Tag: Cyber Threats

  • Russian Hackers Create 4,300 Fake Travel Sites to Steal Hotel Guests' Payment Data

    A Russian-speaking threat actor behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year.

    The activity, per Netcraft security researcher Andrew Brandt, uses spam emails to target customers of the hospitality industry, specifically hotel guests who may have travel reservations. The campaign is said to have begun in earnest around February 2025.

    Of the 4,344 domains tied to the attack, 685 domains contain the name “Booking”, followed by 18 with “Expedia,” 13 with “Agoda,” and 12 with “Airbnb,” indicating an attempt to target all popular booking and rental platforms.

    “The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website,” Brandt said. “The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com.”

    The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy.

    The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target.

    “After the initial visit, the AD_CODE value is written to a cookie, which ensures that subsequent pages present the same impersonated branding appearance to the site visitor as they click through pages,” Netcraft said. This also means that changing the “AD_CODE” value in the URL produces a page targeting a different hotel on the same booking platform.

    As soon as the card details, along with the expiration date and CVV number, are entered, the page attempts to process a transaction in the background, while a “support chat” window appears on the screen with steps to complete a supposed “3D Secure verification for your credit card” to secure against fake bookings.

    The identity of the threat group behind the campaign remains unknown, but the use of Russian for source code comments and debugger output either alludes to their provenance or is an attempt to cater to prospective customers of the phishing kit who may be looking to customize it to suit their needs.

    The disclosure comes days after Sekoia warned of a large-scale phishing campaign targeting the hospitality industry that lures hotel managers to ClickFix-style pages, harvests their credentials by deploying malware like PureRAT, and then approaches hotel customers via WhatsApp or email with their reservation details, asking them to confirm their booking by clicking on a link.

    Interestingly, one of the indicators shared by the French cybersecurity company – guestverifiy5313-booking[.]com/67122859 – matches the domain pattern registered by the threat actor (e.g., verifyguets71561-booking[.]com), raising the possibility that these two clusters of activity could be related. The Hacker News has reached out to Netcraft for comment, and we will update the story if we hear back.
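    The domain naming pattern described above (an impersonated brand, verification or booking wording, and a run of digits) can be turned into a simple triage score for defanged indicators. The following is an added example, not Netcraft's or Sekoia's code; the two indicators from the article are used as-is, and the remaining hosts are constructed controls.

```javascript
// Added example: a defender-side scorer for the travel-phishing domain pattern
// described in the article (impersonated brand + verification/booking wording +
// a digit run). Not Netcraft's code; the two defanged indicators are the page's
// own, the other hosts are constructed.

const BRANDS = ['booking', 'expedia', 'agoda', 'airbnb'];
// Stems rather than whole words, so the misspelled variants seen in the
// campaign ("guestverifiy", "verifyguets") still match.
const LURE_STEMS = ['confirm', 'guestcheck', 'cardverif', 'reserv', 'verif', 'guest'];

// Turn a defanged indicator such as "example[.]com/path" into a lower-case hostname.
function normalizeHost(indicator) {
  return indicator.toLowerCase().replace(/\[\.\]/g, '.').replace(/^https?:\/\//, '').split('/')[0];
}

// Score one indicator: 3 = brand impersonated + lure wording + digit run, 0 = none.
// The brand counts only when it is embedded in a longer registrable label, so the
// genuine "www.booking.com" scores 0 while "guest...-booking.com" is flagged.
function scoreTravelPhishHost(indicator) {
  const host = normalizeHost(indicator);
  const labels = host.split('.');
  const sld = labels.length >= 2 ? labels[labels.length - 2] : host; // registrable label
  const name = labels.slice(0, -1).join('-'); // everything but the TLD
  const reasons = [];
  const brand = BRANDS.find((b) => name.includes(b));
  if (brand && sld !== brand) reasons.push(`impersonates:${brand}`);
  const lure = LURE_STEMS.find((s) => name.includes(s));
  if (lure) reasons.push(`lure:${lure}`);
  const digits = name.match(/\d{3,}/);
  if (digits) reasons.push(`digit-run:${digits[0]}`);
  return { host, score: reasons.length, reasons };
}

// Indicators to score: the two from the article (defanged), plus constructed hosts.
const SAMPLE_INDICATORS = [
  'guestverifiy5313-booking[.]com/67122859',
  'verifyguets71561-booking[.]com',
  'www.booking.com',                 // genuine brand host, constructed control
  'reservation-confirm.example.com', // constructed: lure wording, no brand
];

function scoreAll(indicators) {
  return indicators.map(scoreTravelPhishHost);
}

console.log(JSON.stringify(scoreAll(SAMPLE_INDICATORS), null, 2));
```

A score of 3 is a strong match for this campaign's pattern, while a lone lure stem on an unrelated domain is only worth a look.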

    In recent weeks, large-scale phishing campaigns have also impersonated multiple brands like Microsoft, Adobe, WeTransfer, FedEx, and DHL to steal credentials by distributing HTML attachments through email. The embedded HTML files, once launched, display a fake login page while JavaScript code captures credentials entered by the victim and sends them directly to attacker-controlled Telegram bots, Cyble said.

    The campaign has mainly targeted a wide range of organizations across Central and Eastern Europe, particularly in the Czech Republic, Slovakia, Hungary, and Germany.

    “The attackers distribute phishing emails posing as legitimate customers or business partners, requesting quotations or invoice confirmations,” the company pointed out. “This regional focus is evident through targeted recipient domains belonging to local enterprises, distributors, government-linked entities, and hospitality firms that routinely process RFQs and supplier communications.”

    Furthermore, phishing kits have been put to use in a large-scale campaign targeting customers of Aruba S.p.A, one of Italy’s largest web hosting and IT service providers, in a similar attempt to steal sensitive data and payment information.

    The phishing kit is a “fully automated, multi-stage platform designed for efficiency and stealth,” Group-IB researchers Ivan Salipur and Federico Marazzi said. “It employs CAPTCHA filtering to evade security scans, pre-fills victim data to increase credibility, and uses Telegram bots to exfiltrate stolen credentials and payment information. Every function serves a single goal: industrial-scale credential theft.”

    These findings exemplify the growing demand for phishing-as-a-service (PhaaS) offerings in the underground economy, enabling threat actors with little to no technical expertise to pull off attacks at scale.

    “The automation observed in this particular kit exemplifies how phishing has become systematized – faster to deploy, harder to detect, and easier to replicate,” the Singaporean company added. “What once required technical expertise can now be executed at scale through pre-built, automated frameworks.”


    Source: thehackernews.com…

  • Fake Chrome Extension “Safery” Steals Ethereum Wallet Seed Phrases Using Sui Blockchain

    Nov 13, 2025 | Ravie Lakshmanan | Browser Security / Threat Intelligence

    Cybersecurity researchers have uncovered a malicious Chrome extension that poses as a legitimate Ethereum wallet but harbors functionality to exfiltrate users’ seed phrases.

    The name of the extension is “Safery: Ethereum Wallet,” with the threat actor describing it as a “secure wallet for managing Ethereum cryptocurrency with flexible settings.” It was uploaded to the Chrome Web Store on September 29, 2025, and was updated as recently as November 12. It’s still available for download as of writing.

    “Marketed as a simple, secure Ethereum (ETH) wallet, it contains a backdoor that exfiltrates seed phrases by encoding them into Sui addresses and broadcasting microtransactions from a threat actor-controlled Sui wallet,” Socket security researcher Kirill Boychenko said.

    Specifically, the malware present within the browser add-on is designed to steal wallet mnemonic phrases by encoding them as fake Sui wallet addresses and then using micro-transactions to send 0.000001 SUI to those wallets from a hard-coded threat actor-controlled wallet.

    The end goal of the malware is to smuggle the seed phrase inside normal looking blockchain transactions without the need for setting up a command-and-control (C2) server to receive the information. Once the transactions are complete, the threat actor can decode the recipient addresses to reconstruct the original seed phrase and ultimately drain assets from it.

    “This extension steals wallet seed phrases by encoding them as fake Sui addresses and sending micro-transactions to them from an attacker-controlled wallet, allowing the attacker to monitor the blockchain, decode the addresses back to seed phrases, and drain victims’ funds,” Koi Security notes in an analysis.

    To counter the risk posed by the threat, users are advised to stick to trusted wallet extensions. Defenders are recommended to scan extensions for mnemonic encoders, synthetic address generators, and hard-coded seed phrases, as well as block those that write on the chain during wallet import or creation.

    “This technique lets threat actors switch chains and RPC endpoints with little effort, so detections that rely on domains, URLs, or specific extension IDs will miss it,” Boychenko said. “Treat unexpected blockchain RPC calls from the browser as high signal, especially when the product claims to be single chain.”


    Source: thehackernews.com…

  • Operation Endgame Dismantles Rhadamanthys, Venom RAT, and Elysium Botnet in Global Crackdown

    Nov 13, 2025 | Ravie Lakshmanan | Botnet / Cybercrime

    Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet have been disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust.

    The activity, which is taking place between November 10 and 13, 2025, marks the latest phase of Operation Endgame, an ongoing operation designed to take down criminal infrastructures and combat ransomware enablers worldwide.

    Besides dismantling the “three large cybercrime enablers,” authorities have also arrested the main suspect behind Venom RAT in Greece on November 3, more than 1,025 servers have been taken down, and 20 domains have been seized.

    “The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials,” Europol said in a statement. “Many of the victims were not aware of the infection of their systems.”

    It’s currently not clear if the Elysium botnet Europol refers to is the same proxy botnet service RHAD security (aka Mythical Origin Labs), the threat actor associated with Rhadamanthys, was observed advertising as recently as last month.

    Europol also noted that the main suspect behind the infostealer had access to no less than 100,000 cryptocurrency wallets belonging to victims, potentially amounting to millions of euros.

    A recent analysis published by Check Point revealed that the latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar.

    Authorities that participated in the effort included law enforcement agencies from Australia, Canada, Denmark, France, Germany, Greece, Lithuania, the Netherlands, and the U.S.

    (This is a developing story. Please check back for more updates.)


    Source: thehackernews.com…

  • When Attacks Come Faster Than Patches: Why 2026 Will be the Year of Machine-Speed Security

    The Race for Every New CVE

    Based on multiple 2025 industry reports: roughly 50 to 61 percent of newly disclosed vulnerabilities saw exploit code weaponized within 48 hours. Using the CISA Known Exploited Vulnerabilities Catalog as a reference, hundreds of software flaws are now confirmed as actively targeted within days of public disclosure. Each new announcement now triggers a global race between attackers and defenders. Both sides monitor the same feeds, but one moves at machine speed while the other moves at human speed.

    Major threat actors have fully industrialized their response. The moment a new vulnerability appears in public databases, automated scripts scrape, parse, and assess it for exploitation potential, and now these efforts are getting ever more streamlined through the use of AI. Meanwhile, IT and security teams often enter triage mode, reading advisories, classifying severity, and queuing updates for the next patch cycle. That delay is precisely the gap the adversaries exploit.

    The traditional cadence of quarterly or even monthly patching is no longer sustainable. Attackers now weaponize critical vulnerabilities within hours of disclosure, long before organizations have even analyzed or validated them, and usually well before they have rolled out the fix.

    The Exploitation Economy of Speed

    Today’s threat ecosystem is built on automation and volume. Exploit brokers and affiliate groups operate as supply chains, each specializing in one part of the attack process. They use vulnerability feeds, open-source scanners, and fingerprinting tools to match new CVEs against exposed software targets. Many of these targets have already been identified, and these systems know in advance which targets are most likely to be susceptible to the impending attack. This is a game of quick draw: the fastest gun wins.

    Research from Mandiant shows that exploitation often begins within 48 hours of public disclosure; in many organizations, IT operates 8 hours a day, leaving 32 of those hours in the attackers’ favor. This efficiency in operations illustrates how attackers have stripped almost every manual step from their workflow. Once a working exploit is confirmed, it’s packaged and shared within hours across dark web forums, internal channels, and malware kits.

    Failure at Scale is Acceptable

    Attackers also enjoy a luxury defenders can’t afford: failure. If they crash a thousand systems on the path to compromising a hundred, the effort is still a success. Their metrics are based on yield, not uptime. Defenders, on the other hand, must achieve near-perfect stability. A single failed update or service interruption can have a widespread impact and cause loss of customer trust. This imbalance allows adversaries to take reckless risks while defenders remain constrained, and that also helps keep the operational gap wide enough for consistent exploitation.

    From Human-Speed Defense to Machine-Speed Resilience

    Awareness is not the issue. The challenge is execution speed. Security teams know when vulnerabilities are published but cannot move fast enough without automation. Transitioning from ticket-based or manual patching to orchestrated, policy-driven remediation is no longer optional if you want to remain competitive in this fight.

    Automated hardening and response systems can drastically shorten exposure windows. By continuously applying critical patches, enforcing configuration baselines, and using conditional rollback when needed, organizations can maintain operational safety while removing delay. And a hard lesson here that many will simply have to get over is that the damage you may cause will almost certainly be less, and easier to recover from, than an attack. It is a calculated risk, and one that can be managed. The lesson is simple: would you rather have to roll back a browser update for 1,000 systems, or recover them entirely from backup? I am not suggesting you be cavalier about this, but weigh the value of your hesitance against the value of your action, and when action wins, listen to your gut. IT leaders need to begin to understand this, and business leaders need to realize that this is IT’s best strategy. Absolutely test, and factor in business criticality when choosing the speed at which to proceed on critical systems, but tilt the whole process towards streamlined automation and in favor of rapid action.

    Flatten the Burnout Curve

    Automation also reduces fatigue and error. Instead of chasing alerts, security teams define rules once, allowing systems to enforce them continuously. This shift turns cybersecurity into an adaptive, self-sustaining process instead of a cycle of manual triage and stitches. It takes less time to audit and review processes than it does to enact them in almost all cases.

    This new class of attack automation systems does not sleep, does not get tired, and does not care about any consequences of its actions. It is singularly focused on one goal: gain access to as many systems as possible. No matter how many people you throw at this problem, the problem festers between departments, policies, personalities, and egos. If you aim to combat a tireless machine, you need a tireless machine in your corner of the ring.

    Changing What Can’t Be Automated

    Even the most advanced tools cannot automate everything. Some workloads are too delicate or bound by strict compliance frameworks. But those exceptions should still be examined through a single lens: how can they be made more automatable or, failing that, at least more efficient?

    That may mean standardizing configurations, segmenting legacy systems, or streamlining dependencies that slow patch workflows. Every manual step left in place represents time lost, and time is the one resource attackers exploit most effectively.

    We have to look at defense strategies in depth to determine which decisions, policies, or approval processes are creating drag. If the chain of command or change management is slowing remediation, it may be time for sweeping policy changes designed to eliminate those bottlenecks. Defense automation should operate at a pace commensurate with attacker behavior, not for administrative convenience.

    Accelerated Defense in Practice

    Many forward-thinking enterprises have already adopted the principle of accelerated defense, combining automation, orchestration, and controlled rollback to maintain agility without introducing chaos.

    Platforms such as Action1 facilitate this approach by enabling security teams to identify, deploy, and verify patches automatically across entire enterprise environments. This eliminates the manual steps that slow patch deployment and closes the gap between awareness and action. If your policies are sound, your automation is sound, and your decisions are sound in practice because they are all agreed upon in advance.

    By automating remediation and validation, Action1 and similar solutions exemplify what security at machine speed looks like: rapid, governed, and resilient. The objective isn’t simply automation, but policy-driven automation, where human judgment defines boundaries and technology executes instantly.

    The Future Is Automated Defense

    Both attackers and defenders draw from the same public data, but it is the automation built atop that data that decides who wins the race. Every hour between disclosure and remediation represents a potential compromise. Defenders cannot slow the pace of discovery, but they can close the gap through hardening, orchestration, and systemic automation. The future of cybersecurity belongs to those who make instant, informed action their standard operating mode, because in this race, the slowest responder is already compromised.

    Key takeaways:

    • No team of humans will ever be able to outpace the sheer speed and efficiency of the automated attack systems being built. More people lead to more decisions, delays, confusion, and margins for error. This is a firefight: you must use equal force, automate or lose.
    • Threat actors are building fully automated attack pipelines in which new exploit code is simply fed to the system, or even developed by it, using AI. They work 24/7/365, they do not fatigue, they do not take breaks, they seek and destroy as a reason for existence until turned off or directed otherwise.
    • Most mass threat actors operate on body count, not precision shots. They are not looking “for you” as much as they are looking for “Anyone”. Your scale and value mean nothing at the initial compromise phase, which is evaluated AFTER access is gained.
    • Threat actors think nothing about using large volumes of their ill-gotten gains on new tech to further their offensive capabilities; to them, it is an investment. At the same time, the industry sees it as a drain on profits. The system attacking you involved many talented devs in its construction and maintenance, and budgets beyond the wildest dream of any defender. These are not hobby crooks, they are highly organized enterprises just as capable, and more willing to invest in the resources than the business sector is.

    Here comes 2026. Is your network ready for it?

    Note: This article was written and contributed by Gene Moody, Field CTO at Action1.


    Source: thehackernews.com…

  • ThreatsDay Bulletin: Cisco 0-Days, AI Bug Bounties, Crypto Heists, State-Linked Leaks and 20 More Stories

    Nov 13, 2025 | Ravie Lakshmanan | Cybersecurity / Hacking News

    Behind every click, there’s a risk waiting to be tested. A simple ad, email, or link can now hide something dangerous. Hackers are getting smarter, using new tools to sneak past filters and turn trusted systems against us.

    But security teams are fighting back. They’re building faster defenses, better ways to spot attacks, and stronger systems to keep people safe. It’s a constant race — every move by attackers sparks a new response from defenders.

    In this week’s ThreatsDay Bulletin, we look at the latest moves in that race — from new malware and data leaks to AI tools, government actions, and major security updates shaping the digital world right now.

    1. Firefox tightens shield against online tracking

      Mozilla has added more fingerprint protections to its Firefox browser to prevent websites from identifying users without their consent, even when cookies are blocked or private browsing is enabled. The safeguards, starting with Firefox 145, aim to block access to certain pieces of information used by online fingerprinters. “This ranges from strengthening the font protections to preventing websites from getting to know your hardware details like the number of cores your processor has, the number of simultaneous fingers your touchscreen supports, and the dimensions of your dock or taskbar,” Mozilla said. Specifically, the new protections include introducing random data to images generated in canvas elements, preventing locally installed fonts from being used to render text on a page, reporting the number of simultaneous touches supported by device hardware as 0, 1, or 5, reporting Available Screen Resolution as the screen height minus 48 pixels, and reporting the number of processor cores as either 4 or 8.

    The cyber world never slows down. Every fix, every patch, every new idea brings a new risk waiting to be found. Staying alert isn’t just a choice anymore — it’s a habit we all need to build.

    The good news is that defenders are learning faster than ever. Researchers, companies, and governments are sharing more knowledge, closing more gaps, and helping each other face threats head-on. Progress may be slow, but it’s steady.

    As we wrap up this week’s ThreatsDay Bulletin, remember — awareness is the first line of defense. Stay curious, stay updated, and stay safe until next time.


    Source: thehackernews.com…

  • CISA Flags Critical WatchGuard Fireware Flaw Exposing 54,000 Fireboxes to No-Login Attacks

    Nov 13, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting WatchGuard Fireware to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

    The vulnerability in question is CVE-2025-9242 (CVSS score: 9.3), an out-of-bounds write vulnerability affecting Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3 and 2025.1.

    “WatchGuard Firebox contains an out-of-bounds write vulnerability in the OS iked process that may allow a remote unauthenticated attacker to execute arbitrary code,” CISA said in an advisory.

    Details of the vulnerability were shared by watchTowr Labs last month, with the cybersecurity company stating that the issue stems from a missing length check on an identification buffer used during the IKE handshake process.

    “The server does attempt certificate validation, but that validation happens after the vulnerable code runs, allowing our vulnerable code path to be reachable pre-authentication,” security researcher McCaulay Hudson noted.

    There are currently no details on how the security defect is being exploited or what the scale of such efforts is. According to data from the Shadowserver Foundation, more than 54,300 Firebox instances remain vulnerable to the critical bug as of November 12, 2025, down from a high of 75,955 on October 19.

    Roughly 18,500 of these devices are in the U.S., the scans reveal. Italy (5,400), the U.K. (4,000), Germany (3,600), and Canada (3,000) round out the top five. Federal Civilian Executive Branch (FCEB) agencies are advised to apply WatchGuard’s patches by December 3, 2025.

    The development comes as CISA also added CVE-2025-62215 (CVSS score: 7.0), a recently disclosed flaw in Windows kernel, and CVE-2025-12480 (CVSS score: 9.1), an improper access control vulnerability in Gladinet Triofox, to the KEV catalog. Google’s Mandiant Threat Defense team has attributed the exploitation of CVE-2025-12480 to a threat actor it tracks as UNC6485.


    Source: thehackernews.com…

  • Over 67,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

    Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.

    “The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years,” Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report.

    The coordinated campaign has so far published as many as 67,579 packages, according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is quite unusual: it’s designed to inundate the npm registry with random packages rather than focusing on data theft or other malicious behaviors.

    The worm-like propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods. The bogus packages masquerade as Next.js projects.

    “What makes this threat particularly concerning is that the attackers took the time to craft an NPM worm, rather than a singular attack,” McCarty said. “Even worse, these threat actors have been staging this for over two years.”

    Some signs that point to a sustained, coordinated effort include the consistent naming patterns and the fact that the packages are published from a small network of over a dozen npm accounts.

    The worm is located within a single JavaScript file (e.g., “auto.js” or “publishScript.js”) in each package, staying dormant until a user manually runs the script using a command like “node auto.js.” In other words, it does not execute automatically during installation or as part of a “postinstall” hook.

    It’s not clear why someone would go to the extent of running JavaScript manually, but the existence of over 43,000 packages suggests either multiple victims executed the script – either by accident or out of curiosity – or the attackers ran it themselves to flood the registry, Henrik Plate, head of security research at Endor Labs, told The Hacker News.

    “We haven’t found evidence of a coordinated social engineering campaign, but the code was written with social engineering potential, possible victim scenarios include: fake blog posts, tutorials, or README entries instructing users to run ‘node auto.js’ to ‘complete setup’ or ‘fix a build issue,’ [and] CI/CD pipeline build scripts with wildcards something like node *.js that execute all JavaScript files,” Raj added.

    “The payload’s dormant design is intended to evade automated detection, by requiring manual execution instead of ‘autorun,’ the attackers reduce the chance of being flagged by security scanners and sandboxing systems.”

    The manual execution causes the script to initiate a series of actions in an infinite loop, including removing the “private”: true setting from the “package.json” file. This setting is typically used to prevent accidental publication of private repositories. It then proceeds to create a random package name using the internal dictionary and assign it a random version number to bypass npm’s duplicate version detection.

    In the final stage, the spam package is uploaded to npm using the “npm publish” command. The entire process is repeated in an endless loop, causing a new package to be pushed out every 7 to 10 seconds. This translates to about 12 packages per minute, 720 per hour, or 17,000 per day.

    “This floods the NPM registry with junk packages, wastes infrastructure resources, pollutes search results, and creates supply chain risks if developers accidentally install these malicious packages,” McCarty said.

    According to Endor Labs, the campaign is part of an attack that was first flagged by Phylum (now part of Veracode) and Sonatype in April 2024 that involved the publication of thousands of spam packages to conduct a “massive automated crypto farming campaign” by abusing the Tea protocol.

    “What makes this campaign particularly insidious is its worm-like spreading mechanism,” the researchers said. “Analysis of the ‘package.json’ files reveals that these spam packages do not exist in isolation; they reference each other as dependencies, creating a self-replicating network.”

    Thus, when a user installs one of the spam packages, it causes npm to fetch the entire dependency tree, straining registry bandwidth as more dependencies are fetched exponentially.

    Endor Labs said some of the attacker-controlled packages, such as arts-dao and gula-dao, include a tea.yaml file listing five different TEA accounts. The Tea protocol is a decentralized framework that allows open-source developers to be rewarded for their software contributions.

    This likely indicates that the threat actors are using this campaign as a monetization vector by earning TEA tokens by artificially inflating their impact scores. It’s not clear who is behind the activity, but source code and infrastructure clues suggest it could be someone operating out of Indonesia.
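    The behaviours described above (a dormant script that strips the “private” guard and publishes in a loop, packages that depend on each other, and a bundled tea.yaml) are all visible without executing anything, which is what an install-time scanner misses. The following is an added example of those checks, not Endor Labs', Sonatype's or npm's code; every package name, file body and dependency edge in it is constructed.

```javascript
// Added example: detection heuristics for the IndonesianFoods-style npm spam
// described in the article. Not Endor Labs', Sonatype's or npm's code; every
// package name, file body and dependency edge below is constructed.

// Textual signals of the dormant publisher script: calls npm publish, rewrites
// package.json, strips the "private" guard, loops forever, randomizes the version.
const SPAM_SCRIPT_SIGNALS = [
  { id: 'publishes', re: /\bnpm\s+publish\b/ },
  { id: 'writes-package-json', re: /writeFileSync\([^)]*package\.json/ },
  { id: 'strips-private', re: /delete\s+\w+\.private\b|"private"\s*:\s*false/ },
  { id: 'endless-loop', re: /while\s*\(\s*true\s*\)|setInterval\s*\(/ },
  { id: 'random-version', re: /version[^\n]{0,60}Math\.random\(\)/ },
];
const SIGNAL_THRESHOLD = 3; // flag a file carrying at least this many signals

function scriptSignals(source) {
  return SPAM_SCRIPT_SIGNALS.filter((s) => s.re.test(source)).map((s) => s.id);
}

// Findings for one package from its parsed package.json and a { filename: text } map.
// "no-install-hook" records why install-time scanners saw nothing: the publisher is
// not wired to preinstall/postinstall and only runs when someone invokes it by hand.
function assessPackage(pkg, files) {
  const findings = [];
  for (const [name, source] of Object.entries(files)) {
    if (!name.endsWith('.js')) continue;
    const hits = scriptSignals(source);
    if (hits.length >= SIGNAL_THRESHOLD) findings.push(`dormant-publisher:${name}:${hits.join('+')}`);
  }
  if ('tea.yaml' in files) findings.push('tea-yaml');
  const hooks = Object.keys(pkg.scripts || {});
  if (findings.length && !hooks.some((h) => /install/.test(h))) findings.push('no-install-hook');
  return findings;
}

// Tarjan's strongly connected components over { name: [depName, ...] }. A component
// of two or more packages (or a self-edge) is a set that reference each other as
// dependencies, i.e. the self-replicating network the article describes.
function selfReferencingClusters(deps) {
  let counter = 0;
  const index = new Map(), low = new Map(), stack = [], onStack = new Set(), clusters = [];
  function visit(v) {
    index.set(v, counter); low.set(v, counter); counter++;
    stack.push(v); onStack.add(v);
    for (const w of deps[v] || []) {
      if (!(w in deps)) continue; // dependency outside the sample, ignore
      if (!index.has(w)) { visit(w); low.set(v, Math.min(low.get(v), low.get(w))); }
      else if (onStack.has(w)) low.set(v, Math.min(low.get(v), index.get(w)));
    }
    if (low.get(v) === index.get(v)) {
      const comp = [];
      let w;
      do { w = stack.pop(); onStack.delete(w); comp.push(w); } while (w !== v);
      if (comp.length > 1 || (deps[v] || []).includes(v)) clusters.push(comp.sort());
    }
  }
  for (const v of Object.keys(deps)) if (!index.has(v)) visit(v);
  return clusters;
}

// Constructed fragment carrying the signals the article describes; it is a
// fixture for the scanner, not a working script.
const WORM_LIKE_FRAGMENT = [
  'while (true) {',
  '  delete pkg.private;',
  "  pkg.version = '0.' + Math.floor(Math.random() * 1e6);",
  "  fs.writeFileSync('package.json', JSON.stringify(pkg));",
  "  execSync('npm publish');",
  '}',
].join('\n');

// Constructed three-package sample: two spam packages that depend on each other
// (one bundling a tea.yaml), plus an honest package that merely depends on one.
const SAMPLE = {
  'sample-rendang-dao': {
    pkg: { name: 'sample-rendang-dao', version: '1.7.42', dependencies: { 'sample-gulai-dao': '*' } },
    files: { 'auto.js': WORM_LIKE_FRAGMENT, 'tea.yaml': 'version: 1.0.0\n' },
  },
  'sample-gulai-dao': {
    pkg: { name: 'sample-gulai-dao', version: '3.0.19', dependencies: { 'sample-rendang-dao': '*' } },
    files: { 'publishScript.js': WORM_LIKE_FRAGMENT },
  },
  'sample-honest-lib': {
    pkg: { name: 'sample-honest-lib', version: '1.0.0', dependencies: { 'sample-rendang-dao': '^1.0.0' } },
    files: { 'index.js': 'module.exports = () => 42;\n' },
  },
};

// Run the per-package heuristics plus the graph check; returns { name: [finding, ...] }.
function assessSample(sample) {
  const deps = Object.fromEntries(
    Object.entries(sample).map(([n, p]) => [n, Object.keys(p.pkg.dependencies || {})]),
  );
  const clustered = new Set(selfReferencingClusters(deps).flat());
  const report = {};
  for (const [name, p] of Object.entries(sample)) {
    const findings = assessPackage(p.pkg, p.files);
    if (clustered.has(name)) findings.push('self-referencing-cluster');
    report[name] = findings;
  }
  return report;
}

console.log(JSON.stringify(assessSample(SAMPLE), null, 2));
```

The honest package depends on a spam package but is not part of a cycle, so it gets no finding; the mutual dependency between the two spam packages is what marks them as a cluster.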

    The application security company has also flagged a second variant that employs a different package naming scheme comprising random English words (e.g., able_crocodile-notthedevs).

    The findings also serve to highlight a security blind spot in security scanners, which are known to flag packages that execute malicious code during installation by monitoring lifecycle hooks or detecting suspicious system calls.

    “In this case, they found nothing because there was nothing to find at the time of installation,” Endor Labs said. “The sheer number of packages flagged in the current campaign shows that security scanners must analyze these signals in the future.”

    Garrett Calpouzos, principal security researcher at software supply chain security firm Sonatype, characterized IndonesianFoods as a self-publishing worm operating at a massive scale, overwhelming security data systems in the process.

    “The technical sophistication isn’t necessarily higher — interestingly, these packages do not appear to even try to infiltrate developer machines — it’s the automation and scale that are escalating at an alarming rate,” Calpouzos said.

    “Each wave of these attacks weaponizes npm’s open nature in slightly new ways. This one may not steal credentials or inject code, but it still strains the ecosystem and proves how trivial it is to disrupt the world’s largest software supply chain. While the motivation is unclear, the implications are striking.”

    When reached for comment, a GitHub spokesperson said it has removed the packages in question from npm, and that it’s committed to detecting, analyzing, and taking down packages and accounts that go against its policies.

    “We have disabled malicious npm packages in accordance with GitHub’s Acceptable Use Policies which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” the spokesperson added.

    “We employ manual reviews and at-scale detections that use machine learning and constantly evolve to mitigate malicious usage of the platform. We also encourage customers and community members to report abuse and spam.”


    Source: thehackernews.com…

  • Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

    Over 46,000 Fake npm Packages Flood Registry in Worm-Like Spam Attack

    Cybersecurity researchers are calling attention to a large-scale spam campaign that has flooded the npm registry with thousands of fake packages since early 2024 as part of a likely financially motivated effort.

    “The packages were systematically published over an extended period, flooding the npm registry with junk packages that survived in the ecosystem for almost two years,” Endor Labs researchers Cris Staicu and Kiran Raj said in a Tuesday report.

    The coordinated campaign has so far published as many as 46,484 packages, according to SourceCodeRED security researcher Paul McCarty, who first flagged the activity. The end goal is unusual: the campaign is designed to inundate the npm registry with random packages rather than to steal data or run other malicious code on the installing machine.

    The worm-like propagation mechanism and the use of a distinctive naming scheme that relies on Indonesian names and food terms for the newly created packages have lent it the moniker IndonesianFoods. The bogus packages masquerade as Next.js projects.

    “What makes this threat particularly concerning is that the attackers took the time to craft an NPM worm, rather than a singular attack,” McCarty said. “Even worse, these threat actors have been staging this for over two years.”

    Some signs that point to a sustained, coordinated effort include the consistent naming patterns and the fact that the packages are published from a small network of over a dozen npm accounts.

    The worm is located within a single JavaScript file (e.g., “auto.js” or “publishScript.js”) in each package, staying dormant until a user manually runs the script using a command like “node auto.js.” In other words, it does not execute automatically during installation or as part of a “postinstall” hook.

    It’s not clear why someone would go to the lengths of running the JavaScript manually, but the existence of over 43,000 packages suggests that either multiple victims executed the script, by accident or out of curiosity, or the attackers ran it themselves to flood the registry, Henrik Plate, head of security research at Endor Labs, told The Hacker News.

    “We haven’t found evidence of a coordinated social engineering campaign, but the code was written with social engineering potential, possible victim scenarios include: fake blog posts, tutorials, or README entries instructing users to run ‘node auto.js’ to ‘complete setup’ or ‘fix a build issue,’ [and] CI/CD pipeline build scripts with wildcards something like node *.js that execute all JavaScript files,” Raj added.

    “The payload’s dormant design is intended to evade automated detection, by requiring manual execution instead of ‘autorun,’ the attackers reduce the chance of being flagged by security scanners and sandboxing systems.”

    The manual execution causes the script to run a series of actions in an infinite loop, starting with removing “private”: true from the package’s “package.json” file. npm refuses to publish a package whose manifest carries this flag, which is why it is commonly set on packages that are not meant to leave a private repository, so stripping it is a prerequisite for everything that follows. The script then builds a random package name from an internal dictionary and assigns it a random version number, so that the upload does not collide with a name and version that already exist and get rejected by npm’s duplicate version check.

    In the final stage, the spam package is uploaded to npm with the “npm publish” command. The loop then starts over, pushing out a new package roughly every 7 to 10 seconds: six to eight packages a minute from a single runner, several hundred an hour, and on the order of ten thousand a day.

    “This floods the NPM registry with junk packages, wastes infrastructure resources, pollutes search results, and creates supply chain risks if developers accidentally install these malicious packages,” McCarty said.

    According to Endor Labs, the campaign is part of an attack that was first flagged by Phylum (now part of Veracode) and Sonatype in April 2024 that involved the publication of thousands of spam packages to conduct a “massive automated crypto farming campaign” by abusing the Tea protocol.

    “What makes this campaign particularly insidious is its worm-like spreading mechanism,” the researchers said. “Analysis of the ‘package.json’ files reveals that these spam packages do not exist in isolation; they reference each other as dependencies, creating a self-replicating network.”

    Thus, when a user installs one of the spam packages, npm resolves the whole cross-referencing dependency tree, so a single install pulls in far more packages than the one requested, and the load on the registry grows with every level of the graph.

    Endor Labs said some of the attacker-controlled packages, such as arts-dao and gula-dao, include a tea.yaml file listing five different TEA accounts. The Tea protocol is a decentralized framework that allows open-source developers to be rewarded for their software contributions.

    This likely indicates that the threat actors are using this campaign as a monetization vector by earning TEA tokens by artificially inflating their impact score. It’s not clear who is behind the activity, but source code and infrastructure clues suggest it could be someone operating out of Indonesia.

    The application security company has also flagged a second variant that employs a different naming scheme comprising random English words (e.g., able_crocodile-notthedevs).

    The findings also highlight a blind spot in package security scanners, which are tuned to catch packages that run malicious code at install time, by monitoring lifecycle hooks such as “preinstall” and “postinstall” or watching for suspicious system calls in a sandbox. A payload that only runs when someone invokes it by hand never triggers either check.

    “In this case, they found nothing because there was nothing to find at the time of installation,” Endor Labs said. “The sheer number of packages flagged in the current campaign shows that security scanners must analyze these signals in the future.”
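    The two traits described above, packages that list each other as dependencies and a publish loop that only runs when invoked by hand, are both visible statically in the package contents, which is exactly what an install-time monitor does not look at. What follows is an added example, not code from Endor Labs, SourceCodeRED, Sonatype or npm, of a triage pass that flags those traits from a package’s files and manifest and then walks the cross-reference graph to show what a single install would pull in. The package names, file contents and the tea.yaml fixture are constructed for the example; the real campaign’s files and indicators may differ in detail.

```javascript
// Added example: static triage for the IndonesianFoods-style traits described
// in the article. Not the researchers' or npm's tooling; every package below is
// a constructed fixture with a made-up name.

// Indicators taken from the article's description of the campaign.
const TRAITS = {
  dormantScriptNames: /^(auto|publishScript)\.js$/, // run by hand, not by a lifecycle hook
  publishCall: /\bnpm\s+publish\b/,
  privateStrip: /(delete\s+\w+\.private\b|\.private\s*=\s*false|["']private["'])/,
  teaManifest: 'tea.yaml',
};

// A package is { name, packageJson, files: { relativePath: fileText } }.
function analyzePackage(pkg) {
  const findings = [];
  const scripts = Object.values(pkg.packageJson.scripts || {});
  for (const [path, text] of Object.entries(pkg.files)) {
    if (TRAITS.dormantScriptNames.test(path) && TRAITS.publishCall.test(text)) {
      // A self-publishing script is suspicious either way; record whether it is
      // wired to a script entry (e.g. postinstall) or left for manual execution.
      const hooked = scripts.some((cmd) => cmd.includes(path));
      findings.push(hooked ? 'publish-script-hooked' : 'dormant-publish-script');
      if (TRAITS.privateStrip.test(text)) findings.push('rewrites-private-flag');
    }
    if (path === TRAITS.teaManifest) findings.push('tea-manifest');
  }
  return findings;
}

// Edges between flagged packages only: who lists whom as a dependency.
function crossReferences(corpus, flagged) {
  const edges = new Map();
  for (const pkg of corpus) {
    if (!flagged.has(pkg.name)) continue;
    const deps = Object.keys(pkg.packageJson.dependencies || {});
    edges.set(pkg.name, deps.filter((d) => flagged.has(d)));
  }
  return edges;
}

// Everything `npm install <root>` would transitively pull in from the flagged set.
function installClosure(edges, root) {
  const seen = new Set([root]);
  const stack = [root];
  while (stack.length) {
    for (const dep of edges.get(stack.pop()) || []) {
      if (!seen.has(dep)) { seen.add(dep); stack.push(dep); }
    }
  }
  seen.delete(root);
  return [...seen].sort();
}

function triageCorpus(corpus) {
  const flagged = new Set();
  const report = {};
  for (const pkg of corpus) {
    const findings = analyzePackage(pkg);
    if (findings.length) { flagged.add(pkg.name); report[pkg.name] = findings; }
  }
  const edges = crossReferences(corpus, flagged);
  for (const [name, deps] of edges) {
    if (deps.length) report[name].push(`refs-flagged:${deps.length}`);
  }
  return { flagged: [...flagged].sort(), report, edges };
}

// Constructed fixture: the dormant publisher reduced to the two actions a
// scanner should key on (no loop, no name generator).
const DORMANT_SCRIPT = [
  "const pj = JSON.parse(require('fs').readFileSync('package.json', 'utf8'));",
  'delete pj.private; // clear "private": true so the upload is not refused',
  "require('child_process').execSync('npm publish');",
].join('\n');

const SAMPLE_CORPUS = [
  { name: 'soto-ayam-fixture',
    packageJson: { dependencies: { 'nasi-goreng-fixture': '^1.0.0' } },
    files: { 'auto.js': DORMANT_SCRIPT, 'tea.yaml': 'accounts:\n  - fixture-account' } },
  { name: 'nasi-goreng-fixture',
    packageJson: { dependencies: { 'soto-ayam-fixture': '^2.3.1', 'rendang-fixture': '*' } },
    files: { 'publishScript.js': DORMANT_SCRIPT } },
  { name: 'rendang-fixture', packageJson: {}, files: { 'auto.js': DORMANT_SCRIPT } },
  // Benign controls: a Next.js app, and a package whose auto.js never publishes.
  { name: 'legit-nextjs-app',
    packageJson: { scripts: { dev: 'next dev' }, dependencies: { next: '14.0.0' } },
    files: { 'next.config.js': 'module.exports = {};' } },
  { name: 'honest-cli', packageJson: {}, files: { 'auto.js': "console.log('hello');" } },
];

const result = triageCorpus(SAMPLE_CORPUS);
console.log(JSON.stringify(result.report, null, 2));
console.log('installing soto-ayam-fixture pulls in:', installClosure(result.edges, 'soto-ayam-fixture'));
```

The point of the graph step is that a package with no suspicious files of its own still becomes a problem once it sits inside the cross-reference network: installing soto-ayam-fixture drags in both of the other fixtures through nasi-goreng-fixture, and the benign auto.js in honest-cli is not flagged because it never calls npm publish. Run over real tarballs, the same checks would be fed from the extracted package directory rather than the inline objects used here.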

    Garrett Calpouzos, principal security researcher at software supply chain security firm Sonatype, characterized IndonesianFoods as a self-publishing worm operating at a massive scale, overwhelming security data systems in the process.

    “The technical sophistication isn’t necessarily higher — interestingly, these packages do not appear to even try to infiltrate developer machines — it’s the automation and scale that are escalating at an alarming rate,” Calpouzos said.

    “Each wave of these attacks weaponizes npm’s open nature in slightly new ways. This one may not steal credentials or inject code, but it still strains the ecosystem and proves how trivial it is to disrupt the world’s largest software supply chain. While the motivation is unclear, the implications are striking.”

    When reached for comment, a GitHub spokesperson said it has removed the packages in question from npm, and that it’s committed to detecting, analyzing, and taking down packages and accounts that go against its policies.

    “We have disabled malicious npm packages in accordance with GitHub’s Acceptable Use Policies which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms,” the spokesperson added.

    “We employ manual reviews and at-scale detections that use machine learning and constantly evolve to mitigate malicious usage of the platform. We also encourage customers and community members to report abuse and spam.”


    Source: thehackernews.com…

  • Google Sues China-Based Hackers Behind $1 Billion Lighthouse Phishing Platform

    Google Sues China-Based Hackers Behind $1 Billion Lighthouse Phishing Platform

    Nov 12, 2025 | Ravie Lakshmanan | Cybercrime / Malware

    Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries.

    The PhaaS kit is used to conduct large-scale SMS phishing attacks that exploit trusted brands like E-ZPass and USPS to steal people’s financial information by prompting them to click on a link using lures related to fake toll fees or package deliveries. While the scam in itself is fairly simple, it’s the industrial scale of the operation that has allowed it to illegally make more than a billion dollars over the past three years.

    “They exploit the reputations of Google and other brands by illegally displaying our trademarks and services on fraudulent websites,” Halimah DeLaine Prado, General Counsel at Google, said. “We found at least 107 website templates featuring Google’s branding on sign-in screens specifically designed to trick people into believing the sites are legitimate.”

    The company said it’s taking legal action to dismantle the underlying infrastructure under the Racketeer Influenced and Corrupt Organizations (RICO) Act, the Lanham Act, and the Computer Fraud and Abuse Act.

    Lighthouse, along with other PhaaS platforms like Darcula and Lucid, is part of an interconnected cybercrime ecosystem operating out of China that is known to send thousands of smishing messages via Apple iMessage and Google Messages’ RCS capabilities to users in the U.S. and beyond in hopes of stealing sensitive data. These kits have been put to use by a smishing syndicate tracked as Smishing Triad.

    In a report published in September, Netcraft revealed that Lighthouse and Lucid have been linked to more than 17,500 phishing domains targeting 316 brands from 74 countries. Phishing templates associated with Lighthouse are licensed from anywhere between $88 for a week to $1,588 for a yearly subscription.

    “While Lighthouse operates independently of the XinXin group, its alignment with Lucid in terms of infrastructure and targeting patterns highlights the broader trend of collaboration and innovation within the PhaaS ecosystem,” Swiss cybersecurity company PRODAFT said in a report published in April.

    It’s estimated that Chinese smishing syndicates may have compromised between 12.7 million and 115 million payment cards in the U.S. alone between July 2023 and October 2024. In recent years, cybercrime groups from China have also evolved to develop new tools like Ghost Tap to add stolen card details to digital wallets on iPhones and Android phones.

    As recently as last month, Palo Alto Networks Unit 42 said the threat actors behind Smishing Triad have used more than 194,000 malicious domains since January 1, 2024, mimicking a wide range of services, including banks, cryptocurrency exchanges, mail and delivery services, police forces, state-owned enterprises, and electronic tolls, among others.


    Source: thehackernews.com…
