#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
DevSecOps

GitHub | Breaking Cybersecurity News | The Hacker News

Category — GitHub
Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access

Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access

Feb 04, 2025 Vulnerability / Threat Intelligence
Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems. The package, named github.com/boltdb-go/bolt , is a typosquat of the legitimate BoltDB database module ( github.com/boltdb/bolt ), per Socket. The malicious version (1.3.1) was published to GitHub in November 2021, following which it was cached indefinitely by the Go Module Mirror service. "Once installed, the backdoored package grants the threat actor remote access to the infected system, allowing them to execute arbitrary commands," security researcher Kirill Boychenko said in an analysis. Socket said the development marks one of the earliest instances of a malicious actor abusing the Go Module Mirror's indefinite caching of modules to trick users into downloading the package. Subsequently, the attacker is said to have modified the Git tags in the source r...
North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS

North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS

Feb 04, 2025 Malware / Cryptocurrency
The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process. "Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or CameraAccess for virtual meetings," SentinelOne researchers Phil Stokes and Tom Hegel said in a new report. Contagious Interview, first uncovered in late 2023, is a persistent effort undertaken by the hacking crew to deliver malware to prospective targets through bogus npm packages and native apps masquerading as videoconferencing software. It's also tracked as DeceptiveDevelopment and DEV#POPPER. These attack chains are designed to drop a JavaScript-based malware known as BeaverTail, which, besides harvesting sensitive data from web browsers and crypto wallets, is capable of d...
Navigating the Future: Key IT Vulnerability Management Trends

Navigating the Future: Key IT Vulnerability Management Trends 

Feb 11, 2025Vulnerability / Threat Detection
As the cybersecurity landscape continues to evolve, proactive vulnerability management has become a critical priority for managed service providers (MSPs) and IT teams. Recent trends indicate that organizations increasingly prioritize more frequent IT security vulnerability assessments to identify and address potential security flaws. Staying informed on these trends can help MSPs and IT teams remain one step ahead of potential cyber-risks. The Kaseya Cybersecurity Survey Report 2024 navigates this new frontier of cyber challenges. The data is clear: Organizations are becoming increasingly reliant on vulnerability assessments and plan to prioritize these investments in 2025. Companies are increasing the frequency of vulnerability assessments  In 2024, 24% of respondents said they conduct vulnerability assessments more than four times per year, up from 15% in 2023. This shift highlights a growing recognition of the need for continuous monitoring and quick response to emerging t...
Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware

Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware

Feb 03, 2025 Cybercrime / Cryptocurrency
A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC , Atomic macOS Stealer (aka AMOS ), and Angel Drainer . "Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a well-coordinated network of traffers — social engineering experts tasked with redirecting legitimate traffic to malicious phishing pages," Recorded Future's Insikt Group said in an analysis. The use of a diverse malware arsenal cryptoscam group is a sign that the threat actor is targeting users of both Windows and macOS systems, posing a risk to the decentralized finance ecosystem. Crazy Evil has been assessed to be active since at least 2021, functioning primarily as a traffer team tasked with redirecting legitimate traffic to malicious landing pages operated by other criminal cre...
cyber security

Webinar: 5 Ways New AI Agents Can Automate Identity Attacks | Register Now

websitePush SecurityAI Agents / Identity Security
Watch how Computer-Using Agents can be used by attackers to automate account takeover and exploitation.
GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

Jan 27, 2025 Vulnerability / Software Security
Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user's Git credentials. "Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper ," GMO Flatt Security researcher Ry0taK, who discovered the flaws, said in an analysis published Sunday. "Because of improper handling of messages, many projects were vulnerable to credential leakage in various ways." The list of identified vulnerabilities, dubbed Clone2Leak, is as follows - CVE-2025-23040 (CVSS score: 6.6) - Maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop  CVE-2024-50338 (CVSS score: 7.4) - Carriage-return character in remote URL allows the malicious repository to leak credentials in Git Credential Manager CVE-2024-53263 (CVSS score: 8.5) - Git LFS permits retrieval of cre...
Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP

Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP

Jan 20, 2025 Supply Chain Attack / Solana
Cybersecurity researchers have identified three sets of malicious packages across the npm and Python Package Index (PyPI) repository that come with capabilities to steal data and even delete sensitive data from infected systems. The list of identified packages is below - @async-mutex/mutex, a typosquat of async-mute (npm) dexscreener, which masquerades as a library for accessing liquidity pool data from decentralized exchanges (DEXs) and interacting with the DEX Screener platform (npm) solana-transaction-toolkit (npm) solana-stable-web-huks (npm) cschokidar-next, a typosquat of chokidar (npm) achokidar-next, a typosquat of chokidar (npm) achalk-next, a typosquat of chalk (npm) csbchalk-next, a typosquat of chalk (npm) cschalk, a typosquat of chalk (npm) pycord-self, a typosquat of discord.py-self (PyPI) Supply chain security company Socket, which discovered the packages, said the first four packages are designed to intercept Solana private keys and transmit them throug...
CrowdStrike Warns of Phishing Scam Targeting Job Seekers with XMRig Cryptominer

CrowdStrike Warns of Phishing Scam Targeting Job Seekers with XMRig Cryptominer

Jan 10, 2025 Cryptomining / Malware
Cybersecurity company CrowdStrike is alerting of a phishing campaign that exploits its own branding to distribute a cryptocurrency miner that's disguised as an employee CRM application as part of a supposed recruitment process. "The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website," the company said . "Victims are prompted to download and run a fake application, which serves as a downloader for the cryptominer XMRig." The Texas-based company said it discovered the malicious campaign on January 7, 2025, and that it's "aware of scams involving false offers of employment with CrowdStrike." The phishing email lures recipients by claiming that they have been shortlisted for the next stage of the hiring process for a junior developer role, and that they need to join a call with the recruitment team by downloading a customer relationship management (CRM) tool provided in the embedd...
Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

Jan 02, 2025 Open Source / Malware
Cybersecurity researchers have discovered a malicious package on the npm package registry that masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but, in reality, drops an open-source remote access trojan called Quasar RAT onto developer systems. The heavily obfuscated package, named ethereumvulncontracthandler , was published to npm on December 18, 2024, by a user named "solidit-dev-416." As of writing, it continues to be available for download. It has been downloaded 66 times to date. "Upon installation, it retrieves a malicious script from a remote server, executing it silently to deploy the RAT on Windows systems," Socket security researcher Kirill Boychenko said in an analysis published last month. The malicious code embedded into ethereumvulncontracthandler is obscured with multiple layers of obfuscation, leveraging techniques like Base64- and XOR-encoding, as well as minification to resist analysis and detection efforts. ...
Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

Dec 20, 2024 Malware / Supply Chain Attack
The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli , were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware. Following the discovery , versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8. "They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts," software supply chain security firm Socket said in an analysis. Rspack is billed as an alternative to the webpack , offering a "high performance JavaScript bundler written in Rust." Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others. The npm packages in question, @rspack/core, and @rspack/cli, attract weekly downloads of over 300,000 and 145...
390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

Dec 13, 2024 Cyber Attack / Malware
A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials. The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that involves phishing and several trojanized GitHub repositories hosting proof-of-concept (PoC) code for exploiting known security flaws. "Victims are believed to be offensive actors – including pentesters and security researchers, as well as malicious threat actors – and had sensitive data such as SSH private keys and AWS access keys exfiltrated," researchers Christophe Tafani-Dereeper, Matt Muir, and Adrian Korn said in an analysis shared with The Hacker News. It's no surprise that security researchers have been an attractive target for threat actors, including nation-sta...
Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

