GitHub Strengthens npm Supply Chain Security with 2FA and Short-Lived Tokens
Summary
GitHub has announced upcoming changes to its authentication and publishing options in response to recent supply chain attacks targeting the npm ecosystem. These changes aim to mitigate threats posed by token abuse and self-replicating malware. The updates include mandatory two-factor authentication (2FA), short-lived tokens, and trusted publishing via OpenID Connect (OIDC). The Shai-Hulud attack, which injected a self-replicating worm into hundreds of npm packages, highlighted the need for these security enhancements. Additionally, a malicious npm package named fezbox was discovered, which used a QR code-based technique to steal browser credentials. The fezbox package was downloaded at least 327 times before being removed from the npm registry, and it employed advanced obfuscation techniques to evade detection. Recent attacks, including the s1ngularity and GhostAction campaigns, have further underscored the need for these security measures. Ruby Central has also announced tighter governance of the RubyGems package manager to improve supply-chain protections.
Timeline
- 23.09.2025 15:05 (1 article): Ruby Central Announces Tighter Governance of RubyGems
Ruby Central has announced tighter governance of the RubyGems package manager to improve supply-chain protections. This follows recent incidents involving malicious Ruby gems. Until new governance policies are finalized, only Ruby Central staff will hold admin access. The community is awaiting further details on the new governance model and policies.
Sources:
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- 23.09.2025 12:20 (3 articles): GitHub Announces Enhanced npm Security Measures
GitHub has announced upcoming changes to its authentication and publishing options in response to recent supply chain attacks, including the s1ngularity attack in late August, the GhostAction campaign in early September, and the Shai-Hulud attack last week. These changes include mandatory 2FA, short-lived tokens, and trusted publishing via OIDC. The attacks led to the compromise of thousands of accounts and private repositories, the theft of sensitive data, and significant remediation costs. Additionally, a malicious npm package named fezbox was discovered, which used a QR code-based technique to steal browser credentials. The fezbox package was downloaded at least 327 times before being removed from the npm registry, and it employed advanced obfuscation techniques to evade detection. GitHub will gradually implement these changes, including removing the option to bypass 2FA for local publishing and defaulting publishing access to disallow tokens.
Sources:
  - GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security | thehackernews.com | 23.09.2025 12:20
  - NPM package caught using QR Code to fetch cookie-stealing malware | www.bleepingcomputer.com | 23.09.2025 13:42
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
Information Snippets
- GitHub will enforce 2FA for npm publishing to mitigate token abuse.
First reported: 23.09.2025 12:20 (2 sources, 2 articles). Sources:
  - GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security | thehackernews.com | 23.09.2025 12:20
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- Granular tokens with publishing permissions will have a limited lifetime of seven days.
First reported: 23.09.2025 12:20 (2 sources, 2 articles). Sources:
  - GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security | thehackernews.com | 23.09.2025 12:20
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- Trusted publishing will use short-lived, workflow-specific credentials via OIDC.
First reported: 23.09.2025 12:20 (2 sources, 2 articles). Sources:
  - GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security | thehackernews.com | 23.09.2025 12:20
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- The npm CLI will automatically generate and publish provenance attestations for packages.
First reported: 23.09.2025 12:20 (1 source, 1 article). Sources:
  - GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security | thehackernews.com | 23.09.2025 12:20
- Legacy classic tokens and TOTP 2FA will be deprecated in favor of FIDO-based 2FA.
First reported: 23.09.2025 12:20 (2 sources, 2 articles). Sources:
  - GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security | thehackernews.com | 23.09.2025 12:20
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- The Shai-Hulud attack injected a self-replicating worm into npm packages to steal secrets.
First reported: 23.09.2025 12:20 (2 sources, 2 articles). Sources:
  - GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security | thehackernews.com | 23.09.2025 12:20
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- The fezbox npm package used a QR code to steal browser credentials via a steganographic technique.
First reported: 23.09.2025 12:20 (2 sources, 2 articles). Sources:
  - GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security | thehackernews.com | 23.09.2025 12:20
  - NPM package caught using QR Code to fetch cookie-stealing malware | www.bleepingcomputer.com | 23.09.2025 13:42
- The fezbox package was downloaded at least 327 times before being removed from the npm registry.
First reported: 23.09.2025 13:42 (1 source, 1 article). Sources:
  - NPM package caught using QR Code to fetch cookie-stealing malware | www.bleepingcomputer.com | 23.09.2025 13:42
- The malicious payload in the fezbox package was obfuscated and stored in reverse to evade detection.
First reported: 23.09.2025 13:42 (1 source, 1 article). Sources:
  - NPM package caught using QR Code to fetch cookie-stealing malware | www.bleepingcomputer.com | 23.09.2025 13:42
- The QR code in the fezbox package was designed to be unusually dense, making it difficult to read with standard phone cameras.
First reported: 23.09.2025 13:42 (1 source, 1 article). Sources:
  - NPM package caught using QR Code to fetch cookie-stealing malware | www.bleepingcomputer.com | 23.09.2025 13:42
- The obfuscated payload in the fezbox package targeted user credentials via document.cookie.
First reported: 23.09.2025 13:42 (1 source, 1 article). Sources:
  - NPM package caught using QR Code to fetch cookie-stealing malware | www.bleepingcomputer.com | 23.09.2025 13:42
- The fezbox package sent stolen credentials via an HTTPS POST request to a specific URL.
First reported: 23.09.2025 13:42 (1 source, 1 article). Sources:
  - NPM package caught using QR Code to fetch cookie-stealing malware | www.bleepingcomputer.com | 23.09.2025 13:42
- The s1ngularity attack in late August compromised thousands of accounts and private repositories.
First reported: 23.09.2025 15:05 (1 source, 1 article). Sources:
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- The GhostAction campaign in early September resulted in the theft of sensitive data and significant remediation costs.
First reported: 23.09.2025 15:05 (1 source, 1 article). Sources:
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- The Shai-Hulud attack last week spread to npm, causing widespread impact.
First reported: 23.09.2025 15:05 (1 source, 1 article). Sources:
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- GitHub will gradually implement changes to reduce supply-chain risks, including removing the option to bypass 2FA for local publishing.
First reported: 23.09.2025 15:05 (1 source, 1 article). Sources:
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- GitHub will default publishing access to disallow tokens.
First reported: 23.09.2025 15:05 (1 source, 1 article). Sources:
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- Ruby Central announced tighter governance of the RubyGems package manager to improve supply-chain protections.
First reported: 23.09.2025 15:05 (1 source, 1 article). Sources:
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
- Ruby Central will temporarily restrict admin access to only its staff until new governance policies are finalized.
First reported: 23.09.2025 15:05 (1 source, 1 article). Sources:
  - GitHub tightens npm security with mandatory 2FA, access tokens | www.bleepingcomputer.com | 23.09.2025 15:05
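The snippets above describe the direction GitHub is taking (short-lived, workflow-specific OIDC credentials and automatic provenance) rather than how a maintainer adopts it. As an added example, not taken from any of the cited articles or from GitHub's own documentation, here is a GitHub Actions release workflow that publishes through npm trusted publishing so that no long-lived npm token is stored as a repository secret. It assumes a trusted publisher for the package has already been configured on npmjs.com pointing at this repository and this workflow file name, and that the package and file names are placeholders.

```yaml
# Added example (not the project's or GitHub's own workflow).
# Assumes: a trusted publisher for the package is configured on npmjs.com,
# bound to this repository and to this file's name (e.g. .github/workflows/release.yml).
name: release
on:
  release:
    types: [published]

permissions:
  contents: read    # checkout only; nothing in this job needs to write to the repository
  id-token: write   # lets the job request a short-lived OIDC token from GitHub

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm test
      # Trusted publishing needs a recent npm CLI (11.5.1 or later); the runner's
      # bundled npm may be older, so upgrade it explicitly before publishing.
      - run: npm install -g npm@latest
      # No NODE_AUTH_TOKEN and no secrets.NPM_TOKEN: npm exchanges the workflow's OIDC
      # token for a short-lived registry credential scoped to this workflow run and
      # attaches a provenance attestation (on by default here; the flag makes it explicit).
      - run: npm publish --access public --provenance
```

On the consuming side, `npm audit signatures` checks that installed packages carry registry signatures and, where published, provenance attestations, which is how a downstream project can verify that a dependency was built by the workflow its provenance claims.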
Similar Happenings
BadIIS Malware SEO Poisoning Campaign Targets East and Southeast Asia
A Chinese-speaking threat actor, dubbed CL-UNK-1037, is conducting an SEO poisoning campaign using the BadIIS malware. The campaign targets East and Southeast Asia, particularly Vietnam, to redirect web traffic and plant web shells on compromised servers. The malware manipulates search engine results to direct users to malicious sites, leveraging compromised legitimate servers. The actor shares infrastructure and architectural overlaps with Group 9 and has been active since at least 2025. The BadIIS malware intercepts and modifies HTTP traffic to serve malicious content, using compromised IIS servers to alter search engine indexing. The campaign involves creating new user accounts, dropping web shells, and exfiltrating source code to maintain persistent access. The threat actor employs multiple variants of BadIIS, including ASP.NET page handlers, .NET IIS modules, and PHP scripts, to achieve SEO poisoning and traffic manipulation.
GPT-4-Powered MalTerminal Malware Demonstrates LLM-Embedded Capabilities
Cybersecurity researchers have identified MalTerminal, a malware that leverages OpenAI's GPT-4 to generate ransomware code or reverse shells dynamically. This discovery marks the earliest known example of LLM-embedded malware. MalTerminal was presented at the LABScon 2025 security conference and has not been observed in the wild, suggesting it may be a proof-of-concept or red team tool. The malware includes a deprecated OpenAI API endpoint, indicating it was created before November 2023. Accompanying Python scripts and a defensive tool, FalconShield, were also found. The incorporation of LLMs into malware represents a significant shift in adversary tactics, introducing new challenges for defenders. Additionally, threat actors are using LLMs to bypass email security layers by injecting hidden prompts in phishing emails, exploiting AI-powered security scanners. This technique, combined with LLM Poisoning, allows malicious emails to evade detection and execute attack chains.
Malware exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428
Two sets of malware have been discovered in an unnamed organization's network following the exploitation of vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities were exploited around May 15, 2025, to gain access to the server running EPMM. This allowed attackers to execute arbitrary code, collect system information, download malicious files, and exfiltrate data. The malware sets included loaders that enabled persistence by injecting and running arbitrary code on the compromised server. The attacks leveraged two vulnerabilities: an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428). The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands. The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks. CISA recommends patching affected Ivanti EPMM immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).
Microsoft 365 targeted due to its market dominance and complex attack surface
Microsoft 365's widespread adoption has made it a prime target for cybercriminals. Its integrated suite of applications and over 400 million paid seats globally present a rich target environment. Attackers exploit its interconnected services to maximize impact, often using phishing and zero-day vulnerabilities. Recent vulnerabilities in SharePoint highlight the cascading risks, while backup systems often preserve malicious content, posing additional threats. Organizations must implement robust security measures to protect against these risks.
SilentSync RAT delivered via malicious PyPI packages targeting Python developers
Two malicious packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages deliver the SilentSync remote access trojan (RAT) to Windows systems. The trojan is capable of remote command execution, file exfiltration, screen capturing, and extracting web browser data. The packages were uploaded by a user named CondeTGAPIS and have been removed from PyPI. The sisaws package mimics the legitimate sisa package, while secmeasure masquerades as a security library. The trojan is designed to infect Windows systems but also supports Linux and macOS. It communicates with a command and control (C2) server to receive commands and exfiltrate data. The discovery highlights the risk of supply chain attacks within public software repositories.