github (17)

13326327653?profile=RESIZE_400xThreat intelligence experts at ClearSky Cyber Security have reported the details of an Iranian social engineering campaign using fake LinkedIn identities to trick people into downloading malware with fake job offers. ClearSky has identified a campaign named “Iranian Dream Job,” in which the Iranian threat actor TA455 has targeted the aerospace industry by offering fake jobs.

See: https://redskyalliance.org/xindustry/iran-targeting-aerospace-through-fake-jobs

The campaign distributed the so-calle

12959741680?profile=RESIZE_400xCybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments.  "The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said.  The activity has been assessed to be part of an ongoing VMConnect campaign that first came to light in August 2023.  There are indications that i

12754173661?profile=RESIZE_400xGitHub’s extensive community and features make it a continued target for threat actors.  This week, security researchers identified a network of 3000 fake GitHub accounts pushing infostealing malware through the platform’s repositories as well as compromised WordPress sites.  The malware Distribution-as-a-Service (DaaS), dubbed ‘Stargazers Ghost Network’, delivers variants of RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer, all packaged in password-protected archives.

Attrib

12740413073?profile=RESIZE_400xBetween April and June 2024, the NullBulge group emerged, targeting users in AI-centric applications and gaming communities.  The NullBulge persona has showcased creative methods of distributing malware targeting said tools and platforms.  Though the group projects an image of activism claiming to be “protecting artists around the world” and claims to be motivated by a pro-art, anti-AI cause rather than profit, other activities tied to this threat actor may indicate otherwise.

12740413882?profile=RESIZE_710xNullBulge’s servic

12621693076?profile=RESIZE_400xA "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro.  Multiple malware variants suggest a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup, possibly increasing the efficiency of

12404722692?profile=RESIZE_400xThe Checkmarx Research team recently discovered an attack campaign targeting the software supply chain, with evidence of successful exploitation of multiple victims.  These include the Top.gg GitHub organization (a community of over 170k users) and several individual developers.  The threat actors used multiple TTPs in this attack, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing malicious

12402052463?profile=RESIZE_400xA new phishing campaign has been observed delivering Remote Access Trojans (RAT) such as VCURMS and STRRAT using a malicious Java-based downloader.  The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware, an unusual aspect of the campaign is VCURMS' use of a Proton Mail email address ("sacriliage@proton[.]me") for communicating with a command-and-control (C2) server.

The attack chain commences

12366120476?profile=RESIZE_400xGoogle continues to struggle with cybercriminals running malicious ads on its search platform to trick people into downloading booby-trapped copies of popular free software applications.  The malicious ads, which appear above organic search results and often precede links to legitimate sources of the same software, can make searching for software on Google a dicey affair.

Google says keeping users safe is a top priority, and that the company has a team of thousands working around the clock to cr

12293629454?profile=RESIZE_400xRecently, security researchers have uncovered close to 4,000 unique secrets inside nearly 3,000 PyPI packages https://pypi.org   and says that more than 760 of these secrets were found to be valid.  Overall, the researchers identified 151 individual types of secrets, including AWS, Azure AD, GitHub, Dropbox, and Auth0 keys, credentials for MongoDB, MySQL, and PostgreSQL, and SSH, Coinbase, and Twilio Master credentials.

Valid credentials pose a critical and immediate threat to organizations, as

12258181264?profile=RESIZE_400xA new deceptive campaign has been observed hijacking GitHub accounts and committing malicious code disguised as Dependabot contributions with an aim to steal passwords from developers.  The malicious code exfiltrates the GitHub project's defined secrets to a malicious C2 server and modify any existing javascript files in the attacked project with a web-form password-stealer malware code effecting any end-user submitting its password in a web form.  The malware is also designed to capture GitHub

12219035090?profile=RESIZE_192XDoDo ransomware was first reported last February of 2023.  It is a variant of the widely reported and observed Chaos ransomware.  Because it is a derivative, the DoDo ransomware is not considered new and recent.  However, a slightly different version of the DoDo ransomware has recently emerged, described below.[1]

Infection Vector - DoDo ransomware samples have the “Mercurial Grabber” file icon, which indicates the ransomware was likely distributed as such.  Mercurial Grabber is an open-source m

12187383682?profile=RESIZE_400xCybersecurity researchers have discovered new malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information.  The npm registry is a public database of JavaScript packages that developers use to contribute packages to the community or download packages for their own projects.  The default npm public registry is found at https://registry.npmjs.org. npm is configured to use this registry by default, but it can be configured to use any compatible regi

12167935268?profile=RESIZE_400xThe Lazarus Group is North Korean state sponsored cybercrime group and they have been credited, in one way or another, with a recent social engineering campaign targeting developers on GitHub.  They are said to have been created by the North Korean government as early as 2007 and they are a part of the RGB, which is North Korea’s primary foreign intelligence agency.  “Lazarus Group” would appear to be the primary identity of the group, but they do have several aliases such as Appleworm, Group 77

12128282279?profile=RESIZE_400xExploit and vulnerability intelligence provider VulnCheck  https://vulncheck.com  has issued a warning over fake security researcher accounts distributing malware disguised as zero-day exploits for popular software.  The campaign was discovered in early May 2023, when researchers found a GitHub repository hosting code that its author claimed to be a zero-day for the Signal messaging application.  The cybersecurity firm continued finding such accounts on GitHub, offering what they claimed to be z

10952854294?profile=RESIZE_400xGitHub states that hackers gained access to its code repositories and stole code-signing certificates for two of its desktop apps: Desktop and Atom.  Although attackers exfiltrated a set of encrypted code-signing certificates, these were password-protected, so there is no possibility of malicious use.

GitHub revealed that on 7 December 2022, hackers gained unauthorized access to several of its code repositories and stolen code-signing certificates for two of its desktop apps: Atom and Desktop.  

10908522863?profile=RESIZE_400xA newly discovered web skimming campaign running for the past year has already compromised over 40 e-commerce sites, according to researchers.  The JavaScript protection vendor revealed that “Group X,” which exfiltrated card data to a server in Russia, used a novel supply-chain technique to compromise its victims.  The cyber-criminals exploited a third-party software named Cockpit, a free web marketing and analytics service that was discontinued in December 2014.   Cockpit is a JavaScript librar

10828243262?profile=RESIZE_400xThe Svalbard Seed Vault in Norway safeguards duplicates of 1,165,041 seed varieties from almost every country, with room for millions more.  Its purpose is to back up gene bank collections to secure the foundation of our future food supply.   The Seed Vault is the ultimate insurance policy for the world’s food supply, securing millions of seeds representing every important crop variety available today and offering options for future generations to overcome the challenges of climate change and po