end goal of these attacks was to siphon the cryptocurrency assets, which were then laundered and converted into fiat U.S. currency in the form of bulk cash or wire transfers. The money was then used to fund a lavish lifestyle for the defendants. "Following his arrest in September 2024 and continuing while in pretrial detention, Lam is alleged to have continued working with members of the enterprise to pass and receive directions, collect stolen cryptocurrency, and have enterprise members buy luxury Hermes Birkin bags and hand-deliver them to his girlfriend in Miami, Florida," the agency said. ENISA Launches EUVD Vulnerability Database — The European Union launched a new vulnerability database called the European Vulnerability Database (EUVD) to provide aggregated information regarding security issues affecting various products and services. "The database provides aggregated, reliable, and actionable information such as mitigation measures and exploitation status on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services," the European Union Agency for Cybersecurity (ENISA) said. The development comes in the wake of uncertainty over MITRE's CVE program in the U.S., after which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stepped in at the last minute to extend their contract with MITRE for another 11 months to keep the initiative running. 3 Information Stealers Detected in the Wild — Cybersecurity researchers have exposed the workings of three different information stealer malware families, codenamed DarkCloud Stealer, Chihuahua Stealer, and Pentagon Stealer, that are capable of extracting sensitive data from compromised hosts. While DarkCloud has been advertised in hacking forums as early as January 2023, attacks distributing the malware have primarily focused on government organizations since late January 2025. DarkCloud is distributed as AutoIt payloads via phishing emails using PDF purchase order lures that display a message claiming their Adobe Flash Player is out of date. Chihuahua Stealer, on the other hand, is a .NET-based malware that employs an obfuscated PowerShell script shared through a malicious Google Drive document. First discovered in March 2025, Pentagon Stealer makes use of Golang to realize its goals. However, a Python variant of the same stealer was detected at least a year prior when it was propagated via fake Python packages uploaded to the PyPI repository. Kaspersky Outlines Malware Trends for Industrial Systems in Q1 2025 — Kaspersky revealed that the percentage of ICS computers on which malicious objects were blocked in Q1 2025 remained unchanged from Q4 2024 at 21.9%. "Regionally, the percentage of ICS computers on which malicious objects were blocked ranged from 10.7% in Northern Europe to 29.6% in Africa," the Russian security company said. "The biometrics sector led the ranking of the industries and OT infrastructures surveyed in this report in terms of the percentage of ICS computers on which malicious objects were blocked." The primary categories of detected malicious objects included malicious scripts and phishing pages, denylisted internet resources, and backdoors, and keyloggers. Linux Flaws Surge by 967% in 2024 — The number of newly discovered Linux and macOS vulnerabilities increased dramatically in 2024, rising by 967% and 95% in 2024. The year was also marked by a 96% jump in exploited vulnerabilities from 101 in 2023 to 198 in 2024, and an unprecedented 37% rise in critical flaws across key enterprise applications. "The total number of software vulnerabilities grew by 61% YoY in 2024, with critical vulnerabilities rising by 37.1% – a significant expansion of the global attack surface and exposure of critical weaknesses across diverse software categories," Action1 said. "Exploits spiked 657% in browsers and 433% in Microsoft Office, with Chrome leading all products in known attacks." But in a bit of good news, there was a decrease in remote code execution vulnerabilities for Linux (-85% YoY) and macOS (-44% YoY). Europol Announces Takedown of Fake Trading Platform — Law enforcement authorities have disrupted an organized crime group that's assessed to be responsible for defrauding more than 100 victims of over €3 million ($3.4 million) through a fake online investment platform. The effort, a joint exercise conducted by Germany, Albania, Cyprus, and Israel, has also led to the arrest of a suspect in Cyprus. "The criminal network lured victims with the promise of high returns on investments through a fraudulent online trading platform," Europol said. "After the victims made initial smaller deposits, they were pressured to invest larger amounts of money, manipulated by fake charts showing fabricated profits. Criminals posing as brokers used psychological tactics to convince the victims to transfer substantial funds, which were never invested but directly pocketed by the group." Two other suspects were previously arrested from Latvia in September 2022 as part of the multi-year probe into the criminal network. New "defendnot" Tool Can Disable Windows Defender — A security researcher who goes by the online alias es3n1n has released a tool called "defendnot" that can disable Windows Defender by means of a little-known API. "There's a WSC (Windows Security Center) service in Windows which is used by antiviruses to let Windows know that there's some other antivirus in the hood and it should disable Windows Defender," the researcher explained. "This WSC API is undocumented and furthermore requires people to sign an NDA with Microsoft to get its documentation." Rogue Communication Devices Found in Some Chinese Solar Power Inverters — Reuters reported that U.S. energy officials are reassessing the risk posed by Chinese-made solar power inverters after unexplained communication equipment was found inside some of them. The rogue components are designed to provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, according to two people familiar with the matter. This could then be used to switch off inverters remotely or change their settings, enabling bad actors to destabilize power grids, damage energy infrastructure, and trigger widespread blackouts. Undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, the report added. Israel Arrest Suspect Behind 2022 Nomad Bridge Crypto Hack — Israeli authorities have arrested and approved the extradition of a Russian-Israeli dual national Alexander Gurevich over his alleged involvement in the Nomad Bridge hack in August 2022 that allowed hackers to steal $190 million. Gurevich is said to have conspired with others to execute an exploit for the bridge's Replica smart contract and launder the resulting proceeds through a sophisticated, multi-layered operation involving privacy coins, mixers, and offshore financial entities. "Gurevich played a central role in laundering a portion of the stolen funds. Blockchain analysis shows that wallets linked to Gurevich received stolen assets within