Malware Detected: Reverse Shell Without JavaScript Files in npm

Malware Detected: Reverse Shell Without JavaScript Files in npm

The Hook: OX Research identified malicious npm package paperclip2 and two related packages, which conceal a reverse shell within their configuration files, effectively bypassing detection methods focused solely on JavaScript files.

Technical Breakdown:

  • Threat Type: Software supply chain attack, specifically malicious npm packages.
  • TTPs (MITRE ATT&CK):
    • T1588.006 (Obtain Capabilities: Malware): Attackers distributing malicious packages.
    • T1203 (Exploitation for Client Execution): Users installing a compromised package.
    • T1059.004 (Command and Scripting Interpreter: Unix Shell): Deployment of a reverse shell.
    • Evasion Tactic: Hiding malware in package config files rather than standard JavaScript files to avoid common scanning techniques.
  • IOCs:
    • npm Packages: paperclip2 (and two unnamed related packages).

Defense: Implement robust software supply chain security practices, including deep scanning of package contents beyond just executable JavaScript, and dependency analysis for unexpected configuration changes or non-standard file types containing malicious payloads.

Source: https://www.ox.security/blog/malware-detected-reverse-shell-without-javascript-files-in-npm/

u/falconupkid — 17 hours ago

Securing GitHub Actions Against Credential Theft With OIDC

GitHub Actions, while powerful for automation, introduce a significant risk of credential theft. This article highlights how OpenID Connect (OIDC) is a critical mechanism to mitigate this threat.

Technical Breakdown:

  • Threat: GitHub Actions workflows often require access to external cloud resources (AWS, Azure, GCP). Traditionally, this involves storing long-lived credentials (static access keys) as GitHub Secrets, which are vulnerable to leakage or misuse if the GitHub repository or runner is compromised.
  • TTPs Addressed:
    • Credential Theft (T1552): OIDC eliminates the need for long-lived, static cloud credentials directly within GitHub.
    • Impair Defenses (T1562.007): By reducing the attack surface for credential compromise, it strengthens overall CI/CD security.
  • How OIDC Mitigates: Instead of static secrets, OIDC allows GitHub Actions workflows to directly request temporary, short-lived credentials from cloud providers (e.g., AWS STS, Azure AD Workload Identity Federation) by exchanging a cryptographically signed OIDC token. This token includes verifiable claims about the workflow (e.g., repository, branch, environment). Cloud providers are configured to trust tokens only from specific GitHub organizations/repositories and grant specific roles/permissions based on these claims.

Defense: Implement OIDC-based authentication for GitHub Actions to manage access to external cloud resources, eliminating the use of long-lived static secrets and relying on ephemeral, verifiable tokens.

Source: https://www.stepsecurity.io/blog/securing-github-actions-against-credential-theft-with-oidc

reddit.com
u/falconupkid — 1 day ago

JadePuffer ransomware used AI agent to automate entire attack

JadePuffer ransomware has reportedly leveraged a large language model (LLM) agent to fully automate an entire attack, from initial reconnaissance to encryption. This represents a significant and concerning evolution in attack sophistication.

Technical Breakdown

  • Threat Actor: JadePuffer ransomware operation.
  • Novel TTP: The core innovation is the full automation of the ransomware kill chain using an LLM agent. This implies the agent dynamically performs tasks typically requiring human operators, including:
    • TA0007 (Discovery): Automated network and system reconnaissance.
    • TA0004 (Privilege Escalation) & TA0008 (Lateral Movement): Dynamic decision-making for moving through the environment.
    • TA0040 (Impact): Orchestrating data encryption and ransom note deployment.
  • Significance: This marks a shift towards more autonomous, adaptive, and potentially harder-to-predict attacks, as the LLM agent can dynamically alter its approach based on real-time system responses without human intervention.
  • IOCs: The provided summary does not include specific Indicators of Compromise (e.g., hashes, IPs) for JadePuffer.

