Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label GitHub. Show all posts
python
Banana Squad Copycat CyberCrime Cyberhackers Cybersecurity GitHub Malicious Activities malware python

Malicious Copycat Repositories Emerge in Large Numbers on GitHub

 


The researchers at the National Cyber Security Agency have identified a sophisticated campaign that involved malicious actors uploading more than 67 deceptive repositories to GitHub, masquerading as legitimate Python-based security and hacking tools. 

In truth, these repositories actually serve as a vehicle through which trojanized payloads are injected into the system, thus compromising unsuspecting developers and security professionals. In a report by ReversingLabs under the codename Banana Squad, uncovered in 2023, that an earlier wave of attacks appeared to be an extension of that earlier wave, it appears that this operation is an extension of the earlier attack wave. 

During the previous campaign, counterfeit Python packages were distributed by the Python Package Index (PyPI) and were downloaded over 75,000 times and included the information-stealing capability that targeted Windows environments in particular. With their pivotal focus on GitHub, the attackers are taking advantage of the platform’s reputation as a trusted source for open-source software to make their malicious code more likely to infiltrate, thus expanding their malicious code’s reach. 

As a result of this evolving threat, it is becoming increasingly obvious that the software supply chain is facing persistent threats, and ensuring that packages and repositories are authenticated before they are integrated into development workflows is of utmost importance. Banana Squad was responsible for orchestrating the deployment of nearly 70 malicious repositories in its most recent operation, all carefully crafted to resemble genuine Python-based hacking utilities. 

It is important to note that the counterfeit repositories were designed in such a way that their names and file structures closely resembled those of reputable open-source projects already hosted on GitHub, giving them the appearance of being trustworthy at first glance. This group of hackers cleverly exploited a relatively overlooked feature of the GitHub code display interface in order to conceal their malicious intent further. 

There is a specific issue in which GitHub does not automatically wrap code lines on the next line if they exceed the width of the viewing window; rather, when the contents extend off the right edge of the screen indefinitely, GitHub will automatically wrap them onto the next line. This subtle quirk was tapped into by the attackers, who embedded a substantial stretch of empty space at the end of seemingly benign code lines, effectively pushing the malicious payload beyond the visible area of the code. 

Even when a diligent review of the code is conducted, it may not be possible to detect the hidden threat, unless the reviewer scrolls horizontally to the very end of each line, thus creating a blind spot for the concealed threat. Using this technique of obscuring software repositories and propagating malware under the guise of legitimate tools, threat actors are using an increasingly creative approach to evading detection and highlights the fact that they are using increasingly creative methods to evade detection. 

This Banana Squad activity does not represent an isolated incident. It is an excellent example of a broader trend in which cybercriminal groups are using GitHub to distribute malicious code in an increasing number of cases. It has become increasingly clear that threat actors are utilising the platform as a convenient delivery channel to reach out to a wide range of unaware developers and hobbyists over the past several months. 

The researchers at Trend Micro, for example, have recently discovered that 76 malicious projects have been attributed to the Water Curse group over the past few months. There was careful engineering involved in crafting these repositories so that they would deliver staged payloads that would harvest passwords, browser cookies, and other session data, as well as implement stealthy tools designed to enable persistent access to compromised computers. 

Another investigation by Check Point shed light on how the Stargazer's Ghost Network operated, a complex fraud scheme that relied on creating numerous fraudulent GitHub accounts to carry out its activities. A ghost profile was constructed by using stars, forks, and frequent updates, which mimicked the activity of legitimate developers, so that it appeared genuine, so that it would appear genuine to potential victims. This sophisticated ruse arose from the attackers' attempt to manipulate the popularity of their repositories to promote Java-based malware aimed at Minecraft players.

By doing so, they pushed the repositories to the top of GitHub's search rankings and made them more credible to potential users. According to research conducted by Check Point and Checkmarx, it appears that the Stargazer's Ghost Network is a small part of a larger underground ecosystem built around distribution-as-a-service models that may be the basis of much larger underground economies. It is essentially the same as renting out delivery infrastructure in mainstream organisations as they do in a cloud-based environment. 

As a result of their own research, Sophos analysts were able to confirm this perspective, revealing 133 compromised GitHub repositories which have been active since mid-2022. The malicious projects were capable of concealing harmful code in various forms, including Visual Studio build scripts, Python files that have been manipulated and JavaScript snippets that were used to manipulate screensavers. When the implants are executed, they can gather system information, capture screenshots, and launch notorious remote access trojans like Lumma Stealer, Remcos, and AsyncRAT.

Sophos also reported that operators often use Discord channels and YouTube tutorials to spread links to their repositories, typically offering quick game hacks or easy-to-use cyberattack tools as a means of spreading the word about the repositories. It has been proven to be a highly effective method of attracting novice users, who inadvertently compile and run malware on their machines, thereby turning themselves into unsuspecting victims of the very schemes they hoped to use.

Since GitHub is regarded as the world's leading platform for collaborating on open-source software, cybercriminals are naturally going to be interested in infiltrating these environments, as it is the world's largest hosting and collaboration platform for open-source software. In contrast to package registries such as npm or PyPI, people have historically preferred to adopt code from GitHub repositories to package registries for mass compromise because they are inherently more manual and require several deliberate steps in order to adopt the code. 

In order for a developer to be able to integrate a repository into their project, they must locate that repository, evaluate its credibility, clone it locally, and often perform a cursory code review during that process. These barriers create further barriers for attackers who wish to distribute malware across an extremely large range of networks by utilising source repository tools. 

In spite of this, the recent switch by groups like Banana Squad from traditional package registries to GitHub repositories may indicate a changing threat landscape shaped by stronger defensive measures that are being implemented within those registries. In the last two years, the majority of open-source ecosystems have made substantial security improvements to prevent malicious packages from spreading throughout their ecosystems. 

It is worth mentioning that Python Package Index (PyPI) recently implemented mandatory two-factor authentication (2FA) for all users of its system. As a result of these measures, ReversingLabs researchers are already experiencing measurable results. These measures are currently raising the bar for attackers seeking to hijack or impersonate trusted maintainers. 

In the opinion of Simons, one of the firm's principal analysts, the open-source community has become progressively more vigilant about scrutinising suspicious packages and reporting them. In today's society, adversaries are increasingly aware of the risks involved in sustaining malicious campaigns. As a result, they are finding it increasingly difficult to keep the campaigns going without being rapidly detected and removed. 

It is Simmons' contention that the combination of stricter platform policies, together with a more security-conscious user base, has resulted in a dramatic reduction in successful attacks. This trend has been supported by empirical evidence: According to ReversingLabs' report, malicious packages identified across npm, PyPI, and RubyGems declined by over 70% between 2023 and 2024. 

As a result of this decline in attacks, it is important to emphasize the progress that has been made within the package registry in regards to defensive initiatives; however, it is vital to also notice the adaptability of threat actors, who may now be shifting their focus to repositories where security controls and community vigilance aren't as robust as they used to be. 

Developers need to make sure that they exercise the same level of scrutiny when adopting code from repositories as they do when installing packages, since attackers continue to take advantage of any channel in their arsenal to spread their payloads across the Internet. In the future, the increased malicious activity against GitHub underscores an important point: as defenders strengthen security controls in one area of the software ecosystem, adversaries will invariably pivot to exploit the next weak spot in the software ecosystem. 

