CyberSecurity news
FlagThis
drewt@secureworldexpo.com (Drew@SecureWorld News
//
A surge in malicious packages targeting crypto wallets, Telegram tokens, and codebase integrity has been reported across npm, PyPI, and RubyGems, highlighting the persistent vulnerability of the open-source software supply chain. Threat actors are actively exploiting human trust by publishing clones of legitimate software packages. Once installed, these malicious clones execute harmful payloads, ranging from cryptocurrency theft to complete codebase deletion. Researchers have uncovered instances where Telegram API traffic is rerouted to attacker-controlled command-and-control servers, exfiltrating sensitive data like bot tokens, chat IDs, message content, and attached files.
This malicious activity is not limited to package repositories. A sophisticated campaign has been uncovered, utilizing deceptive websites spoofing Gitcodes and Docusign, to trick users into running malicious PowerShell scripts on their Windows machines. These websites lure victims into copying and pasting scripts into the Windows Run prompt, leading to the installation of the NetSupport RAT (Remote Access Trojan). The scripts often employ multi-stage downloaders, retrieving additional payloads from various domains to further compromise the infected system.
Sophos researchers also exposed a large-scale GitHub campaign where backdoored malware was disguised as legitimate tools. This campaign revolved around numerous repositories posing as exploits, game cheats, and open-source tools. Compiling the code triggered infection chains involving VBS scripts, PowerShell downloads, and obfuscated Electron apps, ultimately deploying info-stealers and RATs. These campaigns use various methods of deception, including automated commits to give the impression of active development and obfuscation of payloads to avoid detection, showing the lengths these actors will go to to exploit the software supply chain.
ImgSrc: www.secureworld
References :
This malicious activity is not limited to package repositories. A sophisticated campaign has been uncovered, utilizing deceptive websites spoofing Gitcodes and Docusign, to trick users into running malicious PowerShell scripts on their Windows machines. These websites lure victims into copying and pasting scripts into the Windows Run prompt, leading to the installation of the NetSupport RAT (Remote Access Trojan). The scripts often employ multi-stage downloaders, retrieving additional payloads from various domains to further compromise the infected system.
Sophos researchers also exposed a large-scale GitHub campaign where backdoored malware was disguised as legitimate tools. This campaign revolved around numerous repositories posing as exploits, game cheats, and open-source tools. Compiling the code triggered infection chains involving VBS scripts, PowerShell downloads, and obfuscated Electron apps, ultimately deploying info-stealers and RATs. These campaigns use various methods of deception, including automated commits to give the impression of active development and obfuscation of payloads to avoid detection, showing the lengths these actors will go to to exploit the software supply chain.
ImgSrc: www.secureworld
Share:
References :
- SecureWorld News: Malicious Open-Source Packages Target Crypto Wallets, Telegram Tokens, and Codebases
- The Hacker News: Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack
Classification:
- HashTags: #SupplyChain #Malware #OpenSource
- Company: Multiple
- Target: Developers, gamers, crypto users
- Product: npm, PyPI, RubyGems
- Feature: package management
- Malware: NetSupport RAT
- Type: Malware
- Severity: HighRisk