Daily Brief

Articles are listed below, each with a generated summary

Total articles found: 11806

Checks for new stories every ~15 minutes

2025-07-20 09:50:42 thehackernews MALWARE Phishing Attack Leads to Malware in Six Popular npm Packages
Cybersecurity researchers have uncovered a supply chain attack targeting npm packages through the use of stolen project maintainers' npm tokens in a phishing campaign. Impacted maintainers inadvertently gave up their credentials through a typosquatted website, allowing attackers to publish malicious package updates directly to the npm registry. Malicious code integrated into the rogue npm package versions aims to execute a DLL on Windows machines, potentially leading to remote code execution. The phishing emails used for this campaign impersonated official npm communications, misleading recipients with links to a fraudulent npm login page. Developers using the affected packages are urged to verify their installed versions and revert to secure releases, while maintainers are recommended to enhance security measures using two-factor authentication and scoped tokens. The incident underscores vulnerabilities within digital supply chains, with potential widespread impacts on the broader software ecosystem. The operation is somewhat parallel to protestware-laden packages recently found on npm, designed to disrupt Russian and Belarusian domain visitors, showcasing the range of threats facing package repositories. Separate from the npm issue, the Arch Linux team removed three packages that contained malware, demonstrating a continued trend of repositories being targeted across different platforms.
2025-07-20 07:42:33 thehackernews CYBERCRIME Hackers Target Unpatched Servers Via CrushFTP Vulnerability
A critical vulnerability in CrushFTP, CVE-2025-54309, with a CVSS score of 9.0, is being actively exploited to gain administrative access. The flaw is present in CrushFTP 10 versions prior to 10.8.5 and CrushFTP 11 versions prior to 11.3.4_23, and stems from AS2 validation when the DMZ proxy feature is not in use. CrushFTP, widely used in sectors like government, healthcare, and enterprise, acknowledged the zero-day exploitation discovered on July 18, 2025. Attackers possibly gained access by reverse engineering CrushFTP's recent code changes and exploiting earlier undetected bugs. This administrative access permits potential data exfiltration, backdoor insertion, and internal system compromise. CrushFTP has released indicators of compromise and recommends security measures including checking the modification time of user.xml and auditing permission changes. Other high-severity vulnerabilities in CrushFTP have been exploited previously, suggesting a pattern of targeted attacks against the platform. Immediate patching and compliance with CrushFTP's mitigation recommendations are crucial to prevent further exploitation.
2025-07-19 17:48:52 bleepingcomputer CYBERCRIME PoisonSeed Phishing Attacks Bypass FIDO2 Security Key Protections
A recent PoisonSeed phishing campaign exploits WebAuthn's cross-device sign-in feature to circumvent FIDO2 security key protections, targeting corporate login portals like Okta and Microsoft 365. The attackers guide victims to a fake website that mimics legitimate corporate portals, prompting them to enter their credentials. Using an adversary-in-the-middle (AiTM) architecture, the attackers gain real-time access by submitting the stolen credentials to the actual login page. The AiTM then tricks the real portal into initiating cross-device authentication and relays the resulting QR code back to the phishing page, where the victim unknowingly scans it and completes the authentication. This lets the attackers manipulate the victim's authentication sequence, sidestepping direct use of the victim's FIDO2 security key by substituting a QR code scan. The attackers abuse legitimate FIDO2 features rather than exploiting a vulnerability, demonstrating an advanced technique for bypassing strong multifactor authentication. Expel's analysis highlights the need for heightened awareness and improved detection techniques to combat such sophisticated phishing approaches effectively.
2025-07-19 12:52:09 bleepingcomputer MALWARE Popular JavaScript Libraries Compromised by Phishing Attacks
The popular npm packages eslint-config-prettier and eslint-plugin-prettier were hijacked to distribute malware, impacting over 30 million weekly downloads. The compromise occurred through a phishing attack that gave attackers unauthorized access to npm maintainer credentials, which were then used to publish infected package versions. The affected versions contain a malicious script designed to execute a DLL trojan on Windows systems, posing significant security risks. Initial detection was prompted by the community after observing discrepancies between the packages published on npm and their corresponding GitHub repositories. The package maintainer quickly responded by revoking the compromised npm token and deprecating the malicious versions. Developers are advised to avoid the specific affected versions of the packages, check system logs, and consider security measures like rotating exposed secrets. These incidents highlight ongoing vulnerabilities in the supply chain and the importance of stronger security practices among open-source maintainers.
2025-07-19 08:09:14 theregister NATION STATE ACTIVITY Ex-IDF Chief Discusses Iranian Cyber Tactics and Social Engineering
Ariel Parnes, former commander in Israel's elite cyber unit, highlights the growing sophistication of social engineering in cyberattacks led by Iran-backed groups and other hackers. Iranian threat actors and the hacker group Scattered Spider do not rely solely on advanced malware but employ effective social engineering to compromise targets. In a notable 2020 incident, Iranian hackers targeted an Israeli insurance company, stealing and leaking sensitive data which had a major psychological impact. Techniques include spear-phishing, the creation of fake professional profiles, and strategic misinformation spread via social media to amplify the effects of the breaches. Parnes emphasizes that the real power of such attacks lies not just in the data theft itself, but in the attackers' ability to manipulate public perception and fear. With advancements in AI, these actors can now expedite their target reconnaissance, generating detailed reports on individuals to craft more believable phishing attempts. The former IDF officer pointed out that even without state-level resources, effective social engineering only requires a deep understanding of the target's operations and culture. Moreover, he indicated potential collaborations between financially motivated groups like Scattered Spider and state-backed entities, illustrating a fusion of tactics that enhance these groups' threat capacity.
