CyberSecurity news

FlagThis - #github

@gbhackers.com //
CrazyHunter, a new ransomware group, has emerged as a significant cyber threat that specifically targets organizations in Taiwan. Its victims are predominantly in the healthcare, education, and industrial sectors, indicating a focus on organizations with valuable data and sensitive operations. Since January, CrazyHunter's operations have shown a clear pattern of targeting Taiwanese organizations: the group introduced itself with a data leak site listing ten victims, all located in Taiwan, demonstrating a strategic, regionally focused campaign.

CrazyHunter's toolkit relies heavily on open-source tools sourced from GitHub, with approximately 80% of its arsenal being open-source, including the Prince Ransomware Builder and ZammoCide. This approach significantly lowers the technical barrier to building tailored, potent ransomware and lets the group adapt and extend its operations rapidly. The group has also been seen modifying existing open-source tools as its capabilities grow.

The ransomware deployment process uses Bring Your Own Vulnerable Driver (BYOVD) techniques to bypass security controls: a customized process killer derived from the open-source project ZammoCide exploits the zam64.sys driver to neutralize defenses, specifically targeting antivirus and endpoint detection and response (EDR) products. The ransomware itself, a bespoke variant written in Go, uses ChaCha20 and ECIES encryption to lock files, appending a “.Hunter” extension. This demonstrates a sophisticated and targeted approach to ransomware deployment.

References:
  • gbhackers.com: Analysis of the CrazyHunter group highlights its sophisticated methodology in exploiting accessible open-source tools and targeting various sectors within Taiwan.
  • www.trendmicro.com: Trend Micro details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwan's essential services.
  • cyberpress.org: CyberPress - CrazyHunter Hackers Leverage GitHub Open-Source Tools to Launch Attacks on Organizations
  • securityonline.info: The group's reliance on readily available GitHub resources underscores a trend of attackers leveraging public repositories for their operations.

Nathaniel Morales@feeds.trendmicro.com //
The Albabat ransomware has evolved, now targeting Windows, Linux, and macOS systems, according to recent research. This marks a significant expansion in the group's capabilities, showcasing increased sophistication in exploiting multiple operating systems. Trend Micro researchers uncovered this evolution, noting the ransomware group leverages GitHub to streamline their operations, enhancing the efficiency and reach of their attacks.

Albabat ransomware version 2.0 gathers system and hardware information on Linux and macOS systems and uses a GitHub account to store and deliver configuration files. This allows the attackers to manage operations centrally and update tools efficiently. The GitHub repository is private but accessible with an authentication token, and its commit history shows active development.

Recent versions of Albabat ransomware retrieve configuration data through the GitHub REST API, using a User-Agent string labeled "Awesome App." The ransomware encrypts files with extensions including .exe, .dll, .mp3, and .pdf, while ignoring folders such as Searches and AppData. It also terminates processes such as taskmgr.exe and regedit.exe to evade detection. It tracks infections and payments in a PostgreSQL database and potentially sells stolen data.

References:
  • Cyber Security News: The Albabat ransomware has expanded its operation by utilizing GitHub to streamline its operation.
  • gbhackers.com: The Albabat ransomware group has been observed expanding its operations to target not only Windows but also Linux and macOS systems, marking a significant evolution in its capabilities. They are leveraging GitHub to streamline their ransomware operations.
  • : Trend Micro observed a continuous development of Albabat ransomware, designed to expand attacks and streamline operations. The authors seem to be targeting Linux and macOS systems now.
  • www.trendmicro.com: New versions of Albabat ransomware have been detected that target Windows, Linux, and macOS devices. The group is utilizing GitHub to streamline their operations.
  • hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
  • Carly Page: Mastodon: Hackers are ramping up attempts to exploit a trio of year-old ServiceNow vulnerabilities to break into unpatched company instances
  • techcrunch.com: TechCrunch: Hackers are ramping up attacks using year-old ServiceNow security bugs to break into unpatched systems
  • www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
  • bsky.app: Albabat Ransomware Group Potentially Expands Targets to Multiple OS, Uses GitHub to Streamline Operations https://buff.ly/IWRowB3
  • Talkback Resources: New Attacks Exploit Year-Old ServiceNow Flaws - Israel Hit Hardest [app] [exp]
  • www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
  • Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
  • Cyber Security News: Albabat Ransomware Adds Linux and macOS to its Expanding List of Targets
  • gbhackers.com: Albabat Ransomware Expands Reach to Target Linux and macOS Platforms
  • www.cysecurity.news: Albabat Ransomware Evolves with Cross-Platform Capabilities and Enhanced Attack Efficiency
  • ciso2ciso.com: New versions of the Albabat ransomware target Windows, Linux, and macOS, and retrieve configuration files from GitHub. The post appeared first on SecurityWeek.

Divya@gbhackers.com //
References: www.scworld.com, gbhackers.com
Critical vulnerabilities in the ruby-saml library, tracked as CVE-2025-25291 and CVE-2025-25292, allow attackers to bypass authentication in applications using the library for Single Sign-On (SSO). These flaws stem from discrepancies in XML parsing between REXML and Nokogiri, potentially leading to account takeovers. An attacker possessing a valid signature from the targeted organization can craft SAML assertions to log in as any user.

The vulnerabilities were discovered during a security review by GitHub's Security Lab, prompting GitLab to release critical patches in versions 17.9.2, 17.8.5, and 17.7.7 for Community Edition and Enterprise Edition. Organizations are urged to upgrade to the latest ruby-saml version to mitigate the risk of authentication bypass and account hijacking. The ruby-saml library is used in various applications and products, including GitLab.

References:
  • www.scworld.com: Account hijacking possible with ruby-saml library bugs
  • gbhackers.com: Critical ruby-saml Vulnerabilities Allow Attackers to Bypass Authentication
  • bsky.app: GitHub's security team has discovered a combo of two bugs in the Ruby-SAML library that can be used to bypass authentication in apps that use the library.

@itpro.com //
A critical security incident has been detected involving the widely used GitHub Action "tj-actions/changed-files," tracked as CVE-2025-30066. The compromise involved attackers modifying the action's code and retroactively updating multiple version tags to point to the malicious commit. This allowed the malicious code to print CI/CD secrets in GitHub Actions build logs, potentially exposing them in public repositories. The "tj-actions/changed-files" GitHub Action is used in over 23,000 repositories, making the scale of this compromise significant. GitHub has removed the "tj-actions/changed-files" Action, preventing it from being used in GitHub Actions workflows.

The malicious commit, identified as 0e58ed8 ("chore(deps): lock file maintenance (#2460)"), was added to all 361 tagged versions of the GitHub action. This commit introduced a script that can leak CI/CD secrets from runner memory. The anomaly was detected by StepSecurity's Harden-Runner, which identified suspicious outbound network requests directed at gist.githubusercontent.com. Immediate action is necessary to mitigate the risk of credential theft and CI pipeline compromise. StepSecurity has urged maintainers of public repositories using the compromised Action to review recovery steps immediately, as multiple public repositories have been found to have leaked secrets in build logs.

References:
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • securityonline.info: Popular GitHub Action “tj-actions/changed-files” Compromised (CVE-2025-30066)
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know

@itpro.com //
References: Rescana, Wiz Blog | RSS feed, Dan Goodin ...
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.

This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.
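Because the attack worked by moving existing version tags to a malicious commit, the first thing a defender should check is whether workflows reference actions by an immutable commit SHA rather than a tag or branch. The scanner below is an added example, not code from the original article, from StepSecurity or from the tj-actions project; it assumes workflow YAML text as input and uses a constructed sample workflow.

```python
"""Flag GitHub Actions workflow steps that reference an action by a mutable ref.

Added example, not code from the original article. The tj-actions/changed-files
compromise moved existing version tags to a malicious commit, so a workflow using
`uses: tj-actions/changed-files@vN` silently ran the new code; a full 40-character
commit SHA cannot be moved. This regex scanner (no PyYAML needed) reports every
remote `uses:` reference that is not SHA-pinned. The sample workflow is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional
# Matches `uses: owner/repo[/path]@ref`, optionally quoted, with an optional `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@'\"\s]+)@(?P<ref>[^'\"\s#]+)['\"]?"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str

def classify_ref(ref: str) -> Optional[str]:
    """Return None for an immutable pin, otherwise a short reason the ref is risky."""
    if FULL_SHA_RE.match(ref):
        return None
    if SHORT_SHA_RE.match(ref):
        return "abbreviated SHA: use all 40 characters"
    if ref in ("main", "master") or ref.startswith("refs/heads/"):
        return "branch ref: tracks every future commit on the branch"
    return "tag ref: the tag can be moved to another commit"

def scan_workflow(text: str) -> list:
    """Return one Finding per remote action reference that is not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group("action").startswith("docker://"):
            continue  # not a `uses:` line, or a container image (out of scope here)
        reason = classify_ref(m.group("ref"))
        if reason is not None:
            findings.append(Finding(lineno, m.group("action"), m.group("ref"), reason))
    return findings

# Constructed sample: a mutable tag, a branch, a correct full-SHA pin, and a local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/helper-action@main
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.reason}")
```

Run it across every file under `.github/workflows/` to get an inventory of mutable references; a pinned SHA still needs to be bumped deliberately when the action is updated, which is the point.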

References:
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • Dan Goodin: Is anyone following this breach involving the tj-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
  • securityonline.info: Popular GitHub Action “tj-actions/changed-files” Compromised (CVE-2025-30066)
  • Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
  • www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
  • : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
  • Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack discusses the tj-actions/changed-files supply chain attack.
  • The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
  • BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
  • www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
  • Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
  • gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
  • hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
  • www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
  • bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
  • Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
  • unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
  • Legit Security Blog: Github Actions tj-actions/changed-files Attack
  • Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-files” Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
  • securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
  • bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
  • blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
  • Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
  • Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
  • thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
  • The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
  • Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
  • Schneier on Security: Critical GitHub Attack
  • Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
  • www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
  • tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram

Amar Ćemanović@CyberInsider //
Microsoft is warning of a large-scale malvertising campaign that has impacted nearly one million devices worldwide, starting in early December 2024. The attack originates from illegal streaming websites using embedded malvertising redirectors. These redirectors lead users to GitHub, Discord, and Dropbox where initial access payloads are hosted. The primary goal of this campaign, tracked under the name Storm-0408, is to steal sensitive information from both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.

The attackers used a multi-stage approach, with GitHub serving as the primary platform for delivering the initial malware. This malware then deploys additional malicious files and scripts designed to collect system information and exfiltrate documents and data. Microsoft has since taken down the malicious repositories with the collaboration of the GitHub security team. The attack also employs a sophisticated redirection chain, with the initial redirector embedded within an iframe element on the illegal streaming websites.

References:
  • The Hacker News: Microsoft Warns of Malvertising Campaign Infecting Over 1 Million Devices Worldwide
  • Microsoft Security Blog: Malvertising campaign leads to info stealers hosted on GitHub
  • CyberInsider: Microsoft has uncovered a large-scale malvertising campaign that compromised nearly one million devices worldwide, distributing information-stealing malware via GitHub. The attack, detected in early December 2024, originated from illegal streaming websites that redirected users through multiple malicious domains before delivering payloads hosted on GitHub, Dropbox, and Discord.
  • Hidden Dragon: Nearly 1 million Windows devices were targeted in recent months by a sophisticated "malvertising" campaign that surreptitiously stole login credentials, cryptocurrency, and other sensitive information from infected machines.
  • hackread.com: Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox
  • www.techradar.com: Microsoft reveals over a million PCs hit by malvertising campaign
  • www.bleepingcomputer.com: Microsoft says malvertising campaign impacted 1 million PCs
  • Tech Monitor: Microsoft neutralises malvertising scheme that affected one million devices
  • Cyber Security News: Microsoft Warns That 1 Million Devices Are Infected by Malware from GitHub
  • gbhackers.com: 1 Million Devices Infected by Malware from GitHub
  • The Register - Security: Microsoft admits GitHub hosted malware that infected almost a million devices
  • securityonline.info: Microsoft Uncovers Massive Malvertising Campaign Distributing Info Stealers via GitHub
  • Virus Bulletin: Microsoft researchers detail their investigation of a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information.
  • www.itpro.com: Microsoft has alerted users to a malvertising campaign leveraging GitHub to infect nearly 1 million devices around the world.
  • Security Risk Advisors: Malvertising Campaign Targets One Million Devices with Info Stealers Hosted on GitHub
  • Digital Information World: Microsoft Discovers Massive Malvertising Campaign Infecting Over 1 Million Devices
  • securityaffairs.com: Microsoft Threat Intelligence Center (MSTIC) observed a massive malvertising campaign leveraging GitHub to deliver malware.
  • www.csoonline.com: Almost 1 million business and home PCs compromised after users visited illegal streaming sites: Microsoft
  • The DefendOps Diaries: 🚩 Malvertising Campaign Targets One Million Devices with Info Stealers Hosted on GitHub

Pierluigi Paganini@Security Affairs //
The GitVenom campaign, a sophisticated cyber threat, has been uncovered exploiting GitHub repositories to spread malicious code and steal cryptocurrency. The campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users’ systems. The attackers craft these fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#, to lure unsuspecting developers. The projects often promise functionality such as automation tools but instead deploy malicious payloads that download additional components from attacker-controlled repositories.

The malicious components include a Node.js stealer that collects sensitive information such as credentials and cryptocurrency wallet data and uploads it to the attackers. According to the Securelist report, a clipboard hijacker is also used to replace cryptocurrency wallet addresses, leading to significant financial theft. Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials, with one attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.

References:
  • Cyber Security News: GitVenom Campaign Exploits Thousands of GitHub Repositories to Spread Infections
  • gbhackers.com: The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware and steal cryptocurrency.
  • Talkback Resources: Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials through fraudulent repositories, resulting in the attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.
  • Talkback Resources: Open-source code has a significant impact on software development, but developers should be cautious of the GitVenom campaign involving threat actors creating fake projects on GitHub to distribute malicious code and steal sensitive information.
  • The Hacker News: GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets
  • securityaffairs.com: GitVenom campaign targets gamers and crypto investors by posing as fake GitHub projects
  • The Register - Security: Reports that more than 200 GitHub repos are hosting fake projects laced with malicious software.
  • BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
  • Talkback Resources: Malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
  • Help Net Security: Hundreds of GitHub repos served up malware for years
  • bsky.app: Bluesky post about the malware campaign GitVenom.
  • BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers.
  • aboutdfir.com: GitVenom attacks abuse hundreds of GitHub repos to steal crypto
  • bsky.app: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.