Dec 07, 2024 Supply Chain Attack / Cryptocurrency
In yet another software supply chain attack, it has come to light that two versions of a popular Python artificial intelligence (AI) library named ultralytics were compromised to deliver a cryptocurrency miner. The versions, 8.3.41 and 8.3.42, have since been removed from the Python Package Index (PyPI) repository. A subsequently released version has introduced a security fix that "ensures secure publication workflow for the Ultralytics package." The project maintainer, Glenn Jocher, confirmed on GitHub that the two versions were infected by malicious code injection in the PyPI deployment workflow after reports emerged that installing the library led to a drastic spike in CPU usage , a telltale sign of cryptocurrency mining. The most notable aspect of the attack is that bad actors managed to compromise the build environment related to the project to insert unauthorized modifications after the completion of the code review step, thus leading to a discrepancy in the so...
XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

XML-RPC npm Library Turns Malicious, Steals Data, Deploys Crypto Miner

Nov 28, 2024 Software Security / Data Breach
Cybersecurity researchers have discovered a software supply chain attack that has remained active for over a year on the npm package registry by starting off as an innocuous library and later adding malicious code to steal sensitive data and mine cryptocurrency on infected systems. The package, named @0xengine/xmlrpc , was originally published on October 2, 2023 as a JavaScript-based XML-RPC server and client for Node.js. It has been downloaded 1,790 times to date and remains available for download from the repository. Checkmarx , which discovered the package, said the malicious code was strategically introduced in version 1.3.4 a day later, harboring functionality to harvest valuable information such as SSH keys, bash history, system metadata, and environment variables every 12 hours, and exfiltrate it via services like Dropbox and file.io. "The attack achieved distribution through multiple vectors: direct npm installation and as a hidden dependency in a legitimate-looking ...
Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

Nov 28, 2024 Windows Security / Cryptomining
A popular open-source game engine called Godot Engine is being misused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024. "Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware," Check Point said in a new analysis published Wednesday. "The technique remains undetected by almost all antivirus engines in VirusTotal." It's no surprise that threat actors are constantly on the lookout for new tools and techniques that can help them deliver malware while sidestepping detection by security controls, even as defenders continue to erect new guardrails. The newest addition is Godot Engine , a game development platform that allows users to design 2D and 3D games across platforms , including Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web. The multi-platform support also makes it an attract...
The Problem of Permissions and Non-Human Identities - Why Remediating Credentials Takes Longer Than You Think

The Problem of Permissions and Non-Human Identities - Why Remediating Credentials Takes Longer Than You Think

Nov 18, 2024 DevOps / Identity Security
According to research from GitGuardian and CyberArk, 79% of IT decision-makers reported having experienced a secrets leak , up from 75% in the previous year's report. At the same time, the number of leaked credentials has never been higher, with over 12.7 million hardcoded credentials in public GitHub repositories alone . One of the more troubling aspects of this report is that over 90% of valid secrets found and reported remained valid for more than 5 days. According to the same research, on average, it takes organizations 27 days to remediate leaked credentials. Combine that with the fact that non-human identities outnumber human identities by at least 45:1 , and it is easy to see why many organizations are realizing stopping secrets sprawl means finding a way to deal with this machine identity crisis. Unfortunately, the research also shows that many teams are confused about who owns the security of these identities. It is a perfect storm of risk.  Why Does Rotation Take So L...
New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns

New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns

Nov 12, 2024 Email Security / Threat Intelligence
Cybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users. The program, first marketed by a threat actor named cyberdluffy (aka Cyber D' Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub profiles and send bulk emails directly to user inboxes. "Whether you're aiming to reach a specific audience or expand your outreach, GoIssue offers the precision and power you need," the threat actor claimed in their post. "GoIssue can send bulk emails to GitHub users, directly to their inboxes, targeting any recipient." SlashNext said the tool marks a "dangerous shift in targeted phishing" that could act as a gateway to source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials. "Armed with this inform...
Expert Insights / Articles Videos
Cybersecurity Resources