• In a significant data breach disclosed by TransUnion LLC, more than 4.4 million consumers had sensitive personal information compromised in late July 2025. The credit reporting agency, headquartered at 555 W. Adams Street in Chicago, Illinois, revealed the incident on August 26, following its discovery on July 30. TransUnion’s Senior Privacy Counsel, Sanjana Palla, reported […]

    The post TransUnion Data Breach Compromises Over 4 Million Customers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Adversary-in-the-Middle (AiTM) attacks are among the most sophisticated and dangerous phishing techniques in the modern cybersecurity landscape.

    Unlike traditional phishing attacks that merely collect static credentials, AiTM attacks actively intercept and manipulate communications between users and legitimate services in real-time, enabling attackers to bypass multi-factor authentication (MFA) and evade endpoint detection and response (EDR) systems.

    These attacks have surged in popularity as organizations increasingly adopt MFA protections, with Microsoft reporting that AiTM phishing campaigns have targeted over 10,000 organizations globally.

    The emergence of phishing-as-a-service (PhaaS) platforms like Tycoon 2FA and Evilginx2 has industrialized these attacks, lowering the technical barrier for cybercriminals and making sophisticated AiTM capabilities accessible through subscription models starting at just $120.

    AiTM Attack Flow Process.

    Introduction to AiTM Attacks

    Adversary-in-the-Middle attacks fundamentally differ from traditional man-in-the-middle (MitM) attacks through their active manipulation and sophisticated orchestration of authentication processes.

    While traditional MitM attacks often focus on passive eavesdropping, AiTM attacks involve attackers positioning themselves as active intermediaries between victims and legitimate services, using reverse proxy servers to create seamless, real-time communication channels.

    The technical foundation of AiTM attacks relies on reverse proxy architecture, where attackers deploy servers that act as intermediaries between victims and legitimate authentication portals.

    This approach allows attackers to present users with authentic-looking login pages that are actually legitimate pages served through the malicious proxy, making detection extremely difficult.

    Modern AiTM toolkits leverage sophisticated technologies, including WebSocket connections for real-time bidirectional communication, automated SSL certificate generation through services like Let’s Encrypt, and advanced cloaking mechanisms using tokenized URLs to evade detection.

    When a victim attempts to access a service like Microsoft 365 or Gmail, the AiTM proxy intercepts the request, forwards it to the legitimate service, captures the response, and relays it back to the victim while simultaneously harvesting all authentication data in transit.

    The most prominent open-source AiTM frameworks include Evilginx2, Muraena, and Modlishka, each offering unique capabilities for credential harvesting and session hijacking.

    These tools have evolved to include features such as multi-domain hosting, custom branding integration, and advanced evasion techniques that make them particularly effective against modern security measures.

    AiTM Attack Architecture.

    The Role of MFA in Modern Security

    Multi-factor authentication has become the cornerstone of modern cybersecurity strategies, with Microsoft blocking over 7,000 password attacks per second, representing a 75% year-over-year increase.

    MFA implementations typically require users to provide something they know (password), something they have (mobile device or hardware token), or something they are (biometric data).

    Traditional MFA methods include SMS codes, push notifications, authenticator apps generating time-based one-time passwords (TOTP), and hardware security keys.

    | MFA Method | Authentication Factor | Adoption Rate | AiTM Vulnerability | Traditional Security Level | Common Bypass Methods |
    |---|---|---|---|---|---|
    | SMS Codes (SMS OTP) | Something you have | High (60%+) | High – Easily intercepted | Low | SIM swapping, SS7 attacks |
    | Push Notifications | Something you have | High (50%+) | High – Tokens stolen post-auth | Medium-High | Push fatigue, device compromise |
    | Authenticator Apps (TOTP) | Something you have | Medium (35%+) | High – Codes relayed in real-time | High | Device compromise, phishing |
    | Hardware Security Keys (FIDO2) | Something you have | Low (15%+) | Medium – Session tokens still stolen | Very High | Session token theft (AiTM only) |
    | Voice Calls | Something you have | Medium (25%+) | High – Codes intercepted | Low | Voice phishing, call forwarding |
    | Email OTP | Something you have | Medium (30%+) | High – Easily intercepted | Low-Medium | Email compromise, phishing |
    | Biometric Authentication | Something you are | Growing (20%+) | Medium – Session tokens stolen | Very High | Session token theft |
    | Certificate-based Authentication | Something you have | Low (10%+) | Medium – Certificates bypassed | Very High | Session token theft, cert theft |

    The security model of MFA relies on the assumption that compromising multiple authentication factors simultaneously is significantly more difficult than bypassing a single password.

    However, this assumption breaks down in the face of AiTM attacks, which don’t need to compromise individual factors but instead exploit the trust relationship established after successful authentication.

    When users complete the MFA challenge through an AiTM proxy, they unknowingly provide attackers with both their credentials and the session tokens issued by the legitimate service.

    How AiTM Attack Bypasses MFA and EDR

    The MFA bypass mechanism in AiTM attacks operates through session token theft rather than authentication factor compromise. When victims interact with an AiTM phishing page, they complete the entire authentication process, including MFA challenges, but all communications pass through the attacker’s proxy server.

    The proxy forwards the user’s credentials and MFA responses to the legitimate service, which then issues session cookies and authentication tokens back through the proxy.

    The attacker captures these tokens while allowing the authentication to complete successfully, creating a scenario where the victim believes they’ve securely logged in while the attacker has gained persistent access to their account.

    Session tokens, particularly Primary Refresh Tokens (PRTs) in Microsoft environments, can provide extended access lasting 30 days or more if kept active.

    These tokens contain cryptographic proof of successful authentication and can be replayed by attackers to access accounts without triggering additional MFA challenges.

    The sophistication of modern AiTM kits like Tycoon 2FA includes features for session token management, automatic token refresh, and persistence mechanisms that allow attackers to maintain access even after password changes.

    EDR evasion in AiTM attacks occurs through several mechanisms that exploit fundamental limitations in endpoint monitoring. Traditional EDR solutions focus on detecting malicious processes, file modifications, and network connections originating from the endpoint itself.

    However, AiTM attacks primarily occur server-side, where the malicious proxy operates independently of the victim’s endpoint. The victim’s device only interacts with what appears to be legitimate web traffic to authentic domains, making the malicious activity invisible to endpoint-based detection systems.

    Advanced AiTM campaigns employ sophisticated evasion techniques, including code obfuscation using Base64 encoding, dynamic code generation that alters signatures with each execution, and anti-debugging mechanisms designed to frustrate automated analysis.

    These techniques specifically target the static and behavioral analysis capabilities of EDR systems. Additionally, attackers abuse legitimate services like CodeSandbox, Glitch, and Notion as redirect mechanisms, leveraging the trust these domains have with security systems to bypass URL filtering and reputation-based blocking.

    The use of living-off-the-land techniques further complicates EDR detection, as AiTM attacks often rely on standard web protocols and legitimate authentication flows.

    Attackers may also implement EDR communication blocking techniques, using tools like Windows Filtering Platform (WFP) to prevent EDR agents from communicating with their cloud infrastructure, effectively blinding the security solution to ongoing malicious activities.

    Indicators of AiTM Attacks

    Authentication log analysis reveals several key indicators of AiTM activity, with impossible travel being among the most reliable signals. When attackers use stolen session tokens, they often authenticate from geographic locations that would be impossible for the legitimate user to reach within the observed timeframe.

    Microsoft’s delayed logging can complicate this analysis, as some authentication events may take up to 20 hours to appear in audit logs, making real-time detection challenging.

    Multiple rapid sign-ins from different locations within short timeframes, particularly when accompanied by successful MFA completion, often indicate session token replay attacks.

    | Category | Indicator | Description | MITRE ATT&CK |
    |---|---|---|---|
    | Authentication Logs | Impossible Travel | User authentication from geographically impossible locations within short timeframes | T1078.004 |
    | Authentication Logs | Multiple Rapid Sign-ins | Multiple successful authentications from different locations in rapid succession | T1078.004 |
    | Authentication Logs | Session Token Anomalies | Authentication without password entry or MFA prompts in logs | T1078.004 |
    | Network Indicators | Unknown IP Addresses | Sign-ins from previously unseen IP addresses or suspicious ASNs | T1557 |
    | Network Indicators | Suspicious Domains | Connections to domains mimicking legitimate services or suspicious TLDs | T1557 |
    | User Behavior | Mailbox Rule Creation | Creation of inbox rules to hide or redirect emails, especially with random names | T1564.008 |
    | User Behavior | Email Forwarding Rules | New forwarding rules redirecting emails to external addresses | T1114.003 |
    | Email Indicators | Phishing Email Patterns | Emails from trusted senders with suspicious links or urgent language | T1566.002 |
    | Email Indicators | Legitimate Service Abuse | Abuse of legitimate services like CodeSandbox, Glitch, or Notion for redirection | T1566.002 |
    | Technical Artifacts | Reverse Proxy Artifacts | WebSocket connections, specific HTTP headers, or proxy-related network signatures | T1557 |
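
    The impossible-travel and session-token indicators above can be checked together over sign-in records. The following is an added example, not code from the article or from any vendor: the record fields, thresholds and sample events are assumptions constructed for illustration, and events are ordered by the time they happened so that late-arriving log rows are still compared correctly.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class SignIn:              # hypothetical, simplified sign-in record
    user: str
    when: datetime         # when the sign-in happened, not when the log row arrived
    ip: str
    lat: float
    lon: float
    mfa_prompted: bool     # False: MFA was satisfied by a claim in an existing token


def distance_km(a: SignIn, b: SignIn) -> float:
    """Great-circle (haversine) distance between two sign-in locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_impossible_travel(events, max_kmh=900.0, min_km=500.0):
    """Flag consecutive sign-ins per user that imply travel faster than max_kmh.

    min_km suppresses noise from nearby locations (mobile/VPN egress changes).
    A flagged sign-in that was not MFA-prompted is marked as a likely token replay.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    findings = []
    for user, evs in by_user.items():
        # Sort by event time: delayed logging means arrival order is unreliable.
        evs = sorted(evs, key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            km = distance_km(prev, cur)
            if km < min_km:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({
                    "user": user,
                    "from_ip": prev.ip,
                    "to_ip": cur.ip,
                    "km": round(km),
                    "minutes": round(hours * 60),
                    "token_replay_suspected": not cur.mfa_prompted,
                })
    return findings


def _t(hhmm: str) -> datetime:
    return datetime.fromisoformat(f"2025-08-27T{hhmm}:00+00:00")


# Constructed sample events (documentation IP ranges), deliberately out of order
# to mimic log rows that arrive late.
SAMPLE_EVENTS = [
    SignIn("alice@example.com", _t("09:20"), "203.0.113.50", 52.37, 4.90, False),
    SignIn("bob@example.com", _t("09:00"), "198.51.100.7", 41.88, -87.63, True),
    SignIn("alice@example.com", _t("09:00"), "192.0.2.10", 41.88, -87.63, True),
    SignIn("bob@example.com", _t("11:00"), "198.51.100.99", 43.04, -87.91, True),
]

if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

    Because a late log row can change which sign-ins are adjacent, rerun the check over the affected users' recent window whenever delayed events are ingested.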

    The evolution of AiTM attacks from simple credential harvesting to sophisticated, service-oriented attack platforms represents a fundamental shift in the threat landscape that requires equally sophisticated defense strategies.

    Organizations must recognize that traditional perimeter defenses and even MFA are insufficient against these advanced persistent threats, necessitating comprehensive security architectures that include behavioral analytics, session token protection, and continuous authentication mechanisms to counter this growing menace effectively.


    The post How Adversary-In-The-Middle (AiTM) Attack Bypasses MFA and EDR? appeared first on Cyber Security News.


  • Authorities from the Netherlands and the United States have announced the dismantling of an illicit marketplace called VerifTools that peddled fraudulent identity documents to cybercriminals across the world. To that end, two marketplace domains (verif[.]tools and veriftools[.]net) and one blog have been taken down, redirecting site visitors to a splash page stating the action was undertaken by


  • A high-severity Server-Side Request Forgery (SSRF) vulnerability has been identified in the widely used PhpSpreadsheet library, potentially allowing attackers to exploit internal network resources and compromise server security. 

    The vulnerability, tracked as CVE-2025-54370, affects multiple versions of the phpoffice/phpspreadsheet package and carries a CVSS v4.0 score of 8.7.

    Key Takeaways
    1. SSRF in PhpSpreadsheet’s Worksheet\Drawing::setPath via malicious HTML image tags.
    2. Affects < 1.30.0, 2.0.0–2.1.11, 2.2.0–2.3.x, 3.0.0–3.9.x, 4.x < 5.0.0
    3. Update immediately and validate inputs.

    High-Severity SSRF Vulnerability

    The vulnerability resides in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where malicious HTML input can trigger unauthorized server-side requests. 

    Security researcher Aleksey Solovev from Positive Technologies discovered this zero-day flaw while analyzing version 3.8.0 of the library.

    The exploitation occurs when attackers craft malicious HTML documents containing image tags with src attributes pointing to internal network resources. 

    When the PhpSpreadsheet HTML reader processes these documents, the library inadvertently makes requests to the specified URLs, potentially exposing sensitive internal services.

    Proof-of-concept code demonstrates the attack vector:

    PhpSpreadsheet Library Vulnerability

    The malicious HTML file contains:

    PhpSpreadsheet Library Vulnerability
    | Risk Factors | Details |
    |---|---|
    | Affected Products | Versions < 1.30.0; 2.0.0–2.1.11; 2.2.0–2.3.x; 3.0.0–3.9.x; 4.x < 5.0.0 |
    | Impact | High confidentiality impact via SSRF |
    | Exploit Prerequisites | Untrusted HTML input passed to the HTML reader |
    | CVSS 3.1 Score | 7.5 (High) |

    Affected Versions and Security Patches

    The vulnerability impacts multiple version ranges across the PhpSpreadsheet ecosystem:

    • Legacy versions: All versions prior to 1.30.0
    • Version 2.x series: 2.0.0 through 2.1.11 and 2.2.0 through 2.3.x
    • Version 3.x series: 3.0.0 through 3.9.x
    • Version 4.x series: All 4.x versions prior to 5.0.0

    Patched versions include 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0. Organizations using affected versions should prioritize immediate updates to prevent potential exploitation.
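
    To find out which branch a project is on and which patched release it needs, the version ranges above can be applied to a composer.lock file. This is an added example, not part of the advisory or the PhpSpreadsheet project; the function names and the sample lock content are constructed for illustration.

```python
import json

PACKAGE = "phpoffice/phpspreadsheet"


def fixed_in(version: str):
    """Return the patched release to move to, None if the version is not
    affected, or "unknown" if the version string cannot be parsed."""
    core = version.lstrip("vV").split("-")[0].split("+")[0]
    try:
        v = tuple(int(p) for p in (core.split(".") + ["0", "0"])[:3])
    except ValueError:
        return "unknown"          # e.g. "dev-master": needs manual review
    major = v[0]
    if v < (1, 30, 0):
        return "1.30.0"           # all versions prior to 1.30.0
    if major == 1:
        return None
    if v < (2, 1, 12):
        return "2.1.12"           # 2.0.0 through 2.1.11
    if (2, 2, 0) <= v < (2, 4, 0):
        return "2.4.0"            # 2.2.0 through 2.3.x
    if major == 2:
        return None
    if major == 3:
        return "3.10.0" if v < (3, 10, 0) else None
    if major == 4:
        return "5.0.0"            # all 4.x versions
    return None


def audit_composer_lock(lock_text: str):
    """Return [(installed_version, fix)] for every affected PhpSpreadsheet entry."""
    lock = json.loads(lock_text)
    entries = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    results = []
    for pkg in entries:
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        fix = fixed_in(pkg.get("version", ""))
        if fix is not None:
            results.append((pkg.get("version", ""), fix))
    return results


# Constructed composer.lock content for the demonstration.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpoffice/phpspreadsheet", "version": "3.8.0"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for installed, fix in audit_composer_lock(SAMPLE_LOCK):
        print(f"{PACKAGE} {installed} is affected; upgrade to {fix} or later")
```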

    The vulnerability classification follows CWE-918: Server-Side Request Forgery, with attack vectors requiring no authentication or user interaction (AV:N/AC:L/PR:N/UI:N). 

    This enables remote attackers to exploit the flaw through network-accessible applications processing user-supplied HTML content.

    Additional security concerns include potential phar deserialization attacks through the file_exists method of the vulnerable code, creating multiple attack surfaces within the same component. 

    Organizations utilizing PhpSpreadsheet for HTML document processing should implement input validation and network segmentation as additional protective measures while deploying the security updates.


    The post PhpSpreadsheet Library Vulnerability Enables Attackers to Feed Malicious HTML Input appeared first on Cyber Security News.


  • Nagios XI, a widely-deployed network monitoring solution, has addressed a critical cross-site scripting (XSS) vulnerability in its Graph Explorer feature that could enable remote attackers to execute malicious JavaScript code within users’ browsers. 

    The security flaw was patched in version 2024R2.1, released on August 12, 2025, following responsible disclosure by security researcher Marius Lihet.

    Key Takeaways
    1. Critical XSS in Nagios XI Graph Explorer allows remote JS execution.
    2. Can enable session hijack, data theft, or config tampering.
    3. Upgrade and enforce WAF XSS protections.

    The vulnerability specifically affects certain parameters within the Graph Explorer component, a key feature used by administrators to visualize network performance metrics and historical data trends. 

    XSS vulnerabilities of this nature typically occur when user-supplied input is not properly sanitized before being rendered in web pages, allowing malicious scripts to be injected and executed in the context of legitimate users’ sessions.

    Cross-Site Scripting (XSS) Vulnerability

    Cross-site scripting attacks through the Graph Explorer feature could potentially allow threat actors to perform session hijacking, steal authentication cookies, or execute unauthorized administrative actions within the Nagios XI interface. 

    Attackers could craft malicious URLs containing JavaScript payloads that, when accessed by authenticated users, would execute within their browser context with the privileges of their Nagios session.

    The vulnerability’s exploitation requires social engineering tactics to trick legitimate users into clicking specially crafted links or visiting compromised pages that trigger the XSS payload. 

    Once executed, the malicious JavaScript could access sensitive monitoring data, modify system configurations, or serve as a pivot point for further lateral movement within the network infrastructure.

    Beyond addressing the XSS vulnerability, the 2024R2.1 release introduces several significant security and functionality improvements. 

    The update includes enhanced Nagios Mod-Gearman integration (GL:XI#1242), which provides distributed monitoring capabilities and improved scalability for large enterprise environments.

    Critical fixes address authentication and dashboard management issues, including resolving problems with null dashboard entries for users without home dashboards (GL:XI#1975) and improving the SSO user import functionality when handling large user directories (GL:XI#1966). 

    The release also implements updated logrotate configuration logic (GL:XI#333) to ensure proper log management across system upgrades.

    Network administrators should immediately update to version 2024R2.1 to mitigate the XSS vulnerability and benefit from enhanced security controls. 

    Organizations should also review their Nagios XI access logs for any suspicious Graph Explorer activity and implement additional web application firewall (WAF) rules to detect and block potential XSS attempts targeting monitoring infrastructure.


    The post Nagios XSS Vulnerability Let Remote Attackers to Execute Arbitrary JavaScript appeared first on Cyber Security News.


  • A sophisticated new Mac malware campaign has emerged, targeting users through a deceptive PDF conversion website that conceals a dangerous two-stage payload.

    The malware, dubbed “JSCoreRunner,” represents a significant evolution in macOS threats, demonstrating how cybercriminals are adapting their techniques to bypass Apple’s security measures while maintaining zero detection rates on major security platforms.

    The threat operates through fileripple[.]com, a fraudulent website that masquerades as a legitimate PDF conversion service.

    Users visiting the site are prompted to download what appears to be a helpful utility called “FileRipple.pkg,” which creates the illusion of a genuine PDF tool by launching a fake webview interface.

    This sophisticated deception allows the malware to execute its malicious activities silently while users believe they are interacting with a legitimate application.

    9to5Mac analysts identified this campaign as particularly concerning due to its zero-day status at the time of discovery.

    The malware had achieved complete evasion across all security vendors on VirusTotal, highlighting the advanced nature of this threat and the challenges facing traditional detection methods.

    The malware’s primary objective centers on browser hijacking, specifically targeting Google Chrome installations on infected systems.

    JSCoreRunner systematically traverses the ~/Library/Application Support/Google/Chrome/ directory to locate both default and additional user profiles, then manipulates search engine configurations through TemplateURL object modifications.

    Two-Stage Infection Mechanism

    The JSCoreRunner campaign employs a carefully orchestrated two-stage deployment strategy designed to circumvent macOS security controls.

    The initial stage involves a signed package that was deliberately crafted to appear legitimate, though Apple subsequently revoked the developer’s signature.

    This revocation triggers macOS Gatekeeper to block the first-stage package, creating a false sense of security for users who might assume the threat has been neutralized.

    However, the second stage, “Safari14.1.2MojaveAuto.pkg,” operates as an unsigned payload that downloads directly from the same compromised domain.

    This unsigned nature allows it to bypass Gatekeeper’s default blocking mechanisms, as macOS typically focuses signature validation on initially downloaded packages rather than subsequently fetched components.

    Upon successful installation, the malware establishes persistence by modifying Chrome’s search engine settings, redirecting users to fraudulent search engines while hiding crash logs and session restoration prompts to maintain stealth operations.


    The post New Mac Malware Dubbed ‘JSCoreRunner’ Weaponizing PDF Conversion Site to Deliver Malware appeared first on Cyber Security News.


  • TransUnion, one of the nation’s three major credit reporting agencies, has disclosed a significant data breach that exposed the personal information of more than four million U.S. customers.

    The company is now alerting affected individuals about the cyber incident, which involved unauthorized access to data stored on a third-party application.

    On July 28, 2025, TransUnion LLC confirmed a sophisticated cyber intrusion that compromised the personal data of over 4.4 million consumers. 

    The unauthorized access, detected on July 30, 2025, targeted TransUnion’s consumer reporting systems and exposed sensitive Personally Identifiable Information (PII).

    Key Takeaways
    1. 4.4M+ PII records exposed in a July 28 SQL-injection breach.
    2. MFA, segmentation, forensics, and notifications deployed.
    3. Two years of free myTrueIdentity™ credit monitoring provided.

    Over 4 Million Individuals’ PII Stolen

    According to the Maine office filing, the breach affected 4,461,511 individuals nationwide, including 16,828 residents of Maine. 

    The breach targeted an application used for the company’s U.S. consumer support operations. While the intrusion compromised sensitive personal data, TransUnion has assured its customers that the accessed information did not include credit reports or core credit information.

    The compromised data elements included full names, Social Security numbers, dates of birth, and driver’s license numbers, constituting a classic PII aggregation that heightens the risk of identity theft and financial fraud.

    The breach was discovered on August 15, 2025, after the company’s cybersecurity team detected suspicious activity on its network. An internal investigation, conducted in collaboration with a leading cybersecurity firm, revealed that an unauthorized third party had gained access to the system for a period of two weeks in late July.

    “We take our responsibility to protect consumer data very seriously,” said a TransUnion spokesperson in a statement released Friday. “We have taken immediate steps to secure the application and are working with law enforcement to investigate this matter. We are committed to supporting our customers and have begun the process of notifying all affected individuals.”

    TransUnion is offering two years of free credit monitoring and identity theft protection services to all impacted customers. The notification letters will include instructions on how to enroll in these services. The company has also set up a dedicated call center to answer customer questions and has posted an FAQ on its website.

    TransUnion issued written Data Breach Notifications to all affected consumers on August 26, 2025, in compliance with state and federal regulations.


    The post TransUnion Hack Exposes 4M+ Customers Personal Information appeared first on Cyber Security News.


  • DPRK IT workers have leveraged popular code-sharing platforms such as GitHub, CodeSandbox, and Medium to cultivate convincing developer portfolios and land remote positions under fabricated identities. Investigations reveal approximately 50 active GitHub profiles operated by North Korean actors, supplