supply chain attack | Breaking Cybersecurity News | The Hacker News

Multiple threat activity clusters with ties to North Korea (aka Democratic People's Republic of Korea or DPRK) have been linked to attacks targeting organizations and individuals in the Web3 and cryptocurrency space. "The focus on Web3 and cryptocurrency appears to be primarily financially motivated due to the heavy sanctions that have been placed on North Korea," Google-owned Mandiant said in its M-Trends report for 2025 shared with The Hacker News. "These activities aim to generate financial gains, reportedly funding North Korea's weapons of mass destruction (WMD) program and other strategic assets." The cybersecurity firm said DPRK-nexus threat actors have developed custom tools written in a variety of languages such as Golang, C++, and Rust, and are capable of infecting Windows, Linux, and macOS operating systems. At least three threat activity clusters it tracks as UNC1069, UNC4899, and UNC5342 have been found to target members of the cryptocurren...

Cheap Android smartphones manufactured by Chinese companies have been observed pre-installed with trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality as part of a campaign since June 2024. While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to significant escalation where threat actors are directly targeting the supply chain of various Chinese manufacturers to preload brand new devices with malicious apps. "Fraudulent applications were detected directly in the software pre-installed on the phone," the company said . "In this case, the malicious code was added to the WhatsApp messenger." A majority of the compromised devices are said to be low-end phones that mimic well-known premium models from Samsung and Huawei with names like S23 Ultra, S24 Ultra, Note 13 Pro, and P70 Ultra. At least four of the affected mod...

Intro: Why hack in when you can log in? SaaS applications are the backbone of modern organizations, powering productivity and operational efficiency. But every new app introduces critical security risks through app integrations and multiple users, creating easy access points for threat actors. As a result, SaaS breaches have increased, and according to a May 2024 XM Cyber report, identity and credential misconfigurations caused 80% of security exposures. Subtle signs of a compromise get lost in the noise, and then multi-stage attacks unfold undetected due to siloed solutions. Think of an account takeover in Entra ID, then privilege escalation in GitHub, along with data exfiltration from Slack. Each seems unrelated when viewed in isolation, but in a connected timeline of events, it's a dangerous breach. Wing Security's SaaS platform is a multi-layered solution that combines posture management with real-time identity threat detection and response. This allows organizations to get a ...

Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens. The package, ccxt-mexc-futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency eXchange Trading), which is used to connect and trade with several cryptocurrency exchanges and facilitate payment processing services. The malicious package is no longer available on PyPI, but statistics on pepy.tech shows that it has been downloaded at least 1,065 times . "The authors of the malicious ccxt-mexc-futures package, claim in its README file that it extends the CCXT package to support 'futures' trade on MEXC," JFrog researcher Guy Korolevski said in a report shared with The Hacker News. However, a deeper examination of the library has revealed that it specifically overr...

Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack. The newly discovered package, named pdf-to-office , masquerades as a utility for converting PDF files to Microsoft Word documents. But, in reality, it harbors features to inject malicious code into cryptocurrency wallet software associated with Atomic Wallet and Exodus. "Effectively, a victim who tried to send crypto funds to another crypto wallet would have the intended wallet destination address swapped out for one belonging to the malicious actor," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The npm package in question was first published on March 24, 2025, and has received three updates since then but not before the previous versions were likely removed by the a...

The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader. "These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors' obfuscation techniques," Socket security researcher Kirill Boychenko said in a report. The packages in question, which were collectively downloaded more than 5,600 times prior to their removal, are listed below - empty-array-validator twitterapis dev-debugger-vite snore-log core-pino events-utils icloud-cod cln-logger node-clog consolidate-log consolidate-logger The disclosure comes nearly a month after a set of six npm packages were discovered distributing BeaverTail , a JavaScript stealer that's also capable of delivering a Python-b...

Cybersecurity researchers have uncovered malicious libraries in the Python Package Index (PyPI) repository that are designed to steal sensitive information and test stolen credit card data. Two of the packages, bitcoinlibdbfix and bitcoinlib-dev, masquerade as fixes for recent issues detected in a legitimate Python module called bitcoinlib, according to ReversingLabs . A third package discovered by Socket, disgrasya, contained a fully automated carding script targeting WooCommerce stores. The packages attracted hundreds of downloads before being taken down, according to statistics from pepy.tech - bitcoinlibdbfix - 1,101 downloads bitcoinlib-dev - 735 downloads disgrasya - 37,217 downloads "The malicious libraries both attempt a similar attack, overwriting the legitimate 'clw cli' command with malicious code that attempts to exfiltrate sensitive database files," ReversingLabs said. In an interesting twist, the authors of the counterfeit libraries are s...

The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the "tj-actions/changed-files" GitHub Action has been traced further back to the theft of a personal access token ( PAT ) related to SpotBugs. "The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for static analysis of bugs in code," Palo Alto Networks Unit 42 said in an update this week. "This enabled the attackers to move laterally between SpotBugs repositories, until obtaining access to reviewdog." There is evidence to suggest that the malicious activity began as far back as late November 2024, although the attack against Coinbase did not take place until March 2025. Unit 42 said its investigation began with the knowledge that reviewdog's GitHub Action was compromised due to a leaked PAT associated with the project's maintainer. This subsequen...

Counterfeit versions of popular smartphone models that are sold at reduced prices have been found to be preloaded with a modified version of an Android malware called Triada . "More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia," Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.  Triada is the name given to a modular Android malware family that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it's equipped to steal a wide range of sensitive information, as well as enlist infected devices into a botnet for other malicious activities. While the malware was previously observed being distributed via intermediate apps published on the Google Play Store (and elsewhere) that gained root access to the compromised phones, subsequent campaigns have leveraged WhatsApp mods like FMWhatsApp and YoWhatsApp as a propagation vec...

Cybersecurity researchers have discovered two malicious packages on the npm registry that are designed to infect another locally installed package, underscoring the continued evolution of software supply chain attacks targeting the open-source ecosystem. The packages in question are ethers-provider2 and ethers-providerz , with the former downloaded 73 times to date since it was published on March 15, 2025. The second package, likely removed by the malware author themselves, did not attract any downloads. "They were simple downloaders whose malicious payload was cleverly hidden," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. "The interesting part lay in their second stage, which would 'patch' the legitimate npm package ethers , installed locally, with a new file containing the malicious payload. That patched file would ultimately serve a reverse shell." The development marks a new escalation of threat actors...

Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's under development to its users. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers. Both the extensions, per ReversingLabs , incorporate code that's designed to invoke a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it. The payload is suspected to be ransomware in early-stage development, only encrypting files in a folder called "testShiba" on the victim's Windows desktop. Once the files are encrypted, the PowerShell payload displays a message, stating "Your files have been encrypted. Pay 1 ShibaCoin to ShibaWallet to recover them." However, no other instructions or cryptocurrency wallet addresses are provided to the victims, anothe...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action, tj-actions/changed-files, to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that enables a remote attacker to access sensitive data via actions logs. "The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs," CISA said in an alert. "These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys." Cloud security company Wiz has since revealed that the attack may have been an instance of a cascading supply chain attack, with unidentified threat actors first compromising the re...

Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious code. "This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot," Pillar security's Co-Founder and CTO Ziv Karliner said in a technical report shared with The Hacker News. "By exploiting hidden unicode characters and sophisticated evasion techniques in the model facing instruction payload, threat actors can manipulate the AI to insert malicious code that bypasses typical code reviews." The attack vector is notable for the fact that it allows malicious code to silently propagate across projects, posing a supply chain risk. The crux of the attack hinges on the rules files that are used ...

At least four different threat actors have been identified as involved in an updated version of a massive ad fraud and residential proxy scheme called BADBOX , painting a picture of an interconnected cybercrime ecosystem. This includes SalesTracker Group, MoYu Group, Lemon Group, and LongTV, according to new findings from the HUMAN Satori Threat Intelligence and Research team, published in collaboration with Google, Trend Micro, Shadowserver, and other partners. The "complex and expansive fraud operation" has been codenamed BADBOX 2.0. It has been described as the largest botnet of infected connected TV (CTV) devices ever uncovered. "BADBOX 2.0, like its predecessor, begins with backdoors on low-cost consumer devices that enable threat actors to load fraud modules remotely," the company said . "These devices communicate with command-and-control (C2) servers owned and operated by a series of distinct but cooperative threat actors." The threat actors ar...

Cybersecurity researchers are calling attention to an incident in which the popular GitHub Action tj-actions/changed-files was compromised to leak secrets from repositories using the continuous integration and continuous delivery (CI/CD) workflow. The incident involved the tj-actions/changed-files GitHub Action, which is used in over 23,000 repositories. It's used to track and retrieve all changed files and directories. The supply chain compromise has been assigned the CVE identifier CVE-2025-30066 (CVSS score: 8.6). The incident is said to have taken place sometime before March 14, 2025. "In this attack, the attackers modified the action's code and retroactively updated multiple version tags to reference the malicious commit," StepSecurity said . "The compromised Action prints CI/CD secrets in GitHub Actions build logs." The net result of this behavior is that should the workflow logs be publicly accessible, they could lead to the unauthorized expo...

The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were. "KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins," the company said in an analysis. The malicious artifacts masquerade as utility applications on the official Google Play Store, using the names File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security to trick unsuspecting users into infecting their own devices. All the identified apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the backg...