Tag: supply chain attack

15 Attack Reports | 0 Vulnerabilities

Attack reports

Beware of AI Pickpockets: Pickai Backdoor Spreading Through ComfyUI Vulnerability

A new backdoor named Pickai is exploiting ComfyUI vulnerabilities to spread and steal sensitive AI data. Developed in C++, Pickai offers remote command execution and reverse shell capabilities with strong persistence and evasion techniques. It uses multiple C2 servers for redundancy and has infecte…
backdoor
evasion
vulnerability
persistence
c2
supply chain attack
2025-06-13
pickai
comfyui
ai data theft
Published: June 13, 2025
Downloadable IOCs: 9

PyPI Supply Chain Attack Uncovered: Colorama and Colorizr Name Confusion

A malicious package campaign targeting Python and NPM users on Windows and Linux has been discovered. The attack uses typo-squatting and name-confusion tactics against the popular colorama Python package and the similar colorizr JavaScript package. Multiple packages with risky payloads were uploade…
typosquatting
remote-access
npm
pypi
data-exfiltration
supply-chain-attack
2025-06-02
colorama
colorizr
Published: June 2, 2025
Downloadable IOCs: 2

Malicious attack method on hosted ML models now targets PyPI

A new malicious campaign has been discovered targeting the Python Package Index (PyPI) by exploiting the Pickle file format in machine learning models. Three malicious packages posing as an Alibaba AI Labs SDK were detected, containing infostealer payloads hidden inside PyTorch models. The packages…
infostealer
ai
pypi
machine learning
supply chain attack
pytorch
2025-05-26
pickle format
Published: May 26, 2025
Downloadable IOCs: 2

Backdoor implant discovered on PyPI posing as debugging utility

A sophisticated malicious package named 'dbgpkg' was detected on PyPI, masquerading as a Python debugging utility. The package implants a backdoor on systems, enabling execution of malicious code and data exfiltration. It uses function wrapping techniques to evade detection and is believed to be pa…
backdoor
russia
ukraine
pypi
supply chain attack
hacktivist
2025-05-15
dbgpkg
function wrapping
global socket toolkit
requestsdev
discordpydebug
Published: May 15, 2025
Downloadable IOCs: 0

PyPI package targets Solana developers

A malicious PyPI package named solana-token has been discovered targeting Solana blockchain developers. The package, downloaded over 600 times, attempts to steal source code and developer secrets from infected machines. It uses suspicious behaviors like communicating with IP addresses on non-standa…
infostealer
cryptocurrency
exfiltration
open-source
pypi
blockchain
supply-chain-attack
2025-05-13
solana
solana-token
Published: May 13, 2025
Downloadable IOCs: 0

Disruption of Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan

Earth Ammit, a Chinese-linked threat actor, conducted two campaigns targeting drone supply chains in Taiwan and South Korea from 2023 to 2024. The VENOM campaign focused on software service providers using open-source tools, while TIDRONE targeted military industries with custom malware. Their tact…
south korea
taiwan
supply chain attack
2025-05-13
drone industry
venom campaign
custom backdoor
screencap
fiber-based
clntend
venfrpc
cxclnt
tidrone campagin
military sector
Published: May 13, 2025
Downloadable IOCs: 29

wget to Wipeout: Malicious Go Modules Fetch Destructive Payload

Socket's research team discovered a supply-chain attack targeting Go developers through three malicious modules: prototransform, go-mcp, and tlsproxy. These modules used obfuscation techniques to deliver a disk-wiping payload, exploiting the open nature of Go's ecosystem. The attack leveraged names…
linux
obfuscation
data destruction
2025-05-02
supply-chain attack
disk-wiper
go modules
namespace confusion
Published: May 2, 2025
Downloadable IOCs: 2

Malicious PyPi Package Detected Stealing Crypto Tokens

A malicious PyPI package named ccxt-mexc-futures has been discovered by security researchers. This package claims to extend the capabilities of the legitimate CCXT library for cryptocurrency trading, specifically for futures trading on the MEXC exchange. However, it actually hijacks user orders and…
cryptocurrency
pypi
supply-chain-attack
2025-04-16
api-hijacking
ccxt
mexc
Published: April 16, 2025
Downloadable IOCs: 2

Typosquatted Go Packages Deliver Malware Loader Targeting Li...

