CyberSecurity news

FlagThis - #supplychainattack

@Talkback Resources //
Cybersecurity researchers have recently discovered a series of malicious packages lurking within the npm registry, a popular repository for JavaScript packages. These packages are designed to mimic the legitimate "node-telegram-bot-api," a widely-used library for creating Telegram bots. However, instead of providing bot functionalities, these rogue packages install SSH backdoors on Linux systems, granting attackers persistent, passwordless remote access. The identified malicious packages include "node-telegram-utils," "node-telegram-bots-api," and "node-telegram-util," which have accumulated around 300 downloads collectively.

The packages employ a technique known as "typosquatting," where they use names similar to the legitimate library to deceive developers into installing them. They also utilize "starjacking" by linking to the genuine library's GitHub repository, further enhancing their appearance of authenticity. Once installed on a Linux system, these malicious packages inject SSH keys into the "~/.ssh/authorized_keys" file, enabling attackers to remotely access the compromised machine. They also collect system information, including the username and external IP address, and transmit it to a remote server controlled by the attackers.

Security experts warn that simply removing the malicious packages is insufficient to eliminate the threat. The injected SSH keys provide a persistent backdoor, allowing attackers to execute code and exfiltrate data even after the packages are uninstalled. This incident highlights the growing threat of supply chain attacks targeting development ecosystems like npm, underscoring the importance of rigorous dependency auditing and vigilant monitoring to safeguard systems from malicious code and unauthorized access. The researchers at Socket recommend immediate defensive actions to combat these types of threats.

Recommended read:
References :
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • The Hacker News: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems
  • Talkback Resources: Talkback.sh discusses Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems [app] [net] [mal]
  • ciso2ciso.com: Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems – Source:thehackernews.com
  • linuxsecurity.com: We Linux security administrators face a growing challenge with sophisticated supply chain attacks targeting popular development ecosystems, such as npm.
  • securityonline.info: Malicious npm Packages Backdoor Telegram Bot Developers
  • gbhackers.com: Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks

Pierluigi Paganini@securityaffairs.com //
A new cybersecurity threat has emerged, with cheap Chinese Android phones being shipped with pre-installed malware disguised as popular messaging apps like WhatsApp and Telegram. These trojanized applications contain cryptocurrency clippers, malicious programs designed to replace copied wallet addresses with those controlled by the attackers. This allows the theft of cryptocurrency during transactions without the user's knowledge. The campaign, active since June 2024, targets low-end devices, often mimicking premium brands like Samsung and Huawei, with models such as "S23 Ultra," "Note 13 Pro," and "P70 Ultra." At least four of the affected models are manufactured under the SHOWJI brand.

These counterfeit phones often spoof their technical specifications, falsely displaying that they are running the latest Android version and have improved hardware to avoid detection. According to researchers at Doctor Web, the infected devices ship with modified versions of WhatsApp that operate as clippers. These malicious programs quietly swap out wallet strings for popular coins like Ethereum and Tron whenever users send or receive them through chat. Victims remain unaware as the malware displays the correct wallet address on the sender’s screen but delivers the wrong one to the receiver, and vice versa, until the money disappears.

The attackers have expanded their reach beyond WhatsApp and Telegram, with researchers identifying nearly 40 fake applications, including crypto wallets like Trust Wallet and MathWallet, and even QR code readers. The malware is injected using a tool called LSPatch, allowing modifications without altering the core app code, which helps evade detection and survive updates. Doctor Web reports that the malware hijacks the app update process to retrieve an APK file from a server under the attacker's control and searches for strings in chat conversations that match cryptocurrency wallet address patterns.

Recommended read:
References :
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp
  • securityaffairs.com: Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps
  • The Hacker News: Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users
  • hackread.com: Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp

@www.csoonline.com //
A new cyber threat called "slopsquatting" is emerging, exploiting AI-generated code and posing a risk to software supply chains. Researchers have discovered that AI code generation tools, particularly Large Language Models (LLMs), often "hallucinate" non-existent software packages or dependencies. Attackers can capitalize on this by registering these hallucinated package names and uploading malicious code to public repositories like PyPI or npm. When developers use AI code assistants that suggest these non-existent packages, the system may inadvertently download and execute the attacker's malicious code, leading to a supply chain compromise.