2025-07-19 02:54:03 bleepingcomputer CYBERCRIME Zero-Day Vulnerability in CrushFTP Exposes Servers to Hijack
A zero-day vulnerability has been identified in CrushFTP that allows administrative access via the web interface. CVE-2025-54309 was first exploited around July 18th and affects versions prior to CrushFTP v10.8.5 and v11.3.4_23. CrushFTP's patches released after July 1 address the vulnerability, but unpatched systems remain at risk. Threat actors likely reverse-engineered the software to discover and exploit the vulnerability. CrushFTP highlights the importance of regular patching to prevent exploitation, and systems using a DMZ configuration or that were patched in time are reportedly not impacted. CrushFTP advises administrators of compromised systems to restore settings from backups taken before July 16th. Rapid7 cautions against relying on DMZs alone as a mitigation against such exploits.
2025-07-18 22:35:08 bleepingcomputer CYBERCRIME Zero-Day Exploited to Gain Admin Rights on CrushFTP Servers
CrushFTP has identified active exploitation of a zero-day vulnerability, CVE-2025-54309, which allows administrative access via its web interface. The vulnerability impacts versions prior to CrushFTP v10.8.5 and v11.3.4_23, with patched versions available since around July 1st. The flaw was inadvertently blocked by a prior unrelated fix but has since been specifically addressed in later updates. CrushFTP advises that systems which are regularly updated are not at risk, and that affected systems should restore configurations from backups taken before July 16th as a precaution. Rapid7 has criticized the use of DMZs (demilitarized zones) as an ineffective preventive measure against this type of exploit. The attackers' exact motives remain unclear, but managed file transfer systems have historically been targeted for data theft and ransomware attacks. Security experts recommend regular system updates and monitoring upload and download logs for anomalies to mitigate such vulnerabilities.
2025-07-18 22:28:39 bleepingcomputer CYBERCRIME CrushFTP Zero-Day Exploitation Grants Unauthorized Admin Access
A zero-day vulnerability in CrushFTP software, tracked as CVE-2025-54309, allows attackers administrative access via the web interface. The vulnerability affects versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4_23; systems updated after July 1st are patched against this exploit. Threat actors possibly reverse-engineered the software to exploit outdated versions, which had not patched this newly discovered bug. The initial detection of the exploit occurred on July 18th, with potential earlier activity starting the previous day. CrushFTP's previous security updates inadvertently mitigated the issue, though they targeted a different problem related to HTTP(S) AS2. Administrators with compromised systems should restore configurations from backups prior to July 16th and review logs for unusual activity. Rapid7 cautions against using DMZ (demilitarized zone) configurations as the sole strategy for defending against such exploits. It is still unclear if this exploit has been used for data theft or to deploy other malicious software.
2025-07-18 21:16:11 bleepingcomputer MALWARE Arch Linux Removes Malware-Infected AUR Packages
Arch Linux has removed three AUR packages that were found to install the CHAOS remote access trojan on devices. The malicious packages, named "librewolf-fix-bin", "firefox-patch-bin", and "zen-browser-patched-bin", were uploaded on July 16 and removed by July 18 after community reports. These packages pulled in a script from a GitHub repository operated by the uploader, which was actually a trojan rather than a legitimate software patch. Users who installed the packages may find a "systemd-initd" executable in the /tmp folder, which indicates infection. A dormant Reddit account was revived to promote the malicious packages, suggesting a possible account compromise. CHAOS RAT, the trojan installed by these packages, can perform functions like file management, command execution, and a reverse shell, giving attackers remote control. The Arch Linux team advises anyone who installed these packages to remove them and verify their system's integrity to prevent further compromise.
2025-07-18 19:42:52 bleepingcomputer NATION STATE ACTIVITY UK NCSC Links Russian GRU to Sophisticated Email Espionage Malware
The UK National Cyber Security Centre (NCSC) has attributed the "Authentic Antics" malware to Russia's GRU, specifically to the cyber threat group APT28, also known as Fancy Bear. Authentic Antics targets Microsoft 365, stealing credentials and OAuth 2.0 tokens to gain access to email accounts. The malware operates by embedding itself within the Outlook process and triggering multiple Microsoft login prompts to steal sign-in data and authorization codes. Stolen data is exfiltrated using the victim's own Outlook account, avoiding detection by disabling the "save to sent" option. Consisting of a dropper, an infostealer, and several PowerShell scripts, Authentic Antics does not require a C2 server; instead it uses the victim's email to send stolen data to an attacker-controlled address. It demonstrates high sophistication and stealth, maintaining lengthy, undetected access to victim accounts by minimizing its disk presence and storing data in Outlook-specific registry locations. The UK government imposed sanctions on three GRU units and 18 individuals linked to this and similar operations, stressing the increasing sophistication of the threat and its commitment to countering such espionage activities.