To achieve success in this dynamic, there needs to be a renewed commitment to embedding security as a shared responsibility rather than an afterthought across the open-source community. It is important for developers to adopt a security-in-depth approach that combines technical safeguards-such as cryptographic signatures, automated dependency scans, and sandboxed testing environments-with organisational practices emphasising the verification of sources and community trust signals in order to promote a defence-in-depth mindset. 

Platform providers must continue to invest in proactive threat hunting capabilities, improvements in detecting automated and manipulated accounts, and clearer mechanisms for users to evaluate the reputation and integrity of repositories when evaluating the provenance and integrity of data storage services. 

Educating contributors and maintaining users about the signs of tampering remains vitaltoo equip both novice contributors and experienced maintainers with the skills necessary to recognise subtle indications of tampering and deception, which remain crucial. It has become apparent that the open-source ecosystem is evolving.

Only a collaborative and adaptive approach, rooted in transparency, accountability, and constant vigilance, will be able to effectively blunt the effects of campaigns such as Banana Squad, thereby safeguarding the enormous value open-source innovation offers to individuals and organisations throughout the world.
Read more »
GitHub Advanced Security
AWS Cloud Security Critical Infrastructure Customer Data Cyberattack Data Breach Data Safety User Data data security GitHub GitHub Advanced Security

Massive Cyberattack Disrupts KiranaPro’s Operations, Erases Servers and User Data


KiranaPro, a voice-powered quick commerce startup connected with India’s Open Network for Digital Commerce (ONDC), has been hit by a devastating cyberattack that completely crippled its backend infrastructure. The breach, which occurred over the span of May 24–25, led to the deletion of key servers and customer data, effectively halting all order processing on the platform. Despite the app still being live, it is currently non-functional, unable to serve users or fulfill orders. 


Company CEO Deepak Ravindran confirmed the attack, revealing that both their Amazon Web Services (AWS) and GitHub systems had been compromised. As a result, all cloud-based virtual machines were erased, along with personally identifiable information such as customer names, payment details, and delivery addresses. The breach was only discovered on May 26, when the team found themselves locked out of AWS’s root account. Chief Technology Officer Saurav Kumar explained that while they retained access through IAM (Identity and Access Management), the primary cloud environment had already been dismantled. 

Investigations suggest that the initial access may have been gained through an account associated with a former team member, although the company has yet to confirm the source of the breach. To complicate matters, the team’s multi-factor authentication (MFA), powered by Google Authenticator, failed during recovery attempts—raising questions about whether the attackers had also tampered with MFA settings. 

Founded in late 2024, KiranaPro operates across 50 Indian cities and allows customers to order groceries from local kirana shops using voice commands in multiple languages including Hindi, Tamil, Malayalam, and English. Before the cyberattack, the platform served approximately 2,000 orders daily from a user base of over 55,000 and was preparing for a major rollout to double its footprint across 100 cities. 

Following the breach, KiranaPro has contacted GitHub for assistance in identifying IP addresses linked to the intrusion and has initiated legal action against ex-employees accused of withholding account credentials. However, no final evidence has been released to the public about the precise origin or nature of the attack. 

The startup, backed by notable investors such as Blume Ventures, Snow Leopard Ventures, and TurboStart, had recently made headlines for acquiring AR startup Likeo in a $1 million stock-based deal. High-profile individual investors include Olympic medalist P.V. Sindhu and Boston Consulting Group’s Vikas Taneja. 

Speaking recently to The Indian Dream Magazine, Ravindran had laid out ambitious plans to turn India’s millions of kirana stores into a tech-enabled delivery network powered by voice AI and ONDC. International expansion, starting with Dubai, was also on the horizon—plans now put on hold due to this security incident. 

This breach underscores how even tech-forward startups are vulnerable when cybersecurity governance doesn’t keep pace with scale. As KiranaPro works to recover, the incident serves as a wake-up call for cloud-native businesses managing sensitive data.
Read more »
Software
Data Loss GitHub Linux Servers malware Software

Linux Servers Under Attack: Hidden Malware Found in Fake Go Packages

 


Cybersecurity experts have discovered a new attack that targets Linux systems using fake programming tools. These harmful tools were shared on GitHub, a popular website where developers post and download code. Inside these fake packages was dangerous malware designed to completely erase everything on a computer's hard drive.


How the Attack Works

The attackers used a type of programming module written in Go (Golang), a language often used by developers for creating server software. They uploaded three of these modules to GitHub, pretending they were useful tools for developers. However, once someone downloaded one of these modules, it secretly contacted another server and downloaded a harmful script without the user's knowledge.

This script, once running, carried out a destructive command that wipes out all the data on the system’s main storage device. It replaces the existing information with zeroes, which makes the system completely unusable and all files impossible to recover. The attack is aimed directly at Linux computers and servers, and it checks to make sure it is running on a Linux system before carrying out the harmful actions.


What Was Affected

The three fake Go modules uploaded to GitHub had names that made them look like real software. They were:

• github[.]com/truthfulpharm/prototransform

• github[.]com/blankloggia/go-mcp

• github[.]com/steelpoor/tlsproxy

Each of these was designed to look like a normal tool. One claimed to help with data formatting, another with secure communications. Because they seemed helpful, developers could have easily included them in their projects without realizing they were dangerous.


Why This Is a Serious Threat

This type of attack is especially harmful because it wipes the entire system. It doesn't just delete files — it destroys the operating system, settings, and everything else on the main disk. Once this happens, the machine cannot be restarted, and the data cannot be brought back.

Also, since the Go programming environment allows many developers to use similar names for packages, attackers can upload fake versions that look almost like the real thing. This makes it harder for users to tell the difference.


What Can Be Done

Developers should be careful when downloading code or tools from the internet. They should only use software from trusted and verified sources. Before adding a new module to a project, it's important to research it and check whether it comes from a reliable developer.

This attack is a reminder that even trusted platforms like GitHub can be misused, and that one wrong download can lead to total data loss. Staying alert and verifying software before use is the best way to stay safe.

Read more »
python
Blockchain cryptocurrency Cyber Attacks Cybersecurity GitHub Hacker JavaScript Linkedin malware python

North Korean Hacker Group Targets Cryptocurrency Developers via LinkedIn

 

A North Korean threat group known as Slow Pisces has launched a sophisticated cyberattack campaign, focusing on developers in the cryptocurrency industry through LinkedIn. Also referred to as TraderTraitor or Jade Sleet, the group impersonates recruiters offering legitimate job opportunities and coding challenges to deceive their targets. In reality, they deliver malicious Python and JavaScript code designed to compromise victims' systems.

This ongoing operation has led to massive cryptocurrency thefts. In 2023 alone, Slow Pisces was tied to cyber heists exceeding $1 billion. Notable incidents include a $1.5 billion breach at a Dubai exchange and a $308 million theft from a Japanese firm. The attackers typically initiate contact by sending PDFs containing job descriptions and later provide coding tasks hosted on GitHub. Although these repositories mimic authentic open-source projects, they are secretly altered to carry hidden malware.