This vulnerability arises because popular programming languages rely heavily on centralized package repositories and open-source software. The combination of this reliance with the increasing use of AI code-generating tools creates a novel attack vector. A study analyzing 16 code generation AI models found that nearly 20% of the recommended packages were non-existent. When the same prompts were repeated, a significant portion of the hallucinated packages were repeatedly suggested, making the attack vector more viable for malicious actors. This repeatability suggests that the hallucinations are not simply random errors but a persistent phenomenon, increasing the potential for exploitation.

Security experts warn that slopsquatting represents a form of typosquatting, where variations or misspellings of common terms are used to deceive users. To mitigate this threat, developers should exercise caution when using AI-generated code and verify the existence and integrity of all suggested packages. Organizations should also implement robust security measures to detect and prevent the installation of malicious packages from public repositories. As AI code generation tools become more prevalent, it is crucial to address this new vulnerability to protect the software supply chain from potential attacks.

Recommended read:
References :

lucija.valentic@reversinglabs.com (Lucija@Blog (Main) //
ReversingLabs has identified a malicious npm package named "pdf-to-office" that targeted cryptocurrency users by injecting malicious code into locally installed Atomic Wallet and Exodus software. The package, posing as a utility for converting PDF files to Microsoft Office documents, actually overwrites existing, legitimate files within the crypto wallet installations. This allowed attackers to silently hijack crypto transfers by swapping out the intended destination address with one belonging to the malicious actor. The ReversingLabs team continues to track threat actors using a variety of techniques to hijack popular crypto packages.

This attack vector involved the malicious patching of local software, a technique that allows attackers to intercept cryptocurrency transfers without raising immediate suspicion. The "pdf-to-office" package targeted specific versions of both Atomic Wallet (2.91.5 and 2.90.6) and Exodus (25.13.3 and 25.9.2), ensuring that the correct Javascript files were overwritten. Once executed, the malicious code would check for the presence of the "atomic/resources/app.asar" archive for Atomic Wallet and "src/app/ui/index.js" for Exodus.

The compromised wallets would then channel crypto funds to the attacker's address, even if the "pdf-to-office" package was subsequently removed from the system. ReversingLabs' Spectra Assure platform flagged the package as suspicious due to its behaviors mirroring previous npm-based malware campaigns. The initial release was on March 24, 2025, before being removed. The latest version, 1.1.2, was uploaded on April 8 and remains available for download.

Recommended read:
References :
  • hackread.com: ReversingLabs reveals a malicious npm package targeting Atomic and Exodus wallets, silently hijacking crypto transfers via software patching.
  • Blog (Main): Threat actors have been targeting the cryptocurrency community hard lately.
  • secure.software: Atomic and Exodus crypto wallets targeted in malicious npm campaign
  • The Hacker News: Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack.
  • www.scworld.com: Atomic, Exodus wallets subjected to malicious npm package attack Attackers have been looking to compromise users of the Atomic and Exodus cryptocurrency wallets through the new pdf-to-office npm package spoofing a PDF to Microsoft Word document converter, The Hacker News reports.
  • gbhackers.com: Threat Actors Exploit Legitimate Crypto Packages to Deliver Malicious Code
  • gbhackers.com: Threat actors exploit legitimate crypto packages to deliver malicious code
  • hackread.com: npm Malware Targets Atomic and Exodus Wallets to Hijack Crypto Transfers

Ddos@Daily CyberSecurity //
North Korean Lazarus APT group has expanded its malicious activities within the npm ecosystem, deploying eleven new packages designed to deliver the BeaverTail malware and a new remote access trojan (RAT) loader. These malicious packages have been downloaded over 5,600 times before their removal, posing a significant risk to developer systems. The threat actors are utilizing previously identified aliases, as well as newly created accounts, to distribute these packages.

The campaign, dubbed "Contagious Interview," aims to compromise developer systems, steal sensitive credentials or financial assets, and maintain access to compromised environments. To evade detection, the attackers are employing hexadecimal string encoding and other obfuscation techniques. Some of the packages, such as "events-utils" and "icloud-cod," are linked to Bitbucket repositories, while others use command-and-control (C2) addresses previously associated with Lazarus Group campaigns, indicating the scale and coordination of this operation.

Cybersecurity researchers are urging developers to be vigilant and carefully review all dependencies before installing them. The North Korean threat actors continue to create new npm accounts and deploy malicious code across platforms like the npm registry, GitHub, and Bitbucket, demonstrating their persistence and showing no signs of slowing down. This campaign highlights the increasing sophistication of supply chain attacks and the need for robust security measures to protect against such threats.

