All news with #malware tag

🐛 A self-replicating worm dubbed Shai-Hulud has infected at least 187 NPM packages, stealing developer credentials and publishing them to public GitHub repositories that include the string 'Shai-Hulud'. The malware searches for NPM tokens, uses them to inject itself into the top 20 packages accessible to the token and auto-publishes new versions, and leverages tools such as TruffleHog to locate secrets. The campaign briefly affected multiple packages linked to CrowdStrike and was first observed being modified on Sept. 14.

🚨 Security researchers say a new software supply chain campaign has compromised more than 40 npm packages by injecting a malicious bundle.js into republished releases. The trojan installs a downloader that executes TruffleHog to scan hosts for secrets and cloud credentials, targeting both Windows and Linux developer environments. Vendors warn maintainers to audit environments, rotate tokens, and remove affected versions to prevent ongoing exfiltration.

🐍 IBM X-Force reports that China-aligned Mustang Panda is deploying a new USB worm, SnakeDisk, to propagate the Yokai backdoor against machines geolocated to Thailand. The actor also introduced updated TONESHELL variants (TONESHELL8/9) with proxy-aware C2 and parallel reverse shells. SnakeDisk abuses DLL side-loading and USB volume masquerading—moving user files into a subfolder and presenting a deceptive 'USB.exe' lure before restoring originals—to spread selectively on Thailand-based public IPs.

🔒 ESET Research identified HybridPetya on VirusTotal in February 2025, with filenames implying a connection to the destructive NotPetya outbreak. The strain encrypts the NTFS Master File Table using Salsa20 and deploys a UEFI bootkit on the EFI System Partition to ensure firmware‑level persistence. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot via a signed but vulnerable Microsoft component, yet retains a working decryption mechanism for victims. Analysts found no signs of self-propagation like NotPetya, but the combination of pre-boot compromise and MFT encryption raises significant concern.

🔍 Security researchers at FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search results to steer Chinese-speaking Microsoft Windows users to spoofed download sites. Attackers registered lookalike domains and used subtle character substitutions to present compromised installers that bundled legitimate apps with hidden malware such as Hiddengh0st and Winos. The operation used a redirection script known as nice.js, anti-analysis checks in components like EnumW.dll, and persistence mechanisms including registry changes and TypeLib hijacking. FortiGuard warns the final payloads supported monitoring, keystroke and clipboard capture, Telegram interception, and cryptocurrency wallet theft.

⚡ This weekly recap synthesizes critical cyber events and trends, highlighting a new bootkit, AI-enhanced attack tooling, and persistent supply-chain intrusions. HybridPetya samples demonstrate techniques to bypass UEFI Secure Boot, enabling bootkit persistence that can evade AV and survive OS reinstalls. The briefing also covers vendor emergency patches, novel Android RATs, fileless frameworks, and practical patch priorities for defenders.

🔒 New phishing campaigns are delivering remote monitoring and management (RMM) software by using multiple realistic lures, security firms warn. Attackers spoof browser updates, meeting software installers, party e-invites and government forms to trick victims into running installers for ITarian (Comodo), Atera, PDQ, SimpleHelp and ScreenConnect. Some campaigns host payloads on trusted services such as Cloudflare R2 and may install multiple RMM tools in quick succession. Analysts caution RMM compromise can lead to ransomware and data theft and recommend endpoint detection, approved-tool enforcement and enhanced network controls such as browser isolation.

🚨 Fortinet and Zscaler researchers describe an SEO poisoning campaign that targets Chinese-speaking users by surfacing spoofed download pages and GitHub Pages that host trojanized installers. Attackers manipulated search rankings and registered lookalike domains to trick victims into downloading installers bundling legitimate applications with hidden malware such as HiddenGh0st and Winos. Delivery chains use scripts (for example, nice.js), multi-stage JSON redirects, malicious DLLs and DLL sideloading to evade detection and establish persistence.

⚠️ A threat actor known as WhiteCobra has been publishing malicious VSIX extensions across VS Code Marketplace and OpenVSX, targeting users of VSCode, Cursor, and Windsurf with professionally crafted listings. The campaign comprises at least 24 identified extensions and remains active as the actor quickly re-uploads packages after takedown. Installed extensions execute a small loader that fetches platform-specific payloads; on Windows this chain leads to deployment of LummaStealer, while macOS builds execute a malicious Mach-O. Researchers warn that polished icons, forged descriptions, and inflated download counts were used to lend credibility and trick developers into installing the packages.

🛡️ In August 2025, FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search rankings to lure Chinese-speaking users to lookalike download sites mimicking legitimate software, notably a DeepL spoof. Victims downloaded a bundled MSI installer that combined genuine application installers with malicious components (EnumW.dll, fragmented ZIPs and a packed vstdlib.dll) and used anti-analysis, timing checks and parent-process validation to evade sandboxes. The in-memory payload implements Heartbeat, Monitor and C2 modules, exfiltrates system and user data, and supports plugins for screen capture, keylogging, Telegram proxy removal and crypto wallet targeting. Fortinet detections and network protections are updated; organizations are advised to apply patches, scan affected systems, and contact incident response if compromise is suspected.

