Daily Brief


Total articles found: 11779

Checks for new stories every ~15 minutes

Date | Source | Category | Title
2025-09-23 10:47:28 | bleepingcomputer | MALWARE | NPM Package 'Fezbox' Uses QR Codes for Cookie-Stealing Malware
The npm package 'fezbox' was discovered using QR codes to deploy cookie-stealing malware, targeting sensitive user data like credentials. This package masqueraded as a utility library on npmjs.com, the largest open-source registry for JavaScript and Node.js developers. The package was downloaded at least 327 times before being removed by registry administrators, indicating potential exposure. Malicious code within 'fezbox' retrieves a JPG image containing a QR code, which executes a second-stage payload. The threat actor used reversed URL strings to evade detection by static analysis tools, enhancing the malware's stealth capabilities. The payload extracts cookies and credentials, sending them to a remote server via an HTTPS POST request if both username and password are present. This attack showcases a novel use of QR codes in malware delivery, bypassing traditional security measures by mimicking ordinary image traffic. The incident emphasizes the need for enhanced scrutiny and monitoring of open-source packages to prevent similar threats.
2025-09-23 10:14:23 | theregister | CYBERCRIME | UK Cyber Attacks Attributed to Local Criminal Group, Not Russia
UK Chancellor Rachel Reeves attributed recent cyber incidents affecting major UK firms to Russian-backed entities, despite a lack of supporting evidence. The National Crime Agency (NCA) arrested four suspects linked to the Marks & Spencer breach, identifying them as part of the Scattered Spider group. Scattered Spider, an English-speaking social engineering crew, is believed to consist mainly of young individuals from the UK and US. The group's tactics include SIM-swapping, phishing, and manipulating call center staff, impacting companies like Co-op, Harrods, and Jaguar Land Rover. The Jaguar Land Rover attack led to factory shutdowns, resulting in significant financial losses due to halted production. Authorities and researchers have characterized Scattered Spider as a criminal gang rather than a state-sponsored entity. Reeves' claims of Russian involvement contrast with NCA findings and may undermine confidence in government messaging without concrete evidence. Businesses must distinguish between state-sponsored threats and local criminal activities to effectively address cybersecurity risks.
2025-09-23 09:21:32 | thehackernews | VULNERABILITIES | GitHub Implements 2FA and Short-Lived Tokens for npm Security
GitHub is enhancing npm supply chain security by mandating two-factor authentication (2FA) and introducing short-lived tokens to combat recent supply chain attacks. The Shai-Hulud attack, a recent supply chain threat, injected a self-replicating worm into npm packages, targeting developer machines to extract sensitive information. New security measures include trusted publishing from CI/CD workflows using OpenID Connect, eliminating the need for npm tokens and establishing cryptographic trust. The npm CLI will automatically generate provenance attestations, allowing users to verify the source and build environment of packages, thus boosting supply chain trust. A malicious npm package, fezbox, was discovered using a steganographic technique to harvest browser passwords via QR codes, showcasing evolving threat actor tactics. Fezbox, now removed, attracted 476 downloads and demonstrated the need for robust dependency checks to counter sophisticated obfuscation methods. GitHub's proactive measures aim to prevent future attacks and enhance the security of the npm ecosystem, safeguarding developers and users alike.
2025-09-23 08:18:57 | thehackernews | MALWARE | BadIIS Malware Exploits SEO Poisoning to Target East Asian Servers
Cybersecurity experts have identified a malware campaign using BadIIS, targeting East and Southeast Asia, with Vietnam as a primary focus, through SEO poisoning tactics. The operation, named Operation Rewrite, is linked to a Chinese-speaking threat actor, sharing infrastructure with entities known as Group 9 and DragonRank. Attackers manipulate search engine results to redirect users to malicious sites, using a compromised Internet Information Services (IIS) module to intercept and modify web traffic. BadIIS employs HTTP request inspections to serve poisoned content, altering search engine indexing to mislead users into visiting compromised sites. The campaign involves creating new local user accounts and deploying web shells for persistent access, allowing source code exfiltration and BadIIS implant uploads. The operation's infrastructure and linguistic evidence suggest a high likelihood of Chinese-speaking actors behind the campaign. This disclosure follows reports of similar malicious activities, highlighting ongoing SEO fraud efforts targeting servers in Brazil, Thailand, and Vietnam.
2025-09-23 06:03:18 | theregister | DATA BREACH | Digital Charging Solutions Reports Data Breach Affecting Customer Information
Digital Charging Solutions (DCS) reported a security incident involving unauthorized access to customer data by a service provider, affecting names and email addresses. The breach impacts users of DCS's electric vehicle charging services, including those of Kia and BMW e-charging customers in the UK and Europe. DCS has confirmed that payment information remains secure as it is not stored or processed on the compromised databases. Immediate investigations were launched, and DCS is collaborating with the service provider to address the issue and enhance security measures. Law enforcement and data protection authorities have been notified, reflecting DCS's commitment to transparency and regulatory compliance. Affected customers have been informed out of caution, with DCS advising vigilance against potential phishing attempts. The incident currently involves a limited number of confirmed cases, with ongoing investigations to determine the full scope of the breach. DCS maintains that the charging services and billing operations continue to function without disruption.
