• This week saw a lot of new cyber trouble. Hackers hit Fortinet and Chrome with new 0-day bugs. They also broke into supply chains and SaaS tools. Many hid inside trusted apps, browser alerts, and software updates. Big firms like Microsoft, Salesforce, and Google had to react fast — stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how fast fake news, AI


  • In October 2025, a significant breach exposed internal operational documents from APT35, also known as Charming Kitten, revealing that the Iranian state-sponsored group operates as a bureaucratized, quota-driven cyber-espionage unit with hierarchical command structures, performance metrics, and specialized attack teams. The leaked materials provide an unprecedented window into how this Islamic Revolutionary Guard Corps Intelligence […]

    The post APT35 Data Leak Uncovers the Iranian Hacker Group’s Operations and Tactics appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • NVIDIA has released security updates addressing two critical code injection vulnerabilities in its Isaac-GR00T robotics software platform. The flaws could allow attackers with local system access to execute arbitrary code, escalate privileges, and tamper with sensitive data, potentially compromising robotic systems and their underlying infrastructure. The vulnerabilities, tracked as CVE-2025-33183 and CVE-2025-33184, affect all versions […]

    The post NVIDIA Isaac-GROOT Flaws Let Attackers Inject Malicious Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A massive supply chain attack is targeting the NPM accounts of automation giant Zapier and the Ethereum Name Service (ENS).

    Identified by Aikido Security, the campaign is being orchestrated by the same threat actors responsible for the “Shai Hulud” self-propagating worm that first surfaced in September.

    This latest wave, self-titled “Shai Hulud: The Second Coming,” has compromised multiple core packages and created over 19,000 public repositories containing stolen credentials.

    The threat actor behind this campaign has pivoted from previous targets to inject malicious code directly into widely used dependencies within the Zapier and ENS ecosystems.

    Unlike typical static malware, this attack uses a self-propagating worm that can rapidly expand. Once a developer installs an infected package, the malware activates to harvest sensitive secrets, including NPM tokens, GitHub Personal Access Tokens (PATs), and cloud infrastructure keys.

    These stolen credentials are then immediately utilized to spread the infection further, creating a cascading effect across the open-source community. The speed of this propagation is alarming, with the impact surpassing the actor’s initial September campaign within just five hours of detection.

    Data Exfiltration Tactics

    The primary objective of this attack appears to be maximum disruption and data exposure. The malware runs TruffleHog, an open-source secret-scanning tool, against the infected environment to locate credentials, and the secrets it finds are then exfiltrated.

    The attackers are not keeping these credentials to themselves. They are also publishing them on GitHub, in repositories whose description reads “Shai Hulud: The Second Coming.”

    This public exposure multiplies the risk, because it lets other opportunistic threat actors weaponize the exposed keys before organizations can rotate them, Aikido Security told Cybersecurity News.

    The sheer volume of created repositories suggests a highly automated execution meant to overwhelm security teams and incident responders.

    The following packages have been confirmed as compromised and should be considered actively malicious.

    Ecosystem   Package name                          Status
    Zapier      zapier-platform-core                  Infected / Malicious
    Zapier      zapier-platform-cli                   Infected / Malicious
    Zapier      zapier-platform-schema                Infected / Malicious
    Zapier      @zapier/secret-scrubber               Infected / Malicious
    ENS         @ensdomains/ens-validation            Infected / Malicious
    ENS         @ensdomains/content-hash              Infected / Malicious
    ENS         ethereum-ens                          Infected / Malicious
    ENS         @ensdomains/react-ens-address         Infected / Malicious
    ENS         @ensdomains/ens-contracts             Infected / Malicious
    ENS         @ensdomains/ensjs                     Infected / Malicious
    ENS         @ensdomains/ens-archived-contracts    Infected / Malicious
    ENS         @ensdomains/dnssecoraclejs            Infected / Malicious

    Organizations utilizing any of the listed packages must assume a full compromise of their development environments. Security teams are urged to immediately rotate all GitHub, NPM, and cloud credentials to prevent unauthorized access.

    It is critical to audit all dependencies and specifically scan GitHub organizations and employee accounts for repositories matching the “Shai Hulud” description.

    To halt further spread, DevOps teams should temporarily disable npm install lifecycle scripts in CI/CD pipelines where possible (npm’s ignore-scripts setting turns off preinstall and postinstall hooks alike) and enforce Multi-Factor Authentication (MFA) for all package maintainers.

    Locking dependency versions and utilizing tools like SafeChain can help block the automatic execution of this malware while the ecosystem recovers.
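    The dependency audit recommended above, as an added example that is not part of the article and is not code from Aikido Security, Zapier or ENS: it loads an npm package-lock.json, flags every installed package that appears in the compromised list from the table, and surfaces any dependency that declares an install lifecycle script (npm records this as hasInstallScript in lockfileVersion 2/3 files). The lockfile embedded here is constructed for the demo and its version strings are placeholders, not the versions the attacker published.

```python
# Added example (not from the article or from Aikido/Zapier/ENS): audit an npm
# package-lock.json against the compromised-package list and surface every
# dependency that carries an install lifecycle script. The lockfile below is
# constructed for the demo; its version strings are placeholders.
import json

# Package names as listed in the article's table.
COMPROMISED = {
    "zapier-platform-core", "zapier-platform-cli", "zapier-platform-schema",
    "@zapier/secret-scrubber", "@ensdomains/ens-validation",
    "@ensdomains/content-hash", "ethereum-ens", "@ensdomains/react-ens-address",
    "@ensdomains/ens-contracts", "@ensdomains/ensjs",
    "@ensdomains/ens-archived-contracts", "@ensdomains/dnssecoraclejs",
}

# Constructed lockfileVersion 3 document. The "packages" map keyed by install
# path is npm's real v7+ layout; "hasInstallScript" is npm's own flag for a
# package that declares preinstall/install/postinstall hooks.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"zapier-platform-core": "0.0.0"}},
    "node_modules/zapier-platform-core": {"version": "0.0.0", "hasInstallScript": true},
    "node_modules/left-pad": {"version": "0.0.0"},
    "node_modules/some-native-addon": {"version": "0.0.0", "hasInstallScript": true},
    "node_modules/my-plugin": {"version": "0.0.0"},
    "node_modules/my-plugin/node_modules/@ensdomains/ensjs": {"version": "0.0.0", "hasInstallScript": true}
  }
}
""")


def package_name(install_path: str) -> str:
    """Map a lockfile key such as 'node_modules/a/node_modules/@scope/b' to '@scope/b'."""
    return install_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict, compromised: set) -> list:
    """Return one finding per installed package that is compromised or runs install scripts."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path)
        is_compromised = name in compromised
        has_script = bool(meta.get("hasInstallScript", False))
        if is_compromised or has_script:
            findings.append({
                "name": name,
                "version": meta.get("version"),
                "path": path,
                "compromised": is_compromised,
                "install_script": has_script,
            })
    # Compromised packages first so they head any report; nested installs are
    # caught too because the lookup is by package name, not by top-level path.
    findings.sort(key=lambda f: (not f["compromised"], f["path"]))
    return findings


def load_and_audit(lockfile_path: str, compromised: set = COMPROMISED) -> list:
    """Convenience wrapper for a real repository checkout."""
    with open(lockfile_path, "r", encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh), compromised)


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK, COMPROMISED):
        tag = "COMPROMISED" if f["compromised"] else "install-script"
        print(f"[{tag}] {f['name']}@{f['version']} ({f['path']})")
```

    Run load_and_audit("package-lock.json") in each repository; a non-empty compromised list means credential rotation, not just a package bump. The install-script findings are the packages that would execute code during npm install, which is the hook this worm relies on; npm ci --ignore-scripts (or ignore-scripts=true in .npmrc) blocks all of them while the ecosystem recovers, at the cost of breaking packages that legitimately build native code on install.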

    Indicator type      Value / Description
    Repo name pattern   Shai Hulud: The Second Coming
    Malware behavior    Automated execution of TruffleHog for secret scanning
    Targeted assets     NPM tokens, GitHub PATs, cloud keys
    Public repo count   > 19,000 malicious repositories created


    The post Zapier’s NPM Account Hacked and Multiple Packages Infected with Self-propagating Malware appeared first on Cyber Security News.


  • Zapier’s NPM account has been successfully compromised, leading to the injection of the Shai Hulud malware into 425 packages currently distributed across the npm ecosystem. The attack represents a significant supply chain threat, with the affected packages collectively generating approximately 132 million monthly downloads across critical infrastructure and development tools. The malware-laden packages span multiple […]

    The post Zapier’s NPM Account Hacked, Multiple Packages Infected with Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • The Linux kernel development team has released version 6.18-rc7, marking another step toward the final 6.18 release expected next weekend. According to kernel maintainer Linus Torvalds, the release cycle remains on track despite a minor setback in the previous version that required immediate attention. What’s New in rc7 The release candidate includes a more modest […]

    The post Linux 6.18-rc7 Released With New Bug Fixes and Driver Updates appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity researchers have uncovered a sophisticated Python-based malware that employs process injection techniques to hide inside legitimate Windows binaries.

    This threat represents a new evolution in fileless attack strategies, combining multi-layer obfuscation with trusted system utilities to evade detection.

    The malware’s ability to masquerade as harmless files while deploying a full Python runtime environment marks a significant advancement in delivery mechanisms that challenge traditional security approaches.

    During a routine analysis at K7 Labs, security researchers identified this novel threat that uses a 65 MB blob containing mostly filler data with a small valid marshalled .pyc fragment hidden at the end.

    This fragment contains the actual malicious code designed to inject processes into legitimate Windows executables.

    The sample demonstrates several advanced features including multi-layer encoding, archive type masquerading, and bundling of a Python runtime with a signed executable name that appears legitimate to casual observation.

    K7 Labs security analysts noted that the malware’s impact extends beyond initial infection, establishing persistent command-and-control communications that continue even after the original loader terminates.

    The infection chain begins with a PE dropper that reconstructs a batch script through runtime decryption using SIMD operations.

    This script drops config.bat into the public user directory, which then downloads a file disguised as a PNG image from cloud storage.

    In reality, this PNG file is a RAR archive—a simple but effective trick that bypasses security filters treating image files as harmless.

    The batch script extracts this archive using the built-in tar command, revealing three components: AsusMouseDriver.sys (a password-protected RAR disguised as a system file), Interput.json (renamed to Install.bat), and a legitimate WinRAR executable used for further extraction.

    Execution Flow Chart (Source – K7 Labs)

    Once executed, the Python interpreter processes command-line arguments “dcconsbot” and “dcaat” to trigger a sophisticated de-obfuscation chain through Base64 decoding, BZ2 decompression, Zlib decompression, and finally marshal loading to reconstruct the compiled Python bytecode in memory.

    This code immediately targets cvtres.exe, a legitimate Microsoft resource conversion utility, for process injection.

    Infection Mechanism Deep Dive

    The core infection mechanism leverages a carefully orchestrated multi-stage extraction process that demonstrates the attackers’ deep understanding of Windows internals and security tool behaviors.

    After the initial PE dropper executes, the config.bat script establishes C:\DragonAntivirus as a working directory before downloading the disguised archive.

    The Install.bat script then renames the bundled WinRAR executable and uses it to extract the password-protected AsusMouseDriver.sys archive with a hardcoded password into C:\Users\Public\WindowsSecurityA.

    This directory contains the fake ntoskrnl.exe (actually a bundled Python runtime) and the Lib\image blob containing the obfuscated payload.

    Deobfuscated content (Source – K7 Labs)

    A decoy PDF opens to distract users while malicious code executes silently, parsing the image file through the layered de-obfuscation routine before injecting into cvtres.exe and establishing encrypted C2 communications.

    # Simplified de-obfuscation chain
    import base64, bz2, zlib, marshal

    def deobfuscate_payload(image_data):
        # Layer 1: Base64 decoding
        stage1 = base64.b64decode(image_data)
        # Layer 2: BZ2 decompression
        stage2 = bz2.decompress(stage1)
        # Layer 3: Zlib decompression
        stage3 = zlib.decompress(stage2)
        # Layer 4: Marshal loading yields a compiled code object, not source;
        # the loader runs it with exec(), and it only loads under the same
        # interpreter version that produced it (the bundled runtime)
        final_payload = marshal.loads(stage3)
        return final_payload
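    The same chain from the analyst's side, as an added example that is neither K7 Labs' code nor the malware's: it rebuilds the packing order the article describes (marshal, then zlib, then bz2, then base64) for a harmless constructed snippet, hides the result at the end of filler bytes the way the sample's Lib\image blob does, then locates the tail, unpacks it, and lists the names the bytecode references without ever executing it. The filler, the snippet and the suspicious-name list are all constructed for the demo; the real blob is about 65 MB and the real payload injects into cvtres.exe.

```python
# Added example (not K7 Labs' code or the malware's): rebuild the packing
# chain (marshal -> zlib -> bz2 -> base64) for a harmless constructed snippet,
# bury it at the end of filler bytes, then locate, unpack and statically
# triage the tail without executing the recovered bytecode.
import base64
import bz2
import marshal
import types
import zlib

B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# Constructed stand-in for the real payload; it only references names and is
# never run. The real sample resolves Win32 APIs for injection and opens C2.
SAMPLE_SOURCE = (
    "import ctypes\n"
    "import socket\n"
    "\n"
    "def beacon():\n"
    "    open_process = ctypes.windll.kernel32.OpenProcess\n"
    "    sock = socket.socket()\n"
    "    return open_process, sock\n"
)

# Names whose presence in dropped Python bytecode warrants a closer look
# (assumed triage list, not an indicator from the report).
SUSPICIOUS_NAMES = {
    "ctypes", "windll", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "socket", "ssl", "subprocess",
}


def pack_like_sample(source: str) -> bytes:
    """Forward chain: compile -> marshal -> zlib -> bz2 -> base64 (reverse of the loader)."""
    code = compile(source, "<payload>", "exec")
    return base64.b64encode(bz2.compress(zlib.compress(marshal.dumps(code))))


# Deterministic filler standing in for the junk that pads the real blob.
FILLER = bytes((i * 7919) % 256 for i in range(4096))
BLOB = FILLER + pack_like_sample(SAMPLE_SOURCE)


def trailing_base64_run(blob: bytes) -> bytes:
    """Return the longest run of base64-alphabet bytes at the end of the blob."""
    i = len(blob)
    while i > 0 and blob[i - 1] in B64_ALPHABET:
        i -= 1
    return blob[i:]


def extract_tail_payload(blob: bytes, max_trim: int = 64):
    """Walk the decoding chain on the blob's tail; return the code object or None.

    Filler bytes that happen to be base64 characters can glue onto the front
    of the run, so the start is trimmed a byte at a time until the chain
    decodes cleanly. bz2/zlib reject garbage before marshal ever sees it, and
    marshal only parses; nothing here executes the payload.
    """
    run = trailing_base64_run(blob)
    for skip in range(min(max_trim, len(run))):
        try:
            stage = base64.b64decode(run[skip:], validate=True)
            stage = bz2.decompress(stage)
            stage = zlib.decompress(stage)
            code = marshal.loads(stage)
        except Exception:
            continue
        if isinstance(code, types.CodeType):
            return code
    return None


def triage(code: types.CodeType) -> dict:
    """Static triage: every global/attribute name the bytecode touches, nested functions included."""
    names = set()
    stack = [code]
    while stack:
        current = stack.pop()
        names.update(current.co_names)
        stack.extend(c for c in current.co_consts if isinstance(c, types.CodeType))
    hits = sorted(names & SUSPICIOUS_NAMES)
    return {"names": sorted(names), "suspicious_hits": hits,
            "verdict": "suspicious" if hits else "unclear"}


if __name__ == "__main__":
    found = extract_tail_payload(BLOB)
    print(triage(found) if found else "no marshalled payload at the tail")
```

    The one caveat that bites in practice: marshal output is tied to the interpreter version, so a real Lib\image blob has to be unpacked with the same Python release as the fake ntoskrnl.exe runtime bundled beside it, and the bytecode should still be inspected (co_names, co_consts, a disassembler) rather than handed to exec().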

    The malware’s ability to hide within legitimate Microsoft processes while maintaining encrypted communications channels makes it particularly dangerous for enterprise environments where traditional signature-based detection may fail to identify the threat.


    The post Threat Actors Leverage Python-based Malware to Inject Process into a Legitimate Windows Binary appeared first on Cyber Security News.


  • The rapid proliferation of large language models has transformed how organizations approach automation, coding, and research. Yet this technological advancement presents a double-edged sword: threat actors are increasingly exploring how to weaponize these tools for creating next-generation, autonomously operating malware. Recent research from Netskope Threat Labs reveals that GPT-3.5-Turbo and GPT-4 can be manipulated to […]

    The post LLMs Tools Like GPT-3.5-Turbo and GPT-4 Fuel the Development of Fully Autonomous Malware appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • New research from CrowdStrike has revealed that DeepSeek’s artificial intelligence (AI) reasoning model DeepSeek-R1 produces more security vulnerabilities in response to prompts that contain topics deemed politically sensitive by China. “We found that when DeepSeek-R1 receives prompts containing topics the Chinese Communist Party (CCP) likely considers politically sensitive, the likelihood of it


  • A sophisticated phishing campaign is currently leveraging a subtle typographical trick to bypass user vigilance, deceiving victims into handing over sensitive login credentials. Attackers utilize the domain “rnicrosoft.com” to impersonate the tech giant.

    By replacing the letter ‘m’ with the pair ‘r’ and ‘n’, fraudsters create a visual doppelgänger that is nearly indistinguishable from the legitimate domain at a casual glance.

    This technique, known as typosquatting, relies heavily on the font rendering used in modern email clients and web browsers.

    When placed closely together, the kerning between ‘r’ and ‘n’ often mimics the structure of the letter ‘m’, fooling the brain into autocorrecting the error.

    Harley Sugarman, CEO of Anagram, recently highlighted this specific vector, noting that the emails often mirror the official logo, layout, and tone of legitimate Microsoft correspondence.

    Visual Deception to Steal Logins

    The effectiveness of this attack vector lies in its subtlety. On high-resolution desktop monitors, the discrepancy might be visible to a keen observer, but the brain’s tendency to predict text often masks the anomaly.

    The threat becomes even more acute on mobile devices, where screen real estate is limited, and the address bar often truncates the full URL. Attackers exploit this by registering these look-alike domains to facilitate credential phishing, vendor invoice scams, and internal HR impersonation campaigns.

    Once the user is convinced the email is from a trusted entity, they are more likely to click on malicious links or download weaponized attachments.

    The “rn” swap is just one of several variations attackers use. Other common tactics include swapping the letter ‘o’ for a zero or adding hyphens to legitimate brand names to create a sense of authenticity.

    Defending against these homoglyph and typosquatting attacks requires a shift in user behavior rather than reliance on automated filters alone. Security experts advise users to expand the full sender address before interacting with any unsolicited email.

    Hovering over hyperlinks to reveal the actual destination URL or long-pressing the link on mobile devices can expose the deception before a connection is made.

    Furthermore, analyzing email headers, specifically the “Reply-To” field, can reveal if a scammer is routing responses to an external, uncontrolled inbox.

    In scenarios involving unexpected password reset requests, the safest course of action is to ignore the email link entirely and navigate directly to the official service via a new browser tab.

    Organizations are encouraged to rehearse these identification scenarios to stop teams from reflexively clicking on familiar-looking notifications.

    Common Typosquatting Variations

    Technique            Visual example             Deception method
    Letter combination   rnicrosoft(.)com           Uses ‘r’ and ‘n’ to mimic ‘m’.
    Number swapping      micros0ft(.)com            Replaces the letter ‘o’ with the digit ‘0’.
    Hyphenation          microsoft-support(.)com    Appends a legitimate-sounding word with a hyphen; this is a separate registrable domain, not a Microsoft subdomain.
    TLD switching        microsoft(.)co             Uses a different top-level domain (dropping the ‘m’).
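    The checks described above (expanding the sender address, comparing it against the brand it claims to be, and inspecting Reply-To) and the four variations in the table, as one added example that is not part of the article and is not Anagram's code: confusable sequences are folded into a comparison skeleton so that rnicrosoft, micros0ft, microsoft-support and microsoft.co all resolve back to the protected brand, and a constructed message is run through the same logic. The protected-brand list, the confusable pairs and the sample message are assumptions for the demo, and registrable-domain extraction is a two-label approximation; production code should use the public suffix list.

```python
# Added example (not from the article or from Anagram): lookalike-domain check
# that folds the confusable pairs the article lists into a comparison skeleton,
# plus the Reply-To divergence check. Brand list, confusable table and sample
# message are constructed assumptions for the demo.
import re
from email import message_from_string
from email.utils import parseaddr

# Character sequences that render like another letter in common fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Brands this check protects (assumed allow-list for the organisation).
PROTECTED = {"microsoft.com"}


def skeleton(label: str) -> str:
    """Collapse confusable sequences so visually similar labels compare equal."""
    s = label.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def registrable(host: str) -> str:
    """'login.microsoft.com' -> 'microsoft.com' (two-label approximation, no PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(sender_domain: str):
    """Return (verdict, protected domain matched, or the sender's own domain)."""
    dom = registrable(sender_domain)
    if dom in PROTECTED:
        return "trusted", dom
    name, _, tld = dom.rpartition(".")
    for protected in PROTECTED:
        pname, _, ptld = protected.rpartition(".")
        if skeleton(name) == skeleton(pname):
            # Same-looking name: either a confusable spelling or a TLD switch.
            return ("confusable" if tld == ptld else "tld-switch"), protected
        if pname in re.split(r"[-_]", skeleton(name)):
            # Brand embedded in a hyphenated name (microsoft-support.com).
            return "brand-in-name", protected
    return "unknown", dom


def check_message(raw: str) -> list:
    """Findings for one RFC 5322 message: lookalike From domain and Reply-To divergence."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", msg.get("From", "")))[1]
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_addr.rpartition("@")[2]
    findings = []
    verdict, match = classify(from_dom)
    if verdict not in ("trusted", "unknown"):
        findings.append(f"sender domain {from_dom} imitates {match} ({verdict})")
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return findings


# Constructed message, not a real phishing sample.
SAMPLE_MESSAGE = (
    "From: \"Microsoft Account Team\" <security@rnicrosoft.com>\r\n"
    "Reply-To: helpdesk@account-recovery.example\r\n"
    "Subject: Unusual sign-in activity\r\n"
    "\r\n"
    "Reset your password now.\r\n"
)

if __name__ == "__main__":
    for host in ["microsoft.com", "rnicrosoft.com", "micros0ft.com",
                 "microsoft-support.com", "microsoft.co", "example.org"]:
        print(host, classify(host))
    print(check_message(SAMPLE_MESSAGE))
```

    The skeleton approach is deliberately lossy: a legitimate domain containing a real ‘rn’ (for example a word like “corner”) will fold to something it is not, so the verdict is a signal for the mail gateway or the user to look harder, not a block decision on its own. The Reply-To check is independent of the lookalike logic and catches the cases where the From domain is spoofed outright but replies are routed to an attacker-controlled inbox.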


    The post Hackers Replace ‘m’ with ‘rn’ in Microsoft(.)com to Steal Users’ Login Credentials appeared first on Cyber Security News.
