@itpro.com
//
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.
This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.
Recommended read:
References :
- Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
- Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
- Open Source Security: tj-action/changed-files GitHub action was compromised
- Dan Goodin: Is anyone following this breach involving the j-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
- securityonline.info: Popular GitHub Action “tj-actions/changed-files� Compromised (CVE-2025-30066)
- Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
- www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
- : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
- Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack discusses the tj-actions/changed-files supply chain attack.
- The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
- BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
- www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
- Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
- gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
- hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
- www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
- bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
- Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
- unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
- Legit Security Blog: Github Actions tj-actions/changed-files Attack
- Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-files� Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
- securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
- bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
- blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
- Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
- Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
- thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
- The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
- Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
- Schneier on Security: Critical GitHub Attack
- Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
- www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
- tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram
Pierluigi Paganini@Security Affairs
//
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.
US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.
Recommended read:
References :
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- The Register - Security: They're good at zero-day exploits, too Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
- BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
- cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
- Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
- The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
- thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
- gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
- Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
- The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
- Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
- Source: Silk Typhoon targeting IT supply chain
- www.scworld.com: Google's Threat Intelligence Group report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
- Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
- Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
- bsky.app: Microsoft warns that Chinese cyber-espionage threat group "Silk Typhoon" has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
- : Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
- securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
- Security Risk Advisors: Chinese Silk Typhoon threat actor targets global IT supply chains. Consider patching vulnerabilities, enforce MFA, audit cloud access. #CyberThreat #CloudSecurity
- Blog: Silk Typhoon levels up, goes after IT supply chains
SC Staff@scmagazine.com
//
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.
Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.
Recommended read:
References :
- The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
- BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
- bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
- The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
- socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
- securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
- hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
- Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
- www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
- securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
- BleepingComputer: Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
- Security Risk Advisors: The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying
- Security Risk Advisors: Lazarus Group Deploys Malicious npm Packages to Target Developers and Exfiltrate Data
- securityonline.info: The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control The post appeared first on .
- Datadog Security Labs: Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access
Rounak Jain@feeds.benzinga.com
//
Security firm SquareX exposed a significant vulnerability in the OAuth implementation of Google Chrome extensions just days before a major breach occurred. The flaw allowed malicious actors to inject harmful code into extensions using a sophisticated phishing campaign. This campaign involved emails disguised as Chrome Store notifications regarding policy violations, prompting developers to connect their Google account to a fake "Privacy Policy Extension". This fake extension, in turn, granted attackers the ability to edit, update, and publish extensions on the developer's account, effectively hijacking them.
The identified attack vector was demonstrated by SquareX researchers in a video just before a malicious version of Cyberhaven’s browser extension was found on the Chrome store. This malicious extension was available for over 30 hours and affected over 400,000 users before it was removed by Cyberhaven. The incident highlights the increasing risk that browser extensions pose, as most organizations don't monitor what extensions their employees are using, making them a common target for cybercriminals.
Recommended read:
References :
- www.techmeme.com: Experts say hackers compromised several companies' Chrome browser extensions, including Cyberhaven's, in a series of intrusions dating back to mid-December
- SiliconANGLE: Hackers compromise Chrome extensions with 400,000+ users
- techhub.social: Experts say hackers compromised several companies' Chrome browser extensions, including Cyberhaven's, in a series of intrusions dating back to mid-December (Reuters)
- www.channelnewsasia.com: Hackers hijack a wide range of companies' Chrome extensions, experts say.
- BleepingComputer: At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users.
- www.bleepingcomputer.com: Cybersecurity firm’s Chrome extension hijacked to steal user data
- siliconangle.com: Hackers have compromised several popular Chrome extensions with hundreds of thousands of users, TechCrunch reported today.
- techcrunch.com: Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens
- infosec.exchange: Data-loss prevention startup Cyberhaven said hackers took over its official Chrome extension, pushing a malicious version designed to steal passwords and session tokens.
- www.benzinga.com: Google Chrome Users Beware This Holiday Season: Cyber Security Firm's Browser Extension Hijacked By Attackers
- www.neowin.net: Cyberhaven Chrome extension targeted by hack, company admits
- gbhackers.com: Cyberhaven, a prominent cybersecurity company, disclosed that its Chrome extension With 400,000+ users was targeted in a malicious cyberattack on Christmas Eve 2024
- www.engadget.com: Hackers injected malicious code into several Chrome extensions in recent attack
- gbhackers.com: Cyberhaven Hacked – Chrome Extension With 400,000 users Compromised
- ciso2ciso.com: 16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft – Source:thehackernews.com
- dataconomy.com: Over 600,000 users exposed in Chrome hack: Are you one of them?
