Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label GitHub. Show all posts
Supply Chain Attack
Backdoor GitHub malware Megalodon Supply Chain Attack

Megalodon Malware Backdoors 5,500+ GitHub Repos in 6-Hour Supply-Chain Attack

 

On May 18, 2026, a massive automated supply-chain attack codenamed Megalodon struck GitHub, injecting malicious CI/CD backdoors into more than 5,500 repositories in under six hours. Security firm SafeDep discovered the campaign, which pushed 5,718 malicious commits to 5,561 distinct repositories using throwaway accounts with randomized eight-character usernames, marking one of the most aggressive GitHub Actions poisoning campaigns ever recorded. 

The attackers forged bot-like author identities—build-bot, auto-ci, ci-bot, and pipeline-bot—using emails build-system@noreply.dev and ci-bot@automated.dev to mimic routine automated CI maintenance. Between approximately 11:36 and 17:48 UTC on May 18, these fake commits slipped into repositories without triggering immediate suspicion, as they appeared to be ordinary build optimization updates. 

Megalodon deployed two distinct GitHub Actions workflow variants sharing the same command-and-control server at 216.126.225.129:8443. The SysDiag variant added a new ci.yml file triggering on every push and pull_request_target, ensuring automated execution on any commit across all branches. The Optimize-Build variant replaced existing workflows with a workflow_dispatch trigger, creating a dormant backdoor that attackers can silently activate on demand via the GitHub API, producing zero visible CI runs and no failed builds. 

The base64-encoded 111-line bash payload conducted aggressive credential harvesting, exfiltrating all CI environment variables, AWS credentials, GCP access tokens, Azure credentials, SSH private keys, Docker and Kubernetes configurations, API keys, database connection strings, GitHub Actions tokens, GitLab CI/CD tokens, and dozens of other secrets while scanning source code for more than 30 secret regex patterns. 

The attack's most critical downstream impact targeted Tiledesk, an open-source live chat platform, where the attacker compromised the repository and replaced the legitimate Docker build workflow. The unsuspecting maintainer published @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 to npm, propagating the backdoor to the package registry. Organizations should immediately revert malicious commits from build-system@noreply.dev or ci-bot@automated.dev, rotate all secrets, audit cloud logs for anomalous OIDC requests, check Actions tabs for unexpected workflow_dispatch executions, and pin GitHub Actions to specific commit SHAs.
Read more »
Software security
AI GitHub Global Supply-Chain Attack malware Software security

TeamPCP’s Supply Chain Campaign Raises Fresh Concerns Over Open-Source Software Security

 



A cybercrime group known as TeamPCP has been linked to an expanding series of software supply chain attacks that researchers say have affected hundreds of organizations, with GitHub becoming the latest high-profile name connected to the campaign.

GitHub recently disclosed that it had identified thousands of repositories impacted after a developer reportedly installed a compromised extension for Visual Studio Code (VSCode), Microsoft's widely used source-code editor. TeamPCP later claimed on the cybercrime forum BreachForums that it had gained access to roughly 4,000 GitHub repositories and attempted to advertise what it described as GitHub source code and internal organizational data for sale. GitHub stated that it had identified at least 3,800 affected repositories but said its investigation indicated the exposed repositories contained the company's own code rather than customer code.

The incident highlights the growing danger of software supply chain attacks. Unlike traditional intrusions that target a company directly, these operations focus on software that developers trust and use every day. By secretly inserting malicious code into legitimate tools, attackers can potentially reach thousands of downstream users through a single compromise.

Security researchers tracking TeamPCP believe the group has transformed what was once considered an occasional cybersecurity threat into a recurring problem. According to software supply chain security firm Socket, the group has launched around 20 separate attack waves in recent months, embedding malicious code into more than 500 unique software projects. When different compromised versions are counted, that number rises to well over a thousand malicious releases.

Researchers say the group's success stems from a self-reinforcing attack cycle. TeamPCP typically begins by compromising a development environment associated with an open-source project. Malware is then inserted into software packages that are downloaded by other developers. Once installed, the malicious code can steal credentials, authentication tokens, and publishing permissions, allowing attackers to compromise additional software projects and continue spreading through the development ecosystem.

Recent investigations indicate that TeamPCP has increasingly automated this process through a worm known as Mini Shai-Hulud. The malware has been observed creating GitHub repositories containing encrypted credentials stolen from victims while leaving references to Frank Herbert's science-fiction universe Dune. Researchers note that although the name resembles an earlier worm called Shai-Hulud, there is currently no evidence linking TeamPCP to that previous campaign.

GitHub is not the only organization mentioned in connection with the operation. Researchers have previously linked TeamPCP activity to incidents involving OpenAI, Mercor, and several widely used software development projects. During a major expansion of its campaign earlier this year, the group reportedly compromised software and infrastructure associated with Trivy, LiteLLM, Checkmarx, pgserve, TanStack, and Mistral AI. The stolen credentials obtained through those attacks were allegedly used to fuel further compromises.

Security analysts describe credential theft as the group's primary enabler. Long-lived access tokens and poorly managed credentials allow attackers to move from one environment to another with relatively little effort. According to researchers, once a single trusted credential is stolen, it can provide access to additional repositories, cloud resources, and development systems.

The group's activities have also evolved beyond software tampering. Threat intelligence researchers report that TeamPCP has engaged in ransomware deployment, data extortion, and data-sale operations. In April, the group reportedly began adopting elements of a ransomware-as-a-service model through associations with cybercriminal platforms such as BreachForums and DragonForce. Researchers have additionally observed activity involving CanisterWorm, malware that targeted Kubernetes environments and reportedly deployed destructive functionality against selected Iranian targets.

The scale of the campaign has renewed debate over how organizations should safely consume open-source software. Experts recommend strengthening credential management practices, regularly rotating access tokens, limiting permissions wherever possible, and closely monitoring software dependencies. They also advise organizations to avoid automatically installing newly released software updates without first validating their integrity. In some recent cases, security teams detected malicious updates within minutes, but users who relied on automatic updates had already installed the compromised code.

The bigger lesson, researchers say, is that trust alone is no longer sufficient in modern software development. Open-source software remains a cornerstone of the global technology ecosystem, but organizations increasingly need verification processes, update review procedures, and continuous monitoring to reduce the risk posed by rapidly spreading supply chain attacks.

Read more »
TanStack
Cyber Attacks GitHub Report Breach Supply Chain Attack TanStack

GitHub Repo Breach Traced to TanStack NPM Supply-Chain Attack

 

GitHub has confirmed that a breach of its internal repositories is directly linked to the TanStack npm supply-chain attack, demonstrating how a single compromised developer tool can cascade into a major security incident. The company stated that the intrusion began when an employee installed a malicious version of the Nx Console Visual Studio Code extension, which had been poisoned during the wider TanStack compromise. This attack chain allowed threat actors to gain initial access to GitHub's internal infrastructure, ultimately exposing approximately 3,800 internal repositories to unauthorized access. 

The original TanStack attack occurred on May 11, 2026, when the TeamPCP threat group compromised 42 npm packages and published 84 malicious versions in just six minutes. The attackers exploited a sophisticated combination of GitHub Actions vulnerabilities, including a "Pwn Request" attack using pull_request_target abuse, cache poisoning across fork-to-base trust boundaries, and OIDC token extraction from runner memory. This technique produced the first npm supply-chain attack with valid SLSA Build Level 3 attestations, making the malicious packages appear completely legitimate to security scanners and developers. 

The malicious Nx Console extension version 18.95.0 was available on the Visual Studio Marketplace for approximately 18 minutes and on OpenVSX for another 36 minutes before being removed. Despite the short window, the poisoned extension deployed a payload designed to steal credentials and secrets from developer environments, targeting npm, AWS, Kubernetes, GitHub, GCP, and Docker platforms. The Nx development team confirmed that one of their developers was compromised through the TanStack supply-chain leak, which exposed GitHub credentials through the GitHub CLI, allowing attackers to run workflows on their repository as a contributor. 

