Tag: malicious
-
60 Malicious npm Packages Exfiltrate Hostnames, IP Addresses, and DNS Server Details
A Socket’s Threat Research Team has revealed a sophisticated and ongoing campaign targeting the npm ecosystem, involving 60 malicious packages published under three distinct accounts: bbbb335656, cdsfdfafd49Group2436437, and sdsds656565. First detected just eleven days ago, with the latest package appearing mere hours before this report, these packages embed a covert script that activates during the…
-
Over 70 Malicious npm and VS Code Packages Found Stealing Data and Crypto
As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint.The packages, published under three different accounts, come with an install”‘time script that’s triggered during npm install, Socket security researcher Kirill Boychenko said in a…
-
Over 40 Malicious Chrome Extensions Impersonate Popular Brands to Steal Sensitive Data
Tags: browser, chrome, cyber, cybersecurity, data, google, intelligence, malicious, phishing, tacticsCybersecurity firm LayerX has uncovered over 40 malicious Chrome browser extensions, many of which are still available on the Google Chrome Web Store. These extensions, part of three distinct phishing campaigns, were designed to impersonate well-known and trusted applications and brands. Detailed Analysis Reveals Impersonation Tactics LayerX, building off initial research by the DomainTools Intelligence…
-
Bitwarden Flaw Allows Upload of Malicious PDFs, Posing Security Risk
A serious security vulnerability has been identified in Bitwarden, the popular password management platform, affecting versions up to 2.25.1. The flaw, designated CVE-2025-5138, allows attackers to execute cross-site scripting (XSS) attacks through malicious PDF files uploaded to the platform’s file handling system. Vulnerability Details and Technical Analysis The vulnerability stems from insufficient file type restrictions…
-
Apache Tomcat RCE Vulnerability Exposed with PoC Released
Tags: apache, container, control, cve, cyber, data-breach, flaw, malicious, open-source, rce, remote-code-execution, vulnerabilityA critical security vulnerability, tracked as CVE-2025-24813, has been discovered in Apache Tomcat, a widely used open-source Java servlet container and web server. This flaw, stemming from improper handling of file paths, particularly those containing internal dots (e.g., file.Name)”, can allow attackers to bypass security controls, leading to remote code execution (RCE), information disclosure, and…
-
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 46
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang RVTools Bumblebee Malware Attack How a Trusted IT Tool Became a Malware Delivery Vector Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts […]…
-
Reconnaissance Campaign Active on NPM Repository
Malicious Packages Hide Scripts for Mapping Enterprise Networks. A hacking campaign is spreading malicious reconnaissance scripts downloaded more than 3,000 times from the JavaScript runtime environment npm repository, warn researchers. The reconnaissance script is likely a harbinger of worse things to come. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/reconnaissance-campaign-active-on-npm-repository-a-28475
-
How Hunters International Used the Browser to Breach Enterprises”Š”, “ŠAnd Why They Didn’t See It”¦
How Hunters International Used the Browser to Breach Enterprises”Š”, “ŠAnd Why They Didn’t See It Coming At RSAC 2025, Cato Networks delivered a presentation that SOC teams and CISOs will want to pay attention to: “Suspicious Minds”Š”, “ŠHunting Threats That Don’t Trigger Security Alerts.” The session showcased ransomware campaigns that bypassed traditional detection. In some cases,…
-
Researchers cause GitLab AI developer assistant to turn safe code malicious
AI assistants can’t be trusted to produce safe code. First seen on arstechnica.com Jump to article: arstechnica.com/security/2025/05/researchers-cause-gitlab-ai-developer-assistant-to-turn-safe-code-malicious/
-
Dozens of malicious packages on NPM collect host and network data
60 packages have been discovered in the NPM index that attempt to collect sensitive host and network data and send it to a Discord webhook controlled by the threat actor. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/dozens-of-malicious-packages-on-npm-collect-host-and-network-data/
-
Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000
A threat actor known as #LongNight has reportedly put up for sale remote code execution (RCE) access to Burger King Spain’s backup system, leveraging vulnerabilities in the AhsayCBS platform. Priced at $4,000, this exploit offers malicious actors a potential gateway to compromise a critical infrastructural component of the fast-food giant’s operations in Spain. 4 The…
-
Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application for managing crypto assets via Ledger cold wallets. Since August 2024, Moonlock Lab has been tracking a malware campaign that initially focused on stealing passwords and wallet details but has now evolved to extract seed phrases, enabling attackers to drain…
-
GitLab Duo Vulnerability Exploited to Inject Malicious Links and Steal Source Code
A security vulnerability was recently discovered in GitLab Duo, the AI-powered coding assistant integrated into GitLab and based on Anthropic’s Claude models. Security researchers from Legit Security revealed that attackers could exploit an indirect prompt injection flaw to exfiltrate private source code, manipulate AI-generated code suggestions, and even leak confidential zero-day vulnerabilities”, all through seemingly…
-
TAG-110 Hackers Deploy Malicious Word Templates in Targeted Attacks
The Russia-aligned threat actor TAG-110, also linked to UAC-0063 and APT28 (BlueDelta) with medium confidence by CERT-UA, has shifted tactics to target government, educational, and research entities in Tajikistan. According to analysis by Insikt Group from Recorded Future Report, TAG-110 has moved away from its traditional use of HTA-based payloads like HATVIBE, which it has…
-
Scarcity signals: Are rare activities red flags?