- DMR News: Hackers Use Chrome Extensions to Steal User Data
- The Hacker News: When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions
- mashable.com: Mashable reports on hackers taking over Google Chrome extensions in a cyberattack.
- Alex Jimenez: Hackers take over Google Chrome extensions in cyberattack Malicious code was inserted into Chrome extensions in a phishing campaign.
- bgr.com: Hackers are hijacking Chrome extensions in an attempt to steal your data
- ciso2ciso.com: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach – Source:hackread.com
- The Last Watchdog: SquareX exposes OAuth attack on Chrome extensions, days before a major breach.
- www.lastwatchdog.com: News alert: SquareX exposes OAuth attack on Chrome extensions — days before a major breach
- ciso2ciso.com: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach – Source:hackread.com
- Pyrzout :vm:: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach
- labs.sqrx.com: OAuth Identity Attack — Are your Extensions Affected?
- osint10x.com: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach
- iHLS: Massive Ongoing Chrome Extension Hack Affects Over Two Million Users
- bsky.app: New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven. https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/
- www.bleepingcomputer.com: New details have emerged about a phishing campaign targeting Chrome browser extension developers
- BleepingComputer: New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven.
- Pyrzout :vm:: Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft – Source:thehackernews.com
- ciso2ciso.com: Hacking campaign compromised at least 16 Chrome browser extensions – Source: securityaffairs.com
- ciso2ciso.com: Dozens of Chrome Browser Extensions Hijacked by Data Thieves – Source: www.infosecurity-magazine.com
- ciso2ciso.com: ciso2ciso Article on Chrome Browser Extensions Hijacked
- Latest from TechRadar: The recent cyberattack which hit security firm Cyberhaven and then affected a number of Google Chrome extenions may have been part of a ‘wider …
- securityonline.info: In a detailed report from Team Axon—led by Alon Klayman and Uri Kornitzer—researchers have revealed on a sophisticated
Jeff Burt@DevOps.com
//
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.
This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.
Recommended read:
References :
- ciso2ciso.com: Source: thehackernews.com – Author: . Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.
- Lobsters: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
- bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first attack documented making it in the the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
- ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
- fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
- securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
- securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s The post appeared first on .
- www.infoworld.com: Malicious package found in the Go ecosystem
- ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
- ciso2ciso.com: Source: www.infoworld.com – Author: The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching.
- heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
- www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered
David Jones@cybersecuritydive.com
//
Coinbase was the initial target of a sophisticated supply chain attack on GitHub Actions, according to researchers from Palo Alto Networks and Wiz. The attack exploited the public continuous integration/continuous delivery flow of Coinbase's open-source project, agentkit. The hackers aimed to leverage agentkit for further compromises, but they did not manage to access Coinbase secrets or publish any packages.
Researchers found malicious code injected into the reviewdog/action-setup@v1 GitHub Action, a dependency of tj-actions/changed-files, which was also compromised. The attack leaked sensitive secrets from repositories that ran the workflow, assigned as CVE-2025-30066 and CVE-2025-30154. Approximately 218 repositories had secrets exposed, including credentials for DockerHub, npm, Amazon Web Services, and GitHub install access tokens.
Recommended read:
References :
- The DefendOps Diaries: Coinbase Targeted in Sophisticated GitHub Actions Supply Chain Attack
- www.bleepingcomputer.com: Coinbase was primary target of recent GitHub Actions breaches
- www.cybersecuritydive.com: Coinbase originally targeted during GitHub Action supply chain attack
- thehackernews.com: TheHackerNews reports on Coinbase initially targeted in GitHub Actions attack.
- bsky.app: Both Wiz and Palo Alto Networks have found evidence that the compromise of the Changed-Files GitHub Action might have been a complex multi-tier supply chain attack targeting tools used by Coinbase developers
- www.scworld.com: GitHub Action attack initially set sights on Coinbase
info@thehackernews.com (The Hacker News)@The Hacker News
//
SecurityScorecard has uncovered a stealthy malware campaign orchestrated by North Korea's Lazarus Group, dubbed "Marstech Mayhem." The campaign involves the deployment of an advanced malware implant named "marstech1," designed to target cryptocurrency wallets and infiltrate the software supply chain. The implant first emerged in late December 2024, spreading through open-source software via GitHub and NPM packages, putting unsuspecting developers and their projects at risk. The group has been injecting JavaScript implants into repositories, blending malicious code with legitimate code to avoid detection.
