Supply Chain Attack Targeting npm Registry Compromises 40 Packages
Summary
A supply chain attack targeting the npm registry has compromised over 700 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.
Timeline
- 16.09.2025 23:02 · 1 article
Shai-hulud worm first detected and spreads rapidly
The self-replicating worm Shai-hulud was first detected on September 15, 2025. It targets secrets, tokens, and credentials within the user's environment, installs the open-source secret-finding tool TruffleHog, and attempts to create public copies of private repositories to steal source code. The most likely 'patient zero' for the campaign is the 'rxnt-authentication' package. The worm's campaign has impacted a wide range of parties, including tech company founders, CTOs, developers, and security vendors.
Sources:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- 16.09.2025 19:46 · 2 articles
Attack linked to s1ngularity and phishing campaign
The attack has been linked to the 's1ngularity' attack targeting the nx build system. It follows a phishing campaign targeting maintainers of popular npm packages, such as chalk and debug. The ripple effects of these attacks extend deep into the dependency chain, potentially impacting widely used projects. The worm's campaign has impacted a wide range of parties, including tech company founders, CTOs, developers, and security vendors.
Sources:
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- 16.09.2025 08:00 · 3 articles
Supply Chain Attack Targeting npm Registry Compromises 40 Packages
The attack has expanded significantly, now affecting at least 700 npm packages. The compromised packages include those published under CrowdStrike's npm namespace. The campaign began with the compromise of the @ctrl/tinycolor package, which receives over 2 million weekly downloads. The attack uses a self-propagating mechanism to infect other packages by the same maintainer, creating unauthorized GitHub Actions workflows within repositories.
Sources:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
Information Snippets
- The attack involves a function (NpmModule.updatePackage) that modifies package.json, injects a local script (bundle.js), and republishes the archive.
First reported: 16.09.2025 08:00 · 3 sources, 3 articles:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The malicious script (bundle.js) scans for tokens and cloud credentials such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY.
First reported: 16.09.2025 08:00 · 3 sources, 3 articles:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The script abuses GitHub personal access tokens to create a GitHub Actions workflow and exfiltrates data to a webhook[.]site endpoint.
First reported: 16.09.2025 08:00 · 3 sources, 3 articles:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The attack has been codenamed Shai-Hulud and is considered a self-replicating worm compromising npm packages.
First reported: 16.09.2025 08:00 · 3 sources, 3 articles:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The starting point of the attack is believed to be rxnt-authentication, a malicious version of which was published on npm on September 14, 2025.
First reported: 16.09.2025 08:00 · 1 source, 1 article:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
- The attack involves creating public copies of all private repositories belonging to the compromised user, likely to gain access to hard-coded secrets and steal source code.
First reported: 16.09.2025 08:00 · 3 sources, 3 articles:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The compromised npm account 'techsupportrxnt' is considered Patient Zero for this campaign.
First reported: 16.09.2025 08:00 · 2 sources, 2 articles:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The attack has been linked to the s1ngularity attack targeting the nx build system, with similarities in design and functionality.
First reported: 16.09.2025 08:00 · 3 sources, 3 articles:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The Rust Security Response Working Group has warned of a phishing campaign targeting crates.io users, using a typosquatted domain to capture GitHub credentials.
First reported: 16.09.2025 08:00 · 1 source, 1 article:
  - 40 npm Packages Compromised in Supply Chain Attack Using bundle.js to Steal Credentials · thehackernews.com · 16.09.2025 08:00
- The attack has expanded to include at least 187 npm packages.
First reported: 16.09.2025 19:46 · 1 source, 1 article:
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
- The attack began with the compromise of the @ctrl/tinycolor npm package.
First reported: 16.09.2025 19:46 · 1 source, 1 article:
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
- The campaign has affected packages published under CrowdStrike's npm namespace.
First reported: 16.09.2025 19:46 · 1 source, 1 article:
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
- The attack uses a self-propagating mechanism to infect other packages by the same maintainer.
First reported: 16.09.2025 19:46 · 2 sources, 2 articles:
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The malicious script creates unauthorized GitHub Actions workflows within repositories.
First reported: 16.09.2025 19:46 · 2 sources, 2 articles:
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The attack has been linked to the 's1ngularity' attack targeting the nx build system.
First reported: 16.09.2025 19:46 · 2 sources, 2 articles:
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The attack follows a phishing campaign targeting maintainers of popular npm packages.
First reported: 16.09.2025 19:46 · 2 sources, 2 articles:
  - Self-propagating supply chain attack hits 187 npm packages · www.bleepingcomputer.com · 16.09.2025 19:46
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The self-replicating worm Shai-hulud was first detected on September 15, 2025.
