Jamf Threat Labs has identified a new family of malicious stealers tracked as DigitStealer, representing a significant evolution in macOS-targeted malware. Unlike traditional infostealers that follow linear execution paths, DigitStealer introduced sophisticated multi-stage attack techniques, extensive anti-analysis checks, and novel persistence mechanisms, demonstrating the threat actors’ deep understanding of macOS architecture. The DigitStealer campaign begins […]
Cybersecurity researchers have uncovered a sophisticated campaign where threat actors abuse legitimate JSON storage services to deliver malware to software developers.
The campaign, known as Contagious Interview, represents a significant shift in how attackers are concealing malicious payloads within seemingly legitimate development projects.
By exploiting platforms such as JSON Keeper, JSONsilo, and npoint.io, threat actors have found a way to blend malicious code delivery into legitimate traffic, making detection increasingly difficult.
The Contagious Interview campaign has been active since at least 2023 and is aligned with Democratic People’s Republic of Korea (DPRK) actors.
The operation specifically targets software developers across Windows, Linux, and macOS systems, with particular focus on those working in cryptocurrency and Web3 projects.
The attackers’ goal is financial gain, aiming to steal sensitive information and digital assets from victims.
Initial access is gained through meticulously crafted social engineering tactics, where fake recruiters approach potential victims on job searching platforms like LinkedIn with compelling job opportunities.
The attack typically begins with a professionally crafted message from a fake recruiter claiming to represent a legitimate company working on real estate or Web3 projects.
Overview of the Contagious Interview malware campaign (Source – NVISO Labs)
After several messages exchanging pleasantries and discussing the role, the recruiter shares a demo project hosted on GitLab or GitHub as part of an interview assessment.
NVISO Labs security analysts identified that this approach successfully tricks developers into downloading and executing trojanized code.
Attack Mechanism
The demo projects appear legitimate, featuring detailed readme files and professional layouts that showcase real estate platforms or cryptocurrency applications, creating a convincing facade.
Once developers download and run the projects using Node.js, the infection chain begins. The real technical cleverness lies in how the malware is delivered.
Configuration files within these projects contain base64-encoded variables that mask JSON storage service URLs. When decoded, these variables reveal links to JSON Keeper or similar platforms hosting heavily obfuscated JavaScript code.
This code is automatically fetched and executed through legitimate Node.js operations, making it difficult for traditional security tools to catch the attack.
The obfuscated JavaScript fetches the BeaverTail infostealer, which specializes in stealing wallet information, system data, and browser extension information related to cryptocurrency.
Following BeaverTail execution, the InvisibleFerret Remote Access Tool is deployed in subsequent stages.
This modular framework, written in Python, carries multiple capabilities, including data exfiltration, system fingerprinting, and downloading additional payloads.
The attack chain continues through multiple stages, utilizing legitimate services like Pastebin and Railway to host payloads and evade detection.
What distinguishes this campaign is the attacker’s sophisticated use of legitimate infrastructure to avoid detection.
By hosting malware through widely used JSON storage services and code repositories, the threat actors ensure their traffic appears normal.
Organizations should exercise extreme caution when receiving unsolicited code from recruiters or any unknown sources.
Inspecting configuration files for suspicious API keys and monitoring Node.js execution behaviors can help identify and prevent similar attacks before the threat establishes itself within the network.
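One way to do the configuration-file inspection recommended above, as an added defensive example that is not code from the NVISO Labs write-up or from the campaign: it scans the text of a Node.js config file for base64 string literals that decode to URLs, the concealment technique described earlier, and marks any URL whose host belongs to a JSON storage service. The host list is an assumption drawn from the service names in the article, and the sample config is constructed for the demonstration.

```javascript
// Added defensive example; not code from the NVISO Labs write-up or from the
// campaign itself. It scans the text of a Node.js config file for base64 string
// literals that decode to URLs and marks any URL whose host belongs to a JSON
// storage service.

// Host list is an assumption derived from the service names in the article.
const JSON_STORAGE_HOSTS = ["jsonkeeper.com", "jsonsilo.com", "npoint.io"];

// Quoted string literal made only of base64 characters, 16+ long, optional padding.
const BASE64_LITERAL = /["'`]([A-Za-z0-9+/]{16,}={0,2})["'`]/g;

// Decode a candidate and keep it only if it round-trips and is printable ASCII,
// which filters out hashes and random tokens that merely look like base64.
function decodeBase64(candidate) {
  const buf = Buffer.from(candidate, "base64");
  const strip = s => s.replace(/=+$/, "");
  if (strip(buf.toString("base64")) !== strip(candidate)) return null;
  const text = buf.toString("utf8");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Return URL details if the decoded text is an http(s) URL, else null.
function classifyUrl(text) {
  let url;
  try { url = new URL(text); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  const host = url.hostname;
  const jsonStorage = JSON_STORAGE_HOSTS.some(h => host === h || host.endsWith("." + h));
  return { url: url.href, host, jsonStorage };
}

// Scan config text and report every base64 literal that hides a URL.
function findHiddenUrls(sourceText) {
  const findings = [];
  for (const match of sourceText.matchAll(BASE64_LITERAL)) {
    const decoded = decodeBase64(match[1]);
    if (decoded === null) continue;
    const info = classifyUrl(decoded);
    if (info) findings.push({ literal: match[1], ...info });
  }
  return findings;
}

// Constructed sample config (not from a real project): the URLs are encoded at
// runtime so the file mirrors the layout the article describes.
const b64 = s => Buffer.from(s, "utf8").toString("base64");
const SAMPLE_CONFIG = [
  "module.exports = {",
  `  apiKey: "${b64("https://www.jsonkeeper.com/b/EXAMPLE")}",`,
  `  cdnBase: "${b64("https://cdn.example.org/app.js")}",`,
  `  sessionSecret: "${b64("session-secret-value")}",`,
  "};",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findHiddenUrls(SAMPLE_CONFIG)) {
    console.log(`${f.jsonStorage ? "SUSPICIOUS" : "info      "} ${f.url}`);
  }
}
```

Run it over a project's config, .env loaders and build scripts before executing anything from an unsolicited repository; a decoded URL sitting behind a variable named like an API key is the signal the article points at, and a hit on a JSON storage host deserves a closer look at whatever code fetches it.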
A new campaign leveraging Formbook malware has emerged, showcasing sophisticated multi-stage infection tactics that underscore the importance of analyzing more than just executable files during malware investigations. When teaching malware reverse-engineering in courses like SANS FOR610, it’s critical to address that reverse engineering applies to every component in the infection chain, not just PE or […]
Cisco has released security updates to address two critical vulnerabilities in Unified Contact Center Express (Unified CCX) that could allow unauthenticated attackers to execute arbitrary commands with root privileges and bypass authentication mechanisms.
The flaws, tracked as CVE-2025-20354 and CVE-2025-20358, affect the Java Remote Method Invocation (RMI) process and CCX Editor application, respectively.
Both vulnerabilities stem from improper authentication mechanisms and carry CVSS base scores of 9.8 and 9.4, respectively, earning a “Critical” severity rating from Cisco.
CVE-2025-20354 represents the more severe threat, enabling remote attackers to upload malicious files through the Java RMI process without authentication.
Successful exploitation enables attackers to execute arbitrary commands on the underlying operating system with root privileges, granting complete system control.
CVE-2025-20358 targets the CCX Editor application, allowing attackers to circumvent authentication by redirecting the authentication flow to a malicious server.
This tricks the CCX Editor into granting administrative permissions for script creation and execution. While exploitation results in access as an internal non-root user rather than root, attackers can still create and execute arbitrary scripts on the affected server.
Cisco Unified CCX Vulnerability
The vulnerabilities affect all Cisco Unified CCX deployments regardless of configuration. Cisco has confirmed that related products, including Packaged Contact Center Enterprise and Unified Contact Center Enterprise, are not impacted by these flaws.
The authentication bypass in CVE-2025-20358 exploits weaknesses in communication protocols between the CCX Editor and Unified CCX servers, while CVE-2025-20354 leverages insufficient validation in the Java RMI process to enable arbitrary file uploads.
Cisco has released patches for affected versions:
Cisco Unified CCX 12.5 SU3 and earlier: Upgrade to 12.5 SU3 ES07
Cisco Unified CCX 15.0: Upgrade to 15.0 ES01
No workarounds are available to mitigate these vulnerabilities. Cisco strongly recommends that organizations running affected versions upgrade to the fixed releases immediately to remediate the security risks fully.
Organizations using Cisco Unified CCX should prioritize patching these vulnerabilities given their critical severity and the potential for unauthenticated remote code execution.
The Cisco Product Security Incident Response Team reports no evidence of active exploitation or public proof-of-concept code at this time, providing a window for proactive remediation.
System administrators should verify their current Unified CCX versions and schedule maintenance windows to apply the security updates. Given the lack of workarounds, patching remains the only effective defense against these vulnerabilities.
Researchers at Group-IB have uncovered a sophisticated phishing framework that demonstrates how cybercriminals are industrializing credential theft through automation, evasion techniques, and Telegram-based data exfiltration. The kit explicitly targets Aruba S.p.A., an Italian IT services provider serving over 5.4 million customers, highlighting the significant financial and operational risks posed by modern phishing-as-a-service operations. The analyzed […]
Security researcher Paul McCarty uncovered a significant coordinated spam campaign targeting the npm ecosystem.
The IndonesianFoods worm, as it has been named, consists of more than 43,000 spam packages published across at least eleven user accounts over almost two years.
These packages have survived undetected, representing more than one percent of the entire npm registry while waiting for activation.
The campaign’s scope is alarming. A single execution of the malicious script can publish approximately twelve packages per minute, generating around 720 per hour or 17,000 per day.
The attack leverages a clever naming scheme that uses Indonesian names like “andi” and “budi” combined with food terms such as “rendang” and “sate,” followed by random numbers and suffixes like “-kyuki” or “-breki.”
Examples include packages named “zul-tapai9-kyuki” and “andi-rendang23-breki.” This distinctive pattern creates camouflage within the repository while remaining traceable.
Each package appears legitimate on first inspection, containing standard Next[.]js project structures with proper configuration files, legitimate dependencies like React and Tailwind CSS, and professional documentation.
The malicious component lies in hidden script files named either “auto[.]js” or “publishScript[.]js,” which sit dormant and unreferenced in the package structure.
ENDOR Labs security analysts identified that these packages were part of an attack first described in April 2024, where attackers abuse the TEA protocol meant for rewarding open source contributions.
The platform tracks cryptocurrency rewards for ecosystem participants, which the attackers exploited to monetize their spam campaign.
At least one maintainer appeared to be an Indonesian software engineer, explaining the regional specificity of this operation.
The Worm’s Self-Replicating Mechanism: How Dormant Code Activates and Spreads
The IndonesianFoods worm demonstrates a particularly insidious spreading mechanism through dependency chains.
When the malicious script is executed manually—triggered by a command like “node auto[.]js”—it performs three actions in sequence. First, it removes the "private": true flag from package[.]json files, a protection developers use to prevent accidental publication of proprietary code.
Second, it generates random version numbers like “2.3.1” to bypass npm’s duplicate detection systems.
Third, it updates the package[.]json and package-lock[.]json files, then runs “npm publish --access public” to flood the registry with new packages on a seven to ten-second cycle.
What makes this attack particularly dangerous is that each spam package references eight to ten additional spam packages as dependencies.
When developers install one contaminated package, npm automatically fetches its entire dependency tree, potentially pulling in over a hundred related spam packages in cascade.
Installing a single package could expose systems to exponential proliferation of malicious packages across the registry.
Some of these packages accumulated thousands of weekly downloads, creating opportunities for attackers to inject actual malicious code in future updates affecting massive numbers of installations.
The monetization aspect through TEA token rewards demonstrates attackers are earning cryptocurrency through artificial ecosystem value, with some packages openly displaying their earned token amounts in their documentation, reinforcing the financial motivation behind this coordinated, two-year operation.
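The traits described above (the name pattern, the dormant and unreferenced auto.js or publishScript.js file, and the dependency cascade) can be checked mechanically. The following is an added defensive example, not code from the Endor Labs analysis or from the worm: it audits an in-memory model of npm manifests and walks the dependency graph from one install root to count how many flagged packages that install would pull in. The name regex and the suffix list are assumptions generalized from the article's examples, the file names are written undefanged, and the registry contents are constructed for the demonstration, not real packages.

```javascript
// Added defensive example; not from the Endor Labs analysis or from the worm.
// Audits package manifests for the IndonesianFoods traits and measures how far
// installing one package would cascade through its dependencies.

// Name pattern generalized from the article's examples ("zul-tapai9-kyuki",
// "andi-rendang23-breki"); the suffix list is an assumption.
const SPAM_NAME = /^[a-z]+-[a-z]+\d+-(?:kyuki|breki)$/;
// Script file names reported as dormant in the packages.
const DORMANT_SCRIPTS = ["auto.js", "publishScript.js"];

// Constructed sample registry: package name -> manifest fields plus file list.
// None of these are real packages.
const SAMPLE_REGISTRY = {
  "zul-tapai9-kyuki": {
    files: ["package.json", "README.md", "pages/index.js", "auto.js"],
    main: "pages/index.js",
    scripts: { dev: "next dev", build: "next build" },
    dependencies: { react: "^18.2.0", "andi-rendang23-breki": "^2.3.1", "budi-sate7-kyuki": "^1.0.4" },
  },
  "andi-rendang23-breki": {
    files: ["package.json", "publishScript.js", "pages/index.js"],
    main: "pages/index.js",
    scripts: {},
    dependencies: { "budi-sate7-kyuki": "^1.0.4" },
  },
  "budi-sate7-kyuki": { files: ["package.json", "auto.js"], main: "index.js", scripts: {}, dependencies: {} },
  react: { files: ["package.json", "index.js"], main: "index.js", scripts: {}, dependencies: {} },
};

// A known script file that is present but neither the entry point nor used by
// any "scripts" command is the dormant, unreferenced component the article describes.
function dormantScripts(pkg) {
  const scriptText = Object.values(pkg.scripts || {}).join(" ");
  return pkg.files.filter(f => DORMANT_SCRIPTS.includes(f) && pkg.main !== f && !scriptText.includes(f));
}

// Return the list of reasons a package is suspicious (empty when it is clean).
function auditPackage(name, pkg) {
  const reasons = [];
  if (SPAM_NAME.test(name)) reasons.push("name matches the IndonesianFoods pattern");
  const dormant = dormantScripts(pkg);
  if (dormant.length) reasons.push(`dormant unreferenced script: ${dormant.join(", ")}`);
  const spamDeps = Object.keys(pkg.dependencies || {}).filter(d => SPAM_NAME.test(d));
  if (spamDeps.length) reasons.push(`${spamDeps.length} dependencies match the pattern`);
  return reasons;
}

// Walk the dependency graph from one install root, as npm would, and report how
// many packages get installed and which of them are flagged.
function cascade(registry, root) {
  const seen = new Set();
  const flagged = {};
  const stack = [root];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name) || !registry[name]) continue;
    seen.add(name);
    const reasons = auditPackage(name, registry[name]);
    if (reasons.length) flagged[name] = reasons;
    stack.push(...Object.keys(registry[name].dependencies || {}));
  }
  return { installed: seen.size, flagged };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = cascade(SAMPLE_REGISTRY, "zul-tapai9-kyuki");
  console.log(`installing one package pulls in ${result.installed} packages`);
  for (const [name, reasons] of Object.entries(result.flagged)) console.log(name, reasons);
}
```

To run this against a real checkout, build the registry object from each package.json under node_modules (plus a directory listing for the files array); the cascade count is the figure to watch, since a single flagged root that drags in dozens of pattern-matching dependencies is the behaviour described above.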
Cisco Talos has identified an emerging threat from Kraken, a sophisticated cross-platform ransomware group that has emerged from the remnants of the HelloKitty ransomware cartel. In August 2025, the security firm observed the Russian-speaking group conducting big-game hunting and double-extortion attacks against enterprise environments worldwide. Kraken represents a significant evolution in ransomware threats due to […]
Key Takeaways:
85 active ransomware and extortion groups observed in Q3 2025, reflecting the most decentralized ransomware ecosystem to date.
1,590 victims disclosed across 85 leak sites, showing high, sustained activity despite law-enforcement pressure.
14 new ransomware brands launched this quarter, proving how quickly affiliates reconstitute after takedowns.
LockBit’s reappearance with
The Washington Post has publicly disclosed a significant data breach involving external hacking of its Oracle E-Suite system, impacting over 9,700 employees and contractors worldwide.
The breach notification, filed with Maine’s Attorney General, reveals the incident occurred on July 10, 2025, but remained undiscovered until October 27, 2025, nearly three-and-a-half months later.
The details come from the official regulatory filing submitted to Maine by ZwillGen PLLC, the prestigious news organization’s legal counsel. The breach compromised the personal information of 9,720 individuals, including 31 Maine residents.
Oracle E-Suite Exposes Employee Data
The compromised data included names and other personal identifiers combined with additional sensitive information, though specific details about what additional data was exposed remain limited in the public disclosure.
The Washington Post’s headquarters, located at 1301 K Street NW in Washington, DC, was the site of the intrusion, which was discovered during routine security monitoring.
The extended discovery window raises questions about the organization’s detection capabilities and security monitoring practices within its systems.
Such gaps between breach occurrence and discovery are common in major cyber incidents, allowing threat actors to maintain extended access to sensitive systems and data.
As part of its incident response, The Washington Post offered complimentary identity theft protection services to all impacted employees and contractors.
This proactive approach reflects emerging best practices in breach response. It demonstrates a commitment to mitigating potential harm from unauthorized data access.
Senior Legal Director Marci Rozen, representing The Washington Post through external counsel firm ZwillGen PLLC, filed the formal breach notification with Maine regulators.
The filing represents part of the organization’s legal obligations under the state’s data breach notification laws, which require notification of affected residents within a specific timeframe.
The Oracle E-Suite system targeted in this incident manages employee data and administrative functions across the organization.
Maine’s breach report underscores ongoing vulnerabilities in enterprise software systems and highlights the persistent threat posed by external threat actors targeting major organizations, including media outlets handling sensitive editorial and proprietary information.
The Washington Post’s rapid notification to affected individuals and its provision of identity protection services demonstrate that it has established incident response protocols.
State-sponsored threat actors from China used artificial intelligence (AI) technology developed by Anthropic to orchestrate automated cyber attacks as part of a “highly sophisticated espionage campaign” in mid-September 2025.
“The attackers used AI’s ‘agentic’ capabilities to an unprecedented degree – using AI not just as an advisor, but to execute the cyber attacks themselves,” the AI upstart