GitHub's Chief Information Security Officer Alexis Wales confirmed that the company secured the compromised device and rotated critical secrets, prioritizing the highest-impact credentials first. While GitHub has not officially attributed the attack to a specific group, TeamPCP claimed access to GitHub source code and approximately 4,000 repositories of private code on the Breached forum, demanding at least $50,000 for the stolen data. The incident also affected other organizations, including UiPath, Guardrails AI, OpenSearch, and Grafana Labs, which confirmed its GitHub environment breach originated from the same TanStack attack. 

This incident highlights the severe risks of modern software supply chains, where one compromised dependency can ripple across thousands of developers and organizations faster than security teams can respond. The attack demonstrates that even organizations with strong security practices, including two-factor authentication, remain vulnerable to sophisticated supply-chain attacks that exploit trust relationships between packages, build tools, and automated workflows. Developers and security teams must now prioritize hardening CI/CD pipelines,Token rotation, extension verification, and continuous monitoring of package updates as potential attack vectors.
Read more »
zealot
Artificial Intelligence Authentication ChatGPT Cisco Security Cyber Security GitHub Phishing zealot

Researchers Show How ChatGPT Summaries Could Be Used for Phishing Attacks

 


Researchers have identified a technique that could allow malicious content embedded within a web page to appear inside ChatGPT responses, creating an opportunity for phishing, tracking, and social-engineering attacks through a platform users generally regard as trustworthy.

The attack method, named "ChatGPhish" by cybersecurity firm Permiso Security, focuses on how ChatGPT handles Markdown-formatted content when summarizing information from external websites. Markdown is a commonly used formatting language that allows web content to include elements such as hyperlinks and images.

According to Permiso Security researcher Andi Ahmeti, ChatGPT's web interface trusts Markdown links and image URLs originating from third-party pages that users ask the assistant to summarize. When a response is generated, the platform can automatically retrieve those images and present hyperlinks as active, clickable elements within the chatbot's interface.

In a scenario outlined by the researchers, an attacker could place a small hidden payload within a web page. If a user later asks ChatGPT to summarize that page, the embedded content may become part of the model's processing context. During response rendering, attacker-controlled images could be automatically requested, potentially exposing information such as the visitor's IP address, browser User-Agent string, and Referer data.

The researchers also found that links embedded in a manipulated page could appear as legitimate clickable items inside the AI-generated summary. Beyond directing users to phishing destinations, attackers could display fabricated security notifications, account-warning messages designed to imitate system alerts, or QR codes hosted on attacker-controlled infrastructure such as an Amazon S3 bucket. A victim scanning such a code with a mobile device could be redirected to a malicious destination, bypassing certain desktop-based URL filtering mechanisms and enterprise security controls.

The research adds to a growing body of evidence showing that AI-powered summarization tools can become unintended delivery channels for attacker instructions. Earlier this year, Permiso Security disclosed a separate attack involving Microsoft Copilot, where specially crafted instructions hidden inside an email influenced the output generated by the AI assistant. That technique was classified as a cross-prompt injection attack, also known as indirect prompt injection.

According to the researchers, the primary issue is not simply that prompt injection is possible. The more significant concern is how the manipulated content is ultimately presented to the user. A standard web page summarized by ChatGPT can cause phishing links, deceptive warnings, QR codes, and remotely hosted content to be displayed directly inside the assistant's interface, giving attacker-controlled material an appearance of legitimacy.

As AI assistants become common tools for workplace research, document review, and information gathering, this behavior introduces a new risk. Any web page processed by an employee could potentially contain hidden instructions or malicious content capable of influencing both the generated summary and the way that information is displayed.

Permiso Security noted that this shifts phishing activity beyond traditional delivery methods. Users no longer need to open a suspicious attachment or interact with an obviously fraudulent email. In some cases, simply asking an AI assistant to summarize a webpage may expose them to attacker-controlled content.

The disclosure arrives alongside research from Adversa AI detailing two attack techniques aimed at AI coding assistants and agentic development tools. The first, known as SymJack, allows a malicious code repository to achieve remote code execution through an AI-powered coding assistant.

According to Adversa AI researcher Rony Utevsky, the attack relies on convincing the AI assistant to perform what appears to be a harmless file-copy operation. The destination, however, is a symbolic link pointing to the assistant's own configuration file. As a result, attacker-controlled content is written into the configuration. When the assistant is restarted, a malicious Model Context Protocol (MCP) server is launched and executes arbitrary code using the victim's privileges.

The second technique, called TrustFall, uses a repository containing a malicious MCP server together with configuration settings that automatically approve its execution. A developer only needs to clone or open the repository in an AI coding environment and accept a folder-trust prompt. Once that action is taken, the attacker-controlled MCP server can start automatically without requiring additional tool approval, running with the same operating-system permissions as the developer.

Adversa AI explained that a victim who clones the repository, launches Claude, and accepts the generic trust prompt effectively allows the malicious MCP server to start as a native process on the machine. The payload executes immediately when the server starts, before additional prompts or tool requests occur.

The ChatGPhish findings emerge amid a steady stream of research examining weaknesses in modern AI systems, coding agents, and autonomous workflows.

Researchers recently described a jailbreak method called Involuntary In-Context Learning (IICL), which exploits the tension between a model's contextual learning behavior and its safety mechanisms to bypass protections in GPT-5.4.

Separate research from Cisco found that many AI security evaluations fail to reflect how real-world attackers operate. Rather than relying on a single prompt, attackers often use multiple interactions, gradually changing their wording, adopting different personas, and breaking objectives into smaller steps. Cisco argued that single-turn testing overlooks these techniques because real attacks frequently unfold across extended conversations.

Additional research has uncovered a vulnerability affecting Anthropic Claude Code in which a user-level configuration file, "~/.claude.json," can be altered through a rogue npm package. The attack enables modification of MCP endpoints and can place an attacker between Claude Code and an OAuth-protected MCP server, creating an opportunity to capture authentication tokens used to access downstream software-as-a-service platforms.

Researchers have also documented a technique involving OpenClaw skills that appear harmless during installation but later retrieve remote updates. In one scenario, attackers can influence an AI agent through workspace files after instructing users to append specific content to a file called HEARTBEAT.md during setup.

Another study demonstrated how hidden text embedded inside phishing emails can manipulate AI-based email security products. Attackers concealed text taken from legitimate newsletters and romance novels to make malicious messages appear benign to automated filtering systems.

LayerX researchers separately disclosed a flaw known as ClaudeBleed affecting Claude's Chrome extension. According to the company, any browser extension, including one without elevated permissions, could communicate with Claude's language model through the extension's content script because the code does not adequately verify the source of incoming instructions. This could allow another extension to issue commands and trigger actions through the AI assistant.

Cisco researchers also examined typographic prompt injection attacks against vision-language models. In these attacks, adversarial text is embedded inside images. The manipulated image may appear unreadable or resemble visual noise to humans and OCR-based filters while remaining interpretable to the target AI model.

Other recently disclosed vulnerabilities include flaws in Microsoft Semantic Kernel, tracked as CVE-2026-25592 and CVE-2026-26030, which researchers said could allow prompt-injection attacks to progress into host-level remote code execution.

Researchers additionally described the Neural Exec attack and abuse of the Unicode right-to-left-override function to bypass safety mechanisms protecting Apple's local AI models. The issue has since been addressed in iOS 26.4 and macOS 26.4.

A separate indirect prompt-injection vulnerability known as WebPromptTrap affected BrowserOS, an open-source agentic browser. The technique relied on hidden instructions embedded in an otherwise legitimate article to influence an AI-generated summary and persuade users to approve an authorization request. The issue was patched in BrowserOS version 0.32.0.