The marstech1 implant targets Exodus and Atomic cryptocurrency wallets on Linux, macOS, and Windows. Once installed, the malware scans systems for crypto wallets, attempting to steal sensitive information. SecurityScorecard confirmed at least 233 victims across the U.S., Europe, and Asia. According to SecurityScorecard’s analysis, the threat actors have established a command and control server hosted on Stark Industries LLC infrastructure. Ryan Sherstobitoff, SecurityScorecard’s SVP of threat research and intelligence, noted that the malware uses layered obfuscation techniques, highlighting the group's sophisticated approach to evading static and dynamic analysis.
Recommended read:
References :
- readwrite.com: Details of marstech1 implant used by Lazarus group in supply chain attacks.
- The Hacker News: Article describing Lazarus Group's attack campaign targeting developers using marstech1 implant.
- www.developer-tech.com: Report on Lazarus Group's use of marstech1 malware.
- ReadWrite: North Korea’s Lazarus Group spreads crypto-stealing malware through open-source software
- Developer Tech News: Lazarus Group infiltrates supply chain with stealthy malware
Pierluigi Paganini@Security Affairs
//
Multiple malicious npm packages have been discovered targeting Solana private keys, posing a significant threat to users of Solana wallets. These packages, including '@async-mutex/mutex', 'dexscreener', 'solana-transaction-toolkit', and 'solana-stable-web-huks', use techniques like typosquatting to appear legitimate while secretly stealing and exfiltrating private keys. The threat actors utilize similar code to intercept private keys during wallet interactions and then route the stolen data through Gmail's SMTP servers. This leverages Gmail’s trusted status to evade detection by security systems, making it more difficult for firewalls to identify the malicious activity.
The malicious packages not only steal private keys but also actively drain victims' wallets. Packages such as 'solana-transaction-toolkit' and 'solana-stable-web-huks' have been found to transfer up to 98% of funds from the user's wallet to attacker-controlled addresses. Additionally, the threat actors have created fake GitHub repositories designed to look like helpful Solana development tools in order to further spread the malicious code. Security researchers have urged users to be cautious when downloading packages, especially those with unusual names or low download counts. While these packages are active, efforts are underway to remove them and associated GitHub repositories.
Recommended read:
References :
- gbhackers.com: Hackers Weaponize npm Packages To Steal Solana Private Keys Via Gmail
- securityaffairs.com: Malicious npm and PyPI target Solana Private keys to steal funds from victims’ wallets
- The Hacker News: Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP
- gbhackers.com: Hackers Weaponize npm Packages To Steal Solana Private Keys Via Gmail
info@thehackernews.com (The Hacker News)@The Hacker News
//
Ethereum developers are being targeted by a supply chain attack involving malicious npm packages designed to look like legitimate Hardhat plugins. These fake packages, with names closely resembling real ones, are being used to steal sensitive data, including private keys and mnemonics. Researchers have identified at least 20 of these malicious packages, which have collectively been downloaded over 1,000 times. The attack exploits trust in the open-source ecosystem, specifically within the npm registry. Once installed, the malicious packages use Hardhat runtime functions to collect sensitive information and transmit it to attacker-controlled endpoints.
The attackers are using Ethereum smart contracts to store and distribute Command & Control (C2) server addresses, making it more difficult to disrupt their infrastructure. This strategy, combined with using hardcoded keys and Ethereum addresses, enables efficient data exfiltration. The campaign is attributed to a Russian-speaking threat actor known as "_lain." The compromised development environments could lead to backdoors in production systems and significant financial losses for affected developers. Developers are urged to verify package authenticity, inspect source code, and exercise caution when using package names.
Recommended read:
References :
- ciso2ciso.com: Malicious npm packages target Ethereum developers – Source: securityaffairs.com
- securityaffairs.com: Malicious npm packages target Ethereum developers
- The Hacker News: Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages
- ciso2ciso.com: Malicious npm packages target Ethereum developers – Source: securityaffairs.com
- gbhackers.com: Malicious npm Packages Stealing Developers’ Sensitive Data
- osint10x.com: Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages
- Osint10x: Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages
- gbhackers.com: Malicious npm Packages Stealing Developers’ Sensitive Data
@gbhackers.com
//
A massive cyberattack has compromised over 10,000 WordPress websites, using them to distribute malware to both macOS and Windows users. The attackers exploited vulnerabilities in outdated WordPress versions and plugins, injecting malicious JavaScript code into the sites. This code redirects visitors to fake browser update pages, which then trick users into downloading malicious software. The campaign represents a significant escalation in threat sophistication, with the malware being delivered through client-side attacks via iframes. The malicious JavaScript dynamically injects the fake update pages, and also uses DNS prefetching to enhance the speed of loading these malicious domains.