As victims work on these assignments, they unknowingly execute malicious programs like RN Loader and RN Stealer on their devices. These infected projects resemble legitimate developer tools—for instance, Python repositories that claim to analyze stock market data but are actually designed to communicate with attacker-controlled servers.

The malware cleverly evades detection by using YAML deserialization techniques instead of commonly flagged functions like eval or exec. Once triggered, the loader fetches and runs additional malicious payloads directly in memory, making the infection harder to detect and eliminate.

One key malware component, RN Stealer, is built to extract sensitive information, including credentials, cloud configuration files, and SSH keys, especially from macOS systems. JavaScript-based versions of the malware behave similarly, leveraging the Embedded JavaScript templating engine to conceal harmful code. This code activates selectively based on IP addresses or browser signatures, targeting specific victims.

Forensic investigations revealed that the malware stores its code in hidden folders and uses HTTPS channels secured with custom tokens to communicate. However, experts were unable to fully recover the malicious JavaScript payload.

Both GitHub and LinkedIn have taken action against the threat.

"GitHub and LinkedIn removed these malicious accounts for violating our respective terms of service. Across our products, we use automated technology, combined with teams of investigation experts and member reporting, to combat bad actors and enforce terms of service. We continue to evolve and improve our processes and encourage our customers and members to report any suspicious activity," the companies said in a joint statement.

Given the increasing sophistication of these attacks, developers are urged to exercise caution when approached with remote job offers or coding tests. It is recommended to use robust antivirus solutions and execute unknown code within secure, sandboxed environments, particularly when working in the high-risk cryptocurrency sector.

Security experts advise using trusted integrated development environments (IDEs) equipped with built-in security features. Maintaining a vigilant and secure working setup can significantly lower the chances of falling victim to these state-sponsored cyberattacks.
Read more »
Malicious Campaign
Cyber Fraud Fake Hiring GitHub Infostealer Malicious Campaign

Developers Face a Challenge with Fake Hiring That Steals Private Data

 

Cyble threat intelligence researchers discovered a GitHub repository posing as a hiring coding challenge, tricking developers into downloading a backdoor that steals private data. The campaign employs a variety of novel approaches, including leveraging a social media profile for command and control (C&C) activities rather than C&C servers. Cyble Research and Intelligence Labs (CRIL) researchers discovered invoice-themed lures, suggesting that the campaign may be moving beyond a fake hiring challenge for developers. 

According to a blog post by Cyble researchers, 
the campaign appears to target Polish-speaking developers, and the malware exploits geofencing to restrict execution. The researchers believed that the campaign is disseminated through career sites such as LinkedIn or regional development forums. 

The fake recruitment test, dubbed "FizzBuzz," dupes users into downloading an ISO file containing a JavaScript exercise and a malicious LNK shortcut. When executed, the LNK file ("README.lnk") invokes a PowerShell script that installs a stealthy backdoor known as "FogDoor" by the researchers. 

Instead of employing C&C servers, FogDoor communicates with a social media platform using a Dead Drop Resolver (DDR) mechanism to retrieve attack directives from a profile, according to the researchers. The malware employs geofencing to limit execution to Polish victims. 

When it becomes operational, "it systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces," Cyble told reporters. The malware employs remote debugging to collect Chrome cookies and can work in the background, while Firefox credentials are obtained from profile directories. 

PowerShell script establishes persistence 

The PowerShell script also opens a "README.txt" file "to trick consumers into believing they are interacting with a harmless file," Cyble stated. This paper includes instructions for a code bug patch task, "making it appear innocuous while ensuring the PowerShell script executes only once on the victim's machine to carry out malicious activities." 

The PowerShell script also downloads an executable file and saves it as "SkyWatchWeather.exe" in the "C:\Users\Public\Downloads" folder. It then creates a scheduled task called "Weather Widget," which executes the downloaded file using mshta.exe and VBScript and is set to run every two minutes indefinitely. 

SkyWatchWeather.exe serves as a backdoor by utilising a social networking platform (bark.lgbt) and a temporary webhook service (webhookbin.net) as its command and control infrastructure. After authenticating its location, the malware attempts to connect to "bark.lgbt/api" in order to get further orders embedded in a social media platform's profile information. Cyble added that this setup complicates identification and removal operations.
Read more »
Vulnerabiliies
Cyber Security Cyberattacks GitHub Security Breach Supply Chain. CI/CD Vulnerabiliies

GitHub Action Security Breach Raises Concerns Over Supply Chain Risks

 


An attack of a cascading supply chain was recently triggered by the compromise of the GitHub action "reviewdog/action-setup@v1", which ultimately led to the security breach of the "tj-actions/changed-files" repository. As a result of this breach, unintended secrets about continuous integration and delivery were exposed, raising concerns about the integrity of software supply chains. 

There was a malicious code in the tj-actions/changed-files application last week, which introduced malicious code that was capable of extracting CI/CD secrets from the workflow logs and logging them within the log files. This incident affected approximately 23,000 repositories. Even though these logs were not accessible to the public, this exposure highlights significant security risks. In the case that the logs had become public, the attacker would have been able to gain unauthorized access to vital credentials.

Even though there has been an ongoing investigation into tj-actions/changed files, its developers have been unable to determine exactly how the attackers compromised GitHub's Personal Access Token (PAT) to gain access to critical data. For the unauthorized changes to be made, this token, which was used by an automated bot to modify code, appears to have played a pivotal role in the process. GitHub Actions and CI/CD pipelines need to be enhanced to prevent the spread of software supply chain vulnerabilities. This incident underscores the increasing threat of software supply chain vulnerabilities. 

A critical security breach has been identified in the widely used third-party GitHub Action, tj-actions/changed-files, that has been assigned the CVE-2025-30066 vulnerability. When a supply chain attack compromises the action that tracks file changes in pull requests and commits, it results in unauthorized disclosure of sensitive credentials since this action tracks file modifications. Among the secrets that were exposed were valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys. 

A security patch was implemented in version 46.0.1 as a response to the incident to mitigate the risk associated with it. As a result of an updated analysis from March 19, 2025, security researchers have suggested that this breach may have been the result of a similar compromise of another GitHub action, reviewdog/action-setup@v1, identified as CVE-2025-30154 by security researchers. Considering the timing of both incidents and the growing threat landscape surrounding software supply chains, there is a strong likelihood that there is a connection between them. 

The developments highlighted in this article underscore the importance of conducting rigorous security audits and maintaining enhanced monitoring practices within the GitHub ecosystem to prevent future threats. In the recent past, there was a security breach affecting GitHub Action tj-actions/changed-files that exposed critical security vulnerabilities in software supply chains, emphasizing the risks associated with third-party dependencies in continuous integration/continuous delivery. 

Through GitHub Actions, a widely used automation platform, developers can optimize their workflows through reusable components, allowing them to save time and money. However, due to the compromise of tj-actions/changed-files—a tool that detects changes in files in pull requests and commits—over 23,000 repositories were accessed unauthorized, resulting in the theft of sensitive workflow secrets. A security researcher first noticed unusual activity related to the repository on March 14, 2025, which led to the discovery of the breach. 