🔍 Security researchers at LevelBlue Labs identified an open-source Remote Access Trojan, AsyncRAT, being deployed via a multi-stage, fileless in-memory loader that avoids writing executables to disk. Attackers gained initial access through a compromised ConnectWise ScreenConnect client, executing a VBScript which invoked PowerShell to fetch two staged .NET assemblies. The first-stage assembly decodes payloads into byte arrays and uses reflection to run the secondary assembly directly in memory, while operators disabled AMSI and tampered with ETW to evade runtime detection. Persistence was achieved with a scheduled task disguised as "Skype Update," and the RAT used an AES-256 encrypted configuration to connect to a DuckDNS-based C2.

🛡️ ESET researchers identified HybridPetya in late July 2025 after suspicious samples were uploaded to VirusTotal. The malware resembles Petya/NotPetya and encrypts the NTFS Master File Table (MFT), while also capable of installing a malicious EFI application on the EFI System Partition to persist on UEFI systems. One analyzed variant exploits CVE-2024-7344 using a crafted cloak.dat to bypass UEFI Secure Boot on outdated systems. ESET telemetry shows no evidence of active, widespread deployments.

🔒 Akamai researchers reported a June–August 2025 variant that no longer drops a cryptominer but instead leverages exposed Docker APIs to gain persistent host access. The campaign launches lightweight containers that mount the host filesystem and fetch Base64-encoded scripts over Tor to install tools such as curl and tor. Once inside, the malware appends SSH keys, creates cron jobs, and attempts to modify firewall rules to deny others access to port 2375. Akamai also observed dormant logic to probe Telnet and Chrome remote debugging (9222), suggesting future botnet expansion.

🛡️ On September 8, 2025, a sophisticated phishing campaign led to the compromise of a trusted maintainer account and the insertion of cryptocurrency-stealing malware into more than 18 foundational npm packages. The malicious versions collectively represented over 2 billion weekly downloads and affected millions of applications from personal projects to enterprise systems. The debug package was among those compromised and alone exceeds 357 million weekly downloads. npm has removed several malicious package versions and is coordinating ongoing remediation.

🔍 Researchers have identified two malware strains: a modular macOS backdoor named CHILLYHELL and a Go-based cross-platform RAT called ZynorRAT. Jamf Threat Labs links CHILLYHELL to UNC4487, noting extensive host profiling, multiple persistence techniques, timestomping, and multi-protocol C2 over HTTP and DNS. The notarized CHILLYHELL sample (uploaded to VirusTotal on May 2, 2025) underscores that signed binaries can be malicious. Sysdig analysis shows ZynorRAT is managed via a Telegram bot and supports file exfiltration, screenshots, system enumeration, and persistence on Linux and Windows.

⚠️ Security researchers warn a supply‑chain attack on npm briefly propagated trojanized versions of widely used packages after the developer account qix was hijacked via social engineering. The malicious updates contained crypto‑stealing payloads that could rewrite wallet recipients in browsers if bundled into frontend builds. Vendor Wiz reports the code was present in about 10% of cloud environments during a two‑hour window, and JFrog says additional accounts, including DuckDB, were impacted. Organizations are advised to blocklist affected versions, rebuild from clean caches, invalidate CDN assets, and hunt for affected bundles and anomalous signing activity.

🛡️ Attackers are exploiting exposed Docker APIs (port 2375) by launching containers that install Tor and retrieve secondary payloads from hidden services. Researchers at Trend Micro and Akamai observed the activity evolve from opportunistic cryptomining into a more capable dropper that establishes persistent SSH access, creates cron jobs to block API access, and executes a Go-based agent that scans and propagates to additional hosts. The agent also removes competitor containers and contains dormant logic for Telnet and Chrome remote debugging exploitation.

🔒 Arctic Wolf researchers uncovered a targeted campaign, GPUGate, that uses malicious GitHub Desktop installers promoted via Google Ads to distribute evasive malware. The attack leverages commit‑specific links and lookalike domains to mimic legitimate GitHub downloads and trick users, particularly IT personnel, into installing a large MSI payload. A GPU‑gated decryption routine keeps the malware dormant in virtualized or low‑power environments, while PowerShell execution with policy bypasses and scheduled‑task persistence provide elevated privileges and long‑term access.

🔒 A rapid open source response contained a supply-chain compromise after maintainer Josh Junon (known as 'qix') reported his npm account was hijacked on September 8. Malicious versions of widely used packages including chalk, strip-ansi and color-convert were published embedding an crypto-clipper that swaps wallet addresses and hijacks transactions. The community and npm removed tainted releases within hours, limiting financial impact and exposure.

🔓 Security firm Aikido uncovered a coordinated supply chain attack that injected obfuscated, browser-based malware into 18 popular npm packages — including chalk, debug, and ansi-styles — collectively receiving two billion weekly downloads. The malicious updates, pushed beginning September 8, intercept and manipulate web3 and crypto interactions in the browser to silently rewrite payment destinations and approvals. The campaign originated from a phishing operation that abused a typosquatted domain (npmjs.help) to compromise maintainer accounts, and although the attacker demonstrated web3 knowledge, tracked losses were modest (~$970). Researchers warn enterprise defenses are largely blind to this API-level interceptor and call for stronger attestation and signed publication workflows.