Recommended read:
References :
  • Security Risk Advisors: Socket Research Team's report
  • The Hacker News: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages
  • ciso2ciso.com: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages – Source:thehackernews.com
  • Talkback Resources: North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages [net] [mal]
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • securityonline.info: Lazarus Group Expands Malicious Campaign on npm, Targets Developers with New Malware
  • www.scworld.com: Malicious npm packages, BeaverTail malware leveraged in new North Korean attacks
  • Cyber Security News: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages.
  • cyberpress.org: North Korean cyber threat actors, Lazarus Group, have escalated their supply chain attack tactics by introducing a series of malicious npm (Node Package Manager) packages. Utilizing sophisticated hexadecimal encoding to camouflage their code and evade detection systems, the group aims to compromise developer systems, steal sensitive credentials, and maintain persistent access to targeted environments.
  • Chris Wysopal: Infosec.Exchange post on new supply chain NPM package malware attacks found.

info@thehackernews.com (The@The Hacker News //
A new phishing campaign called 'PoisonSeed' has emerged, posing a significant cybersecurity threat by targeting customer relationship management (CRM) platforms and bulk email service providers. The campaign leverages compromised credentials to distribute emails containing cryptocurrency seed phrases, aiming to drain victims' digital wallets. This activity forms part of a broader supply chain attack, impacting enterprise organizations and individuals outside the cryptocurrency industry, with crypto companies like Coinbase and Ledger and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho among the targeted companies.

PoisonSeed's method involves creating convincing phishing pages mimicking login portals for popular CRM and email platforms. These deceptive pages trick victims into revealing their credentials, after which the attackers automate the export of email lists and create API keys for persistent access. Compromised accounts are then used to send bulk phishing emails with urgent lures, such as fake wallet migration notices, urging recipients to set up new cryptocurrency wallets using a provided seed phrase. If entered, this seed phrase allows attackers to access the wallet and steal funds, initiating a cryptocurrency seed phrase poisoning attack.

Silent Push analysts have identified an extensive list of Indicators of Compromise (IoCs) associated with PoisonSeed's infrastructure, including phishing domains like mailchimp-sso[.]com and C2 Servers with IP addresses such as 212.224.88[.]188. While PoisonSeed shares some tactics with known groups like Scattered Spider and CryptoChameleon, it's considered a distinct entity with a focus on cryptocurrency theft rather than ransomware attacks. This malicious campaign exploits CRM credentials to spread cryptocurrency seed phrase attacks, placing many wallets at risk of compromise.

Recommended read:
References :
  • Cyber Security News: The campaign targets individuals and organizations outside the cryptocurrency industry.
  • gbhackers.com: PoisonSeed uses advanced phishing techniques.
  • www.bleepingcomputer.com: Threat actors are leveraging compromised credentials.
  • securityonline.info: SecurityOnline.info - PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • Cyber Security News: A new phishing campaign, PoisonSeed, has been targeting CRM and email providers to obtain email lists for bulk cryptocurrency spamming.
  • securityonline.info: Threat actors target email providers to provide infrastructure for cryptocurrency spam operations.
  • Security Risk Advisors: PoisonSeed Actors Hijack Bulk Email Services to Execute Cryptocurrency Seed Phrase Attacks

info@thehackernews.com (The@The Hacker News //
The PoisonSeed phishing campaign represents a new and evolving cyber threat, targeting individuals with access to critical systems like Customer Relationship Management (CRM) platforms and bulk email services. This large-scale operation compromises corporate email marketing accounts to distribute emails containing crypto seed phrases, ultimately used to drain cryptocurrency wallets. Attackers focus on high-value targets, employing detailed reconnaissance to ensure their phishing emails reach the most impactful individuals. By mimicking legitimate services through carefully crafted emails and fake login pages, PoisonSeed exemplifies the evolving nature of phishing threats, deceiving victims into believing they are from legitimate sources.

PoisonSeed's attack methodology is distinguished by its sophisticated approach, targeting individuals with access to CRM systems and bulk email platforms. The first stage involves meticulous target identification, focusing on those with access to CRM systems and bulk email platforms, as these targets provide significant leverage for further attacks. The reconnaissance process includes analyzing the email services used by companies and identifying employees in relevant positions. Once targets are identified, the attackers craft professional phishing emails designed to deceive recipients, sending them from spoofed addresses to enhance their authenticity, often containing links to fake login pages hosted on carefully named domains.