A malicious payload has been injected into CI/CD runners in an attempt to extract CI/CD runner memory, which exposed critical environment variables and workflow secrets within logs, which were discovered to have been injected by the attackers. An exploit like this could result in unauthorized access to confidential credentials, thereby posing a significant security risk to the organization. Having been provided with a critical lead by security researcher Adnan Khan, it has been confirmed that the root cause of this compromise stems from another GitHub Action called reviewdog/action-setup, which an independent organization maintains. 

The investigation revealed that the tj-actions/changed-files action was compromised because it was dependent on the tj-actions/eslint-changed-files action, which was itself dependent on the reviewdog/action-setup action. In addition to the attack on the review dog organization, multiple activities were also affected within that organization, indicating that the attack was more widespread than that. Maintainers of TJ-actions and Review Dog quickly mitigated this incident by implementing security patches and reducing further risks. 

To counteract growing threats within software supply chains, continuous security monitoring, dependency validation, and rapid mitigation strategies must be implemented to protect continuous integration/continuous delivery pipelines from future attacks. Wiz, one of the leading security firms, recommended that developers evaluate their potential exposure by performing a GitHub query to determine if any references to reviewdog/action-setup@v1 were found in their repositories. 

As part of this process, it is important to determine if any of the projects might have been compromised by the recent supply chain compromise. It would be prudent to treat the detection of double-encoded base64 payloads within workflow logs as a confirmation of the leakage of sensitive information. If this happens, immediate remediation measures are required to prevent further security incidents. 

To reduce the risks associated with compromised actions, developers are advised to remove all references to these actions across branches, remove workflow logs that might contain exposed credentials, and rotate any potentially compromised secrets so that unauthorized access cannot occur. There is a need to take proactive security measures, such as pin GitHub Actions to specific commit hashes rather than version tags to reduce the probability that similar breaches will occur in the future. Furthermore, by utilizing GitHub's allow-listing feature, we can restrict unauthorized actions and enhance the security of our repositories. 

One must respond quickly to supply chain attacks, which may have far-reaching consequences as well as leak CI/CD secrets. Immediately following the breach, organizations must take steps to contain the breach, and they must develop long-term security strategies to protect themselves against future threats as well. The companies that are potentially impacted by this GitHub Actions supply chain attack should take immediate measures to protect their systems from further harm. To effectively counteract unauthorized access and further exploitation, all exposed secrets must be rotated. This is especially true for those secrets that were used between March 14 and March 15, 2025. 

Failure to replace compromised credentials could result in further exploitation. Further, security teams need to thoroughly review CI/CD workflows, paying close attention to unexpected outputs, particularly within the section on "changed files". There is a good chance that any anomalies may indicate an unauthorized modification or possible data leak. All workflow references should be updated to point to specific commit hashes rather than mutable tags so that they can be used to enhance security and mitigate the risk of a similar incident in the future. This will reduce the risk that attackers may inject malicious code into widely used GitHub Actions in the future. 

A robust security policy is also crucial for organizations. For this reason, organizations must utilize GitHub's allow-listing feature to restrict access to unauthorized actions, and they should conduct regular security audits of their third-party dependencies before integrating them into workflows. This kind of prevention measure can greatly reduce the chances of an attack on the supply chain or an unauthorized change in the source code. As a result of the recent breach, it has been highlighted how widely used automation tools are prone to vulnerabilities, which emphasizes the need to maintain continuous security monitoring and develop proactive defence strategies. 

Although some organizations, like Coinbase, successfully mitigated the impact of this incident, it serves as a reaffirmation that all organizations should continue strengthening their security postures and remain vigilant when it comes to evolving threats in the software industry. Recent information about a security breach with GitHub Actions confirms that the threats associated with supply chain attacks are continuing to grow in the modern software development industry. It has become increasingly important for organizations to enforce strong security frameworks for the sake of preventing cyber threats by implementing continuous monitoring mechanisms, thorough dependency audits, and enhanced access controls as cyber threats become more sophisticated. 

CI/CD pipelines need to be protected against unauthorized intrusions at all costs, and this incident highlights the urgency for proactive defense strategies to prevent this type of activity. Teams can mitigate vulnerabilities and ensure their workflows are protected by adopting secure coding best practices, enforcing strict authentication policies, and utilizing GitHub's security features, if they implement secure coding practices and enforce strict authentication policies. As software supply chain security has become a world-wide concern, maintaining vigilance and immediate response to incidents is crucial to ensuring operational integrity and resilience against evolving threats in an era when it has become paramount.
Read more »
Microsoft
Cyber Attacks GitHub Infostealer Malvertising Microsoft

Microsoft Warns of Malvertising Campaign Impacting Over 1 Million Devices Worldwide

 

Microsoft has revealed details of a large-scale malvertising campaign that is believed to have impacted over one million devices worldwide as part of an opportunistic attack aimed at stealing sensitive information. 

The tech giant, which discovered the activity in early December 2024, is tracking it under the broader Storm-0408 umbrella, which refers to a group of attackers known for distributing remote access or information-stealing malware via phishing, search engine optimisation (SEO), or malvertising.

"The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms," the Microsoft Threat Intelligence team stated. "The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack.”

The campaign relied on GitHub to deliver initial access payloads, but payloads were also detected on Discord and Dropbox. The GitHub repositories were removed, but the number of such repositories was not disclosed. The Microsoft-owned code hosting service serves as a staging ground for dropper malware, which deploys a series of ads.

The Microsoft-owned code hosting site serves as a staging ground for dropper malware, which is in charge of launching a number of further programs such as Lumma Stealer and Doenerium, which can then collect system information. The assault also uses a sophisticated redirection chain with four to five layers, with the first redirector embedded in an iframe element on unlawful streaming websites that serve pirated content.

The entire infection sequence consists of several stages, including system discovery, information collecting, and the employment of follow-on payloads like NetSupport RAT and AutoIT scripts to assist more data theft. The remote access trojan also acts as a gateway for stealer malware. 

  • First stage: Establish a footing on target devices.
  • Second stage: system reconnaissance, collection, exfiltration, and payload delivery. 
  • Third stage: It involves command execution, payload delivery, defence evasion, persistence, command-and-control communications, and data exfiltration. 
  • Fourth stage: PowerShell script for configuring Microsoft Defender exclusions and running commands to download data from a remote server. 

Another feature of the assaults is the use of numerous PowerShell scripts to download NetSupport RAT, identify installed apps and security software, and scan for the presence of cryptocurrency wallets, which indicates possible financial data theft.

"Besides the information stealers, PowerShell, JavaScript, VBScript, and AutoIT scripts were run on the host," Microsoft said. "The threat actors incorporated use of living-off-the-land binaries and scripts (LOLBAS) like PowerShell.exe, MSBuild.exe, and RegAsm.exe for C2 and data exfiltration of user data and browser credentials.” 

The disclosure comes after Kaspersky reported that fake websites masquerading as DeepSeek and Grok artificial intelligence (AI) chatbots are being used to lure users into installing a previously unknown Python information stealer.

DeekSeek-themed decoy sites promoted by verified accounts on X (e.g., @ColeAddisonTech, @gaurdevang2, and @saduq5) have also been used to run a PowerShell script that leverages SSH to enable attackers remote access to the machine. 

