Daily Brief
Articles are listed below with their generated summaries.
Total articles found: 12801
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-03-28 06:08:51 | thehackernews | CYBERCRIME | Long-Standing npm Packages Compromised to Steal API Keys | Several old but commonly used npm cryptocurrency packages were hijacked to exfiltrate sensitive data such as API keys and SSH keys from the systems they are installed on. The hijacked packages, which had been on the npmjs.com registry for over nine years, were recently found to contain obfuscated malicious scripts. These scripts execute automatically after installation, harvest environment variables and send them to a remote server. The attackers appear to have gained access possibly through compromised npm maintainer accounts or expired-domain takeovers, rather than through direct attacks such as phishing. No alterations were found in the GitHub repositories linked to the affected packages, which suggests the malicious code was pushed directly to the npm registry. The exact motive for the theft remains unclear, although the data targeted suggests preparation for further attacks or fraud. The incident underscores the importance of two-factor authentication and enhanced monitoring to prevent similar threats within software supply chains. |
| 2025-03-28 05:48:36 | thehackernews | MALWARE | Mozilla Fixes Critical Firefox Bug After Similar Chrome Exploit | Mozilla has patched a critical security flaw in Firefox, identified as CVE-2025-2857, which could have allowed a sandbox escape. The vulnerability was similar to a recent zero-day flaw exploited in Google's Chrome browser, prompting a rapid response from Mozilla. Firefox updates fixing the bug have been issued in versions 136.0.4, Firefox ESR 115.21.1, and Firefox ESR 128.8.1. The flaw lay in how Firefox handled a child process: a compromised process could cause the parent to return an overly powerful handle, risking an escape from the browser's sandbox. Unlike the Chrome flaw, there is no evidence that CVE-2025-2857 has been actively exploited in the wild. Google had earlier addressed the Chrome zero-day, CVE-2025-2783, which was used in targeted attacks against various sectors in Russia. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the Chrome flaw to its Known Exploited Vulnerabilities catalog. Both Mozilla and Google advise users to update their browsers to the latest versions to protect against these vulnerabilities. |
| 2025-03-28 01:22:41 | theregister | CYBERCRIME | Cybercriminals Extort Cable Firm WOW!, Threaten Massive Data Leak | A cybercrime group named Arkana claims to have stolen data from cable company WideOpenWest (WOW!), affecting 403,000 users. The stolen data reportedly includes usernames, passwords, partial credit card details, email addresses, login histories, modem types, and security questions and answers. Arkana has produced a music video boasting of the breach and threatening to sell or leak the data if WOW! does not pay a ransom by Friday. On its website the group positions itself as a security firm, claiming to specialize in identifying critical vulnerabilities and offering companies "second chances" to rectify security failures. Security firm Hudson Rock confirmed that the breach likely began with info-stealer malware that infected a WOW! employee's computer. Hudson Rock further linked the breach to intrusions into WOW! backend systems such as the Symphonica and Appian Cloud security tools. The incident highlights the growing role of info-stealers as a precursor to more extensive ransomware attacks. As of now, WideOpenWest has not issued any statement regarding the breach. |
| 2025-03-27 23:12:28 | bleepingcomputer | CYBERCRIME | Microsoft Stream Classic Domain Hijacked to Display Spam | Microsoft Stream's classic domain was hijacked to show a fake Amazon page promoting a Thai casino. The hijack affected all SharePoint sites still embedding video links from the deprecated microsoftstream.com domain. Microsoft had previously announced the phasing out of Microsoft Stream classic, with a complete migration to SharePoint by April 2024. The activity was first reported by users who noticed spam instead of videos on their SharePoint sites. The affected domain redirected users to a phishing site designed to mimic Amazon. Microsoft responded by shutting down the hijacked domain and blocking the spam pages on SharePoint. It remains unclear exactly how the domain was compromised, whether through DNS changes or other means. Microsoft has not disclosed specifics about the breach or the measures taken after the incident. |
| 2025-03-27 22:15:13 | theregister | NATION STATE ACTIVITY | China's FamousSparrow Resurfaces, Compromises US Financial Trade Group | The China-aligned APT group FamousSparrow, after a period of inactivity, breached a US financial-sector trade group and a Mexican research institute. ESET researchers uncovered the group's activities and new developments in its SparrowDoor backdoor malware during an investigation that began in July 2024. The group has also been loosely linked to the Chinese espionage group Salt Typhoon, though according to the researchers the two have distinct operational methods. FamousSparrow deployed two newly developed versions of SparrowDoor with enhanced capabilities and architecture on compromised networks. The group exploited vulnerabilities in outdated Windows Server and Microsoft Exchange deployments to deliver malware and establish control over victims' networks. In addition to the new SparrowDoor variants, FamousSparrow employed ShadowPad, a sophisticated backdoor previously used exclusively by other China-aligned actors. The intrusions provided remote control, data theft, and deep network access, signaling a significant threat to the affected organizations. |
