All news with #supply chain backdoor tag

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft disclosed it revoked more than 200 certificates after a threat actor tracked as Vanilla Tempest used them to fraudulently sign malicious binaries, including fake Microsoft Teams installers that delivered the Oyster backdoor and led to Rhysida ransomware deployments. The activity was detected in late September 2025 and disrupted earlier this month, and Microsoft has updated security solutions to flag the associated signatures. The actor abused SEO poisoning and bogus download domains impersonating Teams to distribute trojanized installers. Users are advised to download software only from verified sources and to avoid suspicious links or ads.

Merged BeaverTail and OtterCookie Tooling Observed in Attacks

🔍 Talos uncovered a campaign linked to the DPRK-aligned cluster Famous Chollima that used a trojanized Node.js package and a malicious VS Code extension to deliver merged BeaverTail and OtterCookie tooling. The combined JavaScript payloads include a newly observed keylogger and screenshot module alongside clipboard theft, targeted file exfiltration, remote shell access, and cryptocurrency extension stealing. Indicators, C2 addresses, Snort/ClamAV detections, and mitigation guidance are provided.

Minecraft mods — how malicious mods put players at risk

🛡️ Minecraft mods can enhance gameplay but also serve as vectors for malware. This article explains how threat actors disguise Trojans, infostealers, ransomware and cryptominers as mods or cheat tools and distribute them via GitHub, mod repositories and forums. It outlines practical precautions — sourcing mods from trusted repositories, checking developer reputation and file types, using non-admin accounts, backups and security software — and steps to take if a mod is suspected malicious.

Jewelbug Expands Operations into Russia, Symantec Finds

🔎 Symantec attributes a five‑month intrusion (Jan–May 2025) against a Russian IT service provider to a China‑linked group tracked as Jewelbug, connecting it with clusters CL‑STA‑0049/REF7707 and Earth Alux. Attackers accessed code repositories and build systems and exfiltrated data to Yandex Cloud, creating supply‑chain concerns. The campaign used a renamed cdb.exe to run shellcode, bypass allowlisting, dump credentials, establish persistence, and clear event logs. Symantec also ties Jewelbug to recent intrusions in South America, South Asia, and Taiwan that leverage cloud services, DLL side‑loading, ShadowPad, BYOVD techniques, and novel OneDrive/Graph API C2.

Over 100 VS Code Extensions Leaked Access Tokens Exposed

🔒 Wiz researchers found that publishers of over 100 Visual Studio Code extensions leaked personal access tokens and other secrets that could allow attackers to push malicious extension updates across large install bases. The team validated more than 550 secrets across 500+ extensions spanning 67 types, including AI provider keys, cloud credentials, database and payment secrets. Over 100 extensions exposed Marketplace PATs (≈85,000 installs) and ~30 exposed Open VSX tokens (≈100,000 installs); many flagged packages were themes and hard-coded secrets in .vsix files were often discoverable. Microsoft revoked leaked tokens after disclosure and is adding secret-scanning; users and organizations were advised to limit extensions, vet packages, maintain inventories, and consider centralized allowlists.

MAESTRO Framework: Securing Generative and Agentic AI

🔒 MAESTRO, introduced by the Cloud Security Alliance in 2025, is a layered framework to secure generative and agentic AI in regulated environments such as banking. It defines seven interdependent layers—from Foundation Models to the Agent Ecosystem—and prescribes minimum viable controls, operational responsibilities and observability practices to mitigate systemic risks. MAESTRO is intended to complement existing standards like MITRE, OWASP, NIST and ISO while focusing on outcomes and cross-agent interactions.

TigerJack's Malicious VSCode Extensions Steal and Mine

⚠️ Koi Security disclosed a coordinated campaign by a group dubbed TigerJack that published malicious extensions to the Visual Studio Code Marketplace and the OpenVSX registry to exfiltrate source code, deploy cryptominers, and maintain remote access. Two popular packages — C++ Payground and HTTP Format — accumulated over 17,000 downloads before removal from Microsoft's store, yet variants remain active on OpenVSX. Researchers warn that the most advanced builds fetch and execute remote JavaScript, allowing attackers to push new payloads without republishing and evading static scanners.