"Cybercriminals use various schemes to lure victims to malicious resources,' the Russian cybersecurity company noted. "Typically, links to such sites are distributed through messengers and social networks. Attackers may also use typosquatting or purchase ad traffic to malicious sites through numerous affiliate programs.”
Read more »
Social Engineering
Bots Gaming GitHub malware Redox Stealer Social Engineering

GitHub Scam: Fake Game Mods Steal User Credentials and Data


An advanced malware campaign exploiting GitHub repositories masked as game mods (and cracked software) has been found, revealing a risky blend of automated credential harvesting and social engineering tactics. 

While going through articles on social engineering, cybersecurity expert Tim found “a relatively new scam scheme” that shocked him. “People create thousands of GitHub repositories with all sorts of things - from Roblox and Fortnite mods to "cracked" FL Studio and Photoshop,” says Tim. 

About Redox stealer

Experts have found more than 1,100 dangerous repositories spreading versions of Redox stealer, a python-based malware built to extract important data, browser cookies, gaming platform credentials, and cryptocurrency wallet keys.

When we download and run this software, the data collected from our systems is sent to some Discord server, according to Tim, where “hundreds of people crawl through the data searching for crypto wallet private keys, bank accounts and social media credentials, and even Steam and Riot Games accounts.” 

Redox Stealer Details

Redox runs via a multi-stage data harvesting process that starts with system surveillance. Talking about the technical architecture of the redox stealer, cybersecurity news portal GB Hackers says, “Initial execution triggers a globalInfo() function that collects the victim’s IP address, geolocation via the geolocation-db.com API, and Windows username using os.getenv(‘USERNAME’).”

Issues with Mitigation and GitHub’s Response

Even with GitHub’s malware detection systems, repositories stay functional because:

  1. Activities look real: Accounts with star counts and realistic commit histories escape heuristic analysis. 
  2. Encrypted Payloads: RAR passwords like “cheats4u” stop static code analysis. 
  3. Slow Takedowns: Threat actors rebuild banned repositories via automated topic permutations. 

According to GB Hackers, “The researcher’s spreadsheet of confirmed malicious repos has not yet triggered bulk takedowns, highlighting gaps in proactive monitoring.” 

Conclusion

The GitHub campaign has exposed a significant rise in exploitation of open-source forums for large-scale social engineering. “It's been a long journey and it's barely over - but I think it's more than enough to summarise and discuss the problem,” says Tim. He finds it shocking how easily the information can be accessed online for free “without Tor, without invite, without anyone's approval.”

The information is cleverly disguised as something such as “telegram bot” that sends us offers (scams) or other lucrative baits. 

Read more »
Technology
Artificial Intelligence ChatGPT CyberCrime CyberThreat Cyersecurity GitHub Shadow AI Technology

Ensuring Governance and Control Over Shadow AI

 


AI has become almost ubiquitous in software development, as a GitHub survey shows, 92 per cent of developers in the United States use artificial intelligence as part of their everyday coding. This has led many individuals to participate in what is termed “shadow AI,” which involves leveraging the technology without the knowledge or approval of their organization’s Information Technology department and/or Chief Information Security Officer (CISO). 

This has increased their productivity. In light of this, it should not come as a surprise to learn that motivated employees will seek out the technology that can maximize their value potential as well as minimize repetitive tasks that interfere with more creative, challenging endeavours. It is not uncommon for companies to be curious about new technologies, especially those that can be used to make work easier and more efficient, such as artificial intelligence (AI) and automation tools. 

Despite the increasing amount of ingenuity, some companies remain reluctant to adopt technology at their first, or even second, glances. Nevertheless, resisting change does not necessarily mean employees will stop secretly using AI in a non-technical way, especially since tools such as Microsoft Copilot, ChatGPT, and Claude make these technologies more accessible to non-technical employees.

Known as shadow AI, shadow AI is a growing phenomenon that has gained popularity across many different sectors. There is a concept known as shadow AI, which is the use of artificial intelligence tools or systems without the official approval or oversight of the organization's information technology or security department. These tools are often adopted to solve immediate problems or boost efficiency within an organization. 

If these tools are not properly governed, they can lead to data breaches, legal violations, or regulatory non-compliance, which could pose significant risks to businesses. When Shadow AI is not properly managed, it can introduce vulnerabilities into users' infrastructure that can lead to unauthorized access to sensitive data. In a world where artificial intelligence is becoming increasingly ubiquitous, organizations should take proactive measures to make sure their operations are protected. 

Shadow generative AI poses specific and substantial risks to an organization's integrity and security, and poses significant threats to both of them. A non-regulated use of artificial intelligence can lead to decisions and actions that could undermine regulatory and corporate compliance. Particularly in industries with very strict data handling protocols, such as finance and healthcare, where strict data handling protocols are essential. 

As a result of the bias inherent in the training data, generative AI models can perpetuate these biases, generate outputs that breach copyrights, or generate code that violates licensing agreements. The untested code may cause the software to become unstable or error-prone, which can increase maintenance costs and cause operational disruptions. In addition, such code may contain undetected malicious elements, which increases the risk of data breach and system downtime, as well.

It is important to recognize that the mismanagement of Artificial Intelligence interactions in customer-facing applications can result in regulatory non-compliance, reputational damage, as well as ethical concerns, particularly when the outputs adversely impact the customer experience. Consequently, organization leaders must ensure that their organizations are protected from unintended and adverse consequences when utilizing generative AI by implementing robust governance measures to mitigate these risks. 

In recent years, AI technology, including generative and conversational AI, has seen incredible growth in popularity, leading to widespread grassroots adoption of these technologies. The accessibility of consumer-facing AI tools, which require little to no technical expertise, combined with a lack of formal AI governance, has enabled employees to utilize unvetted AI solutions, The 2025 CX Trends Report highlights a 250% year-over-year increase in shadow AI usage in some industries, exposing organizations to heightened risks related to data security, compliance, and business ethics. 

There are many reasons why employees turn to shadow AI for personal or team productivity enhancement because they are dissatisfied with their existing tools, because of the ease of access, and because they want to enhance the ability to accomplish specific tasks. In the future, this gap will grow as CX Traditionalists delay the development of AI solutions due to limitations in budget, a lack of knowledge, or an inability to get internal support from their teams. 

As a result, CX Trendsetters are taking steps to address this challenge by adopting approved artificial intelligence solutions like AI agents and customer experience automation, as well as ensuring the appropriate oversight and governance are in place. Identifying AI Implementations: CISOs and security teams, must determine who will be introducing AI throughout the software development lifecycle (SDLC), assess their security expertise, and evaluate the steps taken to minimize risks associated with AI deployment. 

In training programs, it is important to raise awareness among developers of the importance and potential of AI-assisted code as well as develop their skills to address these vulnerabilities. To identify vulnerable phases of the software development life cycle, the security team needs to analyze each phase of the SDLC and identify if any are vulnerable to unauthorized uses of AI. 

Fostering a Security-First Culture: By promoting a proactive protection mindset, organizations can reduce the need for reactive fixes by emphasizing the importance of securing their systems from the onset, thereby saving time and money. In addition to encouraging developers to prioritize safety and transparency over convenience, a robust security-first culture, backed by regular training, encourages a commitment to security. 