Defense

Focus on robust behavioral analytics in EDR/XDR solutions, strong network segmentation, and continuous threat hunting to identify and interrupt these highly automated attack patterns.

Source: https://www.bleepingcomputer.com/news/security/jadepuffer-ransomware-used-ai-agent-to-automate-entire-attack/

u/falconupkid — 1 day ago

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

A U.S. government entity paid $1 million to the group Kairos in a data-theft extortion case, according to a Ransom-ISAC case study. The notable aspect is that Kairos, despite the payment, shows no evidence of using traditional ransomware to encrypt files, suggesting a pure data exfiltration and extortion model.

Technical Breakdown:

  • TTPs: Data exfiltration followed by extortion, leveraging threats of public release without file encryption. This deviates from standard ransomware operations.
  • Evidence: Investigation built on a leaked negotiation chat and blockchain analysis of the payment.
  • Affected Parties: A U.S. government entity.

Defense: Prioritize robust data loss prevention (DLP) and monitoring for unusual data egress, coupled with incident response plans for extortion events, even without traditional ransomware indicators.

Source: https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html

u/falconupkid — 1 day ago

North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

North Korean Hackers Push 108 Malicious Packages in PolinRider Campaign

North Korean threat actors, previously linked to the "Contagious Interview" campaign, are actively deploying over a hundred malicious packages and web browser extensions across critical developer ecosystems as part of their "PolinRider" operation.

Technical Breakdown:

  • Threat Actor: North Korean state-sponsored groups (linked to the "Contagious Interview" campaign).
  • Campaign: "PolinRider"
  • TTPs:
    • Publishing 108 unique malicious packages and web browser extensions.
    • Compromising maintainer accounts on various platforms to distribute their malicious content.
  • Affected Platforms:
    • Package Managers: npm, Packagist, Go
    • Browser Extensions: Google Chrome

Defense: Implement robust supply chain security practices, including careful auditing of third-party package dependencies and strict control over browser extension deployments.

Source: https://thehackernews.com/2026/07/north-korean-hackers-publish-108.html

u/falconupkid — 1 day ago

GitHub Actions in-depth: Access to GITHUB_TOKEN

The GITHUB_TOKEN in GitHub Actions is a critical security control; misconfigurations can lead to significant supply chain risks. This deep dive outlines how attackers can leverage this token and provides actionable steps to secure your CI/CD pipelines.

Technical Breakdown

  • Default Permissions: By default, GITHUB_TOKEN grants read/write access to many repository scopes (contents, pull-requests, packages, actions, pages, deployments, statuses, security-events, id-token). This extensive access can be abused.
  • Attack Vectors (TTPs):
    • Privilege Escalation: A compromised workflow or third-party action could exploit default token permissions to modify repository contents, push malicious code, or trigger further actions.
    • Repository Compromise: Attackers can leverage the token to manipulate releases, publish malicious packages, or compromise the integrity of your codebase.
    • Supply Chain Attacks: A rogue action, if granted broad GITHUB_TOKEN permissions, can become a vector for injecting malicious code into downstream consumers.
  • Permission Scopes: The article details specific permission scopes and how to limit them (permissions block in workflow files).

Defense

Implement granular token permissions: Always apply the principle of least privilege by explicitly defining minimal permissions for GITHUB_TOKEN in your workflow files. Use id-token: write only when necessary for OIDC. Regularly audit workflow permissions for excessive access.

Source: https://www.stepsecurity.io/blog/github-actions-in-depth-access-to-github_token

reddit.com
u/falconupkid — 2 days ago

AI-powered Dev Machine Security: Protecting Your Software Supply Chain

StepSecurity has released Dev Machine Guard, a new tool designed to protect developer workstations from supply chain attacks originating from malicious AI packages.

This utility aims to safeguard developers against the rising threat of malware disguised as AI-related dependencies. It specifically targets the compromise of systems and the theft of credentials by monitoring and preventing suspicious activity from these packages on dev machines.

