Malicious SSH Brute-Force Go Module Exfiltrates Credentials via Telegram Bot

A malicious npm package named 'fezbox' was discovered using QR codes to fetch and execute cookie-stealing malware. The package, disguised as a utility library, was downloaded at least 327 times before being removed from the npm registry. The malware targets user credentials and employs steganographic techniques to evade detection. The package was found to fetch a JPG image containing a QR code, which then executes a second-stage payload. The QR code is designed to be unusually dense and difficult to read with standard phone cameras, making it harder to detect. The package was published by a Chinese-speaking attacker using the alias 'janedu' and included multiple layers of obfuscation to evade detection. The malware specifically targets cookies to steal usernames and passwords, sending the stolen information via an HTTPS POST request to a command-and-control server. The package was removed and flagged as malware posing a supply-chain risk. The attacker's activity status on the npm registry remains unclear. The package's ReadMe mentioned a QR Code Module, making its existence seem legitimate. The package used reversed strings as an anti-analysis technique. The payload could read a web cookie and extract the username and password if both were present.

A supply chain attack involving multiple npm packages with over 2.6 billion weekly downloads has been discovered. The attack, which began in April 2025, involved the injection of malicious code into npm packages after compromising a maintainer's account via a phishing attack. The malicious code targets cryptocurrency wallets, including Atomic and Exodus, and redirects transactions to addresses controlled by threat actors. The attack has now expanded to include additional maintainers and packages, further broadening its impact. The attack impacted roughly 10% of all cloud environments, but the attackers made little profit. The malicious packages were removed within two hours of the attack, and the injected code targeted browser environments, hooking Ethereum and Solana signing requests. The attack was discovered and mitigated quickly, preventing more severe security incidents. The attack follows a series of similar incidents targeting JavaScript libraries, emphasizing the ongoing threat to the npm ecosystem and the broader supply chain. The compromised packages include popular ones such as ansi-regex, ansi-styles, chalk, debug, and others, collectively attracting over 2 billion weekly downloads. The malicious code operates by intercepting network traffic and application APIs, targeting various cryptocurrencies including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash.

The Shai-Hulud attack, a self-replicating malware, has compromised at least 187 npm packages, affecting multiple maintainers. The attack uses a self-propagating mechanism to infect other packages by the same maintainer, modifying package.json, injecting a bundle.js script, repacking the archive, and republishing it. The malware uses TruffleHog to search the host for tokens and cloud credentials, creating unauthorized GitHub Actions workflows within repositories and exfiltrating sensitive data to a hardcoded webhook endpoint. The attack is named 'Shai-Hulud' after the shai-hulud.yaml workflow files used by the malware and follows the 's1ngularity' attack, potentially orchestrated by the same attackers. The attack unfolded in three phases, impacting 2,180 accounts and 7,200 repositories. The first phase, between August 26 and 27, directly impacted 1,700 users, leaking over 2,000 unique secrets and exposing 20,000 files. The second phase, between August 28 and 29, compromised an additional 480 accounts, mostly organizations, and exposed 6,700 private repositories. The third phase, beginning on August 31, targeted a single victim organization, publishing an additional 500 private repositories. The attackers used AI-powered CLI tools like Claude, Q, and Gemini to dynamically scan for high-value secrets, tuning the prompts for better success.

The North Korean threat group Scarcruft (APT37) has launched a campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, began in July 2025 and includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets. In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. This campaign targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The campaign uses spear-phishing emails with a lure for a "National Intelligence Research Society Newsletter" containing a ZIP archive attachment with a Windows shortcut (LNK) masquerading as a PDF document. The LNK file drops RokRAT malware, which is capable of collecting system information, executing arbitrary commands, enumerating the file system, capturing screenshots, and downloading additional payloads. RokRAT exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. The campaign also involves a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while concealing network traffic as a Chrome file upload. The lure document used in this instance is a statement issued by Kim Yo Jong, the Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation. Additionally, a modular backdoor malware for the macOS platform, ChillyHell, has resurfaced with a new version. This malware gives attackers remote access and allows them to drop payloads or brute-force passwords. The new ChillyHell sample was uploaded to VirusTotal on May 2, 2025, and was notarized by Apple in 2021. The malware has multiple persistence mechanisms and can exfiltrate data, drop additional payloads, enumerate user accounts, and perform local password cracking. Apple revoked notarization of the developer certificates associated with the malware once notified by Jamf. A new malware family, ZynorRAT, has been discovered, targeting Windows, Linux, and macOS systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration, system enumeration, and arbitrary command execution. The North Korea-linked threat actors associated with the Contagious Interview campaign have been attributed to a previously undocumented backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor. The campaign targets software developers across all operating systems, Windows, Linux, and macOS, particularly those involved in cryptocurrency and Web3 projects. The campaign involves impersonated recruiters offering lucrative job roles over platforms like LinkedIn, Upwork, Freelancer, and Crypto Jobs List. The attacks deliver several pieces of malware such as BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost. WeaselStore's functionality is similar to BeaverTail and InvisibleFerret, focusing on exfiltration of sensitive data from browsers and cryptocurrency wallets. TsunamiKit is a malware toolkit designed for information and cryptocurrency theft, first discovered in November 2024. TsunamiKit comprises several components, including TsunamiLoader, TsunamiInjector, TsunamiInstaller, TsunamiHardener, and TsunamiClient. TsunamiClient incorporates a .NET spyware and drops cryptocurrency miners like XMRig and NBMiner. Tropidoor is a sophisticated payload linked to the DeceptiveDevelopment group, sharing code with PostNapTea and LightlessCan. AkdoorTea is a remote access trojan delivered by a Windows batch script, sharing commonalities with Akdoor and NukeSped (Manuscrypt). The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection. The campaign supplies stolen developer information to North Korea’s fraudulent IT workers, who use it to pose as job seekers and land remote work at unsuspecting companies. The campaign involves tight collaboration with North Korea’s network of fraudulent IT workers, tracked as WageMole. The North Korean IT workers operate in teams, focusing on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania. The North Korean IT workers impersonate real companies and engineers, producing engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.