Explore

Rapid Read Rapid Read
Axios npm Hack Exploits Fake Teams Error to Compromise Maintainer Account

Axios npm Hack Exploits Fake Teams Error to Compromise Maintainer Account

The maintainers of the popular Axios HTTP client have reported a security breach involving a social engineering attack linked to North Korean hackers. The attackers compromised a maintainer account to publish two malicious versions of Axios to the npm package registry, initiating a supply chain attack. These versions included a dependency that installed a remote access trojan (RAT) on various operating systems. The malicious versions were available for a short period before removal, but systems that installed them are considered compromised. The Google Threat Intelligence Group has attributed this attack to North Korean threat actors known as UNC1069. The attack began with a targeted social engineering campaign against the project's lead maintainer, involving impersonation and a fake Microsoft Teams update that installed malware.
Rapid Read Rapid Read
North Korean Hackers Exploit LNK Files and GitHub Repositories in New Cyber Campaign Targeting South Korea

North Korean Hackers Exploit LNK Files and GitHub Repositories in New Cyber Campaign Targeting South Korea

North Korean state-sponsored hackers have been identified using weaponized Windows shortcut (.LNK) files and GitHub-based command-and-control (C2) channels in a sophisticated cyber campaign targeting South Korean organizations. According to Fortinet researchers, this campaign, which began in 2024, employs a multi-stage scripting process to evade detection. The hackers have improved their obfuscation techniques over time, embedding decoding functions within LNK arguments and encoding payloads directly inside the files. This strategy is part of a broader effort by North Korea to expand its surveillance capabilities within South Korea. The campaign has been linked to previous attacks involving the XenoRAT malware, characterized by lesser obfuscation and heavier metadata.
Rapid Read Rapid Read
Guardarian Users Targeted in Malicious NPM Package Attack

Guardarian Users Targeted in Malicious NPM Package Attack

A recent supply chain attack has targeted the Strapi ecosystem, involving 36 malicious NPM packages. These packages, published across four accounts, deliver various payloads capable of executing Redis code, escaping Docker containers, harvesting credentials, and deploying reverse shells. The attack specifically targets the cryptocurrency payment gateway Guardarian, using a Guardarian API module and targeting wallet files. The campaign appears tailored for Strapi users, focusing on Linux systems and exploiting Redis instances used as Strapi cache backends. Users who installed these packages are advised to rotate all credentials, including database passwords and API keys, to mitigate potential security breaches.
Rapid Read Rapid Read
Guardarian Users Targeted by Malicious NPM Packages in Strapi Ecosystem Attack

Guardarian Users Targeted by Malicious NPM Packages in Strapi Ecosystem Attack

A recent supply chain attack has targeted the Strapi ecosystem, involving 36 malicious NPM packages, as reported by supply chain security firm SafeDep. Strapi, an open-source headless CMS built on Node.js, is used by developers to create websites, mobile applications, and APIs. The attack, which was discovered on Friday, involves packages published across four accounts, delivering various malicious payloads. These payloads are capable of Redis code execution, Docker container escape, credential harvesting, and reverse shell deployment. One specific payload exploits Redis instances to inject crontab entries, deploy PHP webshells, and Node.js reverse shells, inject SSH keys, and exfiltrate a Guardarian API module. Another payload is designed to escape Docker containers, write shells to host directories, launch a reverse shell, and read Elasticsearch and wallet credentials. The campaign specifically targets the cryptocurrency payment gateway Guardarian, as evidenced by the direct probing of databases associat...
Trendline Trendline
Meta Halts AI Data Collaboration After Breach Exposes Training Secrets

Meta Halts AI Data Collaboration After Breach Exposes Training Secrets

Meta Halts AI Data Collaboration After Breach Exposes Training Secrets
Rapid Read Rapid Read
European Commission Data Breach Exposes Vulnerabilities in Trivy Supply Chain Attack

European Commission Data Breach Exposes Vulnerabilities in Trivy Supply Chain Attack