| 2025-03-27 20:24:10 | bleepingcomputer | MALWARE | Malicious Code Discovered in 10 npm Packages, Steals Dev Data | Ten npm packages were compromised with malicious code aimed at stealing environment variables from developers' systems. The affected packages included several cryptocurrency-related ones and the popular 'country-currency-map'. Two obfuscated scripts, "/scripts/launch.js" and "/scripts/diagnostic-report.js", were added to the packages to execute upon installation. The stolen data, primarily environment variables containing sensitive information such as API keys and credentials, was transmitted to a remote server. The malicious updates are suspected to have resulted from npm maintainer accounts being compromised through credential stuffing or expired-domain takeovers. Except for 'country-currency-map', the compromised packages are still available on npm, and their latest versions are infected with the info-stealer malware. The account-takeover hypothesis is supported by the fact that the corresponding GitHub repositories were not updated with the malicious code. Despite npm's mandatory two-factor authentication for popular projects, older packages maintained by less active developers were affected by this campaign. |
| 2025-03-27 18:42:49 | bleepingcomputer | NATION STATE ACTIVITY | Chinese Hackers Upgrade Malware, Target Global Organizations | The Chinese cyberespionage group FamousSparrow deployed an advanced version of its SparrowDoor malware against a US trade organization. Security firm ESET revealed that the upgraded malware supports parallel command execution, improving the efficiency and effectiveness of its operations. Recent targets include a Mexican research institute and a Honduran government institution, with initial access gained via compromised Microsoft Exchange and Windows Server systems. The new versions of the malware show significant improvements in code quality, encryption, and architecture, indicating a sophisticated development effort. The latest iteration introduces a modular structure that lets it load new, memory-resident plugins from its command and control (C2) server at runtime. FamousSparrow is also using ShadowPad, a high-tier remote access trojan linked to multiple Chinese advanced persistent threat (APT) groups, suggesting access to shared cyberespionage tooling. ESET tracks FamousSparrow separately from similar groups because of its distinct operational techniques, despite some shared infrastructure that hints at a possible common third-party supplier. |
| 2025-03-27 17:08:51 | thehackernews | CYBERCRIME | New Phishing Kit Targets 114 Brands via DNS Email Exploits | A new phishing-as-a-service platform called Morphing Meerkat uses DNS MX records to mimic approximately 114 global brands. The phishing kit dynamically serves fake login pages matched to the victim's email service provider in order to steal credentials. Its campaigns often exploit open redirects and compromised domains to distribute phishing links, which are then shared through platforms such as Telegram. Morphing Meerkat has been involved in sending thousands of spam emails that leverage compromised websites and advertising platforms to avoid detection. The phishing pages can translate content into multiple languages, enabling attacks on a global scale, and include anti-analysis features that disable right-click and certain keyboard functions. Infoblox highlighted how natural the fake pages feel, since they closely replicate the design of the targeted service providers, increasing the chances of deceiving victims. The use of DNS MX records to identify and target specific email platforms such as Gmail, Microsoft Outlook, or Yahoo makes this technique particularly effective for targeted phishing. |
| 2025-03-27 16:40:25 | theregister | CYBERCRIME | Security Outfit Cracks Ransomware Gang, Alerts Authorities | Cybersecurity firm Resecurity infiltrated the BlackLock ransomware gang's operations and passed crucial data to law enforcement agencies. By exploiting a misconfiguration and an LFI vulnerability on BlackLock's Tor-based leak site, Resecurity obtained server configurations and operator credentials. Resecurity's intervention enabled the closure of BlackLock's data leak site and helped pre-empt data leaks for several victims. The firm's proactive measures allowed it to alert victims in France and Canada of impending data leaks, helping them prepare in advance. Attribution of the BlackLock operation suggested ties to Russia and China, with operational behavior indicating a no-target policy for BRICS and CIS countries. Overlapping victim lists suggested that BlackLock may be connected to, or a rebrand of, other ransomware entities such as El Dorado and Mamona. Resecurity also suggested BlackLock may be planning a silent exit, possibly in coordination with another ransomware brand, DragonForce. |
| 2025-03-27 16:32:24 | bleepingcomputer | MALWARE | Report Highlights Top WordPress Plugin Vulnerabilities of Q1 2025 | A new Patchstack report identifies the four most exploited WordPress plugin vulnerabilities of the first quarter of 2025. The targeted flaws, all rated critical in severity, were originally discovered and patched in 2024, yet many sites remain unpatched. Attackers used these vulnerabilities to attempt arbitrary code execution or theft of sensitive data from websites. Two of the vulnerabilities were reported as actively exploited for the first time this quarter. Despite numerous exploitation attempts, not all led to successful compromises, thanks to preventive measures such as security blocks. The report stresses that website administrators should keep all WordPress components updated and enforce strong access controls, including multi-factor authentication. The wider WordPress community remains at risk because not all sites use effective security measures such as Patchstack, increasing the likelihood of successful exploitation. |