Research into the broader AI-agent ecosystem has uncovered persistent security weaknesses. An audit covering 3,984 skills published through ClawHub and skills.sh found that 534 skills, representing 13.4% of the total, contained at least one critical security issue. Researchers also identified 1,467 skills with broader weaknesses, including malware distribution risks, prompt-injection opportunities, exposed secrets, hard-coded API credentials, insecure handling of authentication data, and unsafe exposure to third-party content.

Additional studies identified attacks against NemoClaw, NVIDIA's reference framework for securing OpenClaw agents. Researchers demonstrated methods for extracting OpenClaw data through the platform's default sandbox configuration using either a malicious GitHub repository or a compromised npm package.

Security researchers are increasingly examining how advances in AI capability could affect offensive cyber operations. According to researchers at Palo Alto Networks Unit 42, more capable AI models could allow attackers to exploit both newly discovered and previously known vulnerabilities at a scale, speed, and level of automation that has traditionally required specialized expertise.

Last month, Unit 42 presented a proof-of-concept AI agent called Zealot that was capable of carrying out cloud attack operations with limited human involvement. The system chained together reconnaissance, exploitation, privilege escalation, and data-exfiltration activities by leveraging known weaknesses and misconfigurations.

Researchers argue that cloud environments are particularly susceptible to this type of automation because most administrative functions are accessible through APIs, multiple discovery mechanisms exist for identifying resources, configuration errors remain common, and access control often depends heavily on credentials.

According to Unit 42 researchers Yahav Festinger and Chen Doytshman, current large language models are already capable of coordinating reconnaissance, exploitation, privilege escalation, and data theft activities with relatively little human guidance. The techniques themselves are not necessarily new. What is changing is the speed and scale at which those established attack patterns can now be executed through AI-assisted automation.

Read more »
technology
Artificial Intelligence Claude GitHub Opencode technology

OpenCode’s Rapid Growth Reflects Rising Developer Concerns Over AI Vendor Dependence

 





A glaring divide is emerging in the AI coding industry as developers increasingly weigh the convenience of fully managed coding platforms against the flexibility of open-source alternatives designed to avoid dependence on a single provider.

The debate intensified this week after Anthropic used its first “Code with Claude” developer conference to showcase major upgrades across its Claude Code ecosystem. The company announced that rate limits for Claude Code users on Pro, Max, Team, and Enterprise plans would be significantly expanded, while peak-hour usage restrictions were removed entirely. Anthropic also raised usage limits for its Opus API and disclosed a major infrastructure agreement with SpaceX involving the Colossus 1 data center.

According to the company, the agreement will provide access to more than 300 megawatts of computing power and approximately 220,000 Nvidia GPUs expected to come online within weeks. The move reflects the broader AI industry race to secure high-performance computing infrastructure as demand for generative AI services continues to increase.

Anthropic also introduced several updates aimed at turning Claude Code into a more advanced managed development environment. These included expanded Managed Agents capabilities, support for coordinating multiple AI agents simultaneously, a public beta feature called Outcomes, and an experimental memory system internally referred to as “dreaming,” which is intended to help AI systems retain and improve contextual understanding over time.

During the event, Anthropic executive Boris Cherny demonstrated remote agents and automated routines capable of running coding tasks asynchronously, effectively allowing Claude Code to function more like a workflow orchestration platform rather than a traditional coding assistant.

At the same time, a separate trend has been accelerating across the open-source community. OpenCode, an independent coding harness project associated with SST, has experienced a dramatic rise in popularity after positioning itself as an alternative to vendor-controlled AI development environments.

The project’s GitHub repository has now surpassed 157,000 stars, overtaking the roughly 122,000 stars associated with Anthropic’s own Claude Code repository at the time of reporting. While GitHub stars do not necessarily represent active users or production deployments, they are often viewed as indicators of developer awareness, interest, and community support.

The roots of OpenCode’s instant growth trace back to January 2026, when Anthropic introduced server-side authentication checks that prevented third-party tools from accessing Claude Pro and Max subscriptions through OAuth-based authentication methods.

Several projects, including OpenCode, Cline, and RooCode, were affected by the policy change. Prior to the restrictions, these tools allowed developers to run autonomous coding workflows through fixed-price Claude subscriptions rather than paying significantly higher API-based usage fees tied to token consumption.

From Anthropic’s perspective, the restriction addressed a business and infrastructure problem. Subscription plans were designed to support usage within the company’s own ecosystem, while third-party tools were effectively redirecting high-volume workloads through pricing structures never intended for external automation platforms.

Discussions across developer forums, including lengthy conversations on Hacker News, showed that many users understood Anthropic’s reasoning. However, criticism quickly emerged over the manner in which the restrictions were enforced. Developers reported that the changes were introduced without advance notice, disrupting workflows in active sessions. Some users also claimed that automated abuse-detection systems temporarily restricted accounts during the transition period.

OpenCode responded rapidly after the restrictions took effect. The project added support for ChatGPT Plus integrations within hours and began expanding compatibility across multiple AI providers. Anthropic later formalized its position in updated Terms of Service published in February, clarifying that subscription OAuth tokens were not intended for third-party routing or automation tools.

The dispute escalated further in March after OpenCode reportedly received legal requests related to Claude subscription authentication. Shortly afterward, the project merged an update removing references to Claude Pro and Max authentication from its codebase. By April 4, Anthropic’s enforcement measures had expanded to additional third-party harnesses, including OpenClaw and NanoClaw, pushing developers toward pay-as-you-go API billing structures.

Interest in OpenCode accelerated during this period. On March 21, a Hacker News discussion surrounding the project gained more than 1,200 points and hundreds of comments, driving additional visibility across the developer community. By early April, the repository had already crossed 120,000 GitHub stars.

As of May 8, project activity data showed approximately 156,904 stars, 18,259 forks, 4,788 issues, and more than 1,600 open pull requests. OpenCode’s website also claimed participation from over 850 contributors and estimated usage among roughly 6.5 million monthly developers.

Industry observers note that the OAuth dispute alone likely does not explain OpenCode’s growth. Instead, the incident appears to have accelerated an existing movement toward model-agnostic development tools. OpenCode gradually shifted its messaging away from low-cost Claude access and toward provider neutrality, emphasizing that developers should be able to switch between AI models as pricing, performance, and capabilities evolve.

That distinction is increasingly important as competition intensifies between major AI providers. A developer using a model-agnostic harness can move between Anthropic, OpenAI, or other models with relatively minor configuration changes. In contrast, developers operating entirely within a vertically integrated ecosystem may face higher switching costs if pricing structures, usage limits, or platform policies change unexpectedly.

The debate mirrors earlier divisions within the software infrastructure industry. Some analysts have compared the current situation to Docker and Podman, where one platform focused heavily on integrated services and managed workflows while the other prioritized portability, operational control, and independence from platform lock-in.

OpenCode’s rise has also drawn criticism from parts of the developer community. Users in public discussions have raised concerns about high memory usage, the growing complexity of the project’s TypeScript codebase, inconsistent release stability, and the broader security implications of integrating multiple AI providers into a single framework.

Security considerations remain particularly relevant because every additional provider connection potentially expands the software’s attack surface. OpenCode also faced backlash after removing Claude subscription authentication support following reported legal pressure, with some developers expressing frustration over how the project handled the situation.

Still, the overall ndustry direction appears increasingly clear. Anthropic is investing heavily in a future built around tightly managed AI coding ecosystems that combine infrastructure, orchestration, memory systems, and coding assistance within a single platform.

At the same time, open-source projects such as OpenCode, Cline, Aider, and OpenClaw continue to attract developers seeking portability and reduced dependency on individual AI vendors.

For many software teams, the central issue is no longer choosing between Claude Code and OpenCode alone. Instead, developers are beginning to decide whether critical AI-assisted workflows should remain under the control of a single provider or operate through more flexible systems capable of adapting as the AI landscape continues to shift.

