Bitdefender researchers describe opportunistic threat actors abusing CVE-2021-21974 to target VMware ESXi, leveraging OpenSLP (port 427) for pre-auth remote code execution and deploying ESXiArgs ransomware against VM files. The advisory covers attack patterns,…
ReversingLabs identified aabquerys, a malicious npm package that downloads second and third stage malware payloads to systems that have downloaded and run the npm package. This incident highlights growing open source supply chain risks in npm, PyPI, and GitHub…
The advisory outlines ongoing DPRK state-sponsored ransomware activity targeting Healthcare and Public Health Sector organizations and other critical infrastructure, detailing TTPs, IOCs, and cryptocurrency ransom payments. It also describes how actors acquire…
FortiGuard Labs detected a zero-day in a PyPI package named “web3-essential,” published by a newly joined user known as ‘Trexon’ on January 26, 2023. The package downloads and executes a Go-based binary to steal sensitive data and exfiltrate it via a Discord w…
Checkmarx researchers tracked a persistent threat actor they named PYTA27 who distributed multiple malicious Python packages to PyPI and GitHub, evolving from plain-text payloads to obfuscated and multi-stage stealers that target Discord and crypto-wallets. Th…
An attacker exploited a PyTorch-nightly dependency confusion by uploading a malicious Torchtriton package to PyPI, causing users to pull a counterfeit binary. The malware exfiltrates data via DNS to a domain controlled by the attacker, and the post explains th…
Two researchers uncovered a malicious PyPI package masquerading as a SentinelOne SDK client, named “SentinelSneak,” which actually implements a backdoor and data-exfiltration capabilities. The campaign highlights open-source software supply-chain risks, especi…
Checkmarx and Illustria uncovered a large-scale phishing operation that polluted NuGet, NPM, and PyPI with automated packages containing links to phishing campaigns. The effort involved tens of thousands of package names, phishing sites, and referral rewards, …
Phylum reports an ongoing typosquatting campaign targeting Python and JavaScript developers on PyPI and NPM, delivering a ransomware payload when executed. The attacker publishes typosquatted packages (notably around the Python requests package) that fetch a l…
Trend Micro’s report reveals a supply-chain campaign that trojanized Comm100 and LiveHelp100 installers to deploy a JavaScript backdoor and multiple modules within Electron-based chat apps. The attackers used HTTP and WebSocket C2 channels to exfiltrate data, …
Researchers identify the WASP threat actor behind a Python package campaign that delivers a polymorphic WASP Stealer via PyPI and uses steganography to hide its payload. The malware targets Discord accounts, wallets, and other files, exfiltrating data through …
Checkmarx identified roughly 200 malicious NPM packages linked to the crime group LofyGang that abused typosquatting, sub-dependencies, and legitimate cloud services to distribute credential-stealing and Discord-targeted malware. The actors used Discord bots a…
CrowdStrike Falcon platform identified a supply chain attack tied to a trojanized Comm100 Live Chat installer, delivering a backdoor via a signed installer. The activity, with a suspected China nexus, involved a second-stage script, loader DLL, and multiple C2…
EvilProxy is a productized phishing service on the dark web that enables MFA bypass via reverse proxy and session cookie theft, expanding attacks against mainstream online services and software supply chains. It targets developers and end-users with campaigns …
Proofpoint’s Threat Research Team links a long-running TA423/Red Ladon espionage operation to a 2022 ScanBox phishing campaign targeting Australian government, offshore energy, and international entities in the South China Sea. The operation impersonates Austr…