CISOs are responsible for identifying and managing risks associated with new tools and respecting decisions made based on thorough evaluations. This approach builds trust, ensures tools are properly vetted before deployment, and safeguards the company's reputation. Incentivizing Success: There is great value in having developers who contribute to bringing AI usage into compliance with their organizations. 

For this reason, these individuals should be promoted, challenged, and given measurable benchmarks to demonstrate their security skills and practices. As organizations reward these efforts, they create a culture in which AI deployment is considered a critical, marketable skill that can be acquired and maintained. If these strategies are implemented effectively, a CISO and development teams can collaborate to manage AI risks the right way, ensuring faster, safer, and more effective software production while avoiding the pitfalls caused by shadow AI. 

As an alternative to setting up sensitive alerts to make sure that confidential data isn't accidentally leaked, it is also possible to set up tools using artificial intelligence, for example, to help detect when a model of artificial intelligence incorrectly inputs or processes personal data, financial information, or other proprietary information. 

It is possible to identify and mitigate security breaches in real-time by providing real-time alerts in real-time, and by enabling management to reduce these breaches before they escalate into a full-blown security incident, adding a layer of security protection, in this way. 

When an API strategy is executed well, it is possible to give employees the freedom to use GenAI tools productively while safeguarding the company's data, ensuring that AI usage is aligned with internal policies, and protecting the company from fraud. To increase innovation and productivity, one must strike a balance between securing control and ensuring that security is not compromised.
Read more »
Web3
Bitcoin Bull Market Crypto GitHub Technology Trading Web3

Crypto Bull Market Targeted: The Lottie-Player Security Breach


In an alarming development for the tech community, especially for those immersed in the Web3 ecosystem, a supply chain attack has targeted the popular animation library, Lottie-Player. If users fall for this prompt, it could enable attackers to drain cryptocurrency wallets. 

Given Lottie-Player's impressive tally of over 4 million downloads and its significant presence on many prominent websites for animation embedding, this incident underscores the security vulnerabilities associated with open-source libraries.

Understanding the Attack

The breach initially came to light on GitHub when a user noticed an unusual Web3 wallet prompt while integrating Lottie-Player on their website. Upon closer examination, it was discovered that versions 2.0.5, 2.0.6, and 2.0.7 of Lottie-Player, released between 8:12 PM and 9:57 PM GMT on October 30, 2024, had been tampered with and compromised.

The attack involved the introduction of malicious code into three new versions of the Lottie-Player library, a widely used tool for rendering animations on websites and applications. Threat actors infiltrated the distribution chain, embedding code designed to steal cryptocurrencies from users' wallets. This method of attack is particularly insidious because it leverages the trust developers place in the libraries they use.

The Broader Implications

Once the compromised versions were released, they were integrated into numerous high-profile projects, unknowingly exposing countless users to the threat—the malicious code activated during transactions, redirecting funds to wallets controlled by the attackers. In one notable case, a user reportedly lost 10 Bitcoin (BTC), worth hundreds of thousands of dollars, due to a phishing transaction triggered by the malicious script.

Following the discovery of the attack, the Lottie-Player team swiftly released a clean version, 2.0.8, which developers can use to replace the compromised files. To further contain the breach and limit exposure, versions 2.0.5 through 2.0.7 were promptly removed from npm and CDN providers like unpkg and jsdelivr.

Moving Forward

The attack occurred during a pivotal phase of the crypto bull market, intensifying efforts to steal increasingly valuable tokens. To mitigate risks, it's advisable to connect a wallet only for specific purposes rather than granting full-time permissions for signing transactions. Additionally, being prompted to connect a wallet immediately upon entering a website can serve as a potential warning sign.

Read more »
Sophos report
BYOVD Attack Cyber Attacks EDR GitHub Malware Attack RansomHub Sophos Sophos report

RansomHub Deploys EDRKillShifter Malware to Disable Endpoint Detection Using BYOVD Attacks

 

Sophos security researchers have identified a new malware, dubbed EDRKillShifter, used by the RansomHub ransomware group to disable Endpoint Detection and Response (EDR) systems in attacks leveraging Bring Your Own Vulnerable Driver (BYOVD) techniques. This method involves deploying a legitimate but vulnerable driver on a target device to gain escalated privileges, disable security measures, and take control of the system. 

The technique has gained popularity among various threat actors, including both financially motivated ransomware groups and state-sponsored hackers. The EDRKillShifter malware was discovered during an investigation of a ransomware incident in May 2024. The attackers tried to use this tool to disable Sophos protection on a targeted computer but were unsuccessful due to the endpoint agent’s CryptoGuard feature, which prevented the ransomware executable from running. Sophos’ investigation revealed two different malware samples, both exploiting vulnerable drivers with proof-of-concept code available on GitHub. These drivers include RentDrv2 and ThreatFireMonitor, the latter being part of an obsolete system-monitoring package. 

The malware’s loader execution process follows a three-step procedure. Initially, the attacker launches the EDRKillShifter binary with a password string to decrypt and execute an embedded resource named BIN in memory. This code then unpacks and executes the final payload, which installs and exploits a vulnerable driver to elevate privileges and disable active EDR processes. Once the driver is loaded, the malware creates a service and enters an endless loop that continuously monitors and terminates processes matching names on a hardcoded target list. Interestingly, the EDRKillShifter variants discovered were compiled on computers with Russian localization, and they exploit legitimate but vulnerable drivers, using modified proof-of-concept exploits found on GitHub. 

Sophos suspects that the attackers adapted portions of these proofs-of-concept and ported the code to the Go programming language. To mitigate such threats, Sophos advises enabling tamper protection in endpoint security products, separating user and admin privileges to prevent the loading of vulnerable drivers, and keeping systems updated. Notably, Microsoft continually de-certifies signed drivers known to have been misused in previous attacks. Last year, Sophos identified another EDR-disabling malware, AuKill, which similarly exploited a vulnerable Process Explorer driver in Medusa Locker and LockBit ransomware attacks.
Read more »
Ransomware
Data Breach DevSecOps GitHub GitLab Ransomware

DevSecOps Teams Face Regular Outages, Cyberattacks, and Data Breaches



The past year has seen a sharp rise in cyber attacks targeting popular DevOps platforms like GitHub, Bitbucket, GitLab, and Jira. These platforms, which are crucial for developers and IT operations teams, have faced growing threats that disrupt their services and put users at risk. The importance of securing the software development process at every stage cannot be emphasised enough. 

What is DevSecOps?

In response to the increasing complexity of cyber threats, many organisations are adopting a practice known as DevSecOps. This approach involves integrating security measures directly into the development process, rather than treating them as an afterthought. By doing so, security becomes a fundamental part of the software development lifecycle, ensuring that potential vulnerabilities are addressed early on. However, this shift also comes with challenges, as teams must be agile and proactive in adapting to new threats.

Cyber Incidents in 2023

In 2023, there was a noticeable increase in incidents that negatively affected the operation of DevOps services. GitHub, the largest of these platforms, experienced 13.94% of the reported incidents, while Bitbucket accounted for 8.33%, GitLab for 7.89%, and Jira for 4%. Most of these issues involved problems with key components that led to degraded performance and service disruptions.