2025-09-22 21:29:55 | bleepingcomputer | CYBERCRIME | Ransomware Attack Disrupts Major European Airports' Operations
A ransomware attack over the weekend targeted the check-in and boarding systems at major European airports, including Heathrow, Brussels, and Brandenburg, causing significant operational disruptions. The attack focused on Collins Aerospace's MUSE system, used by multiple airlines for shared check-in and boarding, resulting in over 100 flight delays or cancellations. Airports in Ireland, such as Cork and Dublin, faced minor impacts, while other affected airports advised passengers to verify flight statuses due to ongoing disruptions. The European Union Agency for Cybersecurity confirmed the ransomware nature of the attack, with Collins Aerospace actively working to restore affected systems. Law enforcement agencies, including the UK's National Cyber Security Centre, are investigating the incident, collaborating with Collins Aerospace and impacted airports. The incident underscores the critical need for robust cybersecurity measures in aviation, with the NCSC urging organizations to utilize its free security guidance and tools.
2025-09-22 20:35:03 | bleepingcomputer | VULNERABILITIES | American Archive Fixes Long-Standing Media Access Vulnerability
The American Archive of Public Broadcasting (AAPB) patched a vulnerability that allowed unauthorized downloading of restricted media, exploited since at least 2021. A cybersecurity researcher, who reported the flaw earlier, confirmed the fix was implemented within 48 hours of notification. The flaw involved an insecure direct object reference (IDOR), enabling access to media by altering media ID parameters, bypassing access controls. Despite the patch, the exploit method had circulated within Discord communities, leading to leaks of protected content. The incident underscores the challenges archives face in balancing public access with securing sensitive content. AAPB, operated by the WGBH Educational Foundation and the Library of Congress, is committed to preserving and securing its archival materials. This incident follows a previous breach involving PBS employee contact information, indicating ongoing security challenges in media archives.
2025-09-22 18:22:16 | theregister | CYBERCRIME | Teen Arrested for Alleged Role in Las Vegas Casino Hacks
A teenager has been arrested in Las Vegas, accused of hacking multiple casino networks as part of the Scattered Spider cybercrime group in 2023. The Las Vegas Cyber Task Force, involving local police and the FBI, led the investigation into casino attacks occurring between August and October 2023. Charges against the teen include using personal information for harm, extortion, and unlawful computer acts; authorities seek to try him as an adult. This arrest follows the detention of two UK teens linked to Scattered Spider, who are accused of attacking Transport for London in August 2024. The Scattered Spider group has been implicated in over 120 intrusions, demanding at least $115 million in ransom payments, highlighting the group's extensive reach. The recent arrests are part of broader efforts to dismantle the cybercrime group responsible for significant financial and operational damage. The Las Vegas casino attacks underscore the vulnerability of high-profile targets to sophisticated cybercriminal activities by organized groups.
2025-09-22 18:04:23 | bleepingcomputer | DATA BREACH | Stellantis Data Breach Involves Salesforce Platform, Affecting Millions
Stellantis confirmed a data breach impacting North American customers, linked to unauthorized access via a third-party service provider's platform. The breach involved the theft of customer contact information, though no financial or sensitive personal data was compromised. Stellantis promptly activated incident response protocols, initiated an investigation, and notified authorities and affected customers. The breach is part of a broader wave of Salesforce data breaches claimed by the ShinyHunters extortion group, targeting high-profile companies. ShinyHunters reportedly stole over 18 million Salesforce records from Stellantis, utilizing stolen OAuth tokens for further data theft. The FBI has issued a Flash alert with indicators of compromise, warning organizations about similar threats to Salesforce environments. Stellantis advises customers to remain vigilant against phishing attempts and avoid engaging with suspicious communications.
2025-09-22 17:10:25 | bleepingcomputer | VULNERABILITIES | New EDR-Freeze Tool Exploits Windows Error Reporting for Evasion
Security researcher TwoSevenOneThree introduced EDR-Freeze, a tool leveraging Windows Error Reporting (WER) to suspend security software, bypassing the need for vulnerable drivers. The method exploits the MiniDumpWriteDump API, which suspends process threads, leaving security agents like EDR tools in a dormant state. Unlike traditional BYOVD attacks, EDR-Freeze operates entirely from user mode, using legitimate Windows components, enhancing stealth and reducing detection risk. The technique involves a race condition attack, successfully tested on Windows 11 24H2, freezing the Windows Defender process. Security measures can include monitoring WER for identifiers of sensitive processes; Microsoft is advised to harden components against such misuse. The method is considered a design flaw rather than a direct vulnerability, prompting discussions on potential security enhancements. Microsoft has been contacted for guidance on defending against this technique, with updates pending.