The phishing pages deployed by PoisonSeed are designed to capture sensitive information, particularly cryptocurrency wallet seed phrases. Victims are tricked into entering attacker-provided seed phrases while setting up new cryptocurrency wallets, allowing the attackers to monitor and eventually take control of these wallets once funds are deposited. Compromised accounts are then used to send bulk phishing emails, employing urgent lures, such as notifications about "restricted sending privileges" or fake wallet migration notices. Domains such as mail-chimpservices[.]com have been used to deceive MailChimp users, showcasing the campaign's attention to detail.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the PoisonSeed Phishing Campaign: A New Cyber Threat
  • www.bleepingcomputer.com: PoisonSeed phishing campaign distributing emails with wallet seed phrases.
  • bsky.app: PoisonSeed phishing campaign behind emails with wallet seed phrases
  • Cyber Security News: PoisonSeed Launches Supply Chain Phishing Attacks on CRM and Bulk Email Services
  • gbhackers.com: PoisonSeed Targets CRM and Bulk Email Providers in New Supply Chain Phishing Attack
  • securityonline.info: PoisonSeed Campaign: Uncovering a Web of Cryptocurrency and Email Provider Attacks
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • securityaffairs.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets
  • securityonline.info: Silent Push Threat Analysts have uncovered a sophisticated campaign targeting enterprise organizations, VIP individuals, and cryptocurrency holders, dubbed “PoisonSeed.â€
  • ciso2ciso.com: PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and and empty wallets – Source: securityaffairs.com
  • www.silentpush.com: Silent Push blog about PoisonSeed campaign.
  • The Hacker News: PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks
  • Security Risk Advisors: #PoisonSeed campaign compromises email providers to launch crypto seed phrase poisoning attacks. Targets include #Mailchimp #SendGrid and #Coinbase users.

David Jones@cybersecuritydive.com //
Coinbase was the initial target of a sophisticated supply chain attack on GitHub Actions, according to researchers from Palo Alto Networks and Wiz. The attack exploited the public continuous integration/continuous delivery flow of Coinbase's open-source project, agentkit. The hackers aimed to leverage agentkit for further compromises, but they did not manage to access Coinbase secrets or publish any packages.

Researchers found malicious code injected into the reviewdog/action-setup@v1 GitHub Action, a dependency of tj-actions/changed-files, which was also compromised. The attack leaked sensitive secrets from repositories that ran the workflow, assigned as CVE-2025-30066 and CVE-2025-30154. Approximately 218 repositories had secrets exposed, including credentials for DockerHub, npm, Amazon Web Services, and GitHub install access tokens.

Recommended read:
References :
  • The DefendOps Diaries: Coinbase Targeted in Sophisticated GitHub Actions Supply Chain Attack
  • www.bleepingcomputer.com: Coinbase was primary target of recent GitHub Actions breaches
  • www.cybersecuritydive.com: Coinbase originally targeted during GitHub Action supply chain attack
  • thehackernews.com: TheHackerNews reports on Coinbase initially targeted in GitHub Actions attack.
  • bsky.app: Both Wiz and Palo Alto Networks have found evidence that the compromise of the Changed-Files GitHub Action might have been a complex multi-tier supply chain attack targeting tools used by Coinbase developers
  • www.scworld.com: GitHub Action attack initially set sights on Coinbase

@itpro.com //
References: Rescana , Wiz Blog | RSS feed , Dan Goodin ...
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.

This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.

Recommended read:
References :
  • Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
  • Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
  • Open Source Security: tj-action/changed-files GitHub action was compromised
  • Dan Goodin: Is anyone following this breach involving the j-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
  • securityonline.info: Popular GitHub Action “tj-actions/changed-filesâ€� Compromised (CVE-2025-30066)
  • Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
  • www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
  • : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
  • Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack discusses the tj-actions/changed-files supply chain attack.
  • The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
  • BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
  • www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
  • Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
  • gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
  • hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
  • www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
  • bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
  • Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
  • unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
  • Legit Security Blog: Github Actions tj-actions/changed-files Attack
  • Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-filesâ€� Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
  • securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
  • bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
  • blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
  • Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
  • Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
  • thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
  • The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
  • Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
  • Schneier on Security: Critical GitHub Attack
  • Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
  • www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
  • tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram

SC Staff@scmagazine.com //
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.

Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.

Recommended read:
References :
  • The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
  • BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
  • bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
  • The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
  • socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
  • securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
  • hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
  • Threats | CyberScoop: Lazarus Group deceives developers with 6 new malicious npm packages
  • www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages
  • securityonline.info: Typosquatting & Backdoors: Lazarus’ Latest npm Campaign
  • BleepingComputer: Six malicious packages have been identified on npm (Node package manager) linked to the notorious North Korean hacking group Lazarus.
  • Security Risk Advisors: The Lazarus Group, North Korea’s notorious state-backed cyber threat actor, has infiltrated the npm ecosystem once again, deploying
  • Security Risk Advisors: Lazarus Group Deploys Malicious npm Packages to Target Developers and Exfiltrate Data
  • securityonline.info: The notorious North Korean threat actor Lazarus Group has been identified breaching Windows web servers to establish command-and-control The post appeared first on .
  • Datadog Security Labs: Stressed Pungsan: DPRK-aligned threat actor leverages npm for initial access

Pierluigi Paganini@Security Affairs //
The Chinese espionage group Silk Typhoon is expanding its cyberattacks to target the global IT supply chain. Microsoft has warned that this group, backed by the Chinese state, has shifted its tactics to focus on remote management tools and cloud services. These supply chain attacks provide access to downstream customers, enabling the group to move laterally within networks and compromise various organizations.

US government agencies have announced criminal charges against alleged members of the Silk Typhoon gang, along with the seizure of internet domains linked to their long-term espionage campaign. The group is accused of compromising US government agencies and other major organizations. The Justice Department has stated that the Chinese government, including its Ministries of State and Public Security, has encouraged and supported private contractors and technology companies to hack and steal information, providing a form of plausible deniability.

Recommended read:
References :
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • The Register - Security: They're good at zero-day exploits, too Silk Typhoon, the Chinese government crew believed to be behind the December US Treasury intrusions, has been abusing stolen API keys and cloud credentials in ongoing attacks targeting IT companies and state and local government agencies since late 2024, according to Microsoft Threat Intelligence.
  • BleepingComputer: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • securityaffairs.com: Microsoft warns that China-backed APT Silk Typhoon linked to US Treasury hack, is now targeting global IT supply chains, using IT firms to spy and move laterally.
  • cyberinsider.com: Microsoft Threat Intelligence has identified a shift in tactics by Silk Typhoon, a Chinese state-sponsored cyber-espionage group, which is now targeting IT supply chain providers, including remote management tools and cloud applications.
  • Information Security Buzz: China-linked APT Silk Typhoon targets IT Supply Chain
  • The Hacker News: China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access
  • thecyberexpress.com: The Chinese espionage group known as Silk Typhoon has expanded the cyberattacks to target the global IT supply chain. Microsoft Threat Intelligence has identified a shift in the group’s tactics, highlighting a new focus on commonly used IT solutions such as remote management tools and cloud applications.
  • gbhackers.com: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • Cyber Security News: Microsoft Warns Silk Typhoon Hackers Exploit Cloud Services to Attack IT Supply Chain
  • The Register - Security: Feds name and charge alleged Silk Typhoon spies behind years of China-on-US attacks
  • Virus Bulletin: Microsoft Threat Intelligence has identified a shift in tactics used by Silk Typhoon. The espionage group is now targeting common IT solutions like remote management tools and cloud applications to gain initial access.
  • Source: Silk Typhoon targeting IT supply chain
  • www.scworld.com: Google's Threat Intelligence Group report on Silk Typhoon's new tactic highlights the group's shift towards IT supply chain attacks.
  • Threats | CyberScoop: Silk Typhoon shifted to specifically targeting IT management companies
  • Vulnerable U: Microsoft Details Silk Typhoon’s IT Supply Chain Attacks
  • bsky.app: Microsoft warns that Chinese cyber-espionage threat group "Silk Typhoon" has shifted its tactics, now targeting remote management tools and cloud services in supply chain attacks that give them access to downstream customers.
  • : Microsoft warns that Chinese espionage group Silk Typhoon is increasingly exploiting common IT solutions to infiltrate networks and exfiltrate data.
  • securityonline.info: Zero-Day Attacks & Stolen Keys: Silk Typhoon Breaches Networks
  • Security Risk Advisors: Chinese Silk Typhoon threat actor targets global IT supply chains. Consider patching vulnerabilities, enforce MFA, audit cloud access. #CyberThreat #CloudSecurity
  • Blog: Silk Typhoon levels up, goes after IT supply chains

