Rounak Jain@feeds.benzinga.com - 62d
Security firm SquareX exposed a significant vulnerability in the OAuth implementation of Google Chrome extensions just days before a major breach occurred. The flaw allowed malicious actors to inject harmful code into extensions using a sophisticated phishing campaign. This campaign involved emails disguised as Chrome Store notifications regarding policy violations, prompting developers to connect their Google account to a fake "Privacy Policy Extension". This fake extension, in turn, granted attackers the ability to edit, update, and publish extensions on the developer's account, effectively hijacking them.
The identified attack vector was demonstrated by SquareX researchers in a video just before a malicious version of Cyberhaven’s browser extension was found on the Chrome store. This malicious extension was available for over 30 hours and affected over 400,000 users before it was removed by Cyberhaven. The incident highlights the increasing risk that browser extensions pose, as most organizations don't monitor what extensions their employees are using, making them a common target for cybercriminals.
Recommended read:
References:
- www.techmeme.com: Experts say hackers compromised several companies' Chrome browser extensions, including Cyberhaven's, in a series of intrusions dating back to mid-December
- SiliconANGLE: Hackers compromise Chrome extensions with 400,000+ users
- Techmeme: Experts say hackers compromised several companies' Chrome browser extensions, including Cyberhaven's, in a series of intrusions dating back to mid-December (Reuters)
- www.channelnewsasia.com: Hackers hijack a wide range of companies' Chrome extensions, experts say.
- BleepingComputer: At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users.
- www.bleepingcomputer.com: Cybersecurity firm’s Chrome extension hijacked to steal user data
- siliconangle.com: Hackers have compromised several popular Chrome extensions with hundreds of thousands of users, TechCrunch reported today.
- techcrunch.com: Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens
- infosec.exchange: Data-loss prevention startup Cyberhaven said hackers took over its official Chrome extension, pushing a malicious version designed to steal passwords and session tokens.
- www.benzinga.com: Google Chrome Users Beware This Holiday Season: Cyber Security Firm's Browser Extension Hijacked By Attackers
- www.neowin.net: Cyberhaven Chrome extension targeted by hack, company admits
- gbhackers.com: Cyberhaven, a prominent cybersecurity company, disclosed that its Chrome extension With 400,000+ users was targeted in a malicious cyberattack on Christmas Eve 2024
- www.engadget.com: Hackers injected malicious code into several Chrome extensions in recent attack
- gbhackers.com: Cyberhaven Hacked – Chrome Extension With 400,000 users Compromised
- ciso2ciso.com: 16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft – Source:thehackernews.com
- Dataconomy: Over 600,000 users exposed in Chrome hack: Are you one of them?
- DMR News: Hackers Use Chrome Extensions to Steal User Data
- The Hacker News: When Good Extensions Go Bad: Takeaways from the Campaign Targeting Browser Extensions
- Mashable: Mashable reports on hackers taking over Google Chrome extensions in a cyberattack.
- Alex Jimenez: Hackers take over Google Chrome extensions in cyberattack. Malicious code was inserted into Chrome extensions in a phishing campaign.
- bgr.com: Hackers are hijacking Chrome extensions in an attempt to steal your data
- ciso2ciso.com: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach – Source:hackread.com
- The Last Watchdog: SquareX exposes OAuth attack on Chrome extensions, days before a major breach.
- www.lastwatchdog.com: News alert: SquareX exposes OAuth attack on Chrome extensions — days before a major breach
- Pyrzout :vm:: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach
- labs.sqrx.com: OAuth Identity Attack — Are your Extensions Affected?
- osint10x.com: SquareX Researchers Expose OAuth Attack on Chrome Extensions Days Before Major Breach
- iHLS: Massive Ongoing Chrome Extension Hack Affects Over Two Million Users
- bsky.app: New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven. https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/
- www.bleepingcomputer.com: New details have emerged about a phishing campaign targeting Chrome browser extension developers
- BleepingComputer: New details have emerged about a phishing campaign targeting Chrome browser extension developers that led to the compromise of at least thirty-five extensions to inject data-stealing code, including those from cybersecurity firm Cyberhaven.
- Pyrzout :vm:: Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft – Source:thehackernews.com
- ciso2ciso.com: Hacking campaign compromised at least 16 Chrome browser extensions – Source: securityaffairs.com
- ciso2ciso.com: Dozens of Chrome Browser Extensions Hijacked by Data Thieves – Source: www.infosecurity-magazine.com
- ciso2ciso.com: ciso2ciso Article on Chrome Browser Extensions Hijacked
- Latest from TechRadar: The recent cyberattack which hit security firm Cyberhaven and then affected a number of Google Chrome extensions may have been part of a ‘wider …
- securityonline.info: In a detailed report from Team Axon—led by Alon Klayman and Uri Kornitzer—researchers have revealed on a sophisticated
MalBot@malware.news - 69d
A supply chain attack has compromised open-source packages associated with rspack and vant, injecting cryptomining malware. The compromised packages had hundreds of thousands of weekly downloads, posing a significant threat to users of these projects. The affected version is 1.1.7. This event underscores the growing threat of supply chain attacks targeting open-source software projects. The vulnerability emphasizes the need for stronger security protocols in open-source ecosystems and for better vetting of dependencies.
Recommended read:
References:
- malware.news: Open source in the crosshairs: New cryptomining hacks highlight key threat
- The Hacker News: TheHackerNews article about Rspack npm packages compromised with crypto mining malware.
- AAKL: Socket, from yesterday: Supply Chain Attack on Rspack npm Packages Injects Cryptojacking Malware More:
- Security Risk Advisors: Supply Chain Attack on Rspack npm Packages Deploys Cryptojacking Malware
- Blog (Main): ReversingLabs reports on cryptomining hacks in open source projects.
- socket.dev: Open source in the crosshairs: New cryptomining hacks highlight key threat
- www.bleepingcomputer.com: Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.
- Osint10x: Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
- Osint10x: OSINT10X reports on cryptomining hacks on open source packages.
- BleepingComputer: Three popular npm packages, @rspack/core, @rspack/cli, and Vant, were compromised through stolen npm account tokens, allowing threat actors to publish malicious versions that installed cryptominers.
- Security Boulevard: OSS in the crosshairs: Cryptomining hacks highlight key new threat
- 2024 Sonatype Blog: npm packages from Rspack, Vant compromised, blocked by Sonatype
- www.npmjs.com: npm packages from Rspack, Vant compromised, blocked by Sonatype
- malware.news: Supply chain attack compromises rspack, Vant packages with XMRig cryptominer
- securityonline.info: Rspack Supply Chain Attack Injects Cryptojacking Malware Into npm Ecosystem
- www.scworld.com: Supply chain attack compromises rspack, Vant packages with XMRig cryptominer
- osint10x.com: Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner
- Osint10x: Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner
- hackread.com: Supply Chain Attack Hits Popular Rspack and Vant npm Packages with Monero Miner
Jeff Burt@DevOps.com - 23d
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.
This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.
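The integrity check Socket recommends rests on how the Go toolchain pins module contents: go.sum records a hash of the exact file set that was downloaded, so a tag that is later moved on GitHub no longer reproduces the hash the mirror cached. The following added example (not code from Socket or the Go project) recomputes that hash with Go's dirhash "Hash1" algorithm in Python for two constructed snapshots of a hypothetical module, `example.com/kv`: what the mirror cached for v1.0.0, and what the moved tag now points at. Module name, file names and contents are all assumptions for the demonstration.

```python
import base64
import hashlib

# Two constructed snapshots of a hypothetical module "example.com/kv" at tag v1.0.0.
# File names follow the layout of a Go module zip: "<module>@<version>/<path>".
# CACHED_FILES stands for what the Go Module Mirror served and cached for that
# version; TAG_FILES stands for what the same git tag points at after being moved.
CACHED_FILES = {
    "example.com/kv@v1.0.0/go.mod": b"module example.com/kv\n\ngo 1.21\n",
    "example.com/kv@v1.0.0/kv.go": b"package kv\n\n// Open returns a handle.\nfunc Open() {}\n",
    "example.com/kv@v1.0.0/internal/net.go": b"package internal\n",
}
TAG_FILES = {
    "example.com/kv@v1.0.0/go.mod": b"module example.com/kv\n\ngo 1.21\n",
    "example.com/kv@v1.0.0/kv.go": b"package kv\n\n// Open returns a handle.\nfunc Open() {}\n",
}


def dirhash_hash1(files):
    """Go's dirhash Hash1: for each file, in sorted name order, append
    "<sha256 hex>  <name>\\n" to a summary, then hash the summary once more.
    go.sum stores the result as "h1:" + base64(sha256(summary))."""
    summary = "".join(
        f"{hashlib.sha256(files[name]).hexdigest()}  {name}\n" for name in sorted(files)
    )
    return "h1:" + base64.b64encode(hashlib.sha256(summary.encode()).digest()).decode()


def gosum_line(module, version, files):
    """Render the go.sum entry a client records after downloading this version."""
    return f"{module} {version} {dirhash_hash1(files)}"


def verify_against_gosum(line, files):
    """Return True when the file set reproduces the hash pinned in a go.sum line."""
    _module, _version, want = line.split()
    return dirhash_hash1(files) == want


def compare_snapshots(cached=CACHED_FILES, tag=TAG_FILES):
    """Report whether the mirror's cached version and the current tag agree,
    and which file names are present in only one of them."""
    cached_hash = dirhash_hash1(cached)
    tag_hash = dirhash_hash1(tag)
    return {
        "cached": cached_hash,
        "tag": tag_hash,
        "match": cached_hash == tag_hash,
        "only_in_cache": sorted(set(cached) - set(tag)),
        "only_in_tag": sorted(set(tag) - set(cached)),
    }


if __name__ == "__main__":
    line = gosum_line("example.com/kv", "v1.0.0", CACHED_FILES)
    print(line)
    print("cached zip verifies against go.sum:", verify_against_gosum(line, CACHED_FILES))
    report = compare_snapshots()
    print("tag matches cached zip:", report["match"])
    print("files only in the cached zip:", report["only_in_cache"])
```

The point for a reviewer is that reading the repository at the tag is not the same as reading what `go get` installs: the cached zip is what gets compiled, so the hash of the cached zip must be compared with a hash computed from the source actually reviewed, and any file present only in the cache deserves a look.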
Recommended read:
References:
- ciso2ciso.com: Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems. (Source: thehackernews.com)
- lobste.rs: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
- bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first documented attack making it into the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
- ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
- fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
- securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
- www.infoworld.com: Malicious package found in the Go ecosystem
- ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
- ciso2ciso.com: The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching. (Source: www.infoworld.com)
- heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered. A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
- www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered
@feeds.feedburner.com - 81d
A critical security flaw has been discovered in versions 1.95.6 and 1.95.7 of the widely used @solana/web3.js npm library, a JavaScript tool crucial for Solana blockchain applications. This supply chain attack, affecting over 350,000 weekly downloads, injected malicious code designed to steal private keys. The compromised code, concealed within legitimate code paths, exfiltrated private keys to a hardcoded Solana address (FnvLGtucz4E1ppJHRTev6Qv4X7g8Pw6WPStHCcbAKbfx) via Cloudflare headers, potentially leading to cryptocurrency theft from both developers and end-users. The attack, believed to stem from a phishing or social engineering campaign against library maintainers, underscores the vulnerability of software supply chains in the crypto space.
Developers are strongly urged to immediately update to version 1.95.8 or downgrade to version 1.95.5 of the @solana/web3.js library. Those who suspect their keys may be compromised are advised to rotate their authority keys. The compromised versions are no longer available for download. While non-custodial wallets are not affected, this incident highlights the serious risks associated with compromised open-source libraries and the importance of vigilant security practices within the development ecosystem. The compromised versions, which attracted over 50 million downloads, were identified and reported across several cybersecurity news outlets including Malware News, BleepingComputer, Cyber Insider, and The Hacker News.
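Both the rspack incident above and this one come down to the same operational question: does any project on the build farm have one of the named releases pinned in its lockfile? The following added example (not from any of the cited outlets or projects) answers that for npm's `package-lock.json` by walking the `packages` map that lockfile versions 2 and 3 use, matching each installed path against the compromised versions the summaries name (`@rspack/core` and `@rspack/cli` 1.1.7; `@solana/web3.js` 1.95.6 and 1.95.7). Vant is left out because its affected versions are not given here. The lockfile it scans is constructed for the demonstration.

```python
import json

# Compromised releases named in the summaries above. Vant is omitted because its
# affected versions are not stated here.
KNOWN_BAD = {
    "@rspack/core": {"1.1.7"},
    "@rspack/cli": {"1.1.7"},
    "@solana/web3.js": {"1.95.6", "1.95.7"},
}

# Remediation as stated in the summary: move @solana/web3.js to 1.95.8 or back to 1.95.5.
ADVICE = {
    "@solana/web3.js": "update to 1.95.8 or downgrade to 1.95.5; rotate authority keys if exposure is suspected",
}

# Constructed package-lock.json (lockfileVersion 3 layout), not a real project's lockfile.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@rspack/core": {"version": "1.1.7"},
        "node_modules/@solana/web3.js": {"version": "1.95.7"},
        "node_modules/some-wallet-lib": {"version": "2.0.0"},
        # a nested copy that is already on the fixed release
        "node_modules/some-wallet-lib/node_modules/@solana/web3.js": {"version": "1.95.8"},
    },
})


def package_name(lock_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (the innermost package)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(text, known_bad=KNOWN_BAD):
    """Return (install path, name, version, advice) for every installed copy of a
    known-compromised release. Handles lockfileVersion 2 and 3, which list every
    installed path, nested copies included, under "packages"."""
    lock = json.loads(text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path)
        version = meta.get("version")
        if version in known_bad.get(name, set()):
            findings.append((path, name, version, ADVICE.get(name, "upgrade to a clean release")))
    return sorted(findings)


if __name__ == "__main__":
    for path, name, version, advice in scan_lockfile(SAMPLE_LOCKFILE):
        print(f"{path}: {name}@{version} is a known-compromised release; {advice}")
```

Because the lockfile records nested installs separately, a transitive copy pulled in by a wallet library is caught as readily as a direct dependency, which is where a quick `npm ls` by hand tends to miss.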
Recommended read:
References:
- The Hacker News: The Hacker News discusses the backdoor discovered in Solana's Web3.js npm library.
- Help Net Security: Solana’s popular web3.js library backdoored in supply chain compromise
- CyberInsider: Supply chain attack on Solana core library
- www.bleepingcomputer.com: Solana's web3.js library was backdoored to steal secret private keys via a supply chain attack, affecting cryptocurrency wallets.
- socket.dev: Supply chain attack: Solana web3.js library
- bsky.app: The legitimate Solana JavaScript SDK was temporarily compromised by a supply chain attack, resulting in malicious code stealing cryptocurrency private keys.
- malware.news: Malware News reports on the malware found in Solana's npm library with 50M downloads.
- www.bleepingcomputer.com: BleepingComputer reports on the malicious Solana packages found on npm.
- bsky.app: Analysis of the Solana package revealed malicious URLs designed to exfiltrate private keys.
- Security Risk Advisors: Supply Chain Attack Compromises Solana’s web3.js Library, Targets Private Keys
- sra.io: SRA.io article mentioning the Solana vulnerability.
- arstechnica.com: Backdoor slipped into popular code library, drains ~$155k from digital wallets | Ars Technica "The backdoor came in the form of code that collected private keys and wallet addresses when apps that directly handled private keys incorporated solana-web3.js versions 1.95.6 and 1.95.7. These backdoored versions were available for download during a five-hour window between 3:20 pm UTC and 8:25 pm UTC on Tuesday"
- www.heise.de: Supply chain attack: Solana web3.js library was infected with malicious code. Unknown attackers have equipped Solana's JavaScript SDK with malicious code to steal private keys.
info@thehackernews.com (The Hacker News)@The Hacker News - 12d
SecurityScorecard has uncovered a stealthy malware campaign orchestrated by North Korea's Lazarus Group, dubbed "Marstech Mayhem." The campaign involves the deployment of an advanced malware implant named "marstech1," designed to target cryptocurrency wallets and infiltrate the software supply chain. The implant first emerged in late December 2024, spreading through open-source software via GitHub and NPM packages, putting unsuspecting developers and their projects at risk. The group has been injecting JavaScript implants into repositories, blending malicious code with legitimate code to avoid detection.
The marstech1 implant targets Exodus and Atomic cryptocurrency wallets on Linux, macOS, and Windows. Once installed, the malware scans systems for crypto wallets, attempting to steal sensitive information. SecurityScorecard confirmed at least 233 victims across the U.S., Europe, and Asia. According to SecurityScorecard’s analysis, the threat actors have established a command and control server hosted on Stark Industries LLC infrastructure. Ryan Sherstobitoff, SecurityScorecard’s SVP of threat research and intelligence, noted that the malware uses layered obfuscation techniques, highlighting the group's sophisticated approach to evading static and dynamic analysis.
Recommended read:
References:
- readwrite.com: Details of marstech1 implant used by Lazarus group in supply chain attacks.
- The Hacker News: Article describing Lazarus Group's attack campaign targeting developers using marstech1 implant.
- www.developer-tech.com: Report on Lazarus Group's use of marstech1 malware.
- ReadWrite: North Korea’s Lazarus Group spreads crypto-stealing malware through open-source software
- Developer Tech News: Lazarus Group infiltrates supply chain with stealthy malware
Pierluigi Paganini@Security Affairs - 37d
Multiple malicious npm packages have been discovered targeting Solana private keys, posing a significant threat to users of Solana wallets. These packages, including '@async-mutex/mutex', 'dexscreener', 'solana-transaction-toolkit', and 'solana-stable-web-huks', use techniques like typosquatting to appear legitimate while secretly stealing and exfiltrating private keys. The threat actors utilize similar code to intercept private keys during wallet interactions and then route the stolen data through Gmail's SMTP servers. This leverages Gmail’s trusted status to evade detection by security systems, making it more difficult for firewalls to identify the malicious activity.
The malicious packages not only steal private keys but also actively drain victims' wallets. Packages such as 'solana-transaction-toolkit' and 'solana-stable-web-huks' have been found to transfer up to 98% of funds from the user's wallet to attacker-controlled addresses. Additionally, the threat actors have created fake GitHub repositories designed to look like helpful Solana development tools in order to further spread the malicious code. Security researchers have urged users to be cautious when downloading packages, especially those with unusual names or low download counts. While these packages are active, efforts are underway to remove them and associated GitHub repositories.
Recommended read:
References:
- gbhackers.com: Hackers Weaponize npm Packages To Steal Solana Private Keys Via Gmail
- securityaffairs.com: Malicious npm and PyPI target Solana Private keys to steal funds from victims’ wallets
- The Hacker News: Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP
info@thehackernews.com (The Hacker News)@The Hacker News - 52d
Ethereum developers are being targeted by a supply chain attack involving malicious npm packages designed to look like legitimate Hardhat plugins. These fake packages, with names closely resembling real ones, are being used to steal sensitive data, including private keys and mnemonics. Researchers have identified at least 20 of these malicious packages, which have collectively been downloaded over 1,000 times. The attack exploits trust in the open-source ecosystem, specifically within the npm registry. Once installed, the malicious packages use Hardhat runtime functions to collect sensitive information and transmit it to attacker-controlled endpoints.
The attackers are using Ethereum smart contracts to store and distribute Command & Control (C2) server addresses, making it more difficult to disrupt their infrastructure. This strategy, combined with using hardcoded keys and Ethereum addresses, enables efficient data exfiltration. The campaign is attributed to a Russian-speaking threat actor known as "_lain." The compromised development environments could lead to backdoors in production systems and significant financial losses for affected developers. Developers are urged to verify package authenticity, inspect source code, and exercise caution when using package names.
Recommended read:
References:
- ciso2ciso.com: Malicious npm packages target Ethereum developers – Source: securityaffairs.com
- securityaffairs.com: Malicious npm packages target Ethereum developers
- The Hacker News: Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages
- gbhackers.com: Malicious npm Packages Stealing Developers’ Sensitive Data
- osint10x.com: Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages
- Osint10x: Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages
do son@securityonline.info - 72d
A critical vulnerability (CVE-2024-54143) in OpenWrt’s Attended SysUpgrade (ASU) server allowed attackers to inject malicious firmware images during updates. The vulnerability exploited a truncated SHA-256 hash collision and a command injection flaw, putting many routers at risk. OpenWrt developers quickly addressed the vulnerability in updated releases. This attack highlights the criticality of securing the firmware update process and the risk of supply chain attacks affecting embedded devices.
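The "truncated SHA-256 hash collision" deserves a concrete illustration, because a shortened digest used as a cache or lookup key silently gives up the collision resistance the full hash provides. The following added example (not OpenWrt's code; the summary does not state how many characters the ASU server kept, so the truncation length is a parameter) shows the weak pattern beside the full-hash form, the birthday-bound estimate of how many distinct requests it takes to collide a key of a given width, and a search over constructed build-request strings that finds a colliding pair for a short truncation. The request format is an assumption for the demonstration.

```python
import hashlib
import math


def full_cache_key(request: str) -> str:
    """Full SHA-256 of the request: 256 bits, so collisions are computationally out of reach."""
    return hashlib.sha256(request.encode()).hexdigest()


def truncated_cache_key(request: str, hex_chars: int) -> str:
    """The weak pattern: keep only the first hex_chars characters (4 bits each).
    Two different requests with the same truncated key map to the same cache entry."""
    return full_cache_key(request)[:hex_chars]


def expected_trials_to_collision(bits: int) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^bits) random inputs yield a collision.
    For a 48-bit key (12 hex characters) that is on the order of 2 x 10^7 trials."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_truncated_collision(hex_chars: int, max_trials: int = 1_000_000):
    """Feed distinct constructed build requests through the truncated key until two
    of them share a key. Returns the colliding pair, or None within max_trials."""
    seen = {}
    for i in range(max_trials):
        request = f"target=generic;profile=x86-64;packages=pkg{i}"  # constructed request
        key = truncated_cache_key(request, hex_chars)
        if key in seen:
            return seen[key], request
        seen[key] = request
    return None


def key_width_is_adequate(hex_chars: int, min_bits: int = 128) -> bool:
    """Policy check a reviewer can apply: a key derived from a hash should keep at
    least min_bits of it (the full 64 hex characters is the simplest safe choice)."""
    return hex_chars * 4 >= min_bits


if __name__ == "__main__":
    for width in (4, 12, 64):
        print(f"{width} hex chars: ~{expected_trials_to_collision(width * 4):.3g} trials to collide,"
              f" adequate={key_width_is_adequate(width)}")
    pair = find_truncated_collision(4)
    print("two requests sharing a 16-bit key:", pair)
    print("their full hashes differ:", full_cache_key(pair[0]) != full_cache_key(pair[1]))
```

The search for a 16-bit key completes in a few hundred iterations and is guaranteed to succeed within 65537 distinct inputs; the same arithmetic is what makes a 48-bit key reachable with modest compute and a 256-bit key not. Whatever a cache key is derived from, the defensive rule is to keep the whole digest and, where the request also reaches a shell or build command, to validate and quote every field independently of the hash.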
Recommended read:
References:
- Cyber Security News: Information about the OpenWrt supply chain attack that uses a SHA-256 collision and command injection.
- malware.news: Details about a critical OpenWrt vulnerability enabling malicious firmware installation.
- securityonline.info: Report on the vulnerability in OpenWrt's Attended SysUpgrade (ASU) server that allows for firmware poisoning.
- socradar.io: Details about the critical vulnerability (CVE-2024-54143) in OpenWrt’s Attended SysUpgrade (ASU) server, allowing attackers to compromise firmware integrity.
- www.bleepingcomputer.com: Security researcher RyotaK discovered a vulnerability in OpenWrt's sysupgrade mechanism that allows for command injection.
- www.scworld.com: Critical OpenWrt bug enabling malicious firmware image installation addressed
@gbhackers.com - 28d
A massive cyberattack has compromised over 10,000 WordPress websites, using them to distribute malware to both macOS and Windows users. The attackers exploited vulnerabilities in outdated WordPress versions and plugins, injecting malicious JavaScript code into the sites. This code redirects visitors to fake browser update pages, which then trick users into downloading malicious software. The campaign represents a significant escalation in threat sophistication, with the malware being delivered through client-side attacks via iframes. The malicious JavaScript dynamically injects the fake update pages, and also uses DNS prefetching to enhance the speed of loading these malicious domains.
The malware distributed includes AMOS (Atomic macOS Stealer), which targets macOS users by stealing sensitive data such as passwords and cryptocurrency wallet information. Windows users are targeted by SocGholish, a malware strain that acts as a downloader for additional malicious payloads. This coordinated approach on two operating systems suggests a sophisticated attack group or collaboration. Security experts warn that this is one of the first known cases of these specific malware strains being delivered through client-side attacks, and are urging website administrators to immediately update their WordPress installations and plugins, remove unused components, and review server logs for signs of compromise.
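Administrators asked to "review" a compromised site need something more specific than eyeballing the HTML. The passage above names two markers of this campaign, an injected iframe that carries the fake update page and DNS-prefetch hints that warm up the attacker's domains, and both are visible in the served page. The following added example (not from cside or any outlet cited here) is a small scanner built on Python's standard `html.parser` that lists every iframe, script and dns-prefetch hint pointing at a host outside an allowlist of the site's expected origins. The sample page and the hostnames in it are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (constructed) WordPress site is expected to reference. s.w.org is the
# prefetch hint WordPress emits by default; the site host is an assumed example.
ALLOWED_HOSTS = {"www.example-site.test", "s.w.org"}

# Constructed page: a normal WordPress header plus two injected elements.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<link rel="dns-prefetch" href="//s.w.org">
<link rel="dns-prefetch" href="//updates.example-injected.test">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.example-site.test/wp-content/themes/x/theme.js"></script>
</head><body>
<p>Welcome.</p>
<iframe src="https://updates.example-injected.test/update.html"
        style="position:absolute;top:0;left:0;width:100%;height:100%"></iframe>
</body></html>"""


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; None for same-origin paths."""
    if not url:
        return None
    if url.startswith("//"):
        url = "https:" + url  # protocol-relative form commonly used by dns-prefetch hints
    return urlparse(url).hostname


class InjectionScanner(HTMLParser):
    """Collect (kind, host, url) for third-party iframes, scripts and prefetch hints."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "dns-prefetch" in (a.get("rel") or "").lower().split():
            self._check("dns-prefetch", a.get("href"))
        elif tag == "iframe":
            self._check("iframe", a.get("src"))
        elif tag == "script":
            self._check("script", a.get("src"))

    def _check(self, kind, url):
        host = host_of(url)
        if host and host.lower() not in self.allowed:
            self.findings.append((kind, host, url))


def scan_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return every reference to a host outside the allowlist, in document order."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, host, url in scan_page(SAMPLE_HTML):
        print(f"{kind:12} -> {host}  ({url})")
```

Run against the HTML as the browser receives it (a fetch of the live page, not the theme files on disk), since this campaign injects at the client side; a full-viewport iframe from a host the site has never referenced, appearing alongside a fresh dns-prefetch hint for the same host, is exactly the signature described above. Unexpected hits should be followed by the update and log-review steps the passage recommends.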
Recommended read:
References:
- cyberpress.org: Hackers Compromised 10,000 WordPress Websites to Drop macOS and Microsoft Malware
- gbhackers.com: 10,000 WordPress Websites Hacked to Distributing MacOS and Microsoft Malware
- cside.dev: 10,000 WordPress Websites Found Delivering MacOS and Microsoft Malware
- cybersecuritynews.com: Hackers Use 10,000 WordPress Sites To Deliver Malware To macOS and Microsoft Systems
@socket.dev - 27d
The North Korean state-sponsored hacking group Lazarus has been identified as the source of a sophisticated supply chain attack that targets software developers. The group employed a malicious Node Package Manager (NPM) package named "postcss-optimizer" to deliver malware. This package deceptively mimics the widely used postcss libraries. Security researchers at Socket discovered the malicious package and linked it directly to Lazarus Group, noting its code-level similarities to previous campaigns. The "postcss-optimizer" package has been downloaded 477 times and serves as a vector for deploying BeaverTail malware.
Once installed, BeaverTail functions as both an infostealer and a malware loader. It is designed to compromise systems across Windows, macOS, and Linux. The malware's targets include browser cookies, credentials, and cryptocurrency wallet files. The information is exfiltrated to a command-and-control server. It is suspected to deliver secondary payloads such as InvisibleFerret, a known backdoor associated with Lazarus. The attackers used the deceptive npm registry alias "yolorabbit" to further confuse developers, who might have believed they were downloading legitimate software.
Recommended read:
References:
- cyberpress.org: Lazarus Hackers Deploy Malicious NPM Packages on Software Developers Systems
- gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
- socket.dev: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared.
- Cyber Security News: In a detailed investigation by Socket security researchers, a new malicious npm package, “postcss-optimizer,” has been linked to the notorious North Korean Advanced Persistent Threat (APT) group Lazarus.
- mastodon.social: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared.
CISO2CISO Editor 2@ciso2ciso.com - 36d
A new China-aligned cyber espionage group named PlushDaemon has been discovered conducting a supply chain attack against a South Korean VPN provider, IPany. The group compromised the VPN provider's software installer, replacing it with a malicious version that deploys the custom SlowStepper malware. This malware is a sophisticated backdoor with a large toolkit composed of around 30 modules, programmed in C++, Python, and Go, designed for espionage activities. The initial access vector for the group is typically by hijacking legitimate software updates of Chinese applications, but this supply chain attack marks a significant departure from their usual tactics.
ESET Research identified the attack after detecting malicious code in a Windows NSIS installer downloaded from the IPany website in May 2024. The compromised installer included both the legitimate VPN software and the SlowStepper backdoor. ESET researchers notified IPany, and the malicious installer has since been removed. PlushDaemon, active since at least 2019, is believed to be the exclusive user of the SlowStepper malware and has targeted individuals and entities in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand. The group is also known to gain access via vulnerabilities in legitimate web servers.
Recommended read:
References:
- ciso2ciso.com: PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack.
- BleepingComputer: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group
- ciso2ciso.com: Details about the Chinese threat group PlushDaemon.
- www.welivesecurity.com: A previously unknown China-aligned APT dubbed PlushDaemon conducts cyberespionage and is responsible for a supply-chain attack against a VPN provider in South Korea.
- ciso2ciso.com: Chinese cyberspies target South Korean VPN in supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.
- www.bleepingcomputer.com: South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the company's VPN installer to deploy the custom 'SlowStepper' malware.
- discuss.privacyguides.net: The attackers replaced the legitimate installer with one that also deployed the group’s signature backdoor.
- therecord.media: Chinese hackers target Korean VPN provider by placing backdoored installer on website
- ciso2ciso.com: ESET researchers discovered a previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon, which has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023.
- go.theregister.com: Supply chain attack hits Chrome extensions, could expose millions