Who is it for: Primarily for Red Teams looking to understand and test this attack surface, and Blue Teams/SecOps professionals responsible for securing developer environments and the software supply chain.

Why it's useful: With the proliferation of AI tools and libraries, securing the developer's machine from poisoned packages is critical. This tool helps mitigate the risk of initial access and lateral movement that can stem from compromised development environments.

Source: https://www.stepsecurity.io/blog/dev-machine-guard-ai-security

reddit.com
u/falconupkid — 2 days ago

Weekly Metasploit Update: Modules for SMB-to-Meterpreter, Peyara Remote Mouse RCE exploit, and more

Metasploit has rolled out a new weekly update featuring several useful modules for offensive operations.

  • What it does: The update includes an SMB to Meterpreter session upgrade module that leverages PsExec to facilitate session elevation. This improves post-exploitation by allowing operators to seamlessly upgrade an SMB session to a full Meterpreter session. Also added is a new unauthenticated Remote Code Execution (RCE) exploit for Peyara Remote Mouse v1.0.1, and a Linux command execution payload specifically for loongarch64 architectures.
  • Who is it for: These modules are primarily for Red Teams and penetration testers looking to expand their toolkit for initial access, privilege escalation, and post-exploitation.
  • Why it's useful: The SMB to Meterpreter upgrade streamlines session management, while the Peyara Remote Mouse RCE provides a new, exploitable vulnerability for potential initial access or internal lateral movement. The new Linux payload extends Metasploit's reach to specific architectures. These additions enhance the framework's versatility for various stages of an engagement.

Source: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-07-03-2026/

reddit.com
u/falconupkid — 2 days ago

Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

Seven unpatched vulnerabilities have been disclosed in FatFs, a widely used open-source filesystem library. These flaws impact millions of embedded devices that rely on FatFs to read and write FAT and exFAT formats on USB drives and SD cards.

Technical Breakdown

  • Vulnerability: Seven distinct flaws in the FatFs filesystem library.
  • Affected Library: FatFs (version details not provided in summary).
  • Impacted Functionality: Reading and writing FAT and exFAT formats from USB drives and SD cards.
  • Affected Devices: Millions of embedded systems, including but not limited to:
    • Security cameras
    • Drones
    • Industrial controllers
    • Hardware crypto wallets
  • Status: All disclosed vulnerabilities are currently unpatched. The summary does not specify CVEs or detailed vulnerability types (e.g., buffer overflows, logic flaws).

Defense

Organizations should identify critical embedded devices utilizing FatFs and prepare for forthcoming vendor firmware updates, as these unpatched flaws represent a significant supply chain risk.

Source: https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html

u/falconupkid — 2 days ago

New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

New Linux Kernel Flaw "Bad Epoll" (CVE-2026-46242) Grants Root Privileges

A critical new Linux kernel vulnerability, dubbed Bad Epoll (CVE-2026-46242), has been disclosed, allowing any unprivileged local user to achieve full root control on affected systems. This flaw impacts a broad range of Linux environments, including desktops, servers, and Android devices.

Technical Breakdown:

  • Vulnerability ID: CVE-2026-46242 (Bad Epoll)
  • Impact: Privilege Escalation (T1068) - Unprivileged local user gains root access.
  • Affected Systems: Linux kernel on desktops, servers, and Android.
  • Root Cause: The flaw resides in a specific section of the kernel's epoll code, which coincidentally is the same area where Anthropic's Mythos AI recently identified a different vulnerability.
  • IOCs: No specific IOCs are publicly available in the disclosure details at this time, as it's a kernel vulnerability requiring exploitation.

Defense: Immediate patching is crucial. Updates containing the fix are already available and should be applied without delay to all vulnerable Linux and Android systems.

Source: https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html

u/falconupkid — 2 days ago

New Avalon Malware Framework Packs CrownX Ransomware Capabilities

New Avalon Malware Framework Identified, Delivering CrownX Ransomware Capabilities.

