Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label GitHub Actions vulnerability. Show all posts
Malwares
Cyber Attacks cyber theft data security GitHub GitHub Actions vulnerability GitHub malware Malware attacks Malwares

WebRAT Malware Spreads Through Fake GitHub Exploit Repositories

 

The WebRAT malware is being distributed through GitHub repositories that falsely claim to host proof-of-concept exploits for recently disclosed security vulnerabilities. This marks a shift in the malware’s delivery strategy, as earlier campaigns relied on pirated software and cheats for popular games such as Roblox, Counter-Strike, and Rust. First identified at the beginning of the year, WebRAT operates as a backdoor that allows attackers to gain unauthorized access to infected systems and steal sensitive information, while also monitoring user activity. 

A report published by cybersecurity firm Solar 4RAYS in May detailed the scope of WebRAT’s capabilities. According to the findings, the malware can harvest login credentials for platforms including Steam, Discord, and Telegram, along with extracting data from cryptocurrency wallets. Beyond credential theft, WebRAT poses a serious privacy threat by enabling attackers to activate webcams and capture screenshots, exposing victims to covert surveillance. 

Since at least September, the threat actors behind WebRAT have expanded their tactics by creating GitHub repositories designed to appear legitimate. These repositories present themselves as exploit code for high-profile vulnerabilities that have received widespread media attention. Among the issues referenced are a Windows flaw that allows remote code execution, a critical authentication bypass in the OwnID Passwordless Login plugin for WordPress, and a Windows privilege escalation vulnerability that enables attackers to gain elevated system access. By exploiting public awareness of these vulnerabilities, the attackers increase the likelihood that developers and security researchers will trust and download the malicious files. 

Security researchers at Kaspersky identified 15 GitHub repositories linked to the WebRAT campaign. Each repository contained detailed descriptions of the vulnerability, explanations of the supposed exploit behavior, and guidance on mitigation. Based on the structure and writing style of the content, Kaspersky assessed that much of the material was likely generated using artificial intelligence tools, adding to the appearance of legitimacy. The fake exploits are distributed as password-protected ZIP archives containing a mix of decoy and malicious components. 

These include empty files, corrupted DLLs intended to mislead analysis, batch scripts that form part of the execution chain, and a dropper executable named rasmanesc.exe. Once launched, the dropper elevates system privileges, disables Windows Defender, and downloads the WebRAT payload from a hardcoded remote server, enabling full compromise of the system.  

Kaspersky noted that the WebRAT variant used in this campaign does not introduce new features and closely resembles previously documented samples. Although all identified malicious repositories have been removed from GitHub, researchers warn that similar lures could resurface under different names or accounts. 

Security experts continue to advise that exploit code from unverified sources should only be tested in isolated, controlled environments to reduce the risk of infection.
Read more »
Malwares
AI cybersecurity AI tools Cyber Security Cyber Security Tool GitHub GitHub Actions vulnerability GitHub Bug Malware Attack Malwares

Webrat Malware Targets Students and Junior Security Researchers Through Fake Exploits

 

In early 2025, security researchers uncovered a new malware family dubbed Webrat, which at that time was predominantly targeting ordinary users through fake distribution methods. The first propagation involved masking malware as cheats for online games-like Rust, Counter-Strike, and Roblox-but also as cracked versions of some commercial software. By the second half of that year, though, the Webrat operators had indeed widened their horizons, shifting toward a new target group that covered students and young professionals seeking careers in information security. 

This evolution started to surface in September and October 2025, when researchers discovered a campaign spreading Webrat through open GitHub repositories. The attackers embedded the malicious payloads as proof-of-concept exploits of highly publicized software vulnerabilities. Those vulnerabilities were chosen due to their resonance in security advisories and high severity ratings, making the repositories look relevant and credible for people searching for hands-on learning materials.  

Each of the GitHub repositories was crafted to closely resemble legitimate exploit releases. They all had detailed descriptions outlining the background of the vulnerability, affected systems, steps to install it, usage, and the most recommended ways of mitigation. Many of the repository descriptions have a similar or almost identical structure; the defensive advice offered is often strikingly similar, adding strong evidence that they were generated through automated or AI-assisted tools rather than various independent researchers. Inside each repository, users were instructed to fetch an archive with a password, labeled as the exploit package. 