Malicious VSCode Extensions Resurface on OpenVSX Registry

⚠️ Researchers at Koi Security warn that a threat actor known as TigerJack is distributing malicious Visual Studio Code extensions on both the official marketplace and the community-maintained OpenVSX registry. Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace after roughly 17,000 downloads but remain available on OpenVSX, and the actor repeatedly republishes variants under new accounts. The malicious code exfiltrates source code, deploys a CoinIMP cryptominer with no resource limits, or fetches remote JavaScript to enable arbitrary code execution, creating significant risks to developer machines and corporate networks.

Aisuru IoT Botnet Cripples Major US ISPs at 29.6 Tbps

⚠️ Aisuru, an IoT botnet derived from Mirai, generated a nearly 29.6 Tbps DDoS surge on Oct. 8, 2025, briefly disrupting major US ISPs and online gaming platforms. Logs show most attack traffic originated from compromised home routers, IP cameras and DVRs on networks operated by AT&T, Comcast, Verizon, T‑Mobile and Charter. TCPShield reported over 15 Tbps of junk traffic, and researchers warn Aisuru now operates as both a DDoS engine and a residential proxy network.

Unmonitored JavaScript: The Holiday Shopping Risk 2025

⚠️ The article warns that unmonitored JavaScript on e-commerce sites is the single biggest holiday security risk, enabling attackers to steal payment data while server-side defenses like WAFs and intrusion detection systems remain blind. It reviews major 2024 incidents, including the Polyfill.io and Cisco Magecart campaigns, and highlights a dramatic uptick in attacks during peak shopping windows. Recommended mitigations emphasize closing visibility gaps with real-time client-side monitoring, maintaining strict third-party script inventories, and deploying Content Security Policy (initially in report-only mode) using nonces rather than weakening directives.

Aisuru Botnet Floods U.S. ISPs in Record DDoS Attack

🛰️ Aisuru, now the world’s largest IoT botnet, is drawing the majority of its attack volume from compromised consumer devices hosted by U.S. ISPs such as AT&T, Comcast and Verizon. In early October the botnet briefly generated a near‑30 terabit-per-second traffic flood, underscoring its rapidly expanding scale and destructive reach. The attacks have targeted gaming-focused networks and protection providers, causing widespread collateral congestion and forcing providers to reassess outbound mitigation. Built on Mirai-derived code, Aisuru is also being marketed as a residential proxy service, complicating attribution and remediation.

175 Malicious npm Packages Used in Large-Scale Phishing

⚠️ Researchers have identified 175 malicious packages on the npm registry used as infrastructure for a widespread phishing campaign called Beamglea. The packages, collectively downloaded about 26,000 times, host redirect scripts served via unpkg.com that route victims to credential-harvesting pages. Attackers automated package publication and embedded victim-specific emails into generated HTML, pre-filling login fields to increase the likelihood of successful credential capture.

Cloudflare Launches REACT: Unified Incident Response

🔒 Cloudflare today introduces REACT, a new incident response and advisory service from Cloudforce One designed to bridge the gap between edge defenses and in‑network remediation. REACT combines proactive advisory work—threat hunting, tabletop exercises, and readiness assessments—with emergency incident response and retainer options for guaranteed availability. As a network‑native, vendor‑agnostic service, REACT can deploy mitigations at the Cloudflare edge and coordinate investigations across on‑premise, cloud, and hybrid environments.