Security researchers have uncovered Avalon, a previously undocumented and modular malware framework. It's being distributed via sophisticated multi-stage phishing chains designed to bypass traditional security controls.

Technical Breakdown

  • Initial Access: Multi-stage phishing campaigns.
  • TTPs:
    • TA0001 (Initial Access): Phishing
    • TA0006 (Credential Access): Credential collection
    • TA0008 (Lateral Movement): Lateral movement
    • TA0003 (Persistence) / TA0004 (Privilege Escalation): Remote access
    • TA0005 (Defense Evasion): Bypassing traditional security controls
    • TA0040 (Impact): Recovery disruption, Ransomware execution (CrownX Ransomware)
  • Modularity: Combines diverse functions (credential theft, lateral movement, remote access, recovery sabotage, and ransomware) into a single framework.
  • IOCs: Not detailed in the summary provided.

Defense

Strengthen email security, implement robust EDR solutions, and ensure regular, isolated backups to mitigate the impact of ransomware. Focus on user education for phishing awareness.

Source: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html

u/falconupkid — 2 days ago

GRU: military unit 67606

The GRU has established a sophisticated, decentralized Psychological Operations (PSYOP) framework operating within Russian Military Districts, indicating a structured approach to information warfare.

Technical Breakdown

  • Threat Actor: GRU (Russian Military Intelligence), specifically highlighting an organizational structure likely tied to military unit 67606.
  • TTPs (Tactics, Techniques, Procedures):
    • Tactic: PSYOPs, performed regionally to advance specific military district interests.
    • Structure: A hierarchical command under military unit 55111, overseeing dedicated regional PSYOP units.
  • Identifying Units (Organizational "IOCs"):
    • Central Command: GRU Military Unit 55111
    • Regional PSYOP Units:
      • Military Unit 03126 (Leningrad Military District)
      • Military Unit 03138 (Central Military District)
      • Military Unit 03128 (Southern Military District)
      • Military Unit 03134 (Eastern Military District)

Defense

Understanding adversary organizational structures and operational mandates is crucial for effective threat intelligence. For PSYOPs, this translates to enhanced media analysis, social media monitoring, and internal awareness programs to detect and counter disinformation campaigns and influence operations.

Source: https://lab52.io/blog/gru-military-unit-67606/

reddit.com
u/falconupkid — 2 days ago

NetNut proxy network disrupted, 2 million infected devices cut off

NetNut Residential Proxy Network Disrupted, Millions of Compromised Android Devices Cut Off

A joint operation, with Google's involvement, has successfully disrupted NetNut, a significant residential proxy network. This network exploited millions of compromised Android devices, including smart TVs and streaming boxes, turning them into unwitting proxy nodes.

Technical Breakdown:

  • Threat Actor/Infrastructure: NetNut, a large-scale residential proxy network.
  • TTPs:
    • Compromised Devices: Relied on malware-infected Android devices (smart TVs, streaming boxes) to form its proxy network.
    • Anonymity as a Service: Offered proxy services, allowing clients to route traffic through these compromised residential IPs, thereby evading detection and geographic restrictions. While the summary doesn't detail specific illicit uses, such networks are commonly abused for credential stuffing, ad fraud, data scraping, and obfuscating attack origins.
    • Scale: Enabled access to approximately 2 million infected devices.
  • IOCs: No specific IPs or hashes were disclosed in the provided summary.
  • Affected Systems: Millions of Android-based smart TVs and streaming boxes.

Defense: The disruption effectively cuts off the access threat actors had to these compromised devices, severely impacting the NetNut service and its users. This highlights the effectiveness of collaborative industry efforts against cybercrime infrastructure.

Source: https://www.bleepingcomputer.com/news/security/netnut-proxy-network-disrupted-2-million-infected-devices-cut-off/

u/falconupkid — 2 days ago

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

North Korea-Linked Threat Actors Target Devs with Malicious npm Packages

Threat actors tied to North Korea are actively deploying malicious npm packages, "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core," which mimic legitimate Rollup polyfill tooling. These packages are designed to steal developer secrets and establish remote access, posing a direct supply chain risk for development teams.

