ReversingLabs | Breaking Cybersecurity News | The Hacker News

Threat hunters have identified a suspicious package in the  NuGet package manager  that's likely designed to target developers working with tools made by a Chinese firm that specializes in industrial- and digital equipment manufacturing. The package in question is  SqzrFramework480 , which ReversingLabs said was first published on January 24, 2024. It has been  downloaded  2,999 times as of writing. The software supply chain security firm said it did not find any other package that exhibited similar behavior. It, however, theorized the campaign could likely be used for orchestrating industrial espionage on systems equipped with cameras, machine vision, and robotic arms. The indication that SqzrFramework480 is seemingly tied to a Chinese firm named Bozhon Precision Industry Technology Co., Ltd. comes from the use of a version of the company's logo for the package's icon. It was uploaded by a Nuget user account called " zhaoyushun1999 ." Present within the...

Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called  DLL side-loading  to circumvent detection by security software and run malicious code. The packages, named  NP6HelperHttptest  and  NP6HelperHttper , were each downloaded  537  and  166 times , respectively, before they were taken down. "The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding," ReversingLabs researcher Petar Kirhmajer  said  in a report shared with The Hacker News. The name NP6 is notable as it refers to a legitimate marketing automation solution made by ChapsVision. In particular, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision's employees to PyPI. In other words, the goal is to tr...

Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a  host of rogue NuGet packages  that were observed delivering a remote access trojan called SeroXen RAT . "The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages," Karlo Zanki, reverse engineer at ReversingLabs,  said  in a report shared with The Hacker News. The names of some of the packages are below - Pathoschild.Stardew.Mod.Build.Config KucoinExchange.Net Kraken.Exchange DiscordsRpc SolanaWallet Monero Modern.Winform.UI MinecraftPocket.Server IAmRoot ZendeskApi.Client.V2 Betalgo.Open.AI Forge.Open.AI Pathoschild.Stardew.Mod.BuildConfig CData.NetS...

Is Managing Customer Logins and Data Giving You Headaches? You're Not Alone! Today, we all expect super-fast, secure, and personalized online experiences. But let's be honest, we're also more careful about how our data is used. If something feels off, trust can vanish in an instant. Add to that the lightning-fast changes AI is bringing to everything from how we log in to spotting online fraud, and it's a whole new ball game! If you're dealing with logins, data privacy, bringing new users on board, or building digital trust, this webinar is for you . Join us for " Navigating Customer Identity in the AI Era ," where we'll dive into the Auth0 2025 Customer Identity Trends Report . We'll show you what's working, what's not, and how to tweak your strategy for the year ahead. In just one session, you'll get practical answers to real-world challenges like: How AI is changing what users expect – and where they're starting to push ba...

A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77 , marking the first time a rogue package has delivered rootkit functionality. The package in question is  node-hide-console-windows , which mimics the legitimate npm package  node-hide-console-window  in what's an instance of a typosquatting campaign. It was  downloaded 704 times  over the past two months before it was taken down. ReversingLabs, which  first detected  the activity in August 2023, said the package "downloaded a Discord bot that facilitated the planting of an open-source rootkit, r77," adding it "suggests that open-source projects may increasingly be seen as an avenue by which to distribute malware." The malicious code, per the software supply chain security firm, is contained within the package's index.js file that, upon execution, fetches an executable that's automatically run. The executable in question ...

Three additional rogue Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called  VMConnect , with signs pointing to the involvement of North Korean state-sponsored threat actors. The  findings  come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the start of the month by the company and Sonatype,  VMConnect  refers to a collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware. The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers. The nefarious code within tablediter is designed to run in an endless execution loop in which a remote server is polled periodically ...

Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools. "It may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed," ReversingLabs analyst Karlo Zanki  said  in a report shared with The Hacker News. The package in question is  fshec2 , which was removed from the third-party software registry on April 17, 2023, following responsible disclosure on the same day. PYC files are compiled bytecode files that are generated by the Python interpreter when a Python program is executed. "When a module is imported for the first time (or when the source file has changed since the current compiled file was created) a .pyc file containing the compiled code should be created in a __pycache__ subdirectory of the directory containing the .py file,"  explains  the Python documentation. Th...