A malicious campaign is targeting the Go ecosystem with typosquatted packages that install hidden loader malware on Linux and macOS systems. The threat actor has published at least seven packages impersonating popular Go libraries, using array-based string obfuscation to hide malicious commands. Th…
linux
obfuscation
typosquatting
macos
supply-chain-attack
2025-04-04
elf-malware
go-packages
f0eee999
Published: April 4, 2025
Downloadable IOCs: 0

Over 150K websites hit by full-page hijack linking to Chinese gambling sites

In February, C/Side uncovered a threat actor targeting over 35,000 websites with a malicious full-page hijack injection. C/Side continued to monitor this actor’s activities and have identified new tactics and techniques. They’ve scaled up their operations significantly, as we now estimate that appr…
javascript
cyber
chinese
credit card skimmer
supply chain attack
magecart
2025-03-27
february
blog
c/side
client-side
web
development
client/side
cyber security
security
pci dss v4
browser attack
formjacking
website vulnerability scanner
data breaches
content security policies
tag manager
browser side script
javascript security
html entity
uiux changesthe
bet365
english
williamhill
id parameter
css position
Published: March 27, 2025
Downloadable IOCs: 15

From Credit Card Skimming to Exploiting Zero-Days

XE Group, a cybercriminal organization active since 2013, has evolved from credit card skimming to exploiting zero-day vulnerabilities. The group initially focused on web vulnerabilities and supply chain attacks but has now shifted to targeted information theft in manufacturing and distribution sec…
powershell
zero-day
meterpreter
aspxspy
webshell
supply-chain-attack
2025-02-03
CVE-2024-57968
CVE-2025-25181
information-theft
remote-access-trojan
sql-injection
persistent-access
Published: February 3, 2025
Linked vulnerabilities : CVE-2024-57968 (CVSS 9.9), CVE-2025-25181 (CVSS 5.8), CVE-2019-18935, CVE-2017-9248
Downloadable IOCs: 17

Compromised ultralytics PyPI package delivers crypto coinminer

A malicious version of the popular AI library ultralytics was published on PyPI, containing downloader code for the XMRig coinminer. The compromise was achieved by exploiting a known GitHub Actions script injection. Two versions, 8.3.41 and 8.3.42, were affected before a clean version 8.3.43 was re…
xmrig
coinminer
pypi
2024-12-07
ultralytics
supply-chain-attack
Published: December 7, 2024
Downloadable IOCs: 0

Differential analysis raises red flags over @lottiefiles/lottie-player

ReversingLabs researchers discovered malicious versions of the popular npm package @lottiefiles/lottie-player. Versions 2.0.5, 2.0.6, and 2.0.7 were compromised and used to spread malicious code designed to steal crypto wallet assets. The attackers altered the lottie-player.js file, replacing its c…
npm
cryptocurrency theft
supply chain attack
2024-11-22
package compromise
open-source security
differential analysis
Published: November 22, 2024
Downloadable IOCs: 0

Threat Assessment: Distributors of BlackSuit Ransomware

Ignoble Scorpius, previously known as Royal ransomware, has rebranded as BlackSuit ransomware and increased its activity since March 2024. The group has targeted at least 93 victims globally, with a focus on the construction and manufacturing industries. Their initial ransom demands average 1.6% of…
ransomware
extortion
cobalt strike
credential theft
gootloader
lateral movement
mimikatz
data exfiltration
blacksuit
systembc
supply chain attack
2024-11-20
nanodump
Published: November 20, 2024
Downloadable IOCs: 2

Triad Nexus: FUNNULL CDN hosting DGA domains for suspect Chinese sites

Silent Push has uncovered a large-scale malicious infrastructure dubbed 'Triad Nexus' hosted on the FUNNULL content delivery network. The investigation revealed over 200,000 unique hostnames, with 95% created using Domain Generation Algorithms. FUNNULL is linked to hosting suspect gambling websites…
phishing
dga
gambling
2024-10-23
supply chain attack
funnull
triad nexus
suncity group
cdn
Published: October 23, 2024
Downloadable IOCs: 70
Click here to see more Attack Reports