#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

ReversingLabs | Breaking Cybersecurity News | The Hacker News

Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers

Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers
Mar 26, 2024 Industrial Espionage / Threat Intelligence
Threat hunters have identified a suspicious package in the  NuGet package manager  that's likely designed to target developers working with tools made by a Chinese firm that specializes in industrial- and digital equipment manufacturing. The package in question is  SqzrFramework480 , which ReversingLabs said was first published on January 24, 2024. It has been  downloaded  2,999 times as of writing. The software supply chain security firm said it did not find any other package that exhibited similar behavior. It, however, theorized the campaign could likely be used for orchestrating industrial espionage on systems equipped with cameras, machine vision, and robotic arms. The indication that SqzrFramework480 is seemingly tied to a Chinese firm named Bozhon Precision Industry Technology Co., Ltd. comes from the use of a version of the company's logo for the package's icon. It was uploaded by a Nuget user account called " zhaoyushun1999 ." Present within the l

New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics
Feb 20, 2024 Malware / Supply Chain Security
Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called  DLL side-loading  to circumvent detection by security software and run malicious code. The packages, named  NP6HelperHttptest  and  NP6HelperHttper , were each downloaded  537  and  166 times , respectively, before they were taken down. "The latest discovery is an example of DLL sideloading executed by an open-source package that suggests the scope of software supply chain threats is expanding," ReversingLabs researcher Petar Kirhmajer  said  in a report shared with The Hacker News. The name NP6 is notable as it refers to a legitimate marketing automation solution made by ChapsVision. In particular, the fake packages are typosquats of NP6HelperHttp and NP6HelperConfig, which are helper tools published by one of ChapsVision's employees to PyPI. In other words, the goal is to trick developers searching for NP6Hel

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution

Timing is Everything: The Role of Just-in-Time Privileged Access in Security Evolution
Apr 15, 2024Active Directory / Attack Surface
To minimize the risk of privilege misuse, a trend in the privileged access management (PAM) solution market involves implementing just-in-time (JIT) privileged access. This approach to  privileged identity management  aims to mitigate the risks associated with prolonged high-level access by granting privileges temporarily and only when necessary, rather than providing users with continuous high-level privileges. By adopting this strategy, organizations can enhance security, minimize the window of opportunity for potential attackers and ensure that users access privileged resources only when necessary.  What is JIT and why is it important?   JIT privileged access provisioning  involves granting privileged access to users on a temporary basis, aligning with the concept of least privilege. This principle provides users with only the minimum level of access required to perform their tasks, and only for the amount of time required to do so. One of the key advantages of JIT provisioning

Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

Malicious NuGet Packages Caught Distributing SeroXen RAT Malware
Oct 31, 2023 Software Security / Malware
Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a  host of rogue NuGet packages  that were observed delivering a remote access trojan called SeroXen RAT . "The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages," Karlo Zanki, reverse engineer at ReversingLabs,  said  in a report shared with The Hacker News. The names of some of the packages are below - Pathoschild.Stardew.Mod.Build.Config KucoinExchange.Net Kraken.Exchange DiscordsRpc SolanaWallet Monero Modern.Winform.UI MinecraftPocket.Server IAmRoot ZendeskApi.Client.V2 Betalgo.Open.AI Forge.Open.AI Pathoschild.Stardew.Mod.BuildConfig CData.NetSuite.Net.

Today's Top 4 Identity Threat Exposures: Where To Find Them and How To Stop Them

cyber security
websiteSilverfort Identity Protection / Attack Surface
Explore the first ever threat report 100% focused on the prevalence of identity security gaps you may not be aware of.

Rogue npm Package Deploys Open-Source Rootkit in New Supply Chain Attack

Rogue npm Package Deploys Open-Source Rootkit in New Supply Chain Attack
Oct 04, 2023 Supply Chain / Malware
A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77 , marking the first time a rogue package has delivered rootkit functionality. The package in question is  node-hide-console-windows , which mimics the legitimate npm package  node-hide-console-window  in what's an instance of a typosquatting campaign. It was  downloaded 704 times  over the past two months before it was taken down. ReversingLabs, which  first detected  the activity in August 2023, said the package "downloaded a Discord bot that facilitated the planting of an open-source rootkit, r77," adding it "suggests that open-source projects may increasingly be seen as an avenue by which to distribute malware." The malicious code, per the software supply chain security firm, is contained within the package's index.js file that, upon execution, fetches an executable that's automatically run. The executable in question is

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository
Aug 31, 2023 Malware/ Supply Chain
Three additional rogue Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called  VMConnect , with signs pointing to the involvement of North Korean state-sponsored threat actors. The  findings  come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the start of the month by the company and Sonatype,  VMConnect  refers to a collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware. The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers. The nefarious code within tablediter is designed to run in an endless execution loop in which a remote server is polled periodically to retrieve and execute

Malicious PyPI Packages Using Compiled Python Code to Bypass Detection

Malicious PyPI Packages Using Compiled Python Code to Bypass Detection
Jun 01, 2023 Programming / Supply Chain
Researchers have discovered a novel attack on the Python Package Index (PyPI) repository that employs compiled Python code to sidestep detection by application security tools. "It may be the first supply chain attack to take advantage of the fact that Python bytecode (PYC) files can be directly executed," ReversingLabs analyst Karlo Zanki  said  in a report shared with The Hacker News. The package in question is  fshec2 , which was removed from the third-party software registry on April 17, 2023, following responsible disclosure on the same day. PYC files are compiled bytecode files that are generated by the Python interpreter when a Python program is executed. "When a module is imported for the first time (or when the source file has changed since the current compiled file was created) a .pyc file containing the compiled code should be created in a __pycache__ subdirectory of the directory containing the .py file,"  explains  the Python documentation. The pa
Cybersecurity Resources