One of the most alarming threats to GitHub in 2023 was the rise of a hacking method called "RepoJacking." This type of attack exposed millions of repositories to potential risks. Research indicated that as many as 9 million repositories on GitHub could be vulnerable to this kind of attack. Moreover, it was discovered that over 4,000 software packages were at risk, along with more than 15,000 Go module repositories.

Hackers also used GitHub as a platform to host malicious software. By taking advantage of GitHub's public services, attackers could create a cost-effective and reliable infrastructure for their activities, making it difficult for users to detect and respond to these threats. This method allowed hackers to retrieve malicious commands through seemingly legitimate interactions on GitHub, posing a significant risk to users' data.

Challenges Faced by Bitbucket, Jira, and GitLab

While Bitbucket saw a slight decrease in incidents in 2023, the difference was minimal, with only a 2.04% reduction compared to the previous year. Unfortunately, Jira experienced a 50% increase in incidents, with 75 recorded events, meaning users encountered an incident roughly every five days. Many of these issues were severe, involving vulnerabilities that could have serious consequences for users.

GitLab also faced challenges, with 32% of reported incidents impacting the platform's performance. This hindered users' ability to fully utilise the service. June and August were particularly problematic months for GitLab, with several events that disrupted services. In one instance, a sophisticated attack exploited a critical vulnerability (CVE-2021-22205), which could have led to ransomware attacks and data theft. GitLab's response highlighted the need for organisations to be prepared with robust security and disaster recovery plans.

The Importance of DevOps Security

One of the biggest challenges in DevOps security is ensuring that development and security teams work together effectively. Developers often focus on quickly pushing new software updates, while security teams prioritise finding and fixing vulnerabilities. Without a well-integrated security approach throughout the development process, organisations are at greater risk of cyberattacks, data breaches, and operational disruptions.

The increasing number of incidents affecting platforms like GitHub, GitLab, Bitbucket, and Jira serves as a wake-up call for organisations to strengthen their security practices. By embedding security into every stage of the development process and fostering collaboration among all teams, organisations can better protect their systems and data from cyber threats.

It’s crucial for organisations to prioritise security at every stage of software development. The challenges faced by major DevOps platforms in 2023 highlight the need for vigilance, collaboration, and proactive security measures to safeguard our digital infrastructure. By adopting a DevSecOps approach and integrating security from the start, organisations can better brace themselves.


 

Read more »
Vulnerabilities and Exploits
Account security Account Takeover BreachForums Dark Web Data Safety GitHub NPM Vulnerabilities and Exploits

Critical npm Account Takeover Vulnerability Sold on Dark Web

 

A cybercriminal known as Alderson1337 has emerged on BreachForums, offering a critical exploit targeting npm accounts. This vulnerability poses a significant threat to npm, a crucial package manager for JavaScript managed by npm, Inc., a subsidiary of GitHub. Alderson1337 claims this exploit can enable attackers to hijack npm accounts linked to specific employees within organizations. 

The method involves embedding undetectable backdoors into npm packages used by these employees, potentially compromising numerous devices upon updates. This exploit could have widespread implications for organizational security. Instead of sharing a proof of concept (PoC) publicly, Alderson1337 has invited interested buyers to contact him privately, aiming to maintain the exploit’s confidentiality and exclusivity. If executed successfully, this npm exploit could inject backdoors into npm packages, leading to extensive device compromise. 

However, npm has not yet issued an official statement, leaving the claims unverified. The incident primarily impacts npm Inc., with npmjs.com being the related website. While the potential repercussions are global, the specific industry impact remains undefined. Account takeover (ATO) vulnerabilities represent severe risks where cybercriminals gain unauthorized access to online accounts by exploiting stolen credentials. These credentials are often obtained through social engineering, data breaches, or phishing attacks. 

Once acquired, attackers use automated bots to test these credentials across various platforms, including travel, retail, finance, eCommerce, and social media sites. Users’ reluctance to update passwords and reusing them across different platforms increase the risk of credential stuffing and brute force attacks. Such practices allow attackers to access accounts, potentially leading to identity theft, financial fraud, or misuse of personal information. To mitigate ATO attack risks, experts recommend adopting strong password management practices, including using unique, complex passwords for each account and enabling two-factor authentication (2FA) wherever possible. Regular monitoring for unauthorized account activities and promptly responding to suspicious login attempts are also crucial for maintaining account security. 

While Alderson1337’s claims await verification, this incident underscores the ongoing challenges posed by account takeover vulnerabilities in today’s interconnected digital landscape. Vigilance and collaboration across the cybersecurity community are essential to mitigating these threats and preserving the integrity of online platforms and services.
Read more »
Vulnerabilities and Exploits
Bug Fixes CVE Reporting Developers GitHub Vulnerabilities and Exploits

Maintaining Sanity Amidst Unnecessary CVE Reports

Maintaining Sanity Amidst Unnecessary CVE Reports

Developers strive to maintain robust codebases, but occasionally, they encounter dubious or exaggerated reports that can disrupt their work. 

A recent incident involving the popular open-source project “ip” sheds light on the challenges faced by developers when dealing with Common Vulnerabilities and Exposures (CVEs).

The Growing Nuisance of Dubious CVE Reports in Open Source Projects

The famous open source project 'ip' just had its GitHub repository archived, or turned "read-only" by its creator.

Developer Fedor Indutny began to receive online harassment when a CVE complaint was submitted against his project, bringing the vulnerability to his attention.

Unfortunately, Indutny's condition is not isolated. Recently, open-source developers have seen an increase in dubious or, in some cases, completely false CVE reports made for their projects without confirmation.

This might cause unjustified concern among users of these projects, as well as alerts from security scanners, which can be a source of frustration for developers.

The “ip” Project and the Dubious CVE

Fedor Indutny, the creator, disputed the severity of the bug. He argued that the impact was minimal and that the reported vulnerability did not warrant a CVE. However, the process for disputing a CVE can be complex and time-consuming. 

Indutny decided to take a drastic step: he archived the “ip” repository on GitHub, making it read-only. This move was a clear expression of frustration and a signal that he would not tolerate unwarranted disruptions to his project.

The 'node-ip' project is listed on the npmjs.com registry as the 'ip' package, with 17 million downloads per week, making it one of the most popular IP address parsing utilities JavaScript developers use.

Indutny resorted to social media to express his reasons for archiving 'node-ip': 

“There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github.Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.”

The Challenge of Disputing a CVE

Disputing a CVE involves navigating a bureaucratic maze. Developers must provide evidence that the reported vulnerability is either invalid or less severe than initially assessed. Unfortunately, this process is not always straightforward. In the case of the “ip” project, Indutny’s efforts to revoke the CVE faced hurdles:

  • Severity Assessment: The initial severity assigned to the vulnerability was likely based on the worst-case scenario. However, Indutny argued that the real-world impact was minimal. Balancing severity with practical implications is a delicate task.
  • CVE Documentation: Properly documenting the dispute requires clear communication. Developers must provide detailed explanations, code samples, and any relevant context. This documentation is essential for CVE reviewers to reevaluate the issue.
  • Community Perception: Public perception matters. When a project receives a CVE, users may panic, assuming the worst. Even if the impact is minor, the mere existence of a CVE can create unnecessary anxiety.