Talos analyzed six months of PowerShell network telemetry and found that rare domains are over three times more likely to be malicious compared to frequently contacted ones. First seen on blog.talosintelligence.com Jump to article: blog.talosintelligence.com/scarcity-signals-are-rare-activities-red-flags/
-
Operation Endgame 2.0: DanaBusted
Tags: access, attack, backup, banking, breach, business, cloud, communications, control, crypto, cybercrime, data, defense, detection, email, espionage, firewall, fraud, government, group, Hardware, infection, intelligence, international, law, malicious, malware, middle-east, network, programming, ransomware, russia, service, supply-chain, switch, threat, tool, ukraine, update, windowsIntroductionOn May 22, 2025, international law enforcement agencies released information about additional actions that were taken in conjunction with Operation Endgame, an ongoing, coordinated effort to dismantle and prosecute cybercriminal organizations, including those behind DanaBot. This action mirrors the original Operation Endgame, launched in May 2024, which disrupted SmokeLoader, IcedID, SystemBC, Pikabot, and Bumblebee. Zscaler…
-
GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab’s artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites.GitLab Duo is an artificial intelligence (AI)-powered coding assistant that enables users to…
-
Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
Tags: access, advisory, api, authentication, cctv, cloud, computer, container, credentials, cve, cybersecurity, data, detection, email, exploit, flaw, government, hacker, identity, infrastructure, Internet, login, malicious, malware, mfa, military, network, ntlm, office, open-source, password, phishing, powershell, russia, service, software, threat, tool, ukraine, vulnerabilityCredential guessing and spearphishing: The attackers used brute-force credential guessing techniques, also known as password spraying, to gain initial access to accounts. This was complemented with targeted phishing emails that directed recipients to fake login pages for government entities or Western cloud email providers. These phishing pages were stored on free web hosting services or…
-
How Identity Plays a Part in 5 Stages of a Cyber Attack
Tags: access, attack, authentication, breach, cloud, computer, container, control, credentials, cyber, data, data-breach, detection, endpoint, exploit, group, iam, identity, intelligence, malicious, malware, mfa, microsoft, monitoring, password, powershell, ransomware, risk, technology, threat, tool, vulnerabilityWhile credential abuse is a primary initial access vector, identity compromise plays a key role in most stages of a cyber attack. Here’s what you need to know, and how Tenable can help. Identity compromise plays a pivotal role in how attackers move laterally through an organization. Credential abuse is the top initial access vector,…
-
Hackers Deploy Weaponized npm Packages to Target React and Node.js JavaScript Frameworks
Socket’s Threat Research Team, a series of malicious npm packages have been found lurking in the JavaScript ecosystem for over two years, amassing more than 6,200 downloads. These weaponized packages, targeting popular frameworks like React, Vue.js, Vite, Node.js, and the Quill Editor, were crafted by a threat actor under the npm alias >>xuxingfeng
-
Malicious VS Code Extensions Target Windows Solidity Developers to Steal Login Credentials
Datadog Security Research has uncovered a targeted malware campaign aimed at Solidity developers on Windows systems, using malicious Visual Studio Code (VS Code) extensions as the initial attack vector. Identified as the work of a single threat actor tracked as MUT-9332, this operation deployed three trojanized extensions solaibot, among-eth, and blankebesxstnion disguised as legitimate tools…
-
Cybercriminals Using Trusted Google Domains to Spread Malicious Code
A sophisticated new malvertising scheme has emerged, transforming trusted e-commerce websites into phishing traps without the knowledge of site owners or advertisers. Cybercriminals are exploiting integrations with Google APIs, specifically through JSONP (JSON with Padding) calls, to inject malicious scripts into legitimate online stores. These scripts operate covertly, redirecting unsuspecting shoppers to fraudulent payment pages…
-
Attackers Abuse TikTok and Instagram APIs
It must be the season for API security incidents. Hot on the heels of a developer leaking an API key for private Tesla and SpaceX LLMs, researchers have now discovered a set of tools for validating account information via API abuse, leveraging undocumented TikTok and Instagram APIs. The tools, and assumed exploitation, involve malicious Python…
-
Grafana Zero-Day Vulnerability Allows Attackers to Redirect Users to Malicious Sites
The High-severity cross-site scripting (XSS) vulnerability has been discovered in Grafana, prompting the immediate release of security patches across all supported versions. The vulnerability (CVE-2025-4123) enables attackers to redirect users to malicious websites where arbitrary JavaScript code can be executed. Grafana Labs has released patches ahead of schedule after discovering the vulnerability had been publicly…
-
Attackers Exploit BIND DNS Server Vulnerability to Crash Servers Using Malicious Packets
The vulnerability in BIND DNS server software allowed attackers to crash DNS servers by sending specifically crafted malicious packets. This flaw, identified as CVE-2023-5517, could cause named (the BIND DNS server process) to terminate unexpectedly with an assertion failure when specific queries were processed with certain features enabled. The vulnerability, disclosed in BIND 9.18.24 release…
-
New Process Injection Technique Evades EDR by Injecting Malicious Code into Windows Processes
Researchers revealed this method exploits shared memory regions and thread context manipulation to execute malicious payloads without triggering standard detection heuristics. Novel process injection technique leveraging execution-only primitives has demonstrated the ability to bypass leading Endpoint Detection and Response (EDR) systems by avoiding traditional memory allocation and modification patterns. Modern EDR solutions typically monitor for…