2025-07-18 18:57:21 thehackernews NATION STATE ACTIVITY Chinese Tool Extracts Data from Seized Phones at Borders
Cybersecurity researchers have identified a mobile forensics tool named Massistant used by Chinese law enforcement to extract data from confiscated phones. Developed by SDIC Intelligence Xiamen Information Co., formerly Meiya Pico, Massistant can access GPS data, SMS messages, images, and more. The tool requires physical access to the device for installation and is typically used at border checkpoints or in similar scenarios. Massistant and its predecessor, MFSocket, must be connected to forensic software running on a desktop to function, and the tool removes itself after use. It supports data extraction from a range of third-party apps, including Signal and Letstalk, extending its surveillance reach. The tool may not be limited to Android: related patents for extracting data, including voiceprints, point to potential iOS functionality. The company involved has been sanctioned by the U.S. for biometric surveillance and tracking activities, particularly targeting minorities in Xinjiang.
2025-07-18 18:26:45 thehackernews NATION STATE ACTIVITY UNG0002 Espionage Group Targets Asia with Advanced Cyber Tactics
The UNG0002 group has launched cyber espionage campaigns against multiple sectors in China, Hong Kong, and Pakistan, focusing mainly on industries like defense, energy, and healthcare. The campaigns, named Operation Cobalt Whisper and Operation AmberMist, used spear-phishing with LNK files and VBScripts disguised as resumes to deploy RATs and other malware. The Cobalt Strike and Metasploit post-exploitation tools were used to maintain and expand the attackers' foothold within compromised networks. Attack strategies included fake job applications and deceptive landing pages mimicking official government platforms to deliver malware such as Shadow RAT and INET RAT. Seqrite Labs first identified and documented these attack tactics in its reports, outlining the persistence and evolving methods of UNG0002. The exact origin of UNG0002 is uncertain, but evidence suggests it is a well-coordinated group from Southeast Asia specializing in espionage and intellectual property theft. The group's high adaptability and technical proficiency highlight the significant cybersecurity risk it poses to the targeted regions and sectors.
2025-07-18 18:26:45 bleepingcomputer CYBERCRIME Russian Alcohol Retailer WineLab Halts Operations After Ransomware Hit
WineLab, Russia's largest alcohol retailer and part of Novabev Group, has shuttered its stores following a ransomware attack. The cyberattack, identified on July 14, targeted Novabev's IT systems, causing significant disruption to operations and affecting the availability of essential services. Novabev confirmed the attackers demanded a ransom, which the company has refused to pay. The attack led to the temporary closure of physical stores and problems with online purchases, with the company's website and mobile app remaining non-operational since the incident. Novabev is actively working to mitigate the damage and restore full functionality, with its IT team engaged in extensive recovery efforts. While no ransomware group has so far claimed the attack and no evidence suggests customer personal data was compromised, the ongoing investigation continues to assess the full impact. The incident has drawn notice on hacker forums and has stirred discussion about the increasing trend of ransomware attacks within Russia, despite most major Russian ransomware groups traditionally avoiding local targets.
2025-07-18 18:18:08 thehackernews MALWARE Exploitation of Ivanti Vulnerabilities to Launch Cobalt Strike
Ivanti Connect Secure appliances were compromised using zero-day exploits to deliver new malware, MDifyLoader, and launch Cobalt Strike. The attacks, observed from December 2024 to July 2025, used CVE-2025-0282 and CVE-2025-22457, both of which enable remote code execution. MDifyLoader employs DLL side-loading to load an encoded Cobalt Strike beacon into memory, facilitating in-memory attacks. Attackers also used VShell, a Go-based remote access tool, and Fscan, a network scanning utility, both linked to Chinese hacking groups. The campaign included brute-force attacks against FTP, MS-SQL, and SSH servers and used the EternalBlue exploit for lateral movement. For long-term network access, the attackers also created new domain accounts and registered their malware as services or scheduled tasks.
2025-07-18 15:56:55 bleepingcomputer CYBERCRIME Japanese Police Release Decryptor for Phobos Ransomware Victims
Japanese authorities have released a free decryptor for victims of Phobos and 8-Base ransomware, allowing them to recover encrypted files at no cost. The decryptor is available on the Japanese police website and through Europol's NoMoreRansom project, and it is backed by the FBI. This release follows a substantial law enforcement action that disrupted the Phobos operation and led to the arrest of key suspects involved in distributing the ransomware. The decryptor is effective against files encrypted with extensions such as ".phobos", ".8base", ".elbie", ".faust", and ".LIZARD", with potential support for additional extensions. Some browsers may flag the decryptor as malware, but testing confirms it is safe and effective at decrypting files. In a case verified by BleepingComputer, the decryptor successfully restored all 150 files encrypted by a Phobos variant on a test system. Ransomware victims are encouraged to try the tool even if their files carry different extensions, as it may still decrypt their data.