The European Commission (EC) has confirmed a significant data breach involving the theft of over 300GB of data from its AWS environment. This breach was facilitated by a compromised API key in a supply chain attack on the Trivy vulnerability scanner, a tool developed by Aqua Security. The breach, which occurred on March 24, was initially disclosed on March 27. Hackers, identified as the TeamPCP group, exploited the compromised API key to gain unauthorized access to the EC's AWS cloud account, which supports the Europa.eu platform. This platform hosts public websites for the EC and other European Union entities. The attackers used the compromised key to create new access credentials, allowing them to conduct reconnaissance and exfiltrate data. The stolen data, which includes personal information such as names, email addresses, and usernames, was later published by the ShinyHunters extortion group on their Tor-based leak site.
Trendline Trendline
Meta Suspends AI Data Collaboration with Mercor Following Security Breach

Meta Suspends AI Data Collaboration with Mercor Following Security Breach

Meta Suspends AI Data Collaboration with Mercor Following Security Breach
Rapid Read Rapid Read
North Korean Hackers Exploit Axios Maintainer in npm Supply Chain Attack

North Korean Hackers Exploit Axios Maintainer in npm Supply Chain Attack

The maintainer of the popular Axios npm package, Jason Saayman, has confirmed a supply chain compromise resulting from a sophisticated social engineering campaign by North Korean threat actors known as UNC1069. The attackers impersonated a legitimate company's founder to gain Saayman's trust, eventually leading him to a fake Microsoft Teams call. During the call, a fake error message prompted him to update his system, which triggered the deployment of a remote access trojan. This allowed the attackers to steal npm account credentials and publish two compromised versions of the Axios package, containing a malicious implant named WAVESHAPER.V2. The attack shares similarities with previous campaigns by UNC1069 and BlueNoroff, targeting open-source software maintainers to infiltrate downstream users.
Rapid Read Rapid Read
UNC1069 Social Engineering Attack Compromises Axios npm Package, Threatens JavaScript Ecosystem

UNC1069 Social Engineering Attack Compromises Axios npm Package, Threatens JavaScript Ecosystem

The Axios npm package maintainer, Jason Saayman, confirmed a supply chain compromise due to a sophisticated social engineering attack by North Korean threat actors known as UNC1069. The attackers impersonated a legitimate company's founder, inviting Saayman to a fake Slack workspace and a Microsoft Teams meeting. During the meeting, a fake error message prompted an update that deployed a remote access trojan, allowing the attackers to steal npm account credentials. This led to the publication of two trojanized Axios package versions containing the WAVESHAPER.V2 implant. The attack shares similarities with tactics used by UNC1069 and BlueNoroff, previously targeting crypto founders and public figures. Saayman has since implemented preventive measures, including resetting devices and credentials and updating GitHub Actions.
Rapid Read Rapid Read
North Korean Hackers Execute $285 Million Heist on DeFi Platform Drift

North Korean Hackers Execute $285 Million Heist on DeFi Platform Drift

A sophisticated cyberattack attributed to North Korean hackers resulted in the theft of $285 million from the decentralized finance (DeFi) platform Drift. The attack was meticulously planned, involving the use of durable nonce accounts to pre-sign transactions and the compromise of multisig signers’ approvals. Drift is collaborating with security firms, exchanges, and law enforcement to trace and freeze the stolen assets. The attack was executed with precision, with hackers setting up infrastructure eight days prior, gaining admin control, and draining funds from five vaults within seconds. The attackers used a durable nonce to create a transaction on the Solana blockchain, pre-signing every transaction to ensure rapid execution. They gained control of a Drift admin key, allowing them to modify protocol settings, and created a fake collateral market to facilitate the heist.
Trendline Trendline
AI Recruiting Firm Mercor Suffers Data Breach in LiteLLM Supply Chain Attack

AI Recruiting Firm Mercor Suffers Data Breach in LiteLLM Supply Chain Attack

AI Recruiting Firm Mercor Suffers Data Breach in LiteLLM Supply Chain Attack
Rapid Read Rapid Read
FBI Classifies Wiretap Infrastructure Breach as Major Incident, Suspects Chinese Hackers

FBI Classifies Wiretap Infrastructure Breach as Major Incident, Suspects Chinese Hackers

The FBI has officially classified a breach of its lawful wiretap infrastructure as a major incident, highlighting significant national security risks. The breach, reportedly carried out by state-sponsored Chinese hackers, involved accessing the FBI's infrastructure through a commercial ISP. The compromised system contained sensitive information, including returns from legal processes such as pen register and trap and trace surveillance returns, as well as personally identifiable information related to FBI investigations. This breach underscores the vulnerabilities in critical law enforcement infrastructure and the ongoing threat posed by sophisticated cyberattacks.