GitHub’s Response and Recommendations

GitHub, the platform hosting the “ip” repository, adjusted the severity of the CVE after Indutny’s actions. They also recommended enabling private vulnerability reporting. This feature allows maintainers to receive vulnerability reports privately, assess them, and decide whether they warrant public disclosure. By doing so, maintainers can avoid unnecessary panic and focus on addressing legitimate issues.

Read more »
TRANSLATEXT
Cyberattacks CyberCrime Cyberhackers Cybersecurity CyberThreat GitHub JavaScript malware TRANSLATEXT

Kimsuky Unleashes TRANSLATEXT Malware on South Korean Academic Institutions

 


An investigation has found that a North Korea-linked threat actor, known as Kimsuky, has been involved in the use of a malicious Google Chrome extension to steal sensitive information to collect information as part of an ongoing intelligence collection effort. Observing the activity in early March 2024, Zscaler ThreatLabz has codenamed the extension TRANSLATEXT, emphasizing its ability to gather email addresses, usernames, passwords, cookies, and screenshots as well as its ability to gather this information. 

This targeted campaign is said to have targeted South Korean academia, specifically those focused on North Korean politics. There is a notorious North Korean hacker group known as Kimsuky that has been active since 2012, perpetrating cyber espionage and financial-motivated attacks against South Korean businesses. Kimsuky is widely known as a notorious hacker crew. In the remote server's PowerShell script, general information about the victim is uploaded as well as creating a Windows shortcut that enables a user to retrieve another script from the remote server through a PowerShell script. TRANSLATEXT's exact delivery method remains unclear, which makes it even more difficult for defenders to protect themselves from it. 

Despite this, Kimsuky is well known for utilizing sophisticated spear-phishing and social engineering attacks to trick the target into initiating the infection process. Two files appear to be connected to Korean military history when the attack begins, a ZIP archive that appears to contain two files, a Hangul Word Processor document and an executable file. Once the executable file has been launched, it retrieves a PowerShell script from the attacker's server. In addition to exporting the victim's information to a GitHub repository, this script also downloads additional PowerShell code via a Windows shortcut (LNK) file and executes it. 

It is clear from this multi-stage attack process that Kimsuky is an extremely sophisticated and well-planned operation. By using a familiar and seemingly legitimate document, the attackers decrease the chances of the targets being suspicious. As well as displaying an innovative method of blending malicious activities into regular internet traffic, GitHub is also utilized in the initial data export process, resulting in a much harder time finding and blocking malicious actions for traditional security systems. There are a few groups that are also associated with the Lazarus cluster or part of the Reconnaissance General Bureau (RGB). 

For instance, APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima are groups that are affiliated with the Lazarus cluster. There have been several incidents in the last few weeks in which the group has weaponized a vulnerability in Microsoft Office (CVE-2017-11882), distributed a keylogger, and used job-themed lures in attacks aiming at the aerospace and defence industries to drop an espionage tool that gathers data and executes secondary payloads. "The backdoor is unknown to the public and the attacker can conduct basic reconnaissance, drop additional payloads, and then take over or remotely control the computer." 

CyberArmor said. Despite Kimsuky's recent involvement in cyber espionage, it has given this campaign the name Niki. It is no secret that Kimsuky is not a new player. Since at least 2012, the group has been active and has developed a reputation for orchestrating cyber-espionage and financial-motivated attacks primarily on South Korean institutions, which has earned them a reputation as a notorious group. It has been reported that the group has stolen classified information, and committed financial fraud, and ransomware attacks. Throughout history, they have been one of the most formidable cyber threat actors associated with North Korea due to their adaptability and persistence. 

There is no doubt that Kimsuky is capable of blending cyber espionage with financially motivated operations, indicating a versatile approach to achieving the North Korean regime's objectives, whether they are to gather intelligence or generate revenue to support it. As of right now, it is not clear what is the exact mechanism for accessing the newly discovered activity, although it is known that the group is known for utilizing spear-phishing and social engineering attacks to launch the infection cycle. 

It is believed that the attack began with the delivery of a ZIP archive with the intent of containing Korean military history at the time, which contains two files: a word processor document in Hangul and an executable at the time of the attack. As soon as the executable is launched, a PowerShell script is extracted from a server controlled by the attacker that downloads additional PowerShell code with the aid of a Windows shortcut file (LNK) and creates a GitHub repository where the compromised victim's information is periodically uploaded. 

After the GitHub repository has been created, the attacker deletes the LNK file in question. This is the statement posted by Zscaler, a security company that found a GitHub account, created on February 13, 2024, that briefly hosted the TRANSLATEXT extension under the name "GoogleTranslate.crx," regardless of how it is distributed at the moment. TRANSLATEXT, which masquerades as Google Translate, incorporates JavaScript code to bypass security measures for services like Google, Kakao, and Naver; siphon email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data. It's also designed to fetch commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser, among others.
Read more »
Source Code
Data Breach GitHub New York Times Repository Source Code

New York Times Source Code Leaked Online


 

In January 2024, an exposed GitHub token led to a significant breach of The New York Times' repositories. The incident was initially identified and addressed swiftly by the company, but details have only recently emerged. The breach came to light after the stolen data was posted on the 4chan message board. An anonymous user shared a torrent link to a 273GB archive containing the pilfered data, marking one of the most substantial leaks in recent memory.

The leaked data includes around 5,000 repositories, comprising 3.6 million files. A notable portion of this data contains IT documentation, infrastructure tools, and a variety of source code. Among the stolen information is the source code for the popular game Wordle, which The New York Times acquired in 2022. The leak was first noticed by VX-Underground, a group known for monitoring and documenting malware samples and cybersecurity incidents.

The threat actor responsible for the leak reportedly accessed the repositories using an exposed GitHub token. This token granted them unauthorised access to the company’s code, enabling them to download and leak a vast amount of data. The breach's details were confirmed by The New York Times, which clarified that the exposed credentials were for a cloud-based third-party code platform, specifically GitHub.

The New York Times assured that the breach did not affect its internal corporate systems or its operations. In an official statement, the company highlighted that continuous monitoring for anomalous activity is part of their security measures. They emphasised that there was no indication of unauthorised access to Times-owned systems, underscoring their proactive approach in identifying and mitigating the breach promptly.

This leak is the second pressing incident disclosed on 4chan within the same week. Earlier, a leak involving 415MB of internal documents for Disney's Club Penguin game was reported. Sources indicate that this leak was part of a larger breach of Disney’s Confluence server, resulting in the theft of 2.5 GB of internal corporate data. It remains unclear if the same individual or group is responsible for both the New York Times and Disney breaches.

The breach of The New York Times' GitHub repositories stresses upon the importance of stringent digital security measures. As companies increasingly rely on cloud-based platforms for their operations, ensuring the security of access credentials and continuous monitoring for unauthorised activities are crucial steps in safeguarding sensitive information.


Read more »
Subscribe to: Posts (Atom)