
All news with #supply chain compromise tag

416 articles · page 11 of 21

Modified Shai Hulud Strain Found in npm Package Dec

🔎 Cybersecurity researchers have identified a modified strain of the Shai Hulud npm worm inside the package "@vietmoney/react-big-calendar," updated on December 28, 2025. Aikido and researcher Charlie Eriksen say the code appears obfuscated and likely derived from the original worm source rather than a simple copy. The variant changes filenames and GitHub leakage descriptors, improves error handling and OS-aware publishing, and so far shows limited spread, suggesting the payload may be in testing.

Final 2025 Weekly Recap: MongoDB, Wallet, and Supply Chain

🔔 A newly disclosed MongoDB memory-exposure flaw (CVE-2025-14847, "MongoBleed") and a wave of supply-chain and update-channel compromises defined the final week of 2025. Active exploitation of MongoDB affected tens of thousands of instances worldwide while extension- and package-based attacks, including a compromised Trust Wallet Chrome extension and a malicious npm package, led to immediate thefts and account takeovers. The recap stresses rapid attacker tempo, the abuse of trusted update/support channels, and persistent impacts that can surface months or years after an initial compromise.

Korean Air Data Breach Exposes Thousands of Employees

🔓 Korean Air warned employees that personal information, including names and bank account numbers, was compromised after its former in-flight catering supplier, Korean Air Catering & Duty-Free (KC&D), notified the carrier it had been hacked. Local outlets report about 30,000 records were exfiltrated, and the Clop ransomware gang has claimed responsibility and posted the alleged data on its leak site. Korean Air reported the incident to authorities, is investigating the scope, and urged staff to remain vigilant for phishing and impersonation attempts.

Targeted npm Packages Used to Host Credential Lures

🔒 Cybersecurity researchers detailed a five-month, targeted spear-phishing campaign that published 27 malicious npm packages across six aliases to repurpose package CDNs as resilient hosting for browser‑run credential‑harvesting lures. The embedded HTML/JavaScript mimicked document‑sharing portals and Microsoft sign‑in, pre-filling victim emails and using bot/sandbox checks, honeypot fields and heavy obfuscation to evade detection. Socket links the domains to Evilginx-style AitM infrastructure and urges phishing‑resistant MFA, strict dependency verification, CDN request logging, and monitoring for suspicious post‑auth activity.

MacSync macOS Stealer Uses Signed, Notarized Swift Installer

🛡️ Researchers have uncovered a new macOS information stealer, MacSync, delivered as a code-signed and notarized Swift installer masquerading as a messaging app. The signed DMG bypasses Gatekeeper and XProtect, and the installer prompts users to right-click to run — a common social-engineering tactic. Apple has revoked the signing certificate. The dropper enforces rate limits, removes quarantine attributes, and downloads a Base64-encoded payload that resolves to the rebranded Mac.c/MacSync strain.

Outsourced Cyber Defenses: Systemic Risks and Governance

🔐 Outsourcing critical IT and cybersecurity has shifted from a cost-saving tactic to a systemic fragility driver. The article explains how single-vendor failures — highlighted by SolarWinds and MOVEit — can cascade across industries, amplified by cloud adoption, talent shortages and subcontractor opacity. It warns that AI-driven agents, regulatory fragmentation, and geopolitical exposures turn vendor compromises into national and economic security risks. Boards, CISOs and regulators must adopt trust-by-design, stress tests and AI resilience measures.

Trojanized npm WhatsApp API library steals data silently

🔐 Security researchers uncovered 'lotusbail,' a malicious npm package that impersonates the legitimate @whiskeysockets/baileys WhatsApp Web client while quietly exfiltrating messages, credentials, and contact data from developer environments. The trojanized wrapper amassed over 56,000 downloads and operated for roughly six months before Koi Security flagged its behavior. Stolen information was encrypted and layered with multiple obfuscation techniques, and the malware leveraged WhatsApp multi-device pairing to keep an attacker device linked even after the package was removed.

Malicious npm WhatsApp API 'lotusbail' Steals Accounts

🔒 Koi Security disclosed a malicious npm package, lotusbail, masquerading as a WhatsApp API and designed to intercept authentication tokens, messages, contacts and media. Uploaded in May 2025 by the account "seiren_primrose", it has been downloaded over 56,000 times and remained available at the time of reporting. The library wraps the WebSocket client and contains a hard-coded pairing code that links the attacker's device to a victim's WhatsApp account, creating a persistent backdoor even after uninstallation. It also implements anti-debugging traps to freeze execution and hinder analysis.

Malicious NPM Package Steals WhatsApp Accounts and Messages

🔒 A malicious NPM package published as lotusbail and masquerading as a WhatsApp Web API library was found to exfiltrate authentication tokens, session keys, messages, contacts and media. Researchers at Koi Security report the package wraps the legitimate WebSocket client from the Baileys project so all traffic is intercepted and recorded. The malware encrypts captured data with layered obfuscation (Unicode tricks, LZString, AES and custom RSA) and establishes persistent access by pairing the attacker’s device to victims' WhatsApp accounts. Developers should remove the package, inspect linked devices, and monitor runtime behavior for unexpected outbound connections.

CISA Flags ASUS Live Update CVE, But Attack Is Years Old

🛡️ CISA's addition of CVE-2025-59374 to the KEV catalog documents a historical ASUS Live Update supply‑chain compromise rather than a new, active campaign. The CVE formalizes the 2018–2019 'ShadowHammer' incident in which maliciously modified Live Update binaries were selectively delivered to targeted systems, and the client reached End‑of‑Support in October 2021. ASUS's December 2025 FAQ appears to be a documentation update clarifying upgrade paths to the last Live Update release (3.6.15), and CISA emphasized that KEV inclusion does not necessarily indicate ongoing exploitation. Security teams should apply context‑aware triage and ensure supported software is up to date.