Technical Breakdown:

  • TTPs:
    • Initial Access: Software Supply Chain Compromise (malicious npm packages).
    • Defense Evasion/Obfuscation: Mimicry of legitimate packages (e.g., rollup-plugin-polyfill-node), including descriptions and repository metadata, to appear benign.
    • Impact: Data Theft (developer secrets), Remote Access.
    • Threat Actor: Linked to North Korean state-sponsored groups.
  • IOCs:
    • Malicious npm packages: rollup-packages-polyfill-core, rollup-runtime-polyfill-core.

Defense: Developers and organizations should audit their package.json dependencies, leverage internal package registries with robust vetting, and implement Software Supply Chain security tools to detect malicious or spoofed packages.

Source: https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html

u/falconupkid — 3 days ago

Kairos Ransomware: Data-Extortion Case Study Involving a U.S. Government Entity

Kairos Data-Extortion Targets U.S. Government Entity, Securing $1M Ransom Payment

A recent case study details how Kairos, identified as a data-extortion actor rather than a confirmed ransomware group, successfully extorted $1 million from a U.S. government entity. This incident involved the compromise and alleged exfiltration of over 2 TB of data, comprising approximately 1.6 million files, leading to a successful ransom payment after negotiations.

Technical Breakdown:

  • Threat Actor: Kairos (operates primarily as a data-extortion group; ransomware group status is unverified).
  • Target: A U.S. government body.
  • TTPs (Extortion):
    • Data exfiltration (claimed over 2 TB / ~1.6 million files).
    • Negotiation via leaked transcripts.
  • IOCs (Financial):
    • Ransom Amount: $1,000,000 USD (paid in cryptocurrency).
    • Payment Flow: Traced to cryptocurrency exchanges including ByBit, OKX, and BELQI.

Defense: Organizations, especially government entities, must prioritize robust data exfiltration detection mechanisms and comprehensive incident response plans that specifically address data-only extortion scenarios to prevent financial losses and sensitive data exposure.

Source: https://ransom-isac.org/blog/kairos-ransomware-data-extortion-case-study/

u/falconupkid — 3 days ago

Kali365 PhaaS Kit: OAuth Device-Code Phishing Enables MFA-Satisfied Token Theft

Kali365 PhaaS leverages OAuth Device-Code Phishing to steal MFA-protected Microsoft 365 tokens. This sophisticated Phishing-as-a-Service (PhaaS) kit enables threat actors to bypass multi-factor authentication by legitimately satisfying MFA prompts, ultimately stealing long-lived refresh tokens.

  • Threat: Kali365 (K365) is a subscription-based PhaaS platform targeting Microsoft 365 accounts.
  • TTPs:
    • Phishing Method: OAuth device-code phishing (RFC 8628).
    • MFA Bypass: The attack flow legitimately satisfies MFA during the device code authentication process.
    • Objective: Steal long-lived refresh tokens for persistent access.
    • Operator Tools: The kit includes an operator-side client application (kali365.exe) and a web UI for managing campaigns.
  • Defense: Focus on monitoring OAuth application consent grants, detecting unusual device-code flows, and continuous scrutiny of token usage and refresh token validity. User education remains critical against social engineering.

Source: https://ransom-isac.org/blog/kali365-phaas-oauth-device-code-phishing/

u/falconupkid — 3 days ago

Selling Success: Inside the Telegram Network Behind Alleged NEET Paper Leaks

Telegram Network Exploits India's NEET Exam for Organized Fraud

A Telegram-based network has been identified promoting alleged paper leaks for India's National Eligibility cum Entrance Test (NEET), a critical medical entrance examination. StealthMole's intelligence highlights a pattern of organized fraud targeting the high-stakes exam, impacting millions of students annually.

