All news with #supply chain compromise tag

🛡️ We have discovered a new Windows-based malware family named Airstalk that abuses the AirWatch (Workspace ONE UEM) API to establish a covert command-and-control channel and exfiltrate browser artifacts. Two variants were observed: a PowerShell variant focused on Chrome cookie and bookmark theft, and a more advanced .NET variant that adds multi-threaded C2, beaconing, versioning, and support for Microsoft Edge and Island Browser. Several .NET samples were signed with a likely stolen certificate that was revoked shortly after issuance. Unit 42 assesses with medium confidence that a suspected nation-state actor used Airstalk in a likely supply chain compromise and provides IoCs and mitigation guidance.

🛡️ A Kaspersky GReAT analysis describes two BlueNoroff campaigns—GhostCall and GhostHire—linked to the Lazarus threat actor and focused on the cryptocurrency sector. GhostCall targets executives, often on macOS, using investor-themed social engineering and fake meeting portals that prompt malicious updates and downloads. GhostHire lures blockchain developers with job offers and Telegram bots that point to GitHub test tasks or archived files with tight deadlines; performing the tasks leads to infection. The campaigns share a common management infrastructure and multiple infection chains; technical details and indicators of compromise are published on Securelist.

🛡️ In early September 2025 attackers published malicious releases to 18 widely used npm packages, enabling crypto‑stealing and token exfiltration. Cloudflare's Page Shield static analysis and ML pipeline — including an MPGCN on JavaScript ASTs — inspects 3.5 billion scripts per day and would have detected these compromised packages. Inference completes in under 0.3s and ensemble review reduces false positives, protecting customers from similar supply‑chain threats.

📡 ESET researchers have uncovered a new Lazarus Group espionage campaign targeting European defense contractors, with a focus on companies involved in unmanned aerial vehicle (UAV) development since March 2025. The attackers used spear-phishing with fake job offers and trojanized open-source tools such as WinMerge and Notepad++ to deliver loaders and the custom RAT ScoringMathTea. The intrusion chain relied on DLL side-loading, reflective loading, and process injection to maintain persistence and exfiltrate design and supply-chain data. ESET has published IoCs and MITRE ATT&CK mappings to help defenders respond.

🪲 Researchers have uncovered GlassWorm, a self-propagating worm that spreads through Visual Studio Code extensions on the Open VSX Registry and the Microsoft Extension Marketplace. First seen on October 17, 2025, the campaign uses the Solana blockchain for resilient command-and-control with Google Calendar as a fallback and hides malicious code using invisible Unicode variation selectors. Infected extensions harvest developer credentials, drain cryptocurrency wallets, install SOCKS proxies and hidden VNC servers, and deliver a JavaScript payload named Zombi to escalate and propagate.

🔒 This ThreatsDay bulletin highlights a series of recent incidents where attackers favored the easiest paths in: tricking users, abusing trusted services, and exploiting stale or misconfigured components. Notable items include a malicious npm package with a post-install backdoor, a CA$176M FINTRAC penalty for missed crypto reporting, session hijacking via MCP (CVE-2025-6515), and OAuth-based persistent backdoors. Practical defenses emphasized are rapid patching, disabling risky install hooks, auditing OAuth apps and advertisers, and hardening agent and deserialization boundaries.

⚠️ F5 disclosed a major intrusion in which a sophisticated, likely nation-state threat actor maintained long-term access to its internal network. During the compromise the attackers gained control of the build and distribution environment for BIG-IP updates and exfiltrated proprietary source code, documentation of unpatched vulnerabilities, and customer configuration files. F5 warned this data could enable widespread supply-chain and targeted attacks against many sensitive networks.

🛩️ ESET researchers observed a renewed Operation DreamJob campaign that targeted European defense and UAV-related companies and has been linked to the North Korea-aligned Lazarus group. Attackers used social-engineering lures and trojanized open-source projects on GitHub to deliver loaders and the ScoringMathTea RAT. Techniques included DLL side-loading, reflective in-memory loading and encrypted C2 channels. The apparent objective was theft of proprietary UAV designs and manufacturing know-how.

🔒Security researchers uncovered a NuGet typosquat, Netherеum.All, created to harvest cryptocurrency wallet secrets and exfiltrate them to a hidden command-and-control server. Uploaded on October 16, 2025 by user "nethereumgroup" and removed four days later, the package uses a Cyrillic 'e' homoglyph to impersonate Nethereum and falsely claims 11.7 million downloads to appear legitimate. Socket analysts found an XOR-decoded C2 endpoint (solananetworkinstance[.]info/api/gads) and a payload in EIP70221TransactionService.Shuffle that steals mnemonics, private keys, and keystore files. Developers are advised to verify publisher identity, watch for sudden download surges, and monitor anomalous network traffic before adding dependencies.

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.

🔒 A European telecommunications organization was targeted in the first week of July 2025, according to Darktrace, with a threat actor linked to the China-associated group Salt Typhoon gaining initial access via a vulnerable Citrix NetScaler Gateway. The intruders pivoted to Citrix VDA hosts in an MCS subnet and used SoftEther VPN to mask their origin. They deployed Snappybee (aka Deed RAT) via DLL side-loading alongside legitimate antivirus executables; the backdoor called home to aar.gandhibludtric[.]com. Darktrace says the activity was detected and remediated before significant escalation.

🔒 Muji has temporarily taken its Japan online store offline after a ransomware attack disrupted logistics systems at its delivery partner, Askul. The outage affects browsing, purchases, order histories in the Muji app, and some web content; Muji is investigating which shipments and pre-attack orders were impacted and will notify affected customers by email. Askul confirmed a ransomware infection suspended orders, shipping, and several customer services while it investigates potential data exposure; international Muji stores remain operational.

🛡️ A sophisticated supply-chain campaign called GlassWorm is propagating through OpenVSX and Microsoft VS Code extensions and is estimated to have about 35,800 active installs. The malware conceals malicious scripts using invisible Unicode characters, then steals developer credentials and cryptocurrency wallet data while deploying SOCKS proxies and hidden VNC clients for covert access. Operators rely on the Solana blockchain for resilient C2, with Google Calendar and direct-IP fallbacks.

🔐 British officials briefly considered physically destroying a government data hub after uncovering a decade-long intrusion attributed to China-aligned actors. The breach reportedly exposed official-sensitive and secret material on government servers, though no top secret data was taken. Rather than demolish the facility, the government implemented alternative protections and commissioned a classified review. Cybersecurity experts say the episode underscores the critical need to secure supply chains and hunt long-term APT presence.

🛡️ Google Threat Intelligence Group (GTIG) reports that North Korean-linked UNC5342 is using a method called EtherHiding to deliver malware and facilitate cryptocurrency theft by embedding encrypted payloads in smart contracts on Ethereum and BNB Smart Chain. The technique turns immutable contracts into resilient, hard-to-takedown command-and-control infrastructure. Initial lures include fake recruiter messages, poisoned npm packages and malicious GitHub repositories; a JavaScript downloader named JADESNOW fetches and decrypts subsequent backdoors such as INVISIBLEFERRET.

🔐 Cisco Talos reports that a North Korean-linked threat cluster has blended features of its BeaverTail and OtterCookie JavaScript malware families, with recent OtterCookie variants adding keylogging, screenshot capture, and clipboard monitoring. The intrusion chain observed involved a trojanized Node.js application called Chessfi and a malicious npm dependency published on August 20, 2025 that executed postinstall hooks to launch multi-stage payloads. Talos tied the activity to the Contagious Interview recruitment scam and highlighted continued modularization and abuse of legitimate open-source packages and public Git hosting to distribute malicious code.

🔍 Hidden blocks of links embedded on corporate websites can quietly erode search rankings and damage reputation by pointing to dubious domains such as pornography or gambling. Invisible to users but parsed by search engines and security tools, these links divert link equity and often trigger algorithmic penalties. Attackers inject them via compromised admin credentials, vulnerable CMS components, infected templates, or breached hosting. Regular updates, strict access controls, routine audits, backups, and mandatory 2FA help prevent and limit impact.

🔒 On Oct. 15, 2025, F5 disclosed a nation-state compromise that exfiltrated source code and undisclosed vulnerability information from the BIG-IP product development and engineering knowledge platforms. F5 reports no evidence of modification to its software supply chain or access to CRM, financial, support case management, iHealth, NGINX or distributed cloud products. Unit 42 warns the theft could accelerate exploit development and recommends immediate patching, hardening, and targeted threat hunting for anomalous admin activity and configuration changes.

🔐 Google Threat Intelligence has linked a campaign to UNC5342, a cluster tied to North Korea, that now uses EtherHiding to distribute malware via smart contracts on public blockchains such as BNB Smart Chain and Ethereum. The attackers lure developers through LinkedIn recruitment ruses, move conversations to Telegram or Discord, and deliver npm-package downloaders that chain into BeaverTail, JADESNOW, and the Python backdoor InvisibleFerret. By embedding payloads in on-chain contracts, the group turns blockchains into tamper-resistant dead-drops that are hard to takedown and easy to update, enabling sustained cryptocurrency theft and long-term espionage.