ASUS Live Update CVE-2025-59374: Historical, Not New

📌 The CVE-2025-59374 record documents the 2018–2019 ShadowHammer supply‑chain compromise of ASUS Live Update, a client that reached End‑of‑Support in October 2021. The entry, now rated 9.3, formalizes a historical incident and does not indicate current active exploitation for supported devices. Security teams should verify systems are running the latest supported software but avoid treating the KEV listing as an immediate, new threat.

CISA Adds Critical ASUS Live Update Flaw to KEV Catalog

⚠️ CISA has added a critical vulnerability (CVE-2025-59374, CVSS 9.3) in ASUS Live Update to its Known Exploited Vulnerabilities catalog after identifying evidence of active exploitation tied to a supply-chain compromise. The flaw stems from trojanized installer builds distributed during the 2018 Operation ShadowHammer campaign that could make targeted devices perform unintended actions. ASUS previously remediated the issue in v3.6.8, but the vendor has since declared the client end-of-support; federal agencies are urged to discontinue use by January 7, 2026.

GhostPoster campaign hides malware in 17 Firefox add‑ons

🚨 Koi Security uncovered the GhostPoster campaign that hid malicious JavaScript inside PNG logo files used by 17 Firefox add‑ons, collectively downloaded more than 50,000 times. The steganographic loader fetches secondary payloads from attacker-controlled servers only intermittently and uses long delays to avoid detection. Affected extensions — advertised as VPNs, ad blockers, translators, and utilities — have been removed from distribution.

GhostPoster: Malicious JavaScript Hidden in Firefox Add-ons

🕵️ Koi Security identified the GhostPoster campaign that hides JavaScript inside PNG logo images of malicious Firefox extensions, impacting more than 50,000 downloads. The dormant loader waits 48 hours, contacts hardcoded attacker domains and only fetches its payload about 10% of the time to evade detection. The decoded payload provides persistent, high-privilege access and enables affiliate hijacks, analytics injection, header stripping, CAPTCHA bypass and ad/click fraud. Users of flagged extensions should remove them and consider resetting critical account passwords.

Typosquatted NuGet Package Steals Stratis Wallets Silently

🔒 A malicious NuGet package named "Tracer.Fody.NLog" was published on February 26, 2020 and impersonates the legitimate Tracer.Fody maintainer to deliver a cryptocurrency wallet stealer. The embedded Tracer.Fody.dll scans the default Stratis wallet directory (%APPDATA%\StratisNode\stratis\StratisMain), reads *.wallet.json files and in-memory passwords, and exfiltrates data to 176.113.82[.]163. Socket researcher Kirill Boychenko highlighted multiple evasion tactics — a typosquatted publisher name, Cyrillic lookalikes in code, and a hidden routine inside a helper method that runs during normal execution while suppressing exceptions.

AWS Response and Lessons from npm Supply-Chain Attacks

🔒 AWS Security details its incident response to multiple high-scale npm supply chain campaigns, including the compromised Nx package, the Shai-Hulud worm, and a token-farming operation detected by Amazon Inspector. Teams enacted rapid containment (repository blocklisting, OpenSSF registration), performed deep analysis using AI-assisted detonation in sandboxes, and automated disclosures to protect customers. The effort produced improved behavioral detections, GenAI prompt guardrails for Amazon Q, and strengthened collaboration with the security community to reduce future exposure.

NCSC Playbook Integrates Cyber Essentials into Supply Chains

🔒 The UK National Cyber Security Centre (NCSC) has published a practical playbook urging businesses to embed Cyber Essentials across supply chains and to use its new Supplier Check tool to verify supplier certification (CE or CE Plus). It highlights that firms with turnover under £20m qualify for free cyber‑liability insurance and incident response support when certified. The seven-step guidance covers risk mapping, defining security profiles, setting and enforcing minimum security requirements, incentivizing CE, embedding adoption into procurement and monitoring uptake.

Malicious VSCode Marketplace Extensions Hid Trojan Campaign

🔍 ReversingLabs discovered a stealthy campaign of 19 malicious VSCode Marketplace extensions that bundled dependencies to run a trojan hidden inside a faux PNG file. The packages included modified 'path-is-absolute' or '@actions/io' modules which auto-execute code via an added class in index.js, decoding an obfuscated JavaScript dropper stored in a file named 'lock'. A fake 'banner.png' archive contained two payloads — a living-off-the-land binary 'cmstp.exe' and a Rust-based trojan — and Microsoft removed the extensions after being notified.

19 VS Code Extensions Embedding Malware in Dependencies

🔍 ReversingLabs uncovered a campaign that embedded malware in 19 Visual Studio Code extensions by tampering with bundled dependencies. Attackers replaced the widely used npm package path-is-absolute to execute a JavaScript dropper from a file named "lock" and hid two binaries inside an archive disguised as banner.png. The payloads were launched via cmstp.exe, including a process-terminating component and a Rust-based Trojan; Microsoft has been notified.

ThreatsDay Bulletin: Spyware, Mirai, Docker Leaks and More

🔔 This week's ThreatsDay Bulletin highlights a packed week of cross-cutting threats: a Mirai variant dubbed Broadside exploiting TBK DVRs (CVE-2024-3721), widespread exploitation of React2Shell (CVE-2025-55182), and the leak of a ValleyRAT builder that includes a signed kernel-mode rootkit. Law enforcement actions ranged from Europol's 193 arrests in a VaaS crackdown to multiple national detentions, while Apple and Google issued broad spyware alerts. Researchers flagged >10,000 Docker Hub images leaking secrets and 19 malicious VS Code extensions that used a PNG disguise to deliver trojans, underscoring persistent supply-chain and user-facing risks.