{"id":20558,"date":"2025-09-15T09:39:16","date_gmt":"2025-09-15T07:39:16","guid":{"rendered":"https:\/\/kordon.app\/?p=20558"},"modified":"2025-09-15T10:36:19","modified_gmt":"2025-09-15T08:36:19","slug":"cybersecurity-news-worth-your-attention-this-week-summarised-2025-09-15","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/cybersecurity-news-worth-your-attention-this-week-summarised-2025-09-15\/","title":{"rendered":"Cybersecurity News Worth Your Attention This Week Summarised \u2013 2025-09-15"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>This week feels like a greatest hits album of \u201cwhat could possibly go wrong.\u201d We\u2019ve got <strong>npm packages with 2 billion total downloads getting phished!<\/strong>, a <strong>Chinese APT sneaking around entirely in memory<\/strong>, and <strong>AI-branded apps that look shiny<\/strong> <strong>and good<\/strong>, actually do what they are supposed to <strong>but turn out to be pure malware.<\/strong> Kind of starting to feel like this is an impossible fight &#8230;<\/p>\n\n\n\n<p>P.S. If you get value out of this summary, make sure to <strong>subscribe<\/strong> to it via e-mail (scroll down) or we also publish it on our <a href=\"https:\/\/www.linkedin.com\/company\/kordon-app\" title=\"\">LinkedIn<\/a> every Monday.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. 
Massive npm Supply Chain Attack Compromises 18 Packages with 2 Billion Weekly Downloads<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">On September 8, <strong>attackers phished a maintainer via a spoofed npm support email and injected obfuscated, browser\u2010based malware into 18 high-use npm packages \u2014 chalk, debug, ansi-styles and others totaling 2 billion weekly downloads.<\/strong> The code hooks into Web3\/browser APIs to <strong>silently rewrite cryptocurrency transaction destinations, <\/strong>redirecting funds to attacker-controlled wallets; actual theft was under $1,000. <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compromised packages include <strong>chalk (300 M)<\/strong>, <strong>debug (358 M)<\/strong>, <strong>ansi-styles (371 M)<\/strong>.<\/li>\n\n\n\n<li>Phishing domain \u201c[censored].help\u201d mimicked npmjs.org to <strong>steal 2FA credentials<\/strong><\/li>\n\n\n\n<li>Malware hooks fetch, XMLHttpRequest, window.ethereum, etc., to swap wallet addresses<\/li>\n\n\n\n<li><strong>Aikido detected and disclosed the breach within minutes; <\/strong>theft tracked at ~$970<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.aikido.dev\/blog\/npm-debug-and-chalk-packages-compromised\">Aikido Security<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4053725\/massive-npm-supply-chain-attack-hits-18-popular-packages-with-2b-weekly-downloads.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Chinese APT Deploys EggStreme Fileless Malware Against Philippine Military Contractor<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Security researchers at Bitdefender uncovered <strong>EggStreme, a novel fileless malware framework used by a China-linked APT to infiltrate a Philippine military company<\/strong> over a year-long espionage campaign.  
EggStreme\u2019s core backdoor\u2014EggStremeAgent\u2014<strong>executes entirely in memory via DLL sideloading, keylogging, and gRPC-based C2 communications<\/strong>, enabling stealthy reconnaissance, lateral movement, and data theft.  <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>EggStremeAgent supports 58 commands<\/strong> &#8211; including system profiling, shellcode execution, and an injected keylogger tracking keystrokes and clipboard data.<\/li>\n\n\n\n<li><strong>Malware uses legitimate Windows services and DLL sideloading to load encrypted modules into memory,<\/strong> leaving no decrypted payloads on disk.<\/li>\n\n\n\n<li>All C2 traffic uses encrypted gRPC channels, and <strong>attackers maintain fallback servers for resilience.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/businessinsights\/eggstreme-fileless-malware-cyberattack-apac\">Bitdefender<\/a>, <a href=\"https:\/\/therecord.media\/philippines-military-company-suspected-china-espionage-eggstreme-malware\">The Record<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. EvilAI Malware Uses AI-Driven Fake Productivity Apps to Evade Detection<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A new campaign tracked as \"EvilAI\" hides Trojan-style malware inside fully functional, AI-branded tools with realistic UIs and valid digital signatures.<\/strong> In just one week, Trend Micro has spotted hundreds of organizations across manufacturing, government, healthcare and more infected via search ads, social media and fake vendor portals.  <strong>EvilAI apps perform normal tasks while mapping environments, disabling browsers and security products, then laying groundwork for future payloads\u2014leaving static antivirus defenses blind to their activity.  