Salesforce Refuses Ransom After Massive Data Theft

🔒 Salesforce confirmed it will not engage with or pay extortion demands after a large-scale theft of customer data this year. Threat actors calling themselves Scattered Lapsus$ Hunters published a data-leak site to extort 39 companies, claiming nearly one billion records stolen. The breaches stemmed from two campaigns: late-2024 social engineering using malicious OAuth apps and an August 2025 campaign abusing stolen SalesLoft/Drift tokens to exfiltrate CRM and support-ticket data. The leak site appears to have been shut down and its domain redirected to nameservers previously associated with law enforcement seizures.

Microsoft SFI Patterns and Practices: New Security Guides

🔐 Microsoft published a second installment of the Secure Future Initiative (SFI) patterns and practices, delivering six practical, practitioner-built guides that address network isolation, tenant hardening, Entra ID app security, Zero Trust for source code access, software supply chain protection, and centralized log collection. Each article outlines the problem, Microsoft’s internal solution, actionable customer guidance, and trade-offs to help teams apply scalable controls across complex, multi-cloud environments.

Defending Against npm Supply Chain Threats and Worms

🔒 In September, attackers used stolen maintainer credentials to inject malicious payloads into widely used npm packages such as chalk and debug, followed by the self‑propagating Shai‑Hulud worm that harvested npm tokens, GitHub PATs, and cloud credentials. The compromised packages and postinstall scripts allowed silent interception of cryptocurrency activity and automated propagation across developer environments. AWS recommends immediate actions: audit dependencies, rotate secrets, inspect CI/CD pipelines for unauthorized workflows or injected scripts, and use Amazon Inspector to detect malicious packages and share validated intelligence with OpenSSF.

Malicious PyPI soopsocks package abused to install backdoor

⚠️ Cybersecurity researchers flagged a malicious PyPI package named soopsocks that claimed to provide a SOCKS5 proxy while delivering stealthy backdoor functionality on Windows. The package, uploaded by user 'soodalpie' on September 26, 2025, had 2,653 downloads before removal and used VBScript or an executable (_AUTORUN.VBS/_AUTORUN.EXE) to bootstrap additional payloads. Analysts at JFrog reported the executable is a compiled Go binary that runs PowerShell, adjusts firewall rules, elevates privileges, performs reconnaissance and exfiltrates data to a hard-coded Discord webhook.

Researchers Find Physical Interposer Attacks on Intel, AMD

🔓 Researchers disclosed two physical interposer attacks—Battering RAM and Wiretrap—that bypass Trusted Execution Enclaves on Intel (SGX) and AMD (SEV‑SNP) platforms. Both attacks exploit deterministic memory encryption by inserting an interposer between CPU and DRAM to capture ciphertext in transit. Battering RAM can replay ciphertext and create memory aliases to expose plaintext and implant backdoors, while Wiretrap enables ciphertext-based key recovery. Practical mitigation today is limited to preventing physical access and strengthening supply‑chain and data‑center controls such as those in ISO/IEC 27001.

WireTap Attack Extracts Intel SGX ECDSA Key via DDR4

🔬 Researchers from Georgia Institute of Technology and Purdue University describe WireTap, a physical memory-bus interposer attack that passively inspects DDR4 traffic to recover secrets from Intel SGX enclaves. By exploiting deterministic memory encryption, the team built an oracle enabling a full key-recovery of an SGX ECDSA attestation key from the Quoting Enclave. The prototype uses inexpensive, off-the-shelf equipment (roughly $1,000) and can be introduced via supply-chain compromise or local physical access. Intel says the scenario requires physical access and falls outside its memory-encryption threat model.

Battering RAM: DDR4 Interposer Breaks Cloud Memory

🔒 Researchers at KU Leuven and the University of Birmingham disclosed Battering RAM, a low-cost DDR4 interposer attack that can undermine hardware memory encryption used in cloud environments. The $50 interposer sits transparently in the memory path, passes boot-time trust checks, and can be toggled to redirect physical addresses to attacker-controlled locations to corrupt or replay encrypted memory. The team says the technique can bypass protections such as SGX and SEV-SNP, and that meaningful mitigation would require architectural redesign of memory encryption.