The password was hidden in the name of one of the files inside the archive, a move intended to lure users into unzipping the file and researching its contents. Once unpacked, the archive contains a set of files meant to masquerade or divert attention from the actual payload. Among those is a corrupted dynamic-link library file meant as a decoy, along with a batch file whose purpose was to instruct execution of the main malicious executable file. The main executable, when run, executed several high-risk actions: It tried to elevate its privileges to administrator level, disabled the inbuilt security protections such as Windows Defender, and then downloaded the Webrat backdoor from a remote server and started it.

The Webrat backdoor provides a way to attackers for persistent access to infected systems, allowing them to conduct widespread surveillance and data theft activities. Webrat can steal credentials and other sensitive information from cryptocurrency wallets and applications like Telegram, Discord, and Steam. In addition to credential theft, it also supports spyware functionalities such as screen capture, keylogging, and audio and video surveillance via connected microphones and webcams. The functionality seen in this campaign is very similar to versions of Webrat described in previous incidents. 

It seems that the move to dressing the malware up as vulnerability exploits represents an effort to affect hobbyists rather than professionals. Professional analysts normally analyze such untrusted code in a sandbox or isolated environment, where such attacks have limited consequences. 

Consequently, researchers believe the attack focuses on students and beginners with lax operational security discipline. It ranges in topic from the risks in running unverified code downloaded from open-source sites to the need to perform malware analysis and exploit testing in a sandbox or virtual machine environment. 

Security professionals and students are encouraged to be keen in their practices, to trust only known and reputable security tools, and to bypass protection mechanisms only when this is needed with a clear and well-justified reason.
Read more »
telemetry.js malware
GitHub Actions vulnerability NPM malware Nx supply chain attack telemetry.js malware

Nx "s1ngularity" Supply Chain Attack Exposes Thousands of Secrets

 

The recent Nx "s1ngularity" NPM supply chain attack has led to a massive security fallout, exposing thousands of account tokens and repository secrets, according to Wiz researchers.

A post-incident analysis revealed that the breach compromised 2,180 accounts and 7,200 repositories in three distinct attack phases. Wiz emphasized that the impact is still unfolding, as many of the leaked secrets remain valid.

Nx, a widely used open-source build system and monorepo management tool in enterprise-scale JavaScript/TypeScript projects, has over 5.5 million weekly downloads on the NPM registry.

How the Attack Happened

On August 26, 2025, threat actors exploited a flawed GitHub Actions workflow in the Nx repository. This enabled them to publish a malicious version of Nx on NPM containing a post-install malware script called telemetry.js.

The telemetry.js malware targeted Linux and macOS systems, attempting to steal sensitive data such as GitHub tokens, npm tokens, SSH keys, .env files, and even crypto wallets. The stolen data was then uploaded to public repositories under the name "s1ngularity-repository."

What made this breach particularly unique was the attacker’s use of AI command-line tools like Claude, Q, and Gemini. These tools were leveraged with changing LLM prompts to hunt for and extract secrets.

"The evolution of the prompt shows the attacker exploring prompt tuning rapidly throughout the attack. We can see the introduction of role-prompting, as well as varying levels of specificity on techniques," explained Wiz.

"These changes had a concrete impact on the success of the malware. The introduction of the phrase ‘penetration testing’, for example, was concretely reflected in LLM refusals to engage in such activity."

Three Phases of the Attack

Phase 1 (Aug 26–27): Backdoored Nx packages impacted around 1,700 users, leaking more than 2,000 unique secrets and exposing 20,000 files from infected systems. GitHub removed attacker-created repositories within eight hours, but the stolen data had already been duplicated.

Phase 2 (Aug 28–29): Using stolen GitHub tokens, attackers flipped private repositories to public, renaming them with the “s1ngularity” tag. This compromised 480 more accounts (mostly organizations) and exposed 6,700 private repositories.

Phase 3 (from Aug 31): The attackers focused on a single organization, using two compromised accounts to publish another 500 private repositories.

Root Cause & Response

The Nx team later confirmed that the breach stemmed from a pull request title injection combined with insecure use of pull_request_target. This flaw allowed attackers to execute arbitrary code with elevated permissions, triggering Nx’s publish pipeline and stealing the npm publishing token.

In response, Nx revoked compromised tokens, adopted two-factor authentication, and migrated to NPM’s Trusted Publisher model, which eliminates token-based publishing. Additionally, manual approvals are now required for pull request-triggered workflows.
Read more »
Subscribe to: Comments (Atom)