Read more »
Omnistealer
Developers GitHub malware North Korea Omnistealer

Malware Hidden in Blockchain Networks Is Quietly Targeting Developers Worldwide



A new investigation has uncovered a cyberattack method that uses blockchain networks to quietly distribute malware, raising concerns among security researchers about how difficult it may be to stop once it spreads further.

The threat first surfaced when a senior engineering executive at Crystal Intelligence received a freelance opportunity through LinkedIn. The message appeared routine, asking him to review and run code hosted on GitHub. However, the request resembled a known tactic used by a North Korean-linked group often referred to as Contagious Interview, which relies on fake job offers to target developers.

Instead of proceeding, the executive examined the code and found something unusual. Hidden within it was the beginning of a multi-step attack designed to look harmless. A developer following normal instructions would likely execute it without noticing anything suspicious.

Once activated, the code connects to blockchain networks such as TRON and Aptos, which are commonly used because of their low transaction costs. These networks do not contain the malware itself but instead store information that directs the program to another blockchain, Binance Smart Chain. From there, the final malicious payload is retrieved and executed.

Researchers say this last stage installs a powerful data-stealing tool known as “Omnistealer.” According to analysts working with Ransom-ISAC, the malware is designed to extract a wide range of sensitive data. It can access more than 60 cryptocurrency wallet extensions, including MetaMask and Coinbase Wallet, as well as over 10 password managers such as LastPass. It also targets major browsers like Chrome and Firefox and can pull data from cloud storage services like Google Drive. This means attackers are not just stealing cryptocurrency, but also login credentials and internal access to company systems.

What initially looked like a simple phishing attempt turned out to be far more layered. By placing parts of the attack inside blockchain transactions, the attackers have created a system that is extremely difficult to dismantle. Data stored on blockchains cannot easily be removed, which means parts of this malware infrastructure could remain accessible for years.

Researchers believe the scale of this operation could grow rapidly. Some have compared its potential reach to the WannaCry ransomware attack, which disrupted hundreds of thousands of systems worldwide. In this case, however, the method is quieter and more flexible, which may allow it to spread further before being detected. At the same time, investigators are still unsure what the attackers ultimately intend to do with the access they gain.

Further analysis has revealed possible links to North Korean cyber actors. Investigators traced parts of the activity to an IP address in Vladivostok, a location that has previously appeared in investigations involving North Korean operations. Research cited by NATO has noted that North Korea expanded its internet routing through Russia several years ago. Additional findings from Trend Micro connect similar infrastructure to earlier campaigns involving fake recruiters.

The number of affected victims is already significant. Researchers estimate that around 300,000 credentials have been exposed so far, although they believe the real figure could be much higher. Impacted organizations include cybersecurity firms, defense contractors, financial companies, and government entities in countries such as the United States and Bangladesh.

The attackers rely heavily on deception to gain access. In some cases, they pose as recruiters and convince developers to run infected code as part of a hiring process. In others, they present themselves as freelance developers and introduce malicious code directly into company systems through platforms like GitHub.

Developers in rapidly growing tech ecosystems appear to be a key focus. India, for example, has seen a surge in new contributors on GitHub and ranks among the top countries for cryptocurrency adoption. Researchers suggest that a combination of high developer activity and economic incentives may make such regions more vulnerable to these tactics.

Initial contact is typically made through platforms such as LinkedIn, Upwork, Telegram, and Discord. Representatives from these platforms have advised users to be cautious, particularly when asked to download files or execute unfamiliar code outside controlled environments.

Not all targeted organizations appear strategically important, which suggests the attackers may be casting a wide net. However, the presence of defense and security-related entities among the victims raises more serious concerns about potential intelligence-gathering objectives.

Security experts say this campaign reflects a broader shift in how attacks are being designed. Instead of relying on a single point of failure, attackers are combining social engineering, publicly accessible code platforms, and decentralized infrastructure. The use of blockchain in particular adds a layer of persistence that traditional security tools are not designed to handle.

As investigations continue, researchers warn that this may only be an early stage of a much larger problem. The combination of hidden delivery methods, long-term persistence, and unclear intent makes this campaign especially difficult to predict and contain.

Read more »
South Korea
Cloud Cyber Attacks Data GitHub phishing South Korea

Threat Actors Exploit GitHub as C2 in Multi-Stage Attacks Attacking Organizations in South Korea


GitHub attacked by state-sponsored hackers 

Cyber criminals possibly linked with the Democratic People's Republic of Korea (DPRK) have been found using GitHub as a C2 infrastructure in multi-stage campaigns attacking organizations in South Korea. 

The operation chain involves hidden Windows shortcut (LNK) files that work as a beginning point to deploy a fake PDF document and a PowerShell script that triggers another attack. Experts believe that these LNK files are circulated through phishing emails.

Payload execution 

Once the payloads are downloaded, the victim is shown as the PDF document, while the harmful PowerShell script operates covertly in the background. 

The PowerShell script does checks to avoid analysis by looking for running processes associated with machines, forensic tools, and debuggers. 

Successful exploit scenario 

If successful, it retrieves a Visual Basic Script (VBScript) and builds persistence through a scheduled task that activates the PowerShell payload every 30 minutes in a covert window to escape security. 

This allows the PowerShell script to deploy automatically after every system reboot. “Unlike previous attack chains that progressed from LNK-dropped BAT scripts to shellcode, this case confirms the use of newly developed dropper and downloader malware to deliver shellcode and the ROKRAT payload,” S2W reported. 

The PowerShell script then classifies the attacked host, saves the response to a log file, and extracts it to a GitHub repository made under the account “motoralis” via a hard-coded access token. Few of the GitHub accounts made as part of the campaign consist of “Pigresy80,” "pandora0009”, “brandonleeodd93-blip” and “God0808RAMA.”

After this, the script parses a particular file in the same GitHub repository to get more instructions or modules, therefore letting the threat actor to exploit the trust built with a platform such as GitHub to gain trust and build persistence over the compromised host. 

Campaign history 

According to Fortnet, LNK files were used in previous campaign iterations to propagate malware families such as Xeno RAT. Notably, last year, ENKI and Trellix demonstrated the usage of GitHub C2 to distribute Xeno RAT and its version MoonPeak. 

Kimsuky, a North Korean state-sponsored organization, was blamed for these assaults. Instead of depending on complex custom malware, the threat actor uses native Windows tools for deployment, evasion, and persistence. By minimizing the use of dropped PE files and leveraging LolBins, the attacker can target a broad audience with a low detection rate,” said researcher Cara Lin. 


Read more »
Vulnerabilities and Exploits
GitHub Supply Chain Attack Trivy Scanner Vulnerabilities and Exploits

Trivy Scanner Hit by Major Supply Chain Attack

 

Aqua Security's popular open-source vulnerability scanner, Trivy, has been compromised in an ongoing supply chain attack that began in late February 2026 and escalated dramatically by mid-March. Threat actors exploited misconfigurations in Trivy's GitHub Actions workflows, stealing privileged tokens to gain persistent access to repositories and release processes. 

This breach turned a trusted DevSecOps tool—boasting over 32,000 GitHub stars—into a vector for credential theft across countless CI/CD pipelines worldwide. The attack unfolded in phases, starting with a token theft from a misconfigured GitHub Action on February 28, allowing initial foothold establishment. By March 19, attackers force-pushed malicious code to 76 of 77 tags in aquasecurity/trivy-action and all 7 in setup-trivy, repointing versions like v0.69.4 to infostealer payloads.

The malware executed stealthily: it harvested GitHub tokens, cloud credentials, and SSH keys, encrypted them in tpcp.tar.gz archives, exfiltrated to scan.aquasecurtiy[.]org, then ran legitimate Trivy scans to avoid detection. Malicious Docker images under tags like latest, 0.69.5, and 0.69.6 further spread the threat via container registries. Despite Aqua Security's credential rotations after the initial incident, incomplete measures let attackers reestablish access, leading to repository tampering detected on March 22. This persistence mirrors trends in SaaS supply chain attacks, from SolarWinds to recent exploits, where upstream compromises cascade downstream.