2025-09-22 15:57:12 | bleepingcomputer | VULNERABILITIES | Mozilla Introduces Rollback Feature for Firefox Extensions
Mozilla now allows Firefox extension developers to revert to previous versions, enhancing the ability to quickly address critical bugs and issues in extensions. This rollback feature ensures that users with automatic updates will see extensions revert to stable versions within 24 hours if a problematic update is detected. Developers can use the "Rollback to a previous version" option via the Developer Hub or Add-on Submission API, provided there are at least two approved versions. This capability applies to extensions distributed on addons.mozilla.org, while self-distributed extensions can revert to any approved version. Mozilla's ongoing security measures include blocking malicious extensions, with recent efforts removing hundreds of scam crypto wallet extensions. The introduction of this rollback feature represents Mozilla's commitment to maintaining the integrity and security of its extension ecosystem. Extension developers are encouraged to leverage this feature to maintain user trust and ensure a smooth user experience.
2025-09-22 15:47:11 | thehackernews | CYBERCRIME | ComicForm and SectorJ149 Hackers Launch Formbook Malware Attacks
A new hacking group, ComicForm, has targeted organizations in Belarus, Kazakhstan, and Russia since April 2025, focusing on sectors like industrial, financial, and biotechnology. The attack involves phishing emails with misleading subject lines, urging recipients to open a disguised Windows executable that deploys Formbook malware. The phishing emails are sent from domains registered in Russia, Belarus, and Kazakhstan, using Russian or English language to broaden their target reach. ComicForm's infrastructure analysis revealed phishing attempts against a Kazakh company and a Belarusian bank, aiming to steal credentials via fake login pages. SectorJ149, a pro-Russian group, has targeted South Korean sectors such as manufacturing and energy, using spear-phishing emails to deploy malware like Lumma Stealer and Remcos RAT. SectorJ149's attacks involve Visual Basic Scripts that execute PowerShell commands to download and run malware, indicating a shift towards hacktivist motives. The incidents highlight the persistent threat of phishing campaigns and the need for robust email security measures to protect against credential theft and malware infections.
2025-09-22 15:37:25 | bleepingcomputer | MALWARE | Fake Password Managers Target Mac Users with AMOS Malware
LastPass alerts users to a campaign targeting macOS users with fake password managers, delivering the Atomic (AMOS) info-stealing malware. The malware is distributed through fraudulent GitHub repositories, using SEO tactics to appear in Google and Bing search results. AMOS, a malware-as-a-service, costs $1,000/month and now includes a backdoor for persistent access to compromised systems. Attackers impersonate over 100 software products, including 1Password, Dropbox, and Adobe After Effects, to deceive users. The campaign uses ClickFix attacks, tricking users into executing terminal commands that download malware to their systems. LastPass actively monitors and reports fake repositories to GitHub, though attackers can rapidly create new ones. Users are advised to download software only from official vendor websites to avoid falling victim to such attacks.
2025-09-22 14:04:57 | bleepingcomputer | MISCELLANEOUS | Shift in Phishing Tactics: Beyond Email to Diverse Channels
Cyber attackers are expanding phishing tactics beyond email, utilizing social media, instant messaging, and search engine ads to reach targets, complicating detection and response efforts. The decentralization of modern work environments has increased exposure to phishing, with employees accessing multiple communication platforms on corporate devices. Non-email phishing incidents often go unreported, as traditional email security tools do not capture these attacks, leaving organizations reliant on user reports. Advanced phishing kits employ obfuscation techniques, bypassing web proxies and other detection methods, making technical controls less effective. Attackers exploit personal and corporate account overlaps, as seen in the Okta breach, where personal device compromise led to corporate credential theft. Recent campaigns include LinkedIn spear-phishing targeting executives and Google Search malvertising, both utilizing sophisticated evasion and targeting strategies. Organizations are urged to adopt comprehensive solutions like Push Security to detect and block phishing across all platforms, responding in real-time as threats emerge.
2025-09-22 13:17:29 | theregister | CYBERCRIME | Ransomware Attack Disrupts Major European Airport Operations
The European Union Agency for Cybersecurity confirmed a ransomware attack affecting airport operations across Europe, including London Heathrow, Berlin Brandenburg, Brussels, Dublin, and Cork. Collins Aerospace, a U.S.-based company providing critical check-in software, is at the center of the disruption, impacting traveler processing systems at multiple airports. Airport staff have switched to manual operations, urging travelers to use self-service check-in and bag drop systems to mitigate delays. Heathrow and other affected airports have implemented contingency plans, maintaining near-normal flight operations despite the cyberattack's impact. Brussels Airport experienced significant disruptions, cancelling nearly half of its flights on Monday, while Heathrow reported minimal cancellations and delays. Airlines and airport authorities are actively working with Collins Aerospace to resolve the issue, though a timeline for full recovery remains uncertain. This incident underscores the vulnerability of critical infrastructure to cyberattacks and the importance of robust cybersecurity measures and contingency planning.