Malicious PyPI and npm packages target software supply chain

A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.

Microsoft released updates for 80 vulnerabilities on September 2025 Patch Tuesday. None of these vulnerabilities were zero-days. The updates address eight critical flaws, including five remote code execution vulnerabilities, one information disclosure, and two elevation of privilege vulnerabilities. The vulnerabilities span various categories: 38 elevation of privilege, 2 security feature bypass, 22 remote code execution, 14 information disclosure, 3 denial of service, and 1 spoofing. One zero-day vulnerability was fixed in Windows SMB Server. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing. The patch includes 38 elevation of privilege vulnerabilities, the highest number among all categories. CVE-2025-54918 is an EoP vulnerability in Windows NT LAN Manager (NTLM) marked as critical. CVE-2025-54111 and CVE-2025-54913 are EoP flaws in Windows UI XAML, allowing privilege escalation via phished credentials or malicious Microsoft Store apps. CVE-2025-55232 is an RCE vulnerability in the Microsoft High Performance Compute (HPC) Pack with a CVSS score of 9.8. CVE-2025-54916 is an RCE vulnerability in Windows NTFS that can be triggered by authenticated users. Microsoft's patch update includes recommendations for preparing for the end-of-life of Windows 10 and mandatory multifactor authentication (MFA) for Azure in October 2025.

SAP has fixed 21 vulnerabilities, including three critical flaws in its NetWeaver software. The most severe, CVE-2025-42944, is an insecure deserialization flaw allowing unauthenticated remote code execution. The second critical flaw, CVE-2025-42922, enables arbitrary file uploads by authenticated users. The third, CVE-2025-42958, allows unauthorized access to sensitive data and administrative functions. The vulnerabilities affect various SAP products, including ERP, CRM, SRM, and SCM, which are widely used in large enterprise networks. The flaws could lead to full system compromise and unauthorized data manipulation. SAP products are frequently targeted by threat actors due to their handling of mission-critical data. A high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) could allow an attacker with high privilege access to delete the content of arbitrary database tables. A critical security defect in SAP S/4HANA (CVE-2025-42957) has come under active exploitation in the wild.

A supply chain attack compromised multiple npm packages with over 2.6 billion weekly downloads. Attackers injected malicious code into these packages after hijacking a maintainer's account via phishing. The malware targets web-based cryptocurrency transactions, redirecting them to attacker-controlled wallets. The attack was detected and mitigated by the NPM team, who removed the malicious versions within two hours. The phishing campaign targeted multiple maintainers, using a fake domain to trick them into updating their 2FA credentials. The malicious code operates by hooking into JavaScript functions and wallet APIs, intercepting and altering cryptocurrency transactions. The attack impacts users who installed the compromised packages during a specific time window and have vulnerable dependencies. The attack targeted Josh Junon, also known as Qix, who received a phishing email mimicking npm. The phishing email prompted the maintainer to enter their username, password, and 2FA token, which were stolen via an adversary-in-the-middle (AitM) attack. The attack affected 20 packages, including ansi-regex, chalk, debug, and others, with over 2 billion weekly downloads. The malware intercepts cryptocurrency transaction requests by computing the Levenshtein distance to swap the destination wallet address. The payload hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs. The attack also compromised another maintainer, duckdb_admin, to distribute the same wallet-drainer malware. The affected packages from the second maintainer include @coveops/abi, @duckdb/duckdb-wasm, and prebid, among others. The attack impacted roughly 10% of all cloud environments. The attackers diverted five cents worth of ETH and $20 worth of a virtually unknown memecoin. The attacker’s wallet addresses holding significant amounts have been flagged, limiting their ability to convert or use the funds.