The "Team PCP" actors have struck Trivy three times in under a month, highlighting eviction challenges in automated environments. Trivy's vast adoption amplifies the blast radius, potentially exposing secrets in thousands of organizations' pipelines. Microsoft and others urge auditing workflows using compromised tags, as successful scans masked the theft. This incident underscores vulnerabilities in mutable tags and over-privileged runners, eroding trust in open-source security tools. 

To mitigate, pin GitHub Actions to immutable commit SHAs instead of tags, rotate all exposed secrets, and adopt OIDC for short-lived credentials. Harden CI/CD privileges, monitor SaaS integrations continuously, and audit Trivy executions since March 1. Aqua Security continues remediation with partners like Sygnia, but organizations must proactively secure their supply chains against such "side door" threats.
Read more »
Trojan
coding GitHub JavaScript macOS malware Microsoft Node.js North Korean Hackers Trojan

North Korean Hackers Turn VS Code Projects Into Silent Malware Triggers

 


Opening a project in a code editor is supposed to be routine. In this case, it is enough to trigger a full malware infection.

Security researchers have linked an ongoing campaign associated with North Korean actors, tracked as Contagious Interview or WaterPlum, to a malware family known as StoatWaffle. Instead of relying on software vulnerabilities, the group is embedding malicious logic directly into Microsoft Visual Studio Code (VS Code) projects, turning a trusted development tool into the starting point of an attack.

The entire mechanism is hidden inside a file developers rarely question: tasks.json. This file is typically used to automate workflows. In these attacks, it has been configured with a setting that forces execution the moment a project folder is opened. No manual action is required beyond opening the workspace.

Research from NTT Security shows that the embedded task connects to an external web application, previously hosted on Vercel, to retrieve additional data. The same task operates consistently regardless of the operating system, meaning the behavior does not change between environments even though most observed cases involve Windows systems.

Once triggered, the malware checks whether Node.js is installed. If it is not present, it downloads and installs it from official sources. This ensures the system can execute the rest of the attack chain without interruption.

What follows is a staged infection process. A downloader repeatedly contacts a remote server to fetch additional payloads. Each stage behaves in the same way, reaching out to new endpoints and executing the returned code as Node.js scripts. This creates a recursive chain where one payload continuously pulls in the next.

StoatWaffle is built as a modular framework. One component is designed for data theft, extracting saved credentials and browser extension data from Chromium-based browsers and Mozilla Firefox. On macOS systems, it also targets the iCloud Keychain database. The collected information is then sent to a command-and-control server.

A second module functions as a remote access trojan, allowing attackers to operate the infected system. It supports commands to navigate directories, list and search files, execute scripts, upload data, run shell commands, and terminate itself when required.

Researchers note that the malware is not static. The operators are actively refining it, introducing new variants and updating existing functionality.

The VS Code-based delivery method is only one part of a broader campaign aimed at developers and the open-source ecosystem. In one instance, attackers distributed malicious npm packages carrying a Python-based backdoor called PylangGhost, marking its first known propagation through npm.

Another campaign, known as PolinRider, involved injecting obfuscated JavaScript into hundreds of public GitHub repositories. That code ultimately led to the deployment of an updated version of BeaverTail, a malware strain already linked to the same threat activity.

A more targeted compromise affected four repositories within the Neutralinojs GitHub organization. Attackers gained access by hijacking a contributor account with elevated permissions and force-pushed malicious code. This code retrieved encrypted payloads hidden within blockchain transactions across networks such as Tron, Aptos, and Binance Smart Chain, which were then used to download and execute BeaverTail. Victims are believed to have been exposed through malicious VS Code extensions or compromised npm packages.

According to analysis from Microsoft, the initial compromise often begins with social engineering rather than technical exploitation. Attackers stage convincing recruitment processes that closely resemble legitimate technical interviews. Targets are instructed to run code hosted on platforms such as GitHub, GitLab, or Bitbucket, unknowingly executing malicious components as part of the assessment.

The individuals targeted are typically experienced professionals, including founders, CTOs, and senior engineers in cryptocurrency and Web3 sectors. Their level of access to infrastructure and digital assets makes them especially valuable. In one recent case, attackers unsuccessfully attempted to compromise the founder of AllSecure.io using this approach.

Multiple malware families are used across these attack chains, including OtterCookie, InvisibleFerret, and FlexibleFerret. InvisibleFerret is commonly delivered through BeaverTail, although recent intrusions show it being deployed after initial access is established through OtterCookie. FlexibleFerret, also known as WeaselStore, exists in both Go and Python variants, referred to as GolangGhost and PylangGhost.

The attackers continue to adjust their techniques. Newer versions of the malicious VS Code projects have moved away from earlier infrastructure and now rely on scripts hosted on GitHub Gist to retrieve additional payloads. These ultimately lead to the deployment of FlexibleFerret. The infected projects themselves are distributed through GitHub repositories.

Security analysts warn that placing malware inside tools developers already trust significantly lowers suspicion. When the code is presented as part of a hiring task or technical assessment, it is more likely to be executed, especially under time pressure.

Microsoft has responded to the misuse of VS Code tasks with security updates. In the January 2026 release (version 1.109), a new setting disables automatic task execution by default, preventing tasks defined in tasks.json from running without user awareness. This setting cannot be overridden at the workspace level, limiting the ability of malicious repositories to bypass protections.

Additional safeguards were introduced in February 2026 (version 1.110), including a second prompt that alerts users when an auto-run task is detected after workspace trust is granted.

Beyond development environments, North Korean-linked operations have expanded into broader social engineering campaigns targeting cryptocurrency professionals. These include outreach through LinkedIn, impersonation of venture capital firms, and fake video conferencing links. Some attacks lead to deceptive CAPTCHA pages that trick victims into executing hidden commands in their terminal, enabling cross-platform infections on macOS and Windows. These activities overlap with clusters tracked as GhostCall and UNC1069.

Separately, the U.S. Department of Justice has taken action against individuals involved in supporting North Korea’s fraudulent IT worker operations. Audricus Phagnasay, Jason Salazar, and Alexander Paul Travis were sentenced after pleading guilty in November 2025. Two received probation and fines, while one was sentenced to prison and ordered to forfeit more than $193,000 obtained through identity misuse.

Officials stated that such schemes enable North Korean operatives to generate revenue, access corporate systems, steal proprietary data, and support broader cyber operations. Separate research from Flare and IBM X-Force indicates that individuals involved in these programs undergo rigorous training and are considered highly skilled, forming a key part of the country’s strategic cyber efforts.


What this means

This attack does not depend on exploiting a flaw in software. It depends on exploiting trust.

By embedding malicious behavior into tools, workflows, and hiring processes that developers rely on every day, attackers are shifting the point of compromise. In this environment, opening a project can be just as risky as running an unknown program.

Read more »
Passwords
Crypto Cyber Security Cybersecurity GitHub Linux Passwords

Fake Go Crypto Package Caught Stealing Passwords and Spreading Linux Backdoor

 



Cybersecurity investigators have revealed a rogue Go module engineered to capture passwords, establish long-term SSH access, and deploy a Linux backdoor known as Rekoobe.

The package, published as github[.]com/xinfeisoft/crypto, imitates the legitimate Go cryptography repository widely imported by developers. Instead of delivering standard encryption utilities, the altered version embeds hidden instructions that intercept sensitive input entered in terminal password prompts. The stolen credentials are transmitted to a remote server, which then responds by delivering a shell script that the compromised system executes.

Researchers at Socket explained that the attack relies on namespace confusion. The authentic cryptography project identifies its canonical source as go.googlesource.com/crypto, while GitHub merely hosts a mirror copy. By exploiting this distinction, the threat actor made the counterfeit repository appear routine in dependency graphs, increasing the likelihood that developers would mistake it for the genuine library.