info@thehackernews.com (The Hacker News)@The Hacker News //
SecurityScorecard has uncovered a stealthy malware campaign orchestrated by North Korea's Lazarus Group, dubbed "Marstech Mayhem." The campaign involves the deployment of an advanced malware implant named "marstech1," designed to target cryptocurrency wallets and infiltrate the software supply chain. The implant first emerged in late December 2024, spreading through open-source software via GitHub and NPM packages, putting unsuspecting developers and their projects at risk. The group has been injecting JavaScript implants into repositories, blending malicious code with legitimate code to avoid detection.

The marstech1 implant targets Exodus and Atomic cryptocurrency wallets on Linux, macOS, and Windows. Once installed, the malware scans systems for crypto wallets, attempting to steal sensitive information. SecurityScorecard confirmed at least 233 victims across the U.S., Europe, and Asia. According to SecurityScorecard’s analysis, the threat actors have established a command and control server hosted on Stark Industries LLC infrastructure. Ryan Sherstobitoff, SecurityScorecard’s SVP of threat research and intelligence, noted that the malware uses layered obfuscation techniques, highlighting the group's sophisticated approach to evading static and dynamic analysis.

Recommended read:
References :
  • readwrite.com: Details of marstech1 implant used by Lazarus group in supply chain attacks.
  • The Hacker News: Article describing Lazarus Group's attack campaign targeting developers using marstech1 implant.
  • www.developer-tech.com: Report on Lazarus Group's use of marstech1 malware.
  • ReadWrite: North Korea’s Lazarus Group spreads crypto-stealing malware through open-source software
  • Developer Tech News: Lazarus Group infiltrates supply chain with stealthy malware

Jeff Burt@DevOps.com //
References: ciso2ciso.com , Lobsters , bsky.app ...
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.

This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.

Recommended read:
References :
  • ciso2ciso.com: Source: thehackernews.com – Author: . Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.
  • Lobsters: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first attack documented making it in the the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
  • ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
  • fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
  • DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
  • securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
  • securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s The post appeared first on .
  • www.infoworld.com: Malicious package found in the Go ecosystem
  • ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
  • ciso2ciso.com: Source: www.infoworld.com – Author: The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching.
  • heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
  • www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered

@socket.dev //
The North Korean state-sponsored hacking group Lazarus has been identified as the source of a sophisticated supply chain attack that targets software developers. The group employed a malicious Node Package Manager (NPM) package named "postcss-optimizer" to deliver malware. This package deceptively mimics the widely used postcss libraries. Security researchers at Socket discovered the malicious package and linked it directly to Lazarus Group, noting its code-level similarities to previous campaigns. The "postcss-optimizer" package has been downloaded 477 times and serves as a vector for deploying BeaverTail malware.

Once installed, BeaverTail functions as both an infostealer and a malware loader. It is designed to compromise systems across Windows, macOS, and Linux. The malware's targets include browser cookies, credentials, and cryptocurrency wallet files. The information is exfiltrated to a command-and-control server. It is suspected to deliver secondary payloads such as InvisibleFerret, a known backdoor associated with Lazarus. The attackers used the deceptive npm registry alias "yolorabbit" to further confuse developers, who might have believed they were downloading legitimate software.

Recommended read:
References :
  • cyberpress.org: Lazarus Hackers Deploy Malicious NPM Packages on Software Developers Systems
  • gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
  • socket.dev: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared. h/t:
  • Cyber Security News: In a detailed investigation by Socket security researchers, a new malicious npm package, “postcss-optimizer,â€� has been linked to the notorious North Korean Advanced Persistent Threat (APT) group Lazarus.
  • gbhackers.com: Lazarus Group Drop Malicious NPM Packages in Developers Systems Remotely
  • : Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems.
  • mastodon.social: Socket : This looks potentially related to SecurityScorecard's blog post about Lazarus Group (see parent toot above). A malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems. Socket researchers note that the package contains code linked to North Korean state-sponsored campaigns known as Contagious Interview. Indicators of compromise are shared. h/t: