Researchers disclosed a new iteration of the Contagious Interview campaign — tracked as StegaBin and attributed to the North Korean Famous Chollima cluster — that published 26 malicious npm packages masquerading as developer tools to deliver a developer-targeted credential stealer and remote access trojan. The packages use install.js to run a…
Search Results for: NPM
Socket detected a coordinated typosquatting npm campaign dubbed “StegaBin” that published 26 malicious packages which use Pastebin-based character-level steganography to hide Vercel C2 infrastructure and deliver a multi-stage installer that ultimately deploys a RAT and a nine-module infostealer targeting developer artifacts. The activity is consistent with the North Korean-aligned cluster tracked as FAMOUS CHOLLIMA / Contagious Interview and includes a shared loader (vendor/scrypt-js/version.js, SHA256: da1775d0…) and live C2 at 103[.]106[.]67[.]63:1244. #StegaBin #FAMOUS_CHOLLIMA
Socket’s Threat Research Team discovered a Shai-Hulud-like supply chain worm campaign tracked as SANDWORM_MODE that spread through at least 19 typosquatting npm packages and a malicious GitHub Action, harvesting developer and CI secrets, exfiltrating via HTTPS/GitHub API/DNS, and persisting via git hooks and MCP server injection targeting AI coding assistants. npm, GitHub, and Cloudflare removed related infrastructure, but defenders must treat the identified packages and injected workflows as active compromise risks and rotate/revoke affected tokens, audit global git templates, and inspect AI assistant configs for rogue MCP servers. #SANDWORM_MODE #suport-color
ReversingLabs uncovered a modular fake recruitment campaign named graphalgo that uses deceptive blockchain job tasks to distribute malicious npm and PyPI packages to JavaScript and Python developers. The operation, attributed to the North Korea-linked Lazarus Group, deploys fake companies like Veltrix Capital, staged interview repositories, and delayed malicious package updates that…
Socket Threat Research discovered a coordinated supply chain attack that published malicious versions of the dYdX client libraries to npm and PyPI, embedding wallet-stealing credential exfiltration and, in the PyPI release, a Remote Access Trojan (RAT). The malicious packages exfiltrated seed phrases and device fingerprints to a typosquatting domain and the PyPI release used a 100-iteration obfuscation to deploy a RAT capable of arbitrary code execution and persistent access. #dYdX #priceoracle.site
Zscaler ThreatLabz discovered three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—that deploy a Node.js remote access trojan named NodeCordRAT that uses Discord for command-and-control. The malware exfiltrates Chrome credentials, .env files, and MetaMask data (including LevelDB .ldb files and seed phrases) and was distributed via postinstall scripts, with PM2 used to keep it running. #NodeCordRAT #bip40
The article explains GitHub’s guidance to harden npm package publishing by adopting Trusted Publishing (OIDC), enforcing stronger 2FA for publishing actions, and preferring WebAuthn/passkeys over TOTP while outlining benefits and trade-offs for CI/CD and account changes. It emphasizes replacing long‑lived tokens with ephemeral OIDC flows or scoped granular access tokens, tightening publishing settings, and adopting WebAuthn to reduce supply‑chain compromise risk. #ShaiHulud #npm
Trust Wallet’s web browser extension was compromised through an attack involving stolen developer secrets, resulting in over $8.5 million in crypto theft from more than 2,500 wallets. This incident is linked to the widespread Sha1-Hulud supply chain attack targeting npm packages and GitHub repositories. #TrustWallet #Sha1Hulud
Cybersecurity experts have identified a new modification of the Shai Hulud malware strain embedded in npm packages, demonstrating increased obfuscation and evasion tactics. Additionally, a malicious Maven package exploiting typosquatting techniques has been taken down, highlighting supply chain security challenges. #ShaiHulud #MavenMalware…
Cybersecurity experts have uncovered a targeted spear-phishing campaign that uses malicious npm packages to facilitate credential theft across critical infrastructure sectors. Attackers hosted the phishing page components inside npm packages, making the infrastructure harder to take down, and built lures that mimic secure document-sharing platforms, focusing on organizations in manufacturing, healthcare, and industrial automation. #Evilginx #npmsecurity…
A new, more resilient strain of the Shai-Hulud worm, dubbed “The Golden Path,” has been detected by security researchers, indicating ongoing threats in the npm ecosystem. The malware now features cross-platform propagation and improved exfiltration methods, emphasizing the need for stricter security measures. #ShaiHulud #npmSupplyChain…
A malicious NPM package named ‘Lotusbail’ masquerades as a WhatsApp Web API library and steals user credentials and data. It still functions as a message-sending client, but intercepts all communications and grants attackers persistent access, posing a significant security threat. #Lotusbail #NPMmalware…
A malicious NPM package called lotusbail impersonates a legitimate WhatsApp Web API library to steal user data and maintain persistent access. Researchers warn developers to remove this package and monitor their WhatsApp accounts for unauthorized linked devices. #WhatsApp #NPMMalware
Cybersecurity researchers have uncovered a malicious npm package named “lotusbail” that masquerades as a WhatsApp API but secretly intercepts messages and links attackers to victims’ WhatsApp accounts. The package has been widely downloaded, enabling attackers to steal credentials, harvest contacts, and maintain persistent access—posing a significant threat to users. #WhatsAppSecurity #npmMalware…
Attackers exploited a GitHub Actions injection vulnerability in Nx’s workflow to steal an NPM publishing token, push malicious Nx packages, and use those packages to harvest credentials, SSH keys, and crypto wallets from developer systems. The campaign evolved into a self-replicating NPM supply-chain worm called Shai-Hulud that registers compromised hosts as self-hosted GitHub Actions runners and uses GitHub Discussions as a stealthy C2 channel. #ShaiHulud #Nx