The malicious modification is embedded inside the ssh/terminal/terminal.go file. Each time an application calls the ReadPassword() function, which is designed to securely capture hidden input from a user, the manipulated code silently records the data. What should have been a secure input mechanism becomes a covert data collection point.

Once credentials are exfiltrated, the downloaded script functions as a Linux stager. It appends the attacker’s SSH public key to the /home/ubuntu/.ssh/authorized_keys file, enabling passwordless remote logins. It also changes default iptables policies to ACCEPT, reducing firewall restrictions and increasing exposure. The script proceeds to fetch further payloads from an external server, disguising them with a misleading .mp5 file extension to avoid suspicion.

Two additional components are retrieved. The first acts as a helper utility that checks internet connectivity and attempts to communicate with the IP address 154.84.63[.]184 over TCP port 443, commonly used for encrypted web traffic. Researchers believe this tool likely serves as reconnaissance or as a loader preparing the system for subsequent stages.

The second payload has been identified as Rekoobe, a Linux trojan active in the wild since at least 2015. Rekoobe allows remote operators to receive commands from a control server, download additional malware, extract files, and open reverse shell sessions that grant interactive system control. Security reporting as recently as August 2023 has linked the malware’s use to advanced threat groups, including APT31.

While the malicious module remained listed on the Go package index at the time of analysis, the Go security team has since taken measures to block it as harmful.

Researchers caution that this operation reflects a repeatable, low-effort strategy with glaring impact. By targeting high-value functions such as ReadPassword() and hosting staged payloads through commonly trusted platforms, attackers can rotate infrastructure without republishing code. Defenders are advised to anticipate similar supply chain campaigns aimed at credential-handling libraries, including SSH utilities, command-line authentication tools, and database connectors, with increased use of layered hosting services to conceal corrupted infrastructure.


Read more »
Technology
AI AI prompt injection attack Copilot GitHub GitHub repositories breach Microsoft Technology

GitHub Fixes AI Flaw That Could Have Exposed Private Repository Tokens

 



A now-patched security weakness in GitHub Codespaces revealed how artificial intelligence tools embedded in developer environments can be manipulated to expose sensitive credentials. The issue, discovered by cloud security firm Orca Security and named RoguePilot, involved GitHub Copilot, the AI coding assistant integrated into Codespaces. The flaw was responsibly disclosed and later fixed by Microsoft, which owns GitHub.

According to researchers, the attack could begin with a malicious GitHub issue. An attacker could insert concealed instructions within the issue description, specifically crafted to influence Copilot rather than a human reader. When a developer launched a Codespace directly from that issue, Copilot automatically processed the issue text as contextual input. This created an opportunity for hidden instructions to silently control the AI agent operating within the development environment.

Security experts classify this method as indirect or passive prompt injection. In such attacks, harmful instructions are embedded inside content that a large language model later interprets. Because the model treats that content as legitimate context, it may generate unintended responses or perform actions aligned with the attacker’s objective.

Researchers also described RoguePilot as a form of AI-mediated supply chain attack. Instead of exploiting external software libraries, the attacker leverages the AI system integrated into the workflow. GitHub allows Codespaces to be launched from repositories, commits, pull requests, templates, and issues. The exposure occurred specifically when a Codespace was opened from an issue, since Copilot automatically received the issue description as part of its prompt.

The manipulation could be hidden using HTML comment tags, which are invisible in rendered content but still readable by automated systems. Within those hidden segments, an attacker could instruct Copilot to extract the repository’s GITHUB_TOKEN, a credential that provides elevated permissions. In one demonstrated scenario, Copilot could be influenced to check out a specially prepared pull request containing a symbolic link to an internal file. Through techniques such as referencing a remote JSON schema, the AI assistant could read that internal file and transmit the privileged token to an external server.

The RoguePilot disclosure comes amid broader concerns about AI model alignment. Separate research from Microsoft examined a reinforcement learning method called Group Relative Policy Optimization, or GRPO. While typically used to fine-tune large language models after deployment, researchers found it could also weaken safety safeguards, a process they labeled GRP-Obliteration. Notably, training on even a single mildly problematic prompt was enough to make multiple language models more permissive across harmful categories they had never explicitly encountered.

Additional findings stress upon side-channel risks tied to speculative decoding, an optimization technique that allows models to generate multiple candidate tokens simultaneously to improve speed. Researchers found this process could potentially reveal conversation topics or identify user queries with significant accuracy.

Further concerns were raised by AI security firm HiddenLayer, which documented a technique called ShadowLogic. When applied to agent-based systems, the concept evolves into Agentic ShadowLogic. This approach involves embedding backdoors at the computational graph level of a model, enabling silent modification of tool calls. An attacker could intercept and reroute requests through infrastructure under their control, monitor internal endpoints, and log data flows without disrupting normal user experience.

Meanwhile, Neural Trust demonstrated an image-based jailbreak method known as Semantic Chaining. This attack exploits limited reasoning depth in image-generation models by guiding them through a sequence of individually harmless edits that gradually produce restricted or offensive content. Because each step appears safe in isolation, safety systems may fail to detect the evolving harmful intent.

Researchers have also introduced the term Promptware to describe a new category of malicious inputs designed to function like malware. Instead of exploiting traditional code vulnerabilities, promptware manipulates large language models during inference to carry out stages of a cyberattack lifecycle, including reconnaissance, privilege escalation, persistence, command-and-control communication, lateral movement, and data exfiltration.

Collectively, these findings demonstrate that AI systems embedded in development platforms are becoming a new attack surface. As organizations increasingly rely on intelligent automation, safeguarding the interaction between user input, AI interpretation, and system permissions is critical to preventing misuse within trusted workflows.

Read more »
StealC
AI infostealer malware API Data Stealer GitHub malware MCP security vulnerability StealC

Hackers Use Fake Oura AI Server to Spread StealC Malware

 



Cybersecurity analysts have uncovered a fresh wave of malicious activity involving the SmartLoader malware framework. In this campaign, attackers circulated a compromised version of an Oura Model Context Protocol server in order to deploy a data-stealing program known as StealC.

Researchers from Straiker’s AI Research team, also referred to as STAR Labs, reported that the perpetrators replicated a legitimate Oura MCP server. This genuine tool is designed to connect artificial intelligence assistants with health metrics collected from the Oura Ring through Oura’s official API. To make their fraudulent version appear authentic, the attackers built a network of fabricated GitHub forks and staged contributor activity, creating the illusion of a credible open-source project.

The ultimate objective was to use the altered MCP server as a delivery vehicle for StealC. Once installed, StealC is capable of harvesting usernames, saved browser passwords, cryptocurrency wallet information, and other valuable credentials from infected systems.

SmartLoader itself was initially documented by OALABS Research in early 2024. It functions as a loader, meaning it prepares and installs additional malicious components after gaining a foothold. Previous investigations showed that SmartLoader was commonly distributed through deceptive GitHub repositories that relied on AI-generated descriptions and branding to appear legitimate.

In March 2025, Trend Micro published findings explaining that these repositories frequently masqueraded as gaming cheats, cracked software tools, or cryptocurrency utilities. Victims were enticed with promises of free premium functionality and encouraged to download compressed ZIP files, which ultimately executed SmartLoader on their devices.

Straiker’s latest analysis reveals an evolution of that tactic. Instead of merely posting suspicious repositories, the threat actors established multiple counterfeit GitHub profiles and interconnected projects that hosted weaponized MCP servers. They then submitted the malicious server to a recognized MCP registry called MCP Market. According to the researchers, the listing remains visible within the MCP directory, increasing the risk that developers searching for integration tools may encounter it.

By infiltrating trusted directories and leveraging reputable platforms such as GitHub, the attackers exploited the inherent trust developers place in established ecosystems. Unlike rapid, high-volume malware campaigns, this operation progressed slowly. Straiker noted that the group spent months cultivating legitimacy before activating the malicious payload, demonstrating a calculated effort to gain access to valuable developer environments.

