CyberSecurity news
FlagThis - #supplychainattack
|
Aman Mishra@gbhackers.com
//
Hackers have successfully compromised the popular WordPress plugin Gravity Forms, embedding malicious code into versions downloaded directly from the official gravityforms.com website. This sophisticated supply chain attack targets a significant portion of WordPress websites relying on Gravity Forms for form creation and data collection. The attackers are reportedly exploiting a vulnerability within the plugin, specifically targeting the gf_api_token parameter. This allows them to inject malicious PHP code into core plugin files, such as gravityforms/common.php and includes/settings/class-settings.php, creating backdoors that can lead to remote code execution and unauthorized access.
The malicious campaign was first detected when security researchers observed suspicious HTTP POST requests to a newly registered domain, gravityapi.org, which served as a command-and-control server. The injected malware is capable of exfiltrating sensitive WordPress site data, including URLs, plugin lists, user counts, and environment details, transmitting this information to the attacker-controlled domain. Upon receiving a response, the malware can deploy further payloads, such as writing a backdoored PHP file to the server that masquerades as legitimate content management tools. This backdoor enables attackers to execute arbitrary code, create new administrator accounts, upload files, and manipulate site content with devastating effects. In response to the discovered vulnerability, Gravity Forms has swiftly released version 2.9.13 of the plugin, which is confirmed to be free of the backdoor. Additionally, the registrar Namecheap has suspended the malicious gravityapi.org domain to disrupt ongoing exploitation efforts. Website administrators are strongly advised to update their Gravity Forms plugin to the latest version immediately to mitigate the risk of compromise. Monitoring network traffic for suspicious activity, particularly POST requests to the identified malicious domain, is also a crucial step in preventing unauthorized access and code execution on affected WordPress sites. Recommended read:
References :
@securebulletin.com
//
A concerning trend of hackers exploiting open-source software supply chains has been identified, with malicious backdoors being planted in Python and NPM packages. Security researchers at Checkmarx Zero have uncovered a sophisticated campaign where attackers are using typosquatting and name-confusion tactics to trick users into downloading harmful software. This cross-ecosystem approach targets both Windows and Linux systems, deploying multi-platform payloads with the capability to steal data and establish remote control. These findings highlight the growing need for enhanced security measures within open-source ecosystems to combat supply chain attacks.
This campaign leverages the Python Package Index (PyPI) and Node Package Manager (NPM) by mimicking legitimate software. Specifically, the attack targeted users of "colorama," a popular Python tool, and "colorizr," a similar JavaScript package, by uploading packages with names like "coloramapkgs" and "colorizator". The malicious packages carry dangerous payloads designed to give attackers remote access and control, allowing them to harvest and exfiltrate sensitive data. On Windows systems, the malware attempts to bypass antivirus software, while on Linux, it establishes encrypted connections, steals information, and maintains a hidden presence. Fortunately, the identified malicious packages have been removed from public software repositories, limiting their immediate potential for damage. However, the lack of clear attribution data makes it difficult to trace the campaign back to a known adversary. Vet, an open-source tool designed to help developers and security engineers spot risks in their software supply chains, goes beyond traditional software composition analysis by detecting known vulnerabilities and flagging malicious packages. It supports ecosystems like npm, PyPI, Maven, Go, Docker, and GitHub Actions, assisting in the detection of supply chain attacks. Recommended read:
References :
Bill Toulas@BleepingComputer
//
Printer maker Procolored has been distributing malware-laced drivers to its users for at least six months. Security researcher Karsten Hahn from G Data discovered that the official software supplied with Procolored printers contained a remote access trojan (XRed) and a cryptocurrency stealer (SnipVex). These malicious files were available through the company's website, putting users at risk of having their Windows PCs compromised and cryptocurrency wallets stolen. The discovery began when YouTuber Cameron Coward, known as Serial Hobbyism, received a printer from Procolored and encountered malware alerts during setup.
Hahn's investigation revealed that 39 files on Procolored's Mega.nz account triggered malware detections, indicating a widespread issue. The XRed backdoor allows for keylogging, remote shell access, file deletion, and directory listing, while the SnipVex virus, a .NET-based clipbanker, replaces Bitcoin addresses in the clipboard, potentially redirecting cryptocurrency transactions to the attacker's wallet. Hahn traced the attacker's wallet to approximately 9.3 BTC, or $100,000 USD, accumulated before transactions stopped. Procolored acknowledged the issue, stating that the software was initially transferred via USB drives and that a virus might have been introduced during this process. The company has temporarily removed all software from its official website and is conducting a comprehensive malware scan. This incident highlights the critical importance of supply chain security within the digital printing industry and emphasizes the need for rigorous security measures during software development, testing, and distribution. Recommended read:
References :
lucija.valentic@reversinglabs.com (Lucija@Blog (Main)
//
A malicious Python package named `solana-token` has been discovered on the Python Package Index (PyPI) targeting Solana developers. This rogue package, posing as a utility for the Solana blockchain, was designed to exfiltrate source code and developer secrets from compromised machines to a hard-coded IP address. The ReversingLabs research team uncovered this supply chain attack, highlighting the increasing trend of malicious actors targeting cryptocurrency projects. Before being taken down, the `solana-token` package was downloaded over 600 times, potentially distributed through developer-focused platforms.
