All news with #cryptojacking tag

⚠️ Patches for the React2Shell vulnerability should be prioritized: researchers report active, largely automated exploitation attempts targeting React Server Components and Next.js. Public proof-of-concept code has been reused by attackers, with initial payloads performing lightweight proof-of-execution checks and staged PowerShell download-and-execute stagers. Vendors including JFrog, Wiz and Greynoise warn of fake PoCs on GitHub, cryptojacking, credential theft attempts, and Mirai-style kit integration, while AWS reports state-linked groups targeting exposed apps — making immediate remediation and verification essential.

🪲 Oligo Security warns of an active campaign, codenamed ShadowRay 2.0, that exploits a two-year-old authentication flaw in the Ray AI framework (CVE-2023-48022, CVSS 9.8) to convert exposed clusters with NVIDIA GPUs into a self-replicating cryptomining botnet using XMRig. Operators submit malicious jobs to the unauthenticated Job Submission API (/api/jobs/), stage payloads on GitLab and GitHub, and abuse Ray’s orchestration to pivot laterally, establish persistence via cron jobs, and propagate to other dashboards. Oligo recommends restricting access, enabling authentication on the Ray Dashboard (default port 8265) and using Anyscale’s Ray Open Ports Checker plus firewall rules to reduce accidental exposure.

⚠ A global campaign named ShadowRay 2.0 is exploiting an unpatched code-execution flaw (CVE-2023-48022) in Ray clusters to deploy a self-propagating cryptomining botnet. Researchers at Oligo attribute the activity to an actor tracked as IronErn440, which uses AI-generated payloads submitted to Ray’s unauthenticated Jobs API. The malware deploys XMRig to mine Monero, establishes persistence via cron and systemd, and opens reverse shells for interactive control. Operators also throttle CPU use and conceal miners with deceptive names to evade detection.

🚨 The UK's National Crime Agency (NCA) has launched the "Crypto Dream Scam Nightmare" campaign to warn men under 45 about crypto investment fraud that lures victims with professional sites, apps and romance baiting. The initiative, part of the Home Office's Stop! Think Fraud programme, includes a short video and a 10-tip info sheet to help people recognise and avoid scams. The NCA noted Action Fraud logged over 17,000 investment fraud reports last year.

⚠️ CISA and researchers report active exploitation of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki, including code injection, missing authorization, and eval injection flaws. Dassault addressed CVE-2025-6204 and CVE-2025-6205 for 2020–2025 releases in August and these issues were added to CISA’s Known Exploited Vulnerabilities catalog. The XWiki flaw (CVE-2025-24893) is being abused in a two-stage chain that stages and later executes a downloader to deliver a cryptocurrency miner. Organizations should apply vendor updates immediately and meet federal remediation deadlines where applicable.

⚠️ Google Threat Intelligence Group has linked a North Korean threat actor to EtherHiding, a technique that embeds malicious JavaScript inside smart contracts so the blockchain functions as a resilient command-and-control server. Tracked as UNC5342, the actor used EtherHiding within an elaborate social-engineering campaign to deliver JADESNOW and a JavaScript variant of INVISIBLEFERRET, leading to multiple cryptocurrency heists. The campaign targets developers via fake recruiters and deceptive coding tests on Telegram and Discord.

🛡️ Minecraft mods can enhance gameplay but also serve as vectors for malware. This article explains how threat actors disguise Trojans, infostealers, ransomware and cryptominers as mods or cheat tools and distribute them via GitHub, mod repositories and forums. It outlines practical precautions — sourcing mods from trusted repositories, checking developer reputation and file types, using non-admin accounts, backups and security software — and steps to take if a mod is suspected malicious.

🔒 Akamai researchers reported a June–August 2025 variant that no longer drops a cryptominer but instead leverages exposed Docker APIs to gain persistent host access. The campaign launches lightweight containers that mount the host filesystem and fetch Base64-encoded scripts over Tor to install tools such as curl and tor. Once inside, the malware appends SSH keys, creates cron jobs, and attempts to modify firewall rules to deny others access to port 2375. Akamai also observed dormant logic to probe Telnet and Chrome remote debugging (9222), suggesting future botnet expansion.

🔒 Security researchers uncovered a variant of a campaign that abuses the TOR network and exposed Docker APIs to deploy cryptojacking and reconnaissance tooling. Akamai, which identified the activity last month, says attackers create Alpine containers, mount the host filesystem, and execute a Base64 payload that downloads a shell script from a .onion domain. The downloader alters SSH for persistence and installs utilities like masscan, torsocks and zstd while a Go-based dropper and compressed binary enable scanning and propagation.

⚠️ Several widely used npm packages were trojanized after attackers phished maintainers, injecting obfuscated JavaScript that turns affected web applications into cryptodrainers. The malicious code executes in visitors' browsers, intercepting network traffic and API requests to rewrite cryptocurrency wallet addresses for Ethereum, Bitcoin, Solana, Litecoin, Bitcoin Cash and Tron and redirect funds to attacker-controlled wallets. npm removed infected packages about three hours after the attack began, but total downloads during that window remain unknown. Developers are advised to audit dependencies, pin safe versions with overrides in package.json, and use anti-phishing protections.

⚠️ A maintainer of widely used npm packages was phished, allowing attackers to publish malicious updates to 20 modules that together exceed two billion weekly downloads. Researchers from Aikido Security and Socket found the injected payload hooks browser APIs (window.fetch, XMLHttpRequest, window.ethereum.request) to intercept and rewrite cryptocurrency transactions. The malware substitutes recipient addresses by computing Levenshtein distance to closely match intended wallets, putting end users and developers who connect wallets at risk. The incident highlights the persistent supply-chain threat to package ecosystems.

🔒 ShadowCaptcha is a large-scale campaign abusing over 100 compromised WordPress sites to push visitors to fake Cloudflare or Google CAPTCHA pages using the ClickFix social‑engineering lure. Injected JavaScript initiates redirection chains, employs anti‑debug techniques, and silently copies commands to the clipboard to coerce users into running built‑in Windows tools or saving and executing HTA files. Attackers weaponize LOLBins and DLL side‑loading to deliver installers and payloads — observed outcomes include credential stealers (Lumma, Rhadamanthys), Epsilon Red ransomware, and XMRig cryptocurrency miners — with some miner variants fetching configs from Pastebin and dropping a vulnerable driver (WinRing0x64.sys) to seek kernel access. Affected sites span multiple countries and sectors, underscoring the importance of timely WordPress hardening, network segmentation, user training, and MFA.

🛡️ Cybersecurity teams report coordinated campaigns exploiting exposed infrastructure and known flaws to monetize or weaponize compromised devices. Attackers have abused CVE-2024-36401 in GeoServer to drop lightweight Dart binaries that monetize bandwidth via legitimate passive-income services, while the PolarEdge botnet and Mirai-derived gayfemboy expand relay and DDoS capabilities across consumer and enterprise devices. Separately, TA-NATALSTATUS targets unauthenticated Redis instances to install stealthy cryptominers and persistence tooling.

🛡️ In episode 431 of the Smashing Security podcast, Graham Cluley and guest Allan Liska examine a high-profile cloud-billing fraud in which a crypto influencer calling himself CP3O racked up millions in unpaid cloud costs through cryptomining schemes. They also highlight the growing threat of EDR‑killer tools that can silently disable endpoint protection to aid attackers. The show includes lighter segments on the Internet Archive’s Wayforward Machine and a visit to Mary Shelley’s grave, and carries a content warning for mature language and themes.