The staged operation unfolded in four key phases. First, at least five fabricated GitHub accounts, identified as YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112, were created to generate convincing forks of the authentic Oura MCP project. Second, a separate repository containing the harmful payload was introduced under another account named SiddhiBagul. Third, these fabricated accounts were listed as contributors to reinforce the appearance of collaboration, while the original project author was intentionally omitted. Finally, the altered MCP server was submitted to MCP Market for broader visibility.

If downloaded and executed, the malicious package runs an obfuscated Lua script. This script installs SmartLoader, which then deploys StealC. The campaign signals a shift from targeting individuals seeking pirated content to focusing on developers, whose systems often store API keys, cloud credentials, cryptocurrency wallets, and access to production infrastructure. Stolen information could facilitate subsequent intrusions into larger networks.

To mitigate the threat, organizations are advised to catalogue all installed MCP servers, implement formal security reviews before adopting such tools, confirm the authenticity and source of repositories, and monitor network traffic for unusual outbound communications or persistence behavior.

Straiker concluded that the incident exposes weaknesses in how companies assess developing AI tools. The attackers capitalized on outdated trust assumptions applied to a rapidly expanding attack surface, underscoring the need for stricter validation practices in modern development environments.

Read more »
Malicious Codes
AWS AWS Hijacking Cyber Attacks Cyber flaws cybersecurity risks GitHub Hacker attack Malicious Codes

AWS CodeBuild Misconfiguration Could Have Enabled Full GitHub Repository Takeover

 

One mistake in how Amazon Web Services set up its CodeBuild tool might have let hackers grab control of official AWS GitHub accounts. That access could spill into more parts of AWS, opening doors for wide-reaching attacks on software supplies. Cloud security team Wiz found the weak spot and called it CodeBreach. They told AWS about it on August 25, 2025. Fixes arrived by September that year. Experts say key pieces inside AWS were at stake - like the popular JavaScript SDK developers rely on every day. 

Into trusted repositories, attackers might have slipped harmful code thanks to CodeBreach, said Wiz team members Yuval Avrahami and Nir Ohfeld. If exploited, many apps using AWS SDKs could face consequences - possibly even disruptions in how the AWS Console functions or risks within user setups. Not a bug inside CodeBuild caused this, but gaps found deeper in automated build processes. These weak spots lived where tools merge and deploy code automatically. 

Something went wrong because the webhook filters had been set up incorrectly. They’re supposed to decide which GitHub actions get permission to start CodeBuild tasks. Only certain people or selected branches should be allowed through, keeping unsafe code changes out of high-access areas. But in a few open-source projects run by AWS, the rules meant to check user IDs didn’t work right. The patterns written to match those users failed at their job. 

Notably, some repositories used regex patterns missing boundary markers at beginning or end, leading to incomplete matches rather than full validation. This gap meant a GitHub user identifier only needed to include an authorized maintainer's number within a larger sequence to slip through. Because GitHub hands out IDs in order, those at Wiz showed how likely it became for upcoming identifiers to accidentally align with known legitimate ones. 

Ahead of any manual effort, bots made it possible to spam GitHub App setups nonstop. One after another, these fake apps rolled out - just waiting for a specific ID pattern to slip through broken checks. When the right match appeared, everything changed quietly. A hidden workflow fired up inside CodeBuild, pulled from what should have stayed locked down. Secrets spilled into logs nobody monitored closely. For aws-sdk-js-v3, that leak handed total control away - tied straight to a powerful token meant to stay private. If hackers gained that much control, they might slip harmful code into secure branches without warning. 

Malicious changes could get approved through rigged pull requests, while hidden data stored in the repo gets quietly pulled out. Once inside, corrupted updates might travel unnoticed through trusted AWS libraries to users relying on them. AWS eventually confirmed some repos lacked tight webhook checks. Still, they noted only certain setups were exposed. 

Now fixed, Amazon says it adjusted those flawed settings. Exposed keys were swapped out, safeguards tightened around building software. Evidence shows CodeBreach wasn’t used by attackers, the firm added. Yet specialists warn - small gaps in automated pipelines might lead to big problems down the line. Now worries grow around CI/CD safety, a new report adds fuel. 

Lately, studies have revealed that poorly set up GitHub Actions might spill sensitive tokens. This mistake lets hackers gain higher permissions in large open-source efforts. What we’re seeing shows tighter checks matter. Running on minimal needed access helps too. How unknown data is processed in builds turns out to be critical. Each step shapes whether systems stay secure.
Read more »
Malwares
Cyber Attacks cyber theft data security GitHub GitHub Actions vulnerability GitHub malware Malware attacks Malwares

WebRAT Malware Spreads Through Fake GitHub Exploit Repositories

 

The WebRAT malware is being distributed through GitHub repositories that falsely claim to host proof-of-concept exploits for recently disclosed security vulnerabilities. This marks a shift in the malware’s delivery strategy, as earlier campaigns relied on pirated software and cheats for popular games such as Roblox, Counter-Strike, and Rust. First identified at the beginning of the year, WebRAT operates as a backdoor that allows attackers to gain unauthorized access to infected systems and steal sensitive information, while also monitoring user activity. 

A report published by cybersecurity firm Solar 4RAYS in May detailed the scope of WebRAT’s capabilities. According to the findings, the malware can harvest login credentials for platforms including Steam, Discord, and Telegram, along with extracting data from cryptocurrency wallets. Beyond credential theft, WebRAT poses a serious privacy threat by enabling attackers to activate webcams and capture screenshots, exposing victims to covert surveillance. 

Since at least September, the threat actors behind WebRAT have expanded their tactics by creating GitHub repositories designed to appear legitimate. These repositories present themselves as exploit code for high-profile vulnerabilities that have received widespread media attention. Among the issues referenced are a Windows flaw that allows remote code execution, a critical authentication bypass in the OwnID Passwordless Login plugin for WordPress, and a Windows privilege escalation vulnerability that enables attackers to gain elevated system access. By exploiting public awareness of these vulnerabilities, the attackers increase the likelihood that developers and security researchers will trust and download the malicious files. 

Security researchers at Kaspersky identified 15 GitHub repositories linked to the WebRAT campaign. Each repository contained detailed descriptions of the vulnerability, explanations of the supposed exploit behavior, and guidance on mitigation. Based on the structure and writing style of the content, Kaspersky assessed that much of the material was likely generated using artificial intelligence tools, adding to the appearance of legitimacy. The fake exploits are distributed as password-protected ZIP archives containing a mix of decoy and malicious components. 

These include empty files, corrupted DLLs intended to mislead analysis, batch scripts that form part of the execution chain, and a dropper executable named rasmanesc.exe. Once launched, the dropper elevates system privileges, disables Windows Defender, and downloads the WebRAT payload from a hardcoded remote server, enabling full compromise of the system.  

Kaspersky noted that the WebRAT variant used in this campaign does not introduce new features and closely resembles previously documented samples. Although all identified malicious repositories have been removed from GitHub, researchers warn that similar lures could resurface under different names or accounts. 

Security experts continue to advise that exploit code from unverified sources should only be tested in isolated, controlled environments to reduce the risk of infection.
Read more »
Malwares
AI cybersecurity AI tools Cyber Security Cyber Security Tool GitHub GitHub Actions vulnerability GitHub Bug Malware Attack Malwares

Webrat Malware Targets Students and Junior Security Researchers Through Fake Exploits

 

In early 2025, security researchers uncovered a new malware family dubbed Webrat, which at that time was predominantly targeting ordinary users through fake distribution methods. The first propagation involved masking malware as cheats for online games-like Rust, Counter-Strike, and Roblox-but also as cracked versions of some commercial software. By the second half of that year, though, the Webrat operators had indeed widened their horizons, shifting toward a new target group that covered students and young professionals seeking careers in information security. 