<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operators created new \u201cdisposable\u201d companies to get code-signing certificates<\/strong> for apps like Recipe Maker and Manual Finder.<\/li>\n\n\n\n<li><strong>Distribution via malicious search-engine ads, promoted links<\/strong> and counterfeit vendor sites.<\/li>\n\n\n\n<li>After install, apps scan for installed AV\/EDR, kill Edge\/Chrome processes and <strong>disable Bitdefender, Kaspersky and Fortinet products.<\/strong><\/li>\n\n\n\n<li>Uses control-flow flattening, anti-analysis loops and registry\/scheduled-task persistence to thwart signature scanners.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enforce application allow-listing<\/strong> for unapproved tools.<\/li>\n\n\n\n<li><strong>Share this with your organisation<\/strong> as an example that even very legitimate-looking apps can be malicious.<\/li>\n\n\n\n<li><strong>Validate digital certificates<\/strong> against known trusted vendors.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/i\/evilai.html\" title=\"\">Trend Micro<\/a><strong>, <\/strong><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/ai-backed-malware-hits-companies-worldwide\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. GhostAction campaign exfiltrates 3,325 secrets via malicious GitHub Actions workflows<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Attackers injected a rogue GitHub Actions workflow into the FastUUID project<\/strong> on September 2, harvesting 3,325 secrets from 817 repositories, including <strong>PyPI, npm, DockerHub, AWS, Cloudflare and GitHub tokens<\/strong>, before being contained on September 5. 
<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malicious workflow introduced by \u201cGrommash9\u201d on Sep 2 in the FastUUID repository<\/li>\n\n\n\n<li><strong>Campaign spread to 817 repos, affecting 327 users and exfiltrating secrets via HTTP POST to a single endpoint<\/strong><\/li>\n\n\n\n<li><strong>Stolen tokens<\/strong> span PyPI, npm, DockerHub, GitHub, Cloudflare API, AWS access keys and database credentials<\/li>\n\n\n\n<li>GitGuardian contained the attack on Sep 5. <strong>573 projects notified; 9 npm and 15 PyPI packages still at risk<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit all GitHub Actions workflows <\/strong>for unauthorized changes<\/li>\n\n\n\n<li>Rotate and revoke any potentially exposed tokens immediately<\/li>\n\n\n\n<li><strong>Enforce least-privilege permissions on CI\/CD secrets and workflows<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4052826\/ghostaction-campaign-steals-3325-secrets-in-github-supply-chain-attack.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Legacy OAuth Tokens in SalesLoft-Drift Deal Expose Fourth-Party Risk<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A recent breach of SalesLoft\u2019s acquired Drift chat platform abused dormant OAuth tokens\u2014some inactive for over 18 months\u2014to pivot into customer Salesforce and Google Workspace environments.<strong> The incident underscores \u201cfourth-party\u201d risk, where organizations inherit unseen integrations and permissions through vendor M&amp;A, greatly expanding their attack surface beyond traditional third-party controls.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Attackers leveraged active <strong>Drift OAuth tokens to access hundreds of Salesforce instances and some Google Workspace accounts.<\/strong><\/li>\n\n\n\n<li>Tokens likely predated SalesLoft\u2019s February 2024 acquisition of Drift and remained valid until explicitly revoked.<\/li>\n\n\n\n<li>Traditional vendor assessments rarely track a supplier\u2019s acquisition history or inherited OAuth access.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Start monitoring M&amp;A activity of your high-risk vendors<\/strong> (set up a Google Alert)<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4053891\/what-the-salesloft-drift-breaches-reveal-about-4th-party-risk.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Compromised ScreenConnect Used to Deploy Fileless AsyncRAT via In-Memory Loader<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Security researchers at <strong>LevelBlue Labs uncovered a fileless attack chain that leverages a compromised ScreenConnect client to load AsyncRAT entirely in memory<\/strong>, bypassing disk-based defenses. 
<br>The multi-stage VBScript and PowerShell loader uses .NET reflection, AMSI\/ETW disabling, and a disguised scheduled task for persistence, exposing organizations to credential theft and full remote control.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Initial access via unauthorized ScreenConnect relay at relay.shipperzone.online<\/li>\n\n\n\n<li>Update.vbs script runs PowerShell to fetch two .NET payloads (`logs.ldk`, `logs.ldr`) into memory<\/li>\n\n\n\n<li>Loader assembly patches AMSI and ETW, then invokes secondary AsyncRAT assembly via reflection<\/li>\n\n\n\n<li><strong>Persistence achieved by a scheduled task named \u201cSkype Update\u201d; C2 config encrypted with AES-256 linking to DuckDNS server<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alert on scheduled tasks using updater-style names and monitor AMSI\/ETW modifications<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4056389\/stealthy-asyncrat-flees-the-disk-for-a-fileless-infection.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. VoidProxy PhaaS Uses AitM Phishing to Bypass MFA on Microsoft, Google Accounts<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Okta researchers discovered VoidProxy, a phishing-as-a-service platform<\/strong> using Adversary-in-the-Middle techniques to intercept passwords, MFA codes, and session tokens from Microsoft and Google login flows. 
