Tag: open-source

14 Attack Reports | 0 Vulnerabilities

Attack reports

Bootstrap script exposes PyPI to domain takeover attacks

A vulnerability in legacy Python packages could enable an attack on PyPI through a domain compromise. The issue stems from bootstrap files for a build tool that installs the 'distribute' package, which fetch and execute an installation script from a now-available domain. Affected packages include t…
supply chain
vulnerability
open-source
pypi
domain takeover
bootstrap script
2025-12-03
python packaging
Published: December 3, 2025
Downloadable IOCs: 0

Self-replicating Shai-hulud worm spreads token stealing malware on npm

A self-replicating worm named Shai-hulud has been detected on the npm registry, spreading through compromised developer accounts and injecting malicious code into legitimate packages. The worm steals cloud service tokens, primarily targeting npm, GitHub, AWS, and GCP. It also installs Trufflehog to…
supply-chain
worm
npm
open-source
2025-09-16
self-replicating
shai-hulud
package-compromise
token-stealing
Published: September 16, 2025
Downloadable IOCs: 0

Yurei the New Ransomware Group on the Scene

Yurei, a newly emerged ransomware group, targeted a Sri Lankan food manufacturing company on September 5, 2025. The group employs a double-extortion model, encrypting files and exfiltrating sensitive data. Check Point Research discovered that Yurei's ransomware is based on the open-source Prince-Ra…
ransomware
open-source
go
double-extortion
2025-09-12
morocco
satanlockv2
shadow copies
prince-ransomware
yurei
Published: September 12, 2025
Downloadable IOCs: 5

AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks

AdaptixC2, an open-source post-exploitation and adversarial emulation framework, has been observed being used in real-world attacks. This versatile tool allows threat actors to execute commands, transfer files, and perform data exfiltration on compromised systems. Its open-source nature enables eas…
social engineering
foggyweb
data exfiltration
open-source
post-exploitation
c2 framework
tunneling
adaptixc2
2025-09-10
ai-generated scripts
adversarial emulation
Published: September 10, 2025
Downloadable IOCs: 0

Loophole allows threat actors to claim VS Code extension names

A loophole in VS Code Marketplace allows malicious actors to reuse names of removed extensions. ReversingLabs discovered this vulnerability after finding a malicious extension with the same name as one previously identified. The platform's documentation states that extension names must be unique, b…
vulnerability
open-source
cybersecurity
extension
vs code
software supply chain
2025-08-29
loophole
package names
Published: August 29, 2025
Downloadable IOCs: 0

GhostContainer backdoor for Exchange servers

A sophisticated backdoor targeting Exchange servers of high-value organizations in Asia has been discovered. The malware, named GhostContainer, is a multi-functional backdoor that can be dynamically extended with additional modules. It leverages several open-source projects and employs various evas…
backdoor
apt
evasion
proxy
open-source
asia
2025-07-17
exchange
ghostcontainer
Published: July 17, 2025
Downloadable IOCs: 1

The Solidity Language open-source package was used in a $500,000 crypto heist

A blockchain developer in Russia lost $500,000 in crypto assets due to a malicious Solidity Language extension for Cursor AI IDE. The fake extension, downloaded 54,000 times, appeared higher in search results than the legitimate one due to ranking algorithms. It installed malware that allowed remot…
screenconnect
cryptocurrency
data theft
developers
open-source
quasar
blockchain
2025-07-11
heur:trojan-psw.msil.purelogs.gen
vmdetector
solidity
cursor ai
malicious extension
2025-07-16
Published: July 16, 2025
Linked vulnerabilities : CVE-2024-3721
Downloadable IOCs: 0

Threat actor Banana Squad exploits GitHub repos in new campaign

ReversingLabs researchers have uncovered a new campaign by the threat actor Banana Squad, involving over 60 GitHub repositories containing hundreds of trojanized Python files. The attackers create fake user accounts to host malicious repositories that mimic legitimate ones, using a technique that h…
backdoor
python
open-source
github
stealth techniques
supply chain attack
software supply chain
open-source security
code obfuscation
2025-06-19
2025-06-20
trojanized repositories
Published: June 20, 2025
Downloadable IOCs: 275

Stealthy GitHub Malware Campaign Targets Devs

A new campaign exploiting GitHub to distribute malicious Python code disguised as legitimate hacking tools has been uncovered. The operation, attributed to the group known as Banana Squad, used 67 repositories hosting trojanized files that mimicked benign open-source projects. The attackers exploit…
backdoor
python
supply chain
repositories
open-source
github
2025-06-19
trojanized files
encoding
Published: June 19, 2025
Downloadable IOCs: 2

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub

A newly identified threat actor, Water Curse, is exploiting GitHub to deliver weaponized repositories containing multistage malware. The group has been linked to at least 76 GitHub accounts, targeting cybersecurity professionals, game developers, and DevOps teams. Their malware enables data exfiltr…
supply chain
persistence
privilege escalation
data exfiltration
open-source
github
anti-debugging
2025-06-16
backdoor.js.dullrat
multistage malware
Published: June 16, 2025
Downloadable IOCs: 0

PyPI package targets Solana developers

A malicious PyPI package named solana-token has been discovered targeting Solana blockchain developers. The package, downloaded over 600 times, attempts to steal source code and developer secrets from infected machines. It uses suspicious behaviors like communicating with IP addresses on non-standa…
infostealer
cryptocurrency
exfiltration
open-source
pypi
blockchain
supply-chain-attack
2025-05-13
solana
solana-token
Published: May 13, 2025
Downloadable IOCs: 0

Fake GitHub projects distribute stealers in GitVenom campaign

The GitVenom campaign involves threat actors creating hundreds of fake repositories on GitHub containing malicious code disguised as legitimate projects. These repositories include well-designed README files and artificially inflated commit numbers to appear genuine. The malicious code, implemented…
cryptocurrency
stealer
asyncrat
open-source
github
quasar
2025-02-24
gitvenom
clipboard-hijacker
fake-projects
Published: February 24, 2025
Downloadable IOCs: 2

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network sig…
python
c2
ransomhub
open-source
more_eggs
post-exploitation
2025-02-13
http server
network signatures
detection
pyramid
Published: February 13, 2025
Downloadable IOCs: 0

Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware

A long-running campaign was identified involving malicious actors impersonating Israeli entities and private companies. The operators delivered payloads through crafted WordPress sites, employing a mix of custom code and open-source malware like Donut and Sliver. While the motivations remain unclea…
impersonation
wordpress
sliver
golang
2024-06-28
open-source
donut
virtual disk
Published: June 28, 2024
Downloadable IOCs: 18
Click here to see more Attack Reports