| 2025-03-27 14:53:04 | bleepingcomputer | MALWARE | Critical Firefox Sandbox Escape Flaw Patched in Latest Update | Mozilla has released Firefox 136.0.4 to fix a critical vulnerability that allowed attackers to bypass the browser's sandbox on Windows. The flaw, tracked as CVE-2025-2857, was reported internally by Mozilla developer Andrew McCreight and affects both the standard and extended support release (ESR) versions. It bears similarities to a recent Chrome vulnerability (CVE-2025-2783) that was exploited in cyber-espionage operations targeting Russian government and media entities. Mozilla's quick patch follows the discovery of a similar exploit pattern used against Google's Chrome, which involved sophisticated malware delivered via deceptive emails. Separately from this sandbox escape, Mozilla had previously addressed another Firefox zero-day exploited by a Russian cybercrime group, which paired it with a Windows privilege escalation flaw. CVE-2025-2857 specifically affects Firefox on Windows, with no current threat identified for other operating systems. |
| 2025-03-27 14:11:37 | thehackernews | MALWARE | Ransomware Groups Use Shared EDR Killer Tool in Recent Attacks | A new analysis reveals that RansomHub affiliates are using the same EDR-killing tool, EDRKillShifter, as other ransomware groups including Medusa, BianLian, and Play. EDRKillShifter uses the BYOVD tactic, loading a legitimate but vulnerable driver to disable security solutions before ransomware is deployed. The use of EDRKillShifter by multiple ransomware operations points to a rare pattern of specialized tools being shared among different ransomware groups. This is particularly notable because Play and BianLian, both operating under a restricted RaaS model, are typically guarded about their affiliate networks and tooling, indicating a high level of trust and collaboration. The research links these activities to a single threat actor known as QuadSwitcher, primarily associated with Play and its operational tactics. Recent trends in ransomware attacks include increased use of BYOVD techniques to neutralize security software, reflecting a tactical shift toward pre-emptive disruption of defenses. Recommendations for organizations include improving the detection of potentially unsafe applications so that vulnerable drivers cannot be loaded, thereby mitigating the risk of such attacks. |
| 2025-03-27 13:43:51 | bleepingcomputer | MISCELLANEOUS | Vivaldi Browser Integrates Proton VPN to Enhance Privacy | Vivaldi has integrated Proton VPN into its browser, enabling encrypted browsing and IP address obfuscation directly within the platform. The integration is designed to give users enhanced protection against web tracking and 'Big Tech' surveillance without requiring additional downloads or plugins. Proton VPN was chosen for its status as a non-profit Swiss organization, noted for its independence and proven integrity. The collaboration aims to offer a European alternative to U.S. tech giants, emphasizing privacy and user control over personal data. Vivaldi users need to update their browser and create a Vivaldi account to activate the VPN, which is accessible via a new toolbar button. The VPN service is free in its basic form, offering unlimited time and bandwidth but with limits on speed and server access. Users who want full Proton VPN functionality, including higher speeds and more server options, can subscribe to a paid plan. While the in-browser VPN protects user privacy during web sessions, it does not cover network traffic from other applications or background services that do not run through Vivaldi. |
| 2025-03-27 13:26:04 | theregister | CYBERCRIME | CrushFTP CEO Clashes With CNA Over Vulnerability Reporting | CrushFTP CEO Ben Spink expressed dissatisfaction with VulnCheck's assignment of an unofficial CVE ID for a critical vulnerability in CrushFTP's software. Spink asserts that the VulnCheck-assigned CVE is a duplicate and that VulnCheck lacks detailed knowledge of the vulnerability. CrushFTP had previously informed customers of the vulnerability and urged them to update immediately to newer software versions. The disclosed vulnerability allows unauthenticated access via specially crafted HTTP requests, making it particularly severe. CrushFTP's communications and the details provided to customers reportedly contain inconsistencies about which versions are affected. Rapid7 pointed to past incidents in which CrushFTP did not issue a CVE for a critical vulnerability that was exploited as a zero-day. The CEO's assertive demand that VulnCheck retract its CVE suggests a tense relationship between vendor and CNA, with potential consequences for CrushFTP's reputation and customer trust. |
| 2025-03-27 12:33:47 | thehackernews | NATION STATE ACTIVITY | APT36 Uses Fake India Post Site to Deploy Malware on Devices | APT36, a group linked to Pakistan, created a counterfeit India Post website to distribute malware targeting Windows and Android users in India. The cybersecurity firm CYFIRMA attributed the campaign to APT36 with medium confidence, identifying the group by its alternate name, Transparent Tribe. When accessed from a Windows system, the fraudulent site prompts users to download a PDF that instructs them to run a PowerShell script, potentially compromising the system. Android users are tricked into downloading a malicious app that requests extensive permissions in order to access and exfiltrate sensitive data such as contact lists and location. The Android malware changes its icon to resemble a Google Accounts icon to evade detection and hinder uninstallation. The malicious PDF and app are designed to persist, including evading battery optimization and restarting after the device reboots. The domain used for the fake site was registered in November 2024, and the PowerShell script connects to a server that is currently inactive, indicating ongoing or future malicious activity. The "ClickFix" tactic used in the campaign is noted for its growing prevalence among cybercriminals, targeting both less tech-savvy and more knowledgeable users. |