The malware distributed includes AMOS (Atomic macOS Stealer), which targets macOS users by stealing sensitive data such as passwords and cryptocurrency wallet information. Windows users are targeted by SocGholish, a malware strain that acts as a downloader for additional malicious payloads. This coordinated approach on two operating systems suggests a sophisticated attack group or collaboration. Security experts warn that this is one of the first known cases of these specific malware strains being delivered through client-side attacks, and are urging website administrators to immediately update their WordPress installations and plugins, remove unused components, and review server logs for signs of compromise.
Recommended read:
References :
- cyberpress.org: Hackers Compromised 10,000 WordPress Websites to Drop macOS and Microsoft Malware
- gbhackers.com: 10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware
- cside.dev: 10,000 WordPress Websites Found Delivering MacOS and Microsoft Malware
- cybersecuritynews.com: Hackers Use 10,000 WordPress Sites To Deliver Malware To macOS and Microsoft Systems
- gbhackers.com: 10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware
@socket.dev
//
The North Korean state-sponsored hacking group Lazarus has been identified as the source of a sophisticated supply chain attack that targets software developers. The group employed a malicious Node Package Manager (NPM) package named "postcss-optimizer" to deliver malware. This package deceptively mimics the widely used postcss libraries. Security researchers at Socket discovered the malicious package and linked it directly to Lazarus Group, noting its code-level similarities to previous campaigns. The "postcss-optimizer" package has been downloaded 477 times and serves as a vector for deploying BeaverTail malware.
Once installed, BeaverTail functions as both an infostealer and a malware loader. It is designed to compromise systems across Windows, macOS, and Linux. The malware's targets include browser cookies, credentials, and cryptocurrency wallet files. The information is exfiltrated to a command-and-control server. It is suspected to deliver secondary payloads such as InvisibleFerret, a known backdoor associated with Lazarus. The attackers used the deceptive npm registry alias "yolorabbit" to further confuse developers, who might have believed they were downloading legitimate software.
Recommended read:
References :
- cyberpress.org: Lazarus Hackers Deploy Malicious NPM Packages on Software Developers Systems
- gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
- socket.dev: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared. h/t:
- Cyber Security News: In a detailed investigation by Socket security researchers, a new malicious npm package, “postcss-optimizer,� has been linked to the notorious North Korean Advanced Persistent Threat (APT) group Lazarus.
- gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
- : Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems.
- mastodon.social: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared. h/t:
CISO2CISO Editor 2@ciso2ciso.com
//
A new China-aligned cyber espionage group named PlushDaemon has been discovered conducting a supply chain attack against a South Korean VPN provider, IPany. The group compromised the VPN provider's software installer, replacing it with a malicious version that deploys the custom SlowStepper malware. This malware is a sophisticated backdoor with a large toolkit composed of around 30 modules, programmed in C++, Python, and Go, designed for espionage activities. The initial access vector for the group is typically by hijacking legitimate software updates of Chinese applications, but this supply chain attack marks a significant departure from their usual tactics.
ESET Research identified the attack after detecting malicious code in a Windows NSIS installer downloaded from the IPany website in May 2024. The compromised installer included both the legitimate VPN software and the SlowStepper backdoor. ESET researchers notified IPany, and the malicious installer has since been removed. PlushDaemon, active since at least 2019, is believed to be the exclusive user of the SlowStepper malware and has targeted individuals and entities in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is also known to gain access via vulnerabilities in legitimate web servers.
Recommended read:
References :
- ciso2ciso.com: PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack.
- BleepingComputer: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group
- : ESET Research : A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
- ciso2ciso.com: Details about the Chinese threat group PlushDaemon.
- www.welivesecurity.com: A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
- ciso2ciso.com: Chinese cyberspies target South Korean VPN in supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.
- www.bleepingcomputer.com: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the company's VPN installer to deploy the custom 'SlowStepper' malware.
- discuss.privacyguides.net: The attackers replaced the legitimate installer with one that also deployed the group’s signature backdoor.
- therecord.media: Chinese hackers target Korean VPN provider by placing backdoored installer on website
- ciso2ciso.com: ESET researchers discovered a previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon, which has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023.
- go.theregister.com: Supply chain attack hits Chrome extensions, could expose millions
|
|
FlagThis - #supplychainattack