hours of the bridge breach and began fragmenting the funds across multiple blockchains," TRM Labs said. "He then employed a classic mixer stack: moving assets through Tornado Cash on Ethereum, then converting ETH to privacy coins such as Monero (XMR) and Dash." Using V8 Browser Exploits to Bypass WDAC — Researchers have uncovered a sophisticated technique that leverages vulnerable versions of the V8 JavaScript engine to bypass Windows Defender Application Control (WDAC). "The attack scenario is a familiar one: bring along a vulnerable but trusted binary, and abuse the fact that it is trusted to gain a foothold on the system," IBM X-Force said. "In this case, we use a trusted Electron application with a vulnerable version of V8, replacing main.js with a V8 exploit that executes stage 2 as the payload, and voila, we have native shellcode execution. If the exploited application is whitelisted/signed by a trusted entity (such as Microsoft) and would normally be allowed to run under the employed WDAC policy, it can be used as a vessel for the malicious payload." The technique builds upon previous findings that make it possible to sidestep WDAC policies by backdooring trusted Electron applications. Last month, CerberSec detailed another method that employs WinDbg Preview to get around WDAC policies. 🎥 Cybersecurity WebinarsDevSecOps Is Broken — This Fix Connects Code to Cloud to SOC Modern applications don't live in one place—they span code, cloud, and runtime. Yet security is still siloed. This webinar shows why securing just the code isn't enough. You'll learn how unifying AppSec, cloud, and SOC teams can close critical gaps, reduce response times, and stop attacks before they spread. If you're still treating dev, infra, and operations as separate problems, it's time to rethink. 🔧 Cybersecurity Tools Qtap → It is a lightweight eBPF tool for Linux that shows what data is being sent and received—before or after encryption—without changing your apps or adding proxies. It runs with minimal overhead and captures full context like process, user, and container info. Useful for auditing, debugging, or analyzing app behavior when source code isn't available. Checkov → It is a fast, open-source tool that scans infrastructure-as-code and container packages for misconfigurations, exposed secrets, and known vulnerabilities. It supports Terraform, Kubernetes, Docker, and more—using built-in security policies and Sigma-style rules to catch issues early in the development process. TrailAlerts → It is a lightweight, serverless AWS-native tool that gives you full control over CloudTrail detections using Sigma rules—without needing a SIEM. It's ideal for teams who want to write, version, and manage their own alert logic as code, but find CloudWatch rules too limited or complex. Built entirely on AWS services like Lambda, S3, and DynamoDB, TrailAlerts lets you detect suspicious activity, correlate events, and send alerts through SNS or SES—without managing infrastructure or paying for unused capacity. 🔒 Tip of the Week Catch Hidden Threats in Files Users Trust Too Much → Hackers are using a quiet but dangerous trick: hiding malicious code inside files that look safe — like desktop shortcuts, installer files, or web links. These aren't classic malware files. Instead, they run trusted apps like PowerShell or curl in the background, using basic user actions (like opening a file) to silently infect systems. These attacks often go undetected because the files seem harmless, and no exploits are used — just misuse of normal features. To detect this, focus on behavior. For example, .desktop files in Linux that run hidden shell commands, .lnk files in Windows launching PowerShell or remote scripts, or macOS .app files silently calling terminal tools. These aren't rare anymore — attackers know defenders often ignore these paths. They're especially dangerous because they don't need admin rights and are easy to hide in shared folders or phishing links. You can spot these threats using free tools and simple rules. On Windows, use Sysmon and Sigma rules to alert on .lnk files starting PowerShell or suspicious child processes from explorer.exe. On Linux or macOS, use grep or find to scan .desktop and .plist files for odd execution patterns. To test your defenses, simulate these attack paths using MITRE CALDERA — it's free and lets you safely model real-world attacker behavior. Focusing on these overlooked execution paths can close a major gap attackers rely on every day. Conclusion The headlines may be over, but the work isn't. Whether it's rechecking assumptions, prioritizing patches, or updating your response playbooks, the right next step is rarely dramatic—but always decisive. Choose one, and move with intent. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

May 13, 2025Ravie LakshmananSupply Chain Attack / Blockchain Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that purports to be an application related to the Solana blockchain, but contains malicious functionality to steal source code and developer secrets. The package, named solana-token, is no longer available for download from PyPI, but not before it was downloaded 761 times. It was first published to PyPI in early April 2024, albeit with an entirely different version numbering scheme. "When installed, the malicious package attempts to exfiltrate source code and developer secrets from the developer's machine to a hard-coded IP address," ReversingLabs researcher Karlo Zanki said in a report shared with The Hacker News. In particular, the package is designed to copy and exfiltrate the source code contained in all the files in the Python execution stack under the guise of a blockchain function named "register_node()." This unusual behavior suggests that the attackers are looking to exfiltrate sensitive crypto-related secrets that may be hard-coded in the early stages of writing a program incorporating the malicious function in question. It's believed that developers looking to create their own blockchains were the likely targets of the threat actors behind the package. This assessment is based on the package name and the functions built into it. The exact method by which the package may have been distributed to users is currently not known, although it's likely to have been promoted on developer-focused platforms. If anything, the discovery underscores the fact that cryptocurrency continues to be one of the most popular targets for supply chain threat actors, necessitating that developers take steps to scrutinize every package before using it. "Development teams need to aggressively monitor for suspicious activity or unexplained changes within both open source and commercial, third-party software modules," Zanki said. "By stopping malicious code before it is allowed to penetrate secure development environments, teams can prevent the kind of destructive supply chain attacks." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    