This evolution started to surface in September and October 2025, when researchers discovered a campaign spreading Webrat through open GitHub repositories. The attackers embedded the malicious payloads as proof-of-concept exploits of highly publicized software vulnerabilities. Those vulnerabilities were chosen due to their resonance in security advisories and high severity ratings, making the repositories look relevant and credible for people searching for hands-on learning materials.  

Each of the GitHub repositories was crafted to closely resemble legitimate exploit releases. They all had detailed descriptions outlining the background of the vulnerability, affected systems, steps to install it, usage, and the most recommended ways of mitigation. Many of the repository descriptions have a similar or almost identical structure; the defensive advice offered is often strikingly similar, adding strong evidence that they were generated through automated or AI-assisted tools rather than various independent researchers. Inside each repository, users were instructed to fetch an archive with a password, labeled as the exploit package. 

The password was hidden in the name of one of the files inside the archive, a move intended to lure users into unzipping the file and researching its contents. Once unpacked, the archive contains a set of files meant to masquerade or divert attention from the actual payload. Among those is a corrupted dynamic-link library file meant as a decoy, along with a batch file whose purpose was to instruct execution of the main malicious executable file. The main executable, when run, executed several high-risk actions: It tried to elevate its privileges to administrator level, disabled the inbuilt security protections such as Windows Defender, and then downloaded the Webrat backdoor from a remote server and started it.

The Webrat backdoor provides a way to attackers for persistent access to infected systems, allowing them to conduct widespread surveillance and data theft activities. Webrat can steal credentials and other sensitive information from cryptocurrency wallets and applications like Telegram, Discord, and Steam. In addition to credential theft, it also supports spyware functionalities such as screen capture, keylogging, and audio and video surveillance via connected microphones and webcams. The functionality seen in this campaign is very similar to versions of Webrat described in previous incidents. 

It seems that the move to dressing the malware up as vulnerability exploits represents an effort to affect hobbyists rather than professionals. Professional analysts normally analyze such untrusted code in a sandbox or isolated environment, where such attacks have limited consequences. 

Consequently, researchers believe the attack focuses on students and beginners with lax operational security discipline. It ranges in topic from the risks in running unverified code downloaded from open-source sites to the need to perform malware analysis and exploit testing in a sandbox or virtual machine environment. 

Security professionals and students are encouraged to be keen in their practices, to trust only known and reputable security tools, and to bypass protection mechanisms only when this is needed with a clear and well-justified reason.
Read more »
Software
GitHub malware PyStoreRAT Remote Access Trojan Software

PyStoreRAT Campaign Uses Fake GitHub Projects to Target OSINT and IT Professionals

 


Cybersecurity researchers have identified a previously undocumented malware operation that leverages GitHub to distribute a threat known as PyStoreRAT. The campaign primarily targets individuals working in information technology, cybersecurity, and open-source intelligence research, exploiting their reliance on open-source tools.

The findings were published by Morphisec Threat Labs, which described the operation as a coordinated and deliberate effort rather than random malware distribution. The attackers focused on blending into legitimate developer activity, making the threat difficult to detect during its early stages.

PyStoreRAT functions as a Remote Access Trojan, a type of malware that enables attackers to maintain hidden and persistent access to an infected system. Once deployed, it can gather detailed system information, execute commands remotely, and act as a delivery mechanism for additional malicious software.

According to the research, the attackers began by reviving dormant GitHub accounts that had shown no activity for extended periods. These accounts were then used to upload software projects that appeared polished, functional, and credible. Many of the repositories were created with the help of artificial intelligence, allowing them to closely resemble genuine open-source tools.

The fake projects included OSINT utilities, decentralized finance trading bots, and AI-based applications such as chatbot wrappers. Several of these repositories gained visibility and user trust, with some rising through GitHub’s trending rankings. Only after achieving engagement did the attackers introduce subtle updates that quietly embedded the PyStoreRAT backdoor under the guise of routine maintenance.

Once active, PyStoreRAT demonstrates a high degree of adaptability. Morphisec researchers found that it profiles infected systems and can deploy additional payloads, including known data-stealing malware families and Python-based loaders. The malware also modifies its execution behavior when it detects certain endpoint protection products, reducing its exposure to security monitoring.

The threat is not limited to a single delivery method. PyStoreRAT can propagate through removable storage devices such as USB drives and continuously retrieves updated components from its operators. Its command-and-control infrastructure relies on a rotating network of servers, allowing attackers to issue new instructions quickly while complicating takedown efforts.

Researchers also identified non-English language elements within the malware code, including Russian-language terms. While this does not confirm attribution, Morphisec noted that the level of planning and operational maturity places the campaign well beyond low-effort GitHub-based malware activity.

GitHub has removed the majority of the malicious repositories linked to the campaign, though a small number were still accessible at the time of analysis. Security experts stress that developers and researchers should remain cautious when downloading tools, carefully review code changes, and avoid running projects that cannot be independently verified.

Morphisec concluded that the campaign surfaces a vastly growing trend, where attackers combine AI-generated content, social engineering, and resilient cloud infrastructure to bypass traditional security defenses, making awareness and verification more critical than ever.



Read more »
PyStoreRAT
GitHub Malicious Campaign malware OSINT PyStoreRAT

Fake GitHub OSINT Tools Spread PyStoreRAT Malware

 

Attackers are using GitHub as part of a campaign to spread a novel JavaScript-based RAT called PyStoreRAT, masquerading as widely used OSINT, GPT, and security utilities targeting developers and analysts. The malware campaign leverages small pieces of Python or JavaScript loader code hosted on fake GitHub repositories, which silently fetch and execute remote HTML Application (HTA) files via mshta.exe, initiating a multi-stage infection chain. 

PyStoreRAT is said to be a modular, multi-stage implant that can load and execute a wide range of payload formats, including EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules, making it highly versatile once a breach has been established. One of the most prominent follow-on payloads is the Rhadamanthys information stealer, which specializes in the exfiltration of sensitive information, including credentials and financial data. The loaders arrive embedded in repositories branded as OSINT frameworks, DeFi trading bots, GPT wrappers, or security tools; many of these hardly work past statically showing menus or other placeholder behavior to appear legitimate.

It is believed the campaign started at around mid-June 2025, with the attackers publishing new repositories at a steady pace, and then artificially inflating stars and forks by promoting those on YouTube, X, and other platforms. When these tools started gaining traction and hit GitHub's trending lists, the threat actors slipped in malicious "maintenance" commits in October and November, quietly swapping or augmenting the code to insert the loader logic. This factor of abusing GitHub's trust model and popularity signals echoes a trend seen in supply chain-like gimmicks such as Stargazers Ghost Network tactic.

Subsequently, the loader retrieves a distant HTA, which installs PyStoreRAT, a tool that profiles the system, identifies whether it has administrator privileges, and searches for cryptocurrency wallet artifacts involving services such as Ledger Live, Trezor, Exodus, Atomic, Guarda, and BitBox02. It also identifies installed anti-virus software and searches for strings such as “Falcon” and “Reason,” which are attributed to CrowdStrike and Cybereason/ReasonLabs, with what appears to be a modification of the path used to execute mshta.exe to avoid detection. 

It uses a scheduled task, which is disguised as an NVIDIA self-update, with the RAT communicating with a distant server for command execution, which includes but is not limited to downloading and executing EXE payloads, delivering Rhadamanthys, unzip archives, loading malicious DLLs via rundll32.exe, unpacking MSI packages, executing PowerShell payloads within a suspended process, instantiating additional mshta.exe, and propagate via portable storage devices by embedding armed LNK documents. 

Additionally, it has the capacity to eliminate its own scheduled tasks, which is attributed to making reverse-engineering even more complicated. The Python-based weapons have revealed Russian language artifacts as well as programming conventions that indicate a probable Eastern European adversary, who has described PyStoreRAT as part of a growth toward adaptable, script-based implants that avoid common detection on a targeted environment until a very late stage in the fight.
Read more »
Subscribe to: Posts (Atom)