The malicious package contained telltale signs of compromise, including hardcoded IP addresses, outbound communications to non-standard network ports, and code that reads local files, typical of information stealers. One insidious method employed by the package scanned the Python execution stack, copied, and exfiltrated source code contained in all the files in the execution chain to a remote server. The objective was to steal sensitive information such as developer secrets and hardcoded crypto credentials, which could grant attackers unauthorized access to cryptocurrency wallets and critical infrastructure. This incident is not isolated, a previous package with the same name was published and removed in 2024, suggesting that the same malicious actors may be behind the new malicious version, said the report. Cybersecurity experts recommend that organizations respond to address the increasing number of supply chain threats targeting cryptocurrency projects by aggressively monitoring for suspicious activity and unexplained changes within open source and commercial, third-party software modules. By stopping malicious code before it is allowed to penetrate secure development environments, teams can prevent destructive supply chain attacks. Recommended read:
References :
TIGR Threat@Security Risk Advisors
//
A supply chain attack has successfully compromised the 'rand-user-agent' npm package, injecting obfuscated code designed to activate a remote access trojan (RAT) on unsuspecting users' systems. This JavaScript library, used for generating randomized user-agent strings beneficial for web scraping and automated testing, has been averaging 45,000 weekly downloads despite being deprecated. The malicious activity was detected by an automated malware analysis pipeline on May 5, 2025, which flagged the [email protected] version for containing unusual code indicative of a supply chain attack.
The injected RAT was designed to establish a persistent connection with a command and control (C2) server at http://85.239.62[.]36:3306. Upon activation, the RAT transmits critical machine identification data, including hostname, username, operating system type, and a generated UUID, enabling attackers to uniquely identify and manage compromised systems. Once connected, the RAT listens for commands from the C2 server, allowing attackers to manipulate the file system, execute arbitrary shell commands, and exfiltrate data from affected systems. Researchers at Aikido noted that threat actors exploited the package's semi-abandoned but still popular status to inject malicious code into unauthorized releases. The compromised versions of the package were promptly removed from the npm repository. Users are advised to check their systems for any installations of the compromised package and implement robust security practices to mitigate the risk of similar supply chain attacks. This incident underscores the critical importance of vigilant monitoring and dependency management in software development to protect against supply chain vulnerabilities. Recommended read:
References :
@securityonline.info
//
Security researchers are raising alarms about the open-source library 'easyjson,' a Golang package used extensively across cloud-native technologies. A new investigation by cybersecurity firm Hunted Labs has revealed that easyjson is maintained and controlled by developers associated with VK Group, a major Russian internet conglomerate based in Moscow. VK Group's ties to the Kremlin, including its leadership being under U.S. and E.U. sanctions, have ignited concerns about potential supply chain risks for organizations relying on this library. Easyjson is used by the US government and American companies.
The 'easyjson' library is deeply embedded in the software ecosystem, particularly in cloud-native applications, distributed systems, and real-time analytics platforms. It's found to be widely used in projects like Helm, Istio, Kubernetes, ArgoCD, Grafana, Sigstore, and across many US Government and Fortune 500 organizations. This widespread integration makes it difficult to monitor, remove, or replace, according to Hunted Labs. The firm's report warns that "Any compromise of a serializer is extremely dangerous because they are: invisible, deeply integrated, hard to remove, and trusted by default.” Researchers fear that Russia could alter easyjson to steal data or otherwise be abused. Hunted Labs outlines alarming possibilities if easyjson were to be compromised or weaponized, including supply chain backdoors enabling mass compromise, remote code execution via crafted JSON inputs, espionage and covert data exfiltration, and even kill switch activation across critical systems. As Hayden Smith, a cofounder at Hunted Labs, stated, the package is "basically a linchpin for the cloud native ecosystem, that’s maintained by a group of individuals based in Moscow belonging to an organization that has this suspicious history." Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting the Go programming language ecosystem, revealing three malicious Go modules designed to wipe Linux systems. These modules, named github.com/truthfulpharm/prototransform, github.com/blankloggia/go-mcp, and github.com/steelpoor/tlsproxy, contain obfuscated code that fetches next-stage payloads capable of irrevocably overwriting a Linux system's primary disk, rendering it unbootable. The attack, discovered in April 2025, highlights the dangers of direct dependency imports from public repositories and the effectiveness of code obfuscation in evading detection.
The malicious modules are designed to specifically target Linux environments. Upon execution, they retrieve a destructive shell script from a remote server using wget. This script, known as "done.sh," employs the Unix utility 'dd' to overwrite the entire primary disk ("/dev/sda") with zeroes. This process effectively eliminates the file system, operating system, and all user data, leaving affected systems crippled and data unrecoverable. According to Socket researcher Kush Pandya, this destructive method ensures no data recovery tool or forensic process can restore the data, emphasizing the extreme danger posed by modern supply-chain attacks. This incident underscores the escalating risks present in open-source supply chains and the potential for seemingly trusted code to become devastating threats. The impact of such an attack includes complete data loss, prolonged operational downtime, and severe financial and reputational damage for affected organizations. Security experts recommend thorough dependency audits, the implementation of automated code scanning tools, and continuous monitoring solutions to detect obfuscated or suspicious behaviors in third-party packages as crucial mitigation steps. Recommended read:
References :
|