The scalable, multi-layered attack bypasses SMS and OTP protections, leveraging disposable domains and Cloudflare defenses to evade email filters and security tools.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Phishing emails sent from compromised ESP accounts redirect through URL shorteners and multiple Cloudflare-protected domains.<\/li>\n\n\n\n<li><strong>Users face a CAPTCHA check then a perfect replica of Microsoft or Google login pages; automated scanners see only a benign \u201cWelcome\u201d page.<\/strong><\/li>\n\n\n\n<li><strong>VoidProxy\u2019s reverse proxy captures credentials, MFA codes, and session cookies<\/strong>, enabling attackers to hijack validated sessions.<\/li>\n\n\n\n<li>Anti-analysis measures include dynamic DNS, disposable low-cost TLDs, and Cloudflare Workers to mask infrastructure.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Consider enforcing phishing-resistant authenticators<\/strong> (passkeys, security keys) for more employees.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4056512\/voidproxy-phishing-as-a-service-operation-steals-microsoft-google-login-credentials.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">8. New Salty2FA Phishing Kit Evolves to Enterprise-Grade, Bypasses MFA<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Salty2FA phishing kit now uses advanced subdomain rotation, dynamic branding, multiple MFA simulations and anti-research tactics to mimic enterprise software. 
Static IOCs and traditional defenses fail against these enterprise-grade phishing campaigns.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Rotates subdomains every session to evade blacklists and tracking<\/strong><\/li>\n\n\n\n<li>Auto-applies authentic corporate branding for six different MFA flows<\/li>\n\n\n\n<li>Leverages legitimate platforms (e.g., Aha.io trial) to host phishing lures<\/li>\n\n\n\n<li>Uses geo-blocking, ASN\/IP filtering and JavaScript anti-debugging<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/salty2fa-phishing-kits-enterprise-level\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Apple Debuts Memory Integrity Enforcement in iPhone 17 and iPhone Air to Counter Mercenary Spyware<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Apple\u2019s upcoming iPhone 17 and iPhone Air will ship with Memory Integrity Enforcement (MIE), a hardware-and-firmware feature that enforces real-time memory tagging to block buffer overflows and use-after-free exploits. <\/strong>By integrating Enhanced Memory Tagging Extension (EMTE) in the new A19 and A19 Pro chips, Apple raises the bar for mercenary spyware developers, <strong>making zero-click exploit chains costlier and harder to build<\/strong> and offering customers industry-first, always-on memory safety without performance impact.<\/pre>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/apple-iphone-17-memory-integrity-enforcement\/\">Cybersecurity News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
AI-Powered Villager Framework Automates Advanced Attacks via Kali Linux and DeepSeek AI<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Villager is a new AI-driven penetration testing framework that integrates Kali Linux tools with DeepSeek AI to fully automate multi-stage cyber attacks.<\/strong> Distributed via PyPI with self-destructing containers and randomized SSH ports, it lowers the skill barrier for sophisticated intrusions and compresses detection and response windows for enterprises.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Developed by China-based Cyberspike and released on PyPI in July 2025, <strong>Villager hit over 10,000 downloads in two months.<\/strong><\/li>\n\n\n\n<li>Uses a Model Context Protocol (MCP) client on port 25989 with a database of 4,201 AI prompts to orchestrate exploits.<\/li>\n\n\n\n<li>Spawns isolated Kali Linux containers for scanning and assessment, auto-wiping logs after 24 hours and rotating SSH ports.<\/li>\n\n\n\n<li>Integrates DeepSeek AI (\u201cal-1s-20250421\u201d model via HTTP API) to adapt attack steps, e.g., launching WPScan on WordPress targets.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/villager-ai-powered-pentesting-tool\/\">Cybersecurity News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">11. ToneShell Backdoor Abuses Windows Task Scheduler COM Service for Stealthy Persistence<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>The latest ToneShell variant leverages the Windows Task Scheduler COM interfaces to create a one-minute recurring task, ensuring its payload runs continuously from %APPDATA%, bypassing registry run-key detections.  
<\/strong><br><br>Delivered via sideloaded DLLs in themed archives, it evades sandbox checks and blends into the user profile structure, complicating discovery by traditional file-based or service-installation heuristics.  <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Archives contain a legitimate loader and a renamed malicious DLL that probes for sandbox artifacts.<\/li>\n\n\n\n<li>Backdoor copies itself and Visual C++ runtime libraries to a new subfolder under %APPDATA% to avoid scrutiny.<\/li>\n\n\n\n<li><strong>Uses ITaskService and IRegisteredTask COM interfaces to register a \u201cdokanctl\u201d scheduled task in the root folder.<\/strong><\/li>\n\n\n\n<li><strong>The task runs %APPDATA%\\svchosts.exe every minute, masquerading as a legitimate Windows process.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit root-folder tasks for unexpected names or executables in %APPDATA%.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/new-toneshell-backdoor-with-new-features-leverage\/\">Cybersecurity News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive a weekly cybersecurity news summary in your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            \n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This week\u2019s summary of the latest cybersecurity news from September 2025 feels like a greatest hits album of \u201cwhat could possibly go wrong.\u201d We\u2019ve got npm packages with 2 billion total downloads getting phished!, a Chinese APT sneaking around entirely in memory, and AI-branded apps that look shiny, actually do what they are supposed to but turn out to be pure malware. 
Kind of feels that this is becoming an impossible fight &#8230;<\/p>","protected":false},"author":1,"featured_media":20568,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20558","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20558"}],"version-history":[{"count":18,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20558\/revisions"}],"predecessor-version":[{"id":20577,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20558\/revisions\/20577"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20568"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}