Technical Breakdown:

  • TTPs (MITRE ATT&CK - related):
    • Resource Development (T1587): Creation and maintenance of interconnected Telegram channels for promoting and distributing alleged leaked question papers and answer keys.
    • Initial Access (T1566): Leveraging social media and messaging platforms (Telegram) to reach a wide audience of students seeking an advantage.
    • Collection (T1560): Claims of "guaranteed answer keys" and "access to exam before test day" indicate attempts to collect and monetize sensitive exam material.
    • Persistence (T1547.001 - related): Maintaining historical digital footprints across the network, even after specific accounts are flagged or taken down, suggesting resilience and a degree of organization.
  • IOCs: The summary does not provide specific channel IDs, user handles, or associated IP addresses.
  • Affected Systems: The integrity of the NEET examination process and its participants.

Defense: Proactive monitoring of high-volume social media and messaging platforms for suspicious activity and keywords related to exam leaks, coupled with public awareness campaigns against such fraud schemes.

Source: https://stealthmole-intelligence-hub.blogspot.com/2026/07/selling-success-inside-telegram-network.html

reddit.com
u/falconupkid — 3 days ago

Verified X ad spreads Mac malware, while ConsentFix steals Microsoft accounts

Two distinct campaigns highlight a shift towards social engineering over software exploits: one distributing Mac malware via a verified X (formerly Twitter) ad, and another, dubbed "ConsentFix," stealing Microsoft accounts through deceptive consent dialogs.

  • Campaign 1: X Malvertising & Mac Malware

    • Threat: Distribution of unspecified Mac malware.
    • Vector: Malicious ads displayed on X from verified accounts, leveraging trust associated with the platform's verification status.
    • TTPs (MITRE): Initial Access (T1566 - Phishing: Spearphishing via Service), User Execution (T1204.001 - Malicious Link).
    • Affected: Users clicking on malicious ads on X.
  • Campaign 2: ConsentFix & Microsoft Accounts

    • Threat: Credential theft targeting Microsoft accounts.
    • Vector: Campaign named "ConsentFix" employing fake consent dialogs.
    • TTPs (MITRE): Credential Access (T1566.002 - Phishing: Spearphishing Link), User Execution (T1204.001 - Malicious Link).
    • Affected: Microsoft account holders interacting with the deceptive dialogs.

Defense: Emphasize user awareness regarding social engineering tactics, even from seemingly legitimate sources or verified accounts. Implement robust email and web filtering, enforce MFA across all accounts, and educate users to scrutinize URLs and consent requests carefully before interacting.

Source: https://www.malwarebytes.com/blog/news/2026/07/verified-x-ad-spreads-mac-malware-while-consentfix-steals-microsoft-accounts

u/falconupkid — 3 days ago

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

Armored Likho Emerges: New Threat Actor Targets Gov and Power Sectors with BusySnake Stealer

A previously undocumented threat actor, dubbed Armored Likho, has been identified targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. This actor notably blends financially motivated campaigns against private individuals with targeted cyber espionage operations.

Technical Breakdown:

  • Threat Actor: Armored Likho (newly identified, previously undocumented).
  • Malware: BusySnake Stealer.
  • Targets:
    • Government agencies.
    • Electric power sector organizations (specifically in Russia, Brazil, Kazakhstan).
    • Private individuals (for financial gain).
  • Motivation: Dual-purpose operations, combining cyber espionage with financially motivated campaigns.
  • TTPs: While specific TTPs for initial access or persistence aren't detailed in the summary, the actor's strategy involves a blend of financial and espionage objectives, implying adaptable approaches to targeting.

Defense: Organizations, especially those in critical infrastructure and government sectors, should enhance their endpoint security, implement robust threat intelligence feeds, and monitor for indicators associated with information stealers. Incident response plans should be updated to address advanced persistent threats with blended motivations.

Source: https://thehackernews.com/2026/07/armored-likho-targets-government.html

u/falconupkid — 3 days ago