First reported: 16.09.2025 23:02 · 1 source, 1 article:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- Shai-hulud targets secrets, tokens, credentials, and other sensitive information within the user's environment.
First reported: 16.09.2025 23:02 · 1 source, 1 article:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The worm installs the open-source secret-finding tool TruffleHog into compromised environments.
First reported: 16.09.2025 23:02 · 1 source, 1 article:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The worm attempts to create public copies of private repositories to gain access to hard-coded secrets and steal source code.
First reported: 16.09.2025 23:02 · 1 source, 1 article:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The most likely 'patient zero' for the Shai-hulud campaign is the 'rxnt-authentication' package.
First reported: 16.09.2025 23:02 · 1 source, 1 article:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The campaign has affected hundreds of npm packages, with approximately 700 likely affected repositories identified.
First reported: 16.09.2025 23:02 · 1 source, 1 article:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- The worm's campaign has impacted a wide range of parties, including tech company founders, CTOs, developers, and security vendors.
First reported: 16.09.2025 23:02 · 1 source, 1 article:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
- Developers can check if they are affected by looking for new repositories with 'Shai-Hulud Migration' in their description and newly created branches named 'shai-hulud'.
First reported: 16.09.2025 23:02 · 1 source, 1 article:
  - Self-Replicating 'Shai-hulud' Worm Targets NPM Packages · www.darkreading.com · 16.09.2025 23:02
Similar Happenings
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. 
The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.
SEO Poisoning Campaign Targets Chinese Users with HiddenGh0st, Winos, and kkRAT
A sophisticated SEO poisoning campaign targets Chinese-speaking users with malware, including HiddenGh0st, Winos, and kkRAT. The attackers manipulate search rankings to distribute trojanized installers for popular software, leading to the deployment of remote access trojans (RATs). The malware employs various techniques to evade detection and achieve persistence, including anti-analysis checks, DLL side-loading, and TypeLib COM hijacking. The campaign aims to establish command-and-control communication, monitor user activity, and steal sensitive information. The attackers use fake software sites and GitHub Pages to distribute malware. The malware is designed to disable antivirus software and achieve persistence through scheduled tasks and registry modifications. The campaign has been active since at least May 2025 and involves multiple malware families, including kkRAT, which shares code similarities with Gh0st RAT and Big Bad Wolf.
Active exploitation of CVE-2025-5086 in DELMIA Apriso
CVE-2025-5086, a critical deserialization flaw in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, is being actively exploited. The vulnerability, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. Exploitation attempts have been observed, targeting the /apriso/WebServices/FlexNetOperationsService.svc/Invoke endpoint with a Base64-encoded payload. The payload decodes to a GZIP-compressed Windows executable that deploys a malicious program designed to spy on user activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, advising Federal Civilian Executive Branch (FCEB) agencies to apply updates by October 2, 2025. The malware, identified as Trojan.MSIL.Zapchast.gen, captures keyboard input, takes screenshots, and gathers information about active applications. This information is then sent to the attacker via various means, including email, FTP, and HTTP. The exploit involves sending a malicious SOAP request to vulnerable endpoints. The malicious requests were observed originating from the IP 156.244.33[.]162.
EvilAI Malware Campaign Targets Multiple Sectors Globally
A threat actor, tracked as EvilAI, is using AI-enhanced malware disguised as legitimate productivity and AI-enhanced apps to target organizations in various sectors worldwide. The malware is spread rapidly across multiple regions, including the US, India, the UK, Germany, France, and Brazil. The malware features realistic functionality and stealthy payload delivery, making it difficult to detect with traditional antivirus tools. The campaign uses digital signatures from newly registered entities to lend authenticity to the malicious apps. Once installed, the malware performs extensive reconnaissance, disables security products, and sets the stage for future exploit activities. The malware is likely being used by an initial access broker (IAB) to gain initial access and establish persistence.
Microsoft's RC4 Encryption Vulnerability Exploited in Black Basta Ransomware Attack on Ascension
U.S. Senator Ron Wyden has called for an FTC investigation into Microsoft's cybersecurity practices, citing the company's support for RC4 encryption and insecure default settings that facilitated a ransomware attack on the Ascension healthcare network. The attack, attributed to the Black Basta ransomware group, compromised nearly 5.6 million individuals' personal and medical information. The breach occurred when a contractor's system was infected via a malicious link on Microsoft's Bing search engine. Attackers exploited insecure default settings and Kerberoasting techniques to gain elevated access to Ascension's network. Microsoft has acknowledged the vulnerabilities and plans to deprecate RC4 support in future updates. Wyden has criticized Microsoft for not clearly warning customers about the risks associated with RC4 encryption and for not taking decisive action to mitigate security risks.