CyberSecurity news

FlagThis - #supplychain

djohnson@CyberScoop //
The US Treasury Department has confirmed a major cyber incident involving Chinese state-sponsored hackers who gained unauthorized access to employee workstations and unclassified documents. The breach occurred after a third-party software provider, BeyondTrust, was compromised, allowing the attackers to obtain a security key used for remote technical support. This key enabled the hackers to bypass security measures and remotely access Treasury systems and exfiltrate sensitive information. The Treasury was notified of the breach on December 8th and has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other agencies to investigate the full impact of the incident.

The compromised BeyondTrust service has since been taken offline, and there is currently no evidence to suggest the threat actors still have access to Treasury systems. The Treasury Department has classified the incident as a “major incident” and has reaffirmed its commitment to bolstering cybersecurity defenses, highlighting the importance of addressing third-party vulnerabilities. The breach follows a series of other recent cyberattacks linked to China, further raising concerns about the security posture of the US government.

Recommended read:
References:
  • CyberScoop: Treasury workstations hacked by China-linked threat actors
  • Federal News Network: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
  • siliconangle.com: Third-party provider hack exposes US Treasury Department unclassified documents
  • Techmeme: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
  • bsky.app: Chinese state-sponsored hackers broke into the U.S. Treasury Department this month and stole documents from its workstations, according to a letter to lawmakers
  • Chuck Darwin: US treasury’s workstations breached in cyber-attack by China – report A Chinese state-sponsored actor broke into the US treasury department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday.
  • www.theguardian.com: US treasury’s workstations breached in cyber-attack by China – report
  • techcrunch.com: US Treasury says China accessed government documents in ‘major’ cyberattack
  • cyberscoop.com: Treasury workstations hacked by China-linked threat actors
  • techcrunch.com: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
  • International homepage: ‘In a letter to 🇺🇸 Senate banking committee seen by the Financial Times, the department said it had been informed on December 8 by software company BeyondTrust that a hacker had breached several remote government workstations by obtaining a security key and had in turn gained access to unclassified documents on them.’
  • www.benzinga.com: China-Linked Hackers Breach US Department Of Treasury
  • malware.news: Chinese-sponsored hackers accessed Treasury documents in ‘major incident’
  • www.cnn.com: CNN: China-backed hackers breached US Treasury workstations.
  • Michael West: Treasury says Chinese hackers accessed workstations
  • SiliconANGLE: Third-party provider hack exposes US Treasury Department unclassified documents
  • www.pymnts.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
  • www.engadget.com: The US Treasury Department says it was hacked in a China-linked cyberattack
  • federalnewsnetwork.com: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
  • WIRED: US Treasury Department confirms hack by China-backed group.
  • bsky.app: The U.S. Treasury announced a major cyberattack linked to a compromised API key from its contractor, BeyondTrust.
  • securityonline.info: Treasury Department Hit by Major Cybersecurity Incident, China Suspected
  • PYMNTS.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
  • san.com: Chinese-sponsored hackers behind ‘major’ breach: Treasury Department
  • securityaffairs.com: China-linked threat actors breached the U.S. Treasury Department by hacking a remote support platform used by the agency.
  • Hong Kong Free Press HKFP: US Treasury says was targeted by China state-sponsored cyberattack.
  • The Hacker News: The United States Treasury Department said it suffered a 'major cybersecurity incident' that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
  • Fortune | FORTUNE: Treasury Department says a China state-sponsored cyberattack gained access to workstations and documents
  • gbhackers.com: US Treasury Department Breach, Hackers Accessed Workstations.
  • SAN: Investigators accuse China of hacking U.S. Treasury Department computers.
  • blog.gitguardian.com: What Happened in the U.S. Department of the Treasury Breach? A Detailed Summary.
  • DataBreaches.Net: Chinese hackers breached Treasury Department workstations, documents in ‘major cybersecurity incident’.
  • go.theregister.com: US Treasury Department outs the blast radius of BeyondTrust's key leak
  • www.wired.com: Treasury says attackers accessed “certain documents” in a “major” breach, but experts believe the attack’s impacts could prove to be more significant as new details emerge.
  • www.bleepingcomputer.com: US Treasury Department breached through remote support platform
  • Hacker News: US Treasury Department breached through remote support platform
  • OODAloop: What to know about string of US hacks blamed on China
  • Techmeme: Sources: Chinese government hackers breached the US Treasury Department's OFAC, which administers economic sanctions, and two other Treasury offices (Washington Post)
  • Dataconomy: According to the Washington Post Chinese government hackers compromised the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in December, targeting intelligence related to economic sanctions, officials reported.
  • Carly Page: China-backed hackers reportedly compromised the US Treasury’s highly sensitive sanctions office during December cyberattack
  • techcrunch.com: Chinese government hackers targeted the U.S. Treasury’s highly sensitive sanctions office during a December cyberattack, according to reports.
  • techcrunch.com: Chinese government hackers targeted US Treasury’s sanctions office during December cyberattack
  • Cybernews: On Thursday, it was revealed that PRC-backed hackers behind last month’s US Treasury hack accessed some senior officials' laptops.
  • Bloomberg Technology: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • www.techmeme.com: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • The Hacker News: CISA: No Wider Federal Impact from Treasury Cyber Attack, Investigation Ongoing
  • www.helpnetsecurity.com: CISA says Treasury was the only US agency breached via BeyondTrust
  • www.the420.in: Chinese APT Exploits BeyondTrust Vulnerability to Breach U.S. Treasury Systems
  • Pyrzout :vm:: CISA says Treasury was the only US agency breached via BeyondTrust
  • Help Net Security: CISA says Treasury was the only US agency breached via BeyondTrust
  • industrialcyber.co: US Treasury sanctions Beijing’s Integrity Tech for Flax Typhoon cyber intrusions on critical infrastructure
  • ciso2ciso.com: CISA: Third-Party Data Breach Limited to Treasury Dept. – Source: www.darkreading.com
  • Latest from TechRadar: Chinese cybersecurity firm hit by US sanctions over ties to Flax Typhoon hacking group

ross.kelly@futurenet.com (Ross@itpro.com //
On March 20, 2025, a user on the Breach Forums, identified as "rose87168," claimed to have stolen six million records from Oracle Cloud's Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) services. The user offered the data for sale or in exchange for zero-day exploits. The compromised database allegedly contains sensitive information, including Java KeyStore (JKS) files, encrypted SSO and LDAP passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. This could impact over 140,000 tenants, potentially creating a significant supply chain compromise.

Oracle has denied any breach of its cloud infrastructure. An Oracle spokesperson stated, "There has been no breach of Oracle Cloud...The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." However, the attacker claimed to have planted evidence on Oracle's login server, specifically login.us2.oraclecloud.com, by creating a text file there that was captured by the Internet Archive's Wayback Machine as proof of access. Cybersecurity firm CloudSEK suggests that the US2 server might not have been patched against CVE-2021-35587, a known vulnerability in Oracle Access Manager within Fusion Middleware.

Recommended read:
References:
  • hackread.com: Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records
  • BleepingComputer: The threat actor who claimed to breach Oracle Cloud shared the following URL as proof of the breach showing what appears to be a file containing their email address uploaded to Oracle's servers
  • The DefendOps Diaries: Oracle Cloud Breach Allegations: Hacker Claims vs. Oracle's Denial
  • www.bleepingcomputer.com: Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers
  • research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected
  • The Register - Software: Oracle Cloud says it's not true someone broke into its login servers and stole data
  • BrianKrebs: CloudSEK’s XVigil discovered a threat actor, selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud
  • www.cybersecurity-insiders.com: Oracle Cloud denies data breach claims of 6 million data files leak
  • Patrick C Miller :donor:: Oracle denies breach after hacker claims theft of 6 million data records
  • www.csoonline.com: Oracle Cloud breach may impact 140,000 enterprise customers
  • www.it-daily.net: 6 million data records: Oracle was allegedly hacked
  • eSecurity Planet: Oracle Cloud breach exposed 6M records from 140k+ tenants. Learn how attackers exploited vulnerabilities and steps organizations must take to secure data.
  • www.techradar.com: Oracle denies data breach after hacker claims to hold six million records
  • securityonline.info: BreachForums Claims: Millions of Oracle Cloud Records Stolen
  • Arctic Wolf: On March 20, 2025, a Breach Forums user, “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
  • Information Security Buzz: Cybersecurity Firm Uncovers Major Oracle Cloud Breach—Oracle Denies It
  • Arctic Wolf: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
  • www.cybersecuritydive.com: Researchers back claim of Oracle Cloud breach despite company’s denials
  • www.scworld.com: A Breach Forums user claimed to have stolen six million records from Oracle Cloud's SSO and LDAP services and offered the data for sale.
  • www.scworld.com: Details of the alleged Oracle Cloud breach.
  • The DefendOps Diaries: Oracle Cloud Breach Allegations: Unraveling the Controversy
  • www.itpro.com: Oracle breach claims spark war of words with security researchers
  • SpiderLabs Blog: Trustwave SpiderLabs Threat Review: Alleged Oracle Compromise
  • The Register - Security: There are perhaps 10,000 reasons to doubt Oracle Cloud's security breach denial
  • Lobsters: Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid.
  • : A threat actor, known as “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and offered the data for sale or in exchange for zero-day exploits.
  • Rescana: The Oracle Cloud breach resulted in the unauthorized access and alleged theft of 6 million records from Oracle's SSO and LDAP services,...
  • DataBreaches.Net: Oracle continues to deny it had any breach, but customers and researchers are claiming otherwise.
  • SpiderLabs Blog: On March 20, a relatively unknown user on Breach Forums posted the allegation that Oracle had suffered a data breach. According to   , the attacker claimed that 6 million customer records were exfiltrated from Oracle's SSO and LDAP systems.
  • GreyNoise: Alleged Oracle Cloud Supply Chain Attack: Six Million Records Stolen, 140K Companies Affected
  • www.cybersecuritydive.com: Researchers from CloudSEK are analyzing a data sample from a threat actor that claimed a massive breach involving 6 million records.
  • SecureWorld News: In what may become one of the most scrutinized cloud security incidents of 2025, Oracle has come under fire following claims by a threat actor alleging the exfiltration of more than six million records from Oracle Cloud Infrastructure (OCI), impacting more than 140,000 tenants.

@itpro.com //
References: Rescana, Wiz Blog | RSS feed, Dan Goodin ...
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.

This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.
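The practical check that follows from this incident is whether any workflow still references the compromised action, or references any third-party action by a mutable tag or branch rather than an immutable commit SHA (a moved tag is exactly what lets a compromised action repository ship new code to every downstream workflow). The scanner below is an added example, not code from StepSecurity, Wiz or the original post; the workflow text and the 40-hex SHA in it are constructed for illustration.

```python
"""Audit GitHub Actions workflow text for third-party actions that are
not pinned to a full commit SHA, and for actions on a known-compromised
list (here, tj-actions/changed-files, CVE-2025-30066 on this page).

Added example; the SAMPLE_WORKFLOW and its SHA are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# `uses: owner/repo[/subpath]@ref`; local (./...) and docker:// uses do not match.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?"
    r"(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)(?P<path>/[^@'\"\s]*)?@(?P<ref>[^'\"\s#]+)",
    re.MULTILINE,
)
# An immutable reference is a full 40-hex commit id; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Action named on this page as compromised; extend with your own advisories.
KNOWN_COMPROMISED = {"tj-actions/changed-files"}


@dataclass
class Finding:
    action: str
    ref: str
    line: int
    severity: str
    reason: str


def audit_workflow(text: str) -> List[Finding]:
    """Return one Finding per risky `uses:` line, in file order."""
    findings: List[Finding] = []
    for m in USES_RE.finditer(text):
        action = f"{m.group('owner')}/{m.group('repo')}"
        ref = m.group("ref")
        line = text.count("\n", 0, m.start()) + 1
        if action in KNOWN_COMPROMISED:
            # All versions were reported affected, so the ref does not matter:
            # remove the step and rotate every secret the job could read.
            findings.append(Finding(action, ref, line, "critical",
                                    "action is on the compromised list; remove it and rotate secrets"))
            continue
        if not SHA_RE.match(ref):
            findings.append(Finding(action, ref, line, "high",
                                    "mutable reference; pin to a full commit SHA"))
    return findings


# Constructed workflow: one SHA-pinned step, one compromised action, one tag-pinned step.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-step
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: [{f.severity}] {f.action}@{f.ref}: {f.reason}")
```

Run it over every file under `.github/workflows/` in each repository; a `critical` hit is a rotation task, not just a pinning task.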

Recommended read:
References:
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • Dan Goodin: Is anyone following this breach involving the j-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
  • securityonline.info: Popular GitHub Action “tj-actions/changed-files” Compromised (CVE-2025-30066)
  • Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
  • www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
  • : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
  • Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack discusses the tj-actions/changed-files supply chain attack.
  • The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
  • BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
  • www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
  • Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
  • gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
  • hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
  • www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
  • bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
  • Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
  • unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
  • Legit Security Blog: Github Actions tj-actions/changed-files Attack
  • Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-files” Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
  • securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
  • bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
  • blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
  • Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
  • Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
  • thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
  • The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
  • Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
  • Schneier on Security: Critical GitHub Attack
  • Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
  • www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
  • tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram

Pierluigi Paganini@Security Affairs //
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.

US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.

Recommended read:
References:
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • The Register - Security: They're good at zero-day exploits, too. Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
  • BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
  • cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
  • Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
  • The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
  • thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
  • gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
  • Source: Silk Typhoon targeting IT supply chain
  • www.scworld.com: Google's Threat Intelligence Group report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
  • Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
  • Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group "Silk Typhoon" has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • : Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
  • securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
  • Security Risk Advisors: Chinese Silk Typhoon threat actor targets global IT supply chains. Consider patching vulnerabilities, enforce MFA, audit cloud access. #CyberThreat #CloudSecurity
  • Blog: Silk Typhoon levels up, goes after IT supply chains

Pierluigi Paganini@securityaffairs.com //
References: Sucuri Blog, ciso2ciso.com, ...
Hackers are exploiting Google Tag Manager (GTM) to deploy credit card skimmers on Magento-based e-commerce websites. According to reports from The Hacker News, Sucuri, and CISO2CISO, malicious actors are leveraging GTM to deliver malware that targets sensitive payment data. The attack involves injecting code that appears to be a standard GTM or Google Analytics script but contains an obfuscated backdoor. This allows the attackers to gain persistent access to the websites.

Sucuri's investigation into a customer's Magento site revealed that credit card details were being stolen via a skimmer loaded from the cms_block.content database table. The GTM tag contained encoded JavaScript designed to collect and transmit sensitive user data entered during the checkout process to a remote server controlled by the attackers. This highlights the importance of securing third-party integrations and regularly monitoring website files for any suspicious code.
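Because the skimmer was stored in the cms_block.content table rather than in a file, file-integrity monitoring alone would not have caught it. The scanner below is an added example (not Sucuri's code or tooling) that queries that table and flags script tags which pose as GTM or Analytics loaders but carry obfuscated inline code; it assumes the table exposes block_id, identifier and content columns as Magento 2 does, and the rows it runs on are constructed, with the "malicious" blob decoding to harmless text.

```python
"""Flag suspicious <script> content in Magento's cms_block table.

Added example, not from Sucuri or the original post.  Heuristics:
  * an inline (src-less) script using decoding/eval primitives or
    embedding a long base64-looking blob;
  * a script tag that looks like a GTM/Analytics loader but is served
    from a host other than Google's.
Column names assume Magento 2's cms_block schema; rows are constructed.
"""
import re
import sqlite3
from typing import List, Tuple

INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(?P<body>.*?)</script>", re.I | re.S)
EXTERNAL_SRC_RE = re.compile(r"<script[^>]*\bsrc=['\"]?(?P<src>[^'\">\s]+)", re.I)
LONG_B64_RE = re.compile(r"[A-Za-z0-9+/=]{60,}")
SUSPICIOUS_CALLS = ("atob(", "eval(", "unescape(", "String.fromCharCode",
                    "new Function(", "document.write(")
GOOGLE_HOSTS = ("www.googletagmanager.com", "www.google-analytics.com")


def analyze_block(content: str) -> List[str]:
    """Return human-readable reasons why a block's content looks injected."""
    reasons: List[str] = []
    for m in INLINE_SCRIPT_RE.finditer(content):
        body = m.group("body")
        for call in SUSPICIOUS_CALLS:
            if call in body:
                reasons.append(f"inline script uses {call.rstrip('(')}")
        if LONG_B64_RE.search(body):
            reasons.append("inline script embeds a long base64-looking blob")
    for m in EXTERNAL_SRC_RE.finditer(content):
        src = m.group("src")
        host = re.sub(r"^(https?:)?//", "", src).split("/")[0].lower()
        if ("gtm" in src.lower() or "analytics" in src.lower()) and host not in GOOGLE_HOSTS:
            reasons.append(f"GTM/analytics-looking script loaded from non-Google host {host}")
    return reasons


def scan_cms_blocks(conn: sqlite3.Connection) -> List[Tuple[int, str, List[str]]]:
    """Query cms_block for script-bearing rows and return (block_id, identifier, reasons) hits."""
    hits = []
    rows = conn.execute(
        "SELECT block_id, identifier, content FROM cms_block WHERE content LIKE '%<script%'")
    for block_id, identifier, content in rows:
        reasons = analyze_block(content or "")
        if reasons:
            hits.append((block_id, identifier, reasons))
    return hits


# Constructed rows: a genuine-looking GTM loader, a fake one, and a plain HTML block.
LEGIT_GTM = ("<!-- Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]||[];"
             "w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});"
             "var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;"
             "j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);"
             "})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>")
FAKE_GTM = ("<!-- Google Tag Manager --><script>var _g=atob('" + "QUJD" * 20 +
            "');new Function(_g)();</script>")  # base64 of 'ABC' x 20, not real code
FOOTER = '<div class="footer"><p>Free shipping on orders over $50</p></div>'
SAMPLE_ROWS = [(1, "gtm-header", LEGIT_GTM), (2, "gtm-checkout", FAKE_GTM), (3, "footer-promo", FOOTER)]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the Magento database, populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_block (block_id INTEGER PRIMARY KEY, identifier TEXT, "
                 "title TEXT, content TEXT, is_active INTEGER DEFAULT 1)")
    conn.executemany("INSERT INTO cms_block (block_id, identifier, content) VALUES (?, ?, ?)",
                     SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    for block_id, identifier, reasons in scan_cms_blocks(build_sample_db()):
        print(f"cms_block {block_id} ({identifier}): " + "; ".join(reasons))
```

Against a live store, point scan_cms_blocks at the real connection and extend the query to cms_page.content and the core_config_data design/head entries, which are the other common places such tags are planted.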

Recommended read:
References:
  • Sucuri Blog: Sucuri warns of credit card data theft from website.
  • ciso2ciso.com: Hackers Exploit Google Tag Manager
  • The Hacker News: The Hacker News reports on hackers exploiting Google Tag Manager to deploy credit card skimmers.
  • Sucuri: Sucuri warns of credit card data theft from a customer's Magento-based eCommerce website. The credit card skimmer malware is delivered by leveraging Google Tag Manager (GTM). GTM is a free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site’s code directly.
  • ciso2ciso.com: Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores – Source:thehackernews.com
  • securityaffairs.com: Sucuri researchers observed threat actors leveraging Google Tag Manager (GTM) to install e-skimmer software on Magento-based e-stores.
  • Security Intelligence: Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.
  • www.scworld.com: Magento stores compromised with Google Tag Manager skimmer
  • gbhackers.com: Information on hackers exploiting Google Tag Manager to steal credit card data from e-commerce sites.
  • securityonline.info: SecurityOnline article on hackers exploiting Google Tag Manager.
  • gbhackers.com: Hackers Exploiting Google Tag Managers to Steal Credit Card from eCommerce Sites
  • securityonline.info: Hackers Exploit Google Tag Manager to Steal Credit Card Data from Magento Sites
  • Sucuri Blog: Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often target to steal as many credit card numbers as possible.
  • Search Engine Journal: Hackers Use Google Tag Manager to Steal Credit Card Numbers
  • www.searchenginejournal.com: Hackers Use Google Tag Manager to Steal Credit Card Numbers

SC Staff@scmagazine.com //
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.

Six malicious npm packages have been identified: postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.

Recommended read:
References:
  • The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
  • BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
  • bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
  • The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
  • socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
  • securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
  • hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
  • Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
  • www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
  • securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
  • BleepingComputer: Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
  • Security Risk Advisors: The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying
  • Security Risk Advisors: Lazarus Group Deploys Malicious npm Packages to Target Developers and Exfiltrate Data
  • securityonline.info: The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control.
  • Datadog Security Labs: Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access

lucija.valentic@reversinglabs.com (Lucija@Blog (Main) //
References: Blog (Main), hackread.com ...
A new malware campaign has been discovered targeting developers through malicious npm packages. Researchers at ReversingLabs identified two packages, ethers-provider2 and ethers-providerz, designed to inject reverse shells into locally installed instances of the popular 'ethers' library. This allows attackers to gain remote access to compromised systems. The attack cleverly hides its malicious payload, modifying legitimate files to ensure persistence even after the initial packages are removed.

This campaign showcases a sophisticated approach to software supply chain attacks. The malicious packages act as downloaders, patching the 'ethers' library with a reverse shell. Once 'ethers' is reinstalled, the modifications are reintroduced, granting attackers continued access. ReversingLabs detected the threat using its Spectra platform and has developed a YARA rule to identify compromised systems. While ethers-providerz has been removed, ethers-provider2 remains available, posing a substantial risk, especially if such tactics are deployed against more popular npm packages in the future.

Recommended read:
References:
  • : Malicious npm Packages Deliver Sophisticated Reverse Shells
  • Blog (Main): Malware found on npm infecting local package with reverse shell
  • thehackernews.com: Malicious npm Package Modifies Local 'ethers' Library to Launch Reverse Shell Attacks
  • hackread.com: New npm Malware Attack Infects Popular Ethereum Library with Backdoor
  • www.bleepingcomputer.com: Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor.
  • The DefendOps Diaries: Explore a sophisticated npm attack revealing software supply chain vulnerabilities and the need for enhanced security measures.
  • Datadog Security Labs: Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages
  • www.csoonline.com: Malicious npm packages found to create a backdoor in legitimate code
  • BleepingComputer: Infostealer campaign compromises 10 npm packages, targets devs

@Talkback Resources //
References: bsky.app , BleepingComputer , socket.dev ...
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.

A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.

Recommended read:
References :
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from the music streaming service Deezer. The package was named automslc and had been downloaded over 100,000 times since its release in 2019.
  • BleepingComputer: A malicious PyPI package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • bsky.app: A malicious PyPI package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and 'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks

Ridhika Singh@cysecurity.news //
A sophisticated cyber espionage campaign, dubbed UNK_CraftyCamel, is actively targeting aviation and satellite organizations in the United Arab Emirates (UAE). Cybersecurity researchers at Proofpoint discovered this attack in October 2024. The attackers are employing advanced techniques, including the use of polyglot files, a custom Go-based backdoor known as Sosano, and compromised business accounts, to evade detection. This highly targeted campaign leverages compromised business relationships and tailored lures to deliver a multi-stage infection chain.

The attack begins with phishing emails sent from the compromised account of an Indian electronics company, INDIC Electronics. These emails contain links to malicious ZIP files hosted on domains designed to mimic legitimate companies. The ZIP archives contain cleverly disguised malware components using polyglot files, a relatively rare technique in espionage operations. These files are structured so they can be interpreted as multiple file formats, allowing attackers to hide malicious content within seemingly legitimate files, making detection more difficult. The use of polyglot files demonstrates an advanced adversary with a focus on stealth and obfuscation.

Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor designed for stealth and resilience. Sosano establishes a connection with a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.

Recommended read:
References :
  • Cyber Security News: Hackers Exploit Business Relationships to Attack Arab Emirates Aviation Sector
  • gbhackers.com: Hackers Exploiting Business Relationships to Attack Arab Emirates Aviation Sector
  • The Record: Proofpoint researchers say they spotted new backdoor malware that suspected Iranian regime-backed hackers have aimed at sectors such as aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates.
  • Information Security Buzz: Highly Targeted Cyber Espionage Campaign Targeting UAE Aviation Sector
  • thehackernews.com: Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector
  • Virus Bulletin: Proofpoint researchers identified a highly targeted email-based campaign targeting UAE organizations. The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
  • www.cysecurity.news: A highly targeted cyber espionage campaign, dubbed UNK_CraftyCamel, is targeting aviation and satellite organizations in the UAE. Attackers use polyglot files, a custom Go-based backdoor (Sosano), and compromised business accounts to evade detection.
  • Vulnerable U: Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms
  • Industrial Cyber: Proofpoint details likely Iranian-backed Sosano malware targeting UAE’s critical sectors
  • New Cyber-Espionage Campaign Targets UAE Aviation and Transport
  • www.scworld.com: New Sosano malware attacks target UAE
  • securityonline.info: UNK_CraftyCamel: New Threat Group Using Polyglot Malware in UAE
  • securityaffairs.com: A new cyber espionage campaign is targeting UAE aviation and satellite companies. Researchers have identified a custom Go-based backdoor, Sosano, being used in this operation.
  • www.redpacketsecurity.com: Researchers have identified a new cyber-espionage campaign targeting aviation and satellite organizations in the UAE.

Jessica Lyons@theregister.com //
Researchers at watchTowr Labs have uncovered a significant security flaw involving abandoned Amazon Web Services (AWS) S3 buckets, potentially allowing attackers to compromise the software supply chain. The analysis revealed that nearly 150 S3 buckets previously used by various organizations, including cybersecurity firms, governments, Fortune 500 companies, and open source projects, could be re-registered. This re-registration could enable attackers to inject malicious code or executables into deployment processes and software update mechanisms.

Over a two-month period, these abandoned buckets received over eight million HTTPS requests for various files, including software updates and other binary artifacts. The requests originated from a wide range of sources, including government networks in multiple countries, military networks, Fortune 100 and 500 companies, and even cybersecurity companies. This vulnerability could allow threat actors to deliver malware or backdoors to these organizations, leading to widespread security breaches. AWS has since blocked the specific buckets identified by watchTowr to prevent their re-creation and potential misuse.

Recommended read:
References :
  • The Register - Security: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'
  • watchTowr: Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
  • go.theregister.com: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant' When cloud customers don't clean up after themselves, part 97 Abandoned AWS S3 buckets could be reused to hijack the global software supply chain in an attack that would make Russia's "SolarWinds adventures look amateurish and insignificant," watchTowr Labs security researchers have claim…
  • www.theregister.com: watchTowr: Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
  • labs.watchtowr.com: WatchTowr Labs research details 8 million requests against AWS S3 buckets.
  • www.csoonline.com: Code references to nonexistent cloud assets continue to pose significant security risks, and the problem is only growing. Recent research identified approximately 150 AWS S3 storage buckets once used by various software projects to host sensitive scripts, configuration files, software updates, and other binary artifacts that were automatically downloaded and executed on user machines.
  • www.scworld.com: Nearly 150 S3 buckets previously leveraged by cybersecurity firms, governments, Fortune 500 companies, and open source projects could be re-registered with the same AWS account name to facilitate executable and/or code injections in the deployment code/software update mechanism, according to an analysis from watchTowr Labs researchers.
  • www.securityweek.com: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
  • BleepingComputer: How attackers abuse S3 Bucket Namesquatting — And How to Stop Them
  • SecurityWeek: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
  • therecord.media: Researchers warn of risks tied to abandoned cloud storage buckets
  • Jon Greig: Researchers at Watchtowr warned of malicious actors taking over abandoned AWS S3 buckets used by governments, militaries, Fortune 500 companies and even some cybersecurity firms
  • darkreading: Researchers from watchTowr discovered around 150 Amazon Web Services S3 buckets that were formerly used by organizations for software deployment and updates but were then abandoned.

Field Effect@Blog //
References: Blog , Malware - Graham Cluley , ...
A sophisticated cyber threat is rapidly evolving, exploiting user familiarity with CAPTCHAs to distribute malware through social engineering tactics. The ClearFake malicious JavaScript framework now utilizes 'ClickFix' techniques to trick users into executing malicious PowerShell commands, often disguised as fake reCAPTCHA or Cloudflare Turnstile verifications. This framework injects a fraudulent CAPTCHA on compromised websites, enticing visitors to unknowingly copy and paste malicious commands that lead to malware installation.

https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/

https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/

This 'ClickFix' attack redirects victims to malicious webpages delivering fake CAPTCHA verifications, ultimately deploying information-stealing malware such as Lumma Stealer and Vidar Stealer. Over 100 car dealerships have already been impacted by a supply-chain attack involving injected malicious code, and Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry using the same 'ClickFix' technique. Security experts advise users to exercise extreme caution with unsolicited instructions, especially those prompting system commands.

Recommended read:
References :
  • Blog: Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry by masquerading as Booking.com communications. Initiated in December 2024, this campaign leverages a social engineering tactic known as ClickFix to disseminate credential-stealing malware.
  • Malware - Graham Cluley: A security researcher has discovered that the websites of over 100 car dealerships have been compromised in a supply-chain attack that attempted to infect the PCs of internet visitors.
  • www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
  • Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT via malicious PowerShell commands, according to HP.
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
  • www.bleepingcomputer.com: Steam pulls game demo infecting Windows with info-stealing malware

Jeff Burt@DevOps.com //
References: ciso2ciso.com , Lobsters , bsky.app ...
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.

This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. Once the Go Module Mirror had cached the malicious version, the git tag was retargeted on GitHub to remove traces of the malicious code, so anyone reviewing the repository saw clean source while `go get` continued to serve the cached backdoor. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect the installed code itself rather than the upstream repository.

Recommended read:
References :
  • ciso2ciso.com: Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems. (Source: thehackernews.com)
  • Lobsters: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first documented attack to make it into the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
  • ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
  • securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
  • www.infoworld.com: Malicious package found in the Go ecosystem
  • ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
  • ciso2ciso.com: The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching. (Source: www.infoworld.com)
  • heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
  • www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered

info@thehackernews.com (The Hacker News)@The Hacker News //
The cybercrime group XE Group has shifted its tactics from credit card skimming to exploiting zero-day vulnerabilities, with a recent focus on VeraCore software. This involves deploying reverse shells and web shells to maintain persistent remote access to compromised systems, targeting supply chains in the manufacturing and distribution sectors. The group has been active since at least 2010; the move marks a significant shift in its operational priorities towards targeted information theft.

The vulnerabilities exploited include CVE-2024-57968, an unrestricted file upload flaw, and CVE-2025-25181, an SQL injection vulnerability. These shortcomings are being chained to deploy ASPXSpy web shells for unauthorized access to infected systems, enabling file system enumeration, data exfiltration, and the execution of SQL queries. The exploitation activity was discovered in November 2024, with evidence suggesting the group leveraged CVE-2025-25181 as early as 2020.

Recommended read:
References :
  • securityaffairs.com: XE Group shifts from credit card skimming to exploiting zero-days
  • The Hacker News: XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells
  • ciso2ciso.com: XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells – Source:thehackernews.com
  • Blog: Article about the XE group exploiting Veracore zero-day to deploy persistent web shells.
  • www.scworld.com: Report details how XE Group exploited a VeraCore zero-day to deploy reverse shells and web shells.
  • SOC Prime Blog: SOCRadar: Detect XE Group Attacks
  • intezer.com: Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies.
  • socprime.com: XE Group, likely a Vietnam-linked hacking collective that has been active in the cyber threat arena for over a decade is believed to be behind the exploitation of a couple of VeraCore zero-day vulnerabilities.
  • Virus Bulletin: Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies.
  • securityaffairs.com: The cybercrime group XE Group exploited a VeraCore zero-day to deploy reverse shells, web shells in recent attacks.
  • securityaffairs.com: Analysis of the XE Group's recent operations and their use of VeraCore zero-day vulnerabilities to deploy reverse shells and web shells.

MalBot@malware.news //
Researchers at Eclypsium have uncovered critical security flaws in the Illumina iSeq 100 DNA gene sequencer. The device utilizes an outdated BIOS firmware implementation, employing Compatibility Support Mode (CSM) without Secure Boot or standard firmware write protections. This vulnerability allows an attacker with system access to overwrite the firmware. This could potentially disable the device entirely or install persistent malware.

The identified security gaps underscore the substantial risks associated with reusing commodity hardware and neglecting regular firmware updates. The lack of modern security measures in the iSeq 100 presents a major supply chain vulnerability. This also highlights the need for stringent security protocols and configuration management to protect devices that handle sensitive genomic data, as outlined by NIST guidelines published in 2023.

Recommended read:
References :
  • malware.news: Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
  • eclypsium.com: Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
  • : Eclypsium identified BIOS/UEFI vulnerabilities in a popular DNA gene sequencer by healthcare technology vendor Illumina.
  • The Hacker News: Researchers Uncover Major Security Flaw in Illumina iSeq 100 DNA Sequencers
  • BleepingComputer: BIOS/UEFI vulnerabilities in the iSeq 100 DNA sequencer from U.S. biotechnology company Illumina could let attackers disable devices used for detecting illnesses and developing vaccines.
  • gbhackers.com: Critical BIOS/UEFI Vulnerabilities Allow Attackers To Overwrite System Firmware
  • securityonline.info: DNA Sequencer BIOS Vulnerabilities Pose Significant Supply Chain Risks
  • ciso2ciso.com: Insecure Medical Devices — Illumina DNA Sequencer Illuminates Risks

@itpro.com //
A critical security incident has been detected involving the widely-used GitHub Action "tj-actions/changed-files," resulting in CVE-2025-30066. The compromise involved attackers modifying the action's code and retroactively updating multiple version tags to point to the malicious commit. This allowed the malicious code to print CI/CD secrets in GitHub Actions build logs, potentially exposing them in public repositories. The "tj-actions/changed-files" GitHub Action is used in over 23,000 repositories, making the scale of this compromise significant. GitHub has removed the "tj-actions/changed-files" Action, preventing it from being used in GitHub Actions workflows.

The malicious commit, identified as 0e58ed8 ("chore(deps): lock file maintenance (#2460)"), was added to all 361 tagged versions of the GitHub action. This commit introduced a script that leaks CI/CD secrets from runner memory. The anomaly was detected by StepSecurity's Harden-Runner, which identified suspicious outbound network requests directed at gist.githubusercontent.com. Immediate action is necessary to mitigate the risk of credential theft and CI pipeline compromise. StepSecurity has urged maintainers of public repositories using the compromised Action to review recovery steps immediately, as multiple public repositories have been found to have leaked secrets in build logs.
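Because the compromise worked by moving existing version tags onto the malicious commit, the practical check for a repository is whether every remote action in its workflows is pinned to an immutable 40-character commit SHA rather than a tag or branch. The script below is an added example, not code from StepSecurity, GitHub or the tj-actions project; the sample workflow text and the placeholder SHA in it are constructed for this illustration.

```python
"""Audit GitHub Actions workflow text for `uses:` references that are not SHA-pinned.

A tag such as @v45 can be retargeted by whoever controls the action's repository
(or by an attacker who has compromised it); a full commit SHA cannot.
"""
import re
from dataclasses import dataclass
from typing import List

# Matches `uses: owner/repo[/subpath]@ref`. Local (./path) and docker:// references
# are not fetched from a remote GitHub repository and intentionally do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"(?P<repo>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@'\"\s]+)?)"
    r"@(?P<ref>[^'\"\s#]+)"
)


@dataclass
class Finding:
    line_no: int
    repo: str   # owner/repo, possibly with a subpath
    ref: str    # whatever follows the '@'
    kind: str   # "sha", "short-sha", "tag" or "branch"


def classify_ref(ref: str) -> str:
    """Only a full 40-hex SHA is immutable. Abbreviated SHAs are reported separately
    (GitHub Actions requires the full value); vX / vX.Y.Z-style refs are tags;
    anything else is treated as a branch name."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha"
    if re.fullmatch(r"v?\d+(\.\d+)*", ref):
        return "tag"
    return "branch"


def audit_workflow(text: str, only_unpinned: bool = True) -> List[Finding]:
    """One Finding per remote action reference in the workflow text.
    With only_unpinned=True, SHA-pinned references are dropped so the result is
    exactly the list of references that need fixing."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify_ref(m.group("ref"))
        if only_unpinned and kind == "sha":
            continue
        findings.append(Finding(line_no, m.group("repo"), m.group("ref"), kind))
    return findings


def references_action(text: str, action: str) -> List[int]:
    """Line numbers where a given owner/repo is used at all, pinned or not.
    This is the 'am I affected?' triage step for a known-compromised action."""
    return [
        f.line_no
        for f in audit_workflow(text, only_unpinned=False)
        if "/".join(f.repo.split("/")[:2]) == action
    ]


# Constructed sample workflow. The checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45          # mutable tag: can be retargeted
      - uses: some-org/some-action@main             # mutable branch
      - uses: ./.github/actions/local-step          # local, not fetched remotely
      - name: run
        run: echo hello
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.repo}@{f.ref} is pinned to a {f.kind}, not a commit SHA")
    print("tj-actions/changed-files referenced on lines:",
          references_action(SAMPLE_WORKFLOW, "tj-actions/changed-files"))
```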

Recommended read:
References :
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • securityonline.info: Popular GitHub Action “tj-actions/changed-files” Compromised (CVE-2025-30066)
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know

@socket.dev //
References: Help Net Security , Tenable Blog , OpenSSF ...
The Open Source Security Foundation (OpenSSF), a Linux Foundation cross-industry initiative, has launched the Open Source Project Security Baseline (OSPS Baseline), a tiered framework designed to standardize security practices for open source projects. This initiative aims to provide practical and impactful security best practices, enhancing software development and consumption security for projects of all sizes. The OSPS Baseline compiles existing guidance from OpenSSF and other expert groups, offering actionable steps to improve the security posture of open source software.

The OSPS Baseline organizes controls into three maturity levels, catering to projects with varying numbers of maintainers and users. These levels address crucial areas such as access control, documentation, governance, build and release processes, security assessment, and vulnerability management. By adhering to the Baseline, developers can build a foundation that supports compliance with global cybersecurity regulations, including the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF). OpenSSF invites open source developers, maintainers, and organizations to utilize the OSPS Baseline to refine the framework and promote the adoption of security best practices in the open source community.

Recommended read:
References :
  • Help Net Security: OSPS Baseline: Practical security best practices for open source software projects
  • Tenable Blog: Check out a new framework for better securing open source projects. Plus, learn how AI is making ransomware harder to detect and mitigate.
  • socket.dev: OpenSSF Launches Open Source Project Security Baseline to Strengthen Software Supply Chain
  • OpenSSF: The February 2025 Newsletter is out! Get the latest on: Community Days 2025 (register for Denver & Amsterdam); OSPS Baseline (new framework to secure open source projects)

CISO2CISO Editor 2@ciso2ciso.com //
A new, sophisticated cyber campaign is utilizing GitHub's infrastructure to distribute the Lumma Stealer malware, a notorious data-stealing tool. The campaign is not limited to Lumma Stealer; it also distributes other malicious software, including SectopRAT, Vidar, and Cobeacon. Attackers are exploiting the platform's release mechanisms to gain initial access to systems and subsequently deploy these payloads. Hosting the files on a trusted platform lends the malicious URLs credibility, tricking users into downloading them and increasing the risk of widespread infection.

Trend Micro researchers have analyzed the tactics, techniques and procedures (TTPs) used in this campaign and found significant similarities with those used by the Stargazer Goblin group, indicating a potential connection between the two. The Lumma Stealer malware is known for extracting credentials, cryptocurrency wallets, system details, and other sensitive files. SOC Prime Platform has released detection content aimed at helping security teams proactively identify and thwart related threats. This includes Sigma rules for Lumma Stealer, SectopRAT, Vidar, and Cobeacon detection, highlighting the ongoing efforts to counter this dangerous threat.

Recommended read:
References :
  • ciso2ciso.com: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
  • SOC Prime Blog: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
  • Virus Bulletin: Trend Micro researchers dissect the tactics, techniques and procedures (TTPs) employed by a campaign distributing Lumma Stealer through GitHub.
  • ciso2ciso.com: Lumma Stealer Detection: Sophisticated Campaign Using GitHub Infrastructure to Spread SectopRAT, Vidar, Cobeacon, and Other Types of Malware – Source: socprime.com
  • www.trendmicro.com: Trend Micro reports on a campaign distributing Lumma Stealer through GitHub.
  • gbhackers.com: Cybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer

CISO2CISO Editor 2@ciso2ciso.com //
A new China-aligned cyber espionage group named PlushDaemon has been discovered conducting a supply chain attack against a South Korean VPN provider, IPany. The group compromised the VPN provider's software installer, replacing it with a malicious version that deploys the custom SlowStepper malware. This malware is a sophisticated backdoor with a large toolkit of around 30 modules, programmed in C++, Python, and Go, designed for espionage activities. The group typically gains initial access by hijacking legitimate software updates of Chinese applications, so this supply chain attack marks a significant departure from its usual tactics.

ESET Research identified the attack after detecting malicious code in a Windows NSIS installer downloaded from the IPany website in May 2024. The compromised installer included both the legitimate VPN software and the SlowStepper backdoor. ESET researchers notified IPany, and the malicious installer has since been removed. PlushDaemon, active since at least 2019, is believed to be the exclusive user of the SlowStepper malware and has targeted individuals and entities in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is also known to gain access via vulnerabilities in legitimate web servers.

Recommended read:
References :
  • ciso2ciso.com: PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack.
  • BleepingComputer: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group
  • ESET Research: A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
  • ciso2ciso.com: Details about the Chinese threat group PlushDaemon.
  • www.welivesecurity.com: A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
  • ciso2ciso.com: Chinese cyberspies target South Korean VPN in supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.
  • www.bleepingcomputer.com: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the company's VPN installer to deploy the custom 'SlowStepper' malware.
  • discuss.privacyguides.net: The attackers replaced the legitimate installer with one that also deployed the group’s signature backdoor.
  • therecord.media: Chinese hackers target Korean VPN provider by placing backdoored installer on website
  • ciso2ciso.com: ESET researchers discovered a previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon, which has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023.
  • go.theregister.com: Supply chain attack hits Chrome extensions, could expose millions