supply chain attack | Breaking Cybersecurity News | The Hacker News

The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were. "KoSpy can collect extensive data, such as SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins," the company said in an analysis. The malicious artifacts masquerade as utility applications on the official Google Play Store, using the names File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security to trick unsuspecting users into infecting their own devices. All the identified apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the backg...

Cyber threats today don't just evolve—they mutate rapidly, testing the resilience of everything from global financial systems to critical infrastructure. As cybersecurity confronts new battlegrounds—ranging from nation-state espionage and ransomware to manipulated AI chatbots—the landscape becomes increasingly complex, prompting vital questions: How secure are our cloud environments? Can our IoT devices be weaponized unnoticed? What happens when cybercriminals leverage traditional mail for digital ransom? This week's events reveal a sobering reality: state-sponsored groups are infiltrating IT supply chains, new ransomware connections are emerging, and attackers are creatively targeting industries previously untouched. Moreover, global law enforcement actions highlight both progress and persistent challenges in countering cybercrime networks. Dive into this edition to understand the deeper context behind these developments and stay informed about threats that continue reshap...

Are you tired of dealing with outdated security tools that never seem to give you the full picture? You're not alone. Many organizations struggle with piecing together scattered information, leaving your apps vulnerable to modern threats. That's why we're excited to introduce a smarter, unified approach: Application Security Posture Management (ASPM). ASPM brings together the best of both worlds by connecting your code insights with real-time runtime data. This means you get a clear, holistic view of your application's security. Instead of reacting to threats, ASPM helps you prevent them. Imagine reducing costly retrofits and emergency patches with a proactive, shift-left strategy—saving you time, money, and stress. Join Amir Kaushansky, Director of Product Management at Palo Alto Networks, as he walks you through how ASPM is changing the game. In this free webinar , you'll learn to: Close the Security Gaps: Understand why traditional AppSec tools fall short and how ASPM fills ...

Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries. The package in question is set-utils , which has received 1,077 downloads to date. It's no longer available for download from the official registry. "Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M + downloads)," software supply chain security company Socket said . "This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets." The package aims to target Ethereum developers and organizations working with Python-based blockchain applications, particularly Python-based wallet management libraries like eth-account. Besides embedding the attacker's RSA public key to...

Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to deploy loader malware on Linux and Apple macOS systems. "The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers," Socket researcher Kirill Boychenko said in a new report. "These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly." While all of them continue to be available on the official package repository, their corresponding GitHub repositories barring "github[.]com/ornatedoctrin/layout" are no longer accessible. The list of offending Go packages is below - shallowmulti/hypert (github.com/shallowmulti/hypert) shadowybulk/hypert (github.com/shadowybulk/hypert) belate...

The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus." The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster it tracks as TraderTraitor, which is also referred to as Jade Sleet, Slow Pisces, and UNC4899. "TraderTraitor actors are proceeding rapidly and have converted some of the stolen assets to Bitcoin and other virtual assets dispersed across thousands of addresses on multiple blockchains," the FBI said . "It is expected these assets will be further laundered and eventually converted to fiat currency." It's worth noting that the TraderTraitor cluster was previously implicated by Japanese and U.S. authorities in the theft of cryptocurrency worth $308 mil...

Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image ( AMI ) with a specific name to gain code execution within the Amazon Web Services (AWS) account. "If executed at scale, this attack could be used to gain access to thousands of accounts," Datadog Security Labs researcher Seth Art said in a report shared with The Hacker News. "The vulnerable pattern can be found in many private and open source code repositories." At its heart, the technique is a subset of a supply chain attack that involves publishing a malicious resource and tricking misconfigured software into using it instead of the legitimate counterpart. The attack exploits the fact that anyone can AMI, which refers to a virtual machine image that's used to boot up Elastic Compute Cloud (EC2) instances in AWS, to the community catalog and the fact that developers could omit to mention the "--owners...

The North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "SuccessFriend." The profile, active since July 2024, is no longer accessible on the code hosting platform. The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia. "The profile mentioned web dev skills and learning blockchain which is in alignment to the interests of Lazarus," SecurityScorecard said . "The threat actor was committing both pre-o...

Imagine you're considering a new car for your family. Before making a purchase, you evaluate its safety ratings, fuel efficiency, and reliability. You might even take it for a test drive to ensure it meets your needs. The same approach should be applied to software and hardware products before integrating them into an organization's environment. Just as you wouldn't buy a car without knowing its safety features, you shouldn't deploy software without understanding the risks it introduces. The Rising Threat of Supply Chain Attacks Cybercriminals have recognized that instead of attacking an organization head-on, they can infiltrate through the software supply chain—like slipping counterfeit parts into an assembly line. According to the 2024 Sonatype State of the Software Supply Chain report , attackers are infiltrating open-source ecosystems at an alarming rate, with over 512,847 malicious packages detected last year alone—a 156% increase from the previous year. Traditional sec...

Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells, and maintain persistent remote access to compromised systems. The zero-day exploitation of security flaws in VeraCore has been attributed to a threat actor known as XE Group , a cybercrime group likely of Vietnamese origin that's known to be active since at least 2010. "XE Group transitioned from credit card skimming to targeted information theft, marking a significant shift in their operational priorities," cybersecurity firm Intezer said in a report published in collaboration with Solis Security. "Their attacks now target supply chains in the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics." The vulnerabilities in question are listed below - CVE-2024-57968 (CVSS score: 9.9) - An unrestricted upload of f...

The North Korean threat actor known as the Lazarus Group has been observed leveraging a "web-based administrative platform" to oversee its command-and-control (C2) infrastructure, giving the adversary the ability to centrally supervise all aspects of their campaigns. "Each C2 server hosted a web-based administrative platform, built with a React application and a Node.js API," SecurityScorecard's STRIKE team said in a new report shared with The Hacker News. "This administrative layer was consistent across all the C2 servers analyzed, even as the attackers varied their payloads and obfuscation techniques to evade detection." The hidden framework has been described as a comprehensive system and a hub that allows attackers to organize and manage exfiltrated data, maintain oversight of their compromised hosts, and handle payload delivery. The web-based admin panel has been identified in connection with a supply chain attack campaign dubbed Operation ...

Google has launched a new feature called Identity Check for supported Android devices that locks sensitive settings behind biometric authentication when outside of trusted locations. "When you turn on Identity Check, your device will require explicit biometric authentication to access certain sensitive resources when you're outside of trusted locations," Google said in a post announcing the move. In doing so, biometric authentication will be required for the following actions - Access saved passwords and passkeys with Google Password Manager Autofill passwords in apps from Google Password Manager, except in Chrome Change screen lock, like PIN, pattern, and password Change biometrics, like Fingerprint or Face Unlock Run a factory reset Turn off Find My Device Turn off any theft protection features View trusted places Turn off Identity Check Set up a new device with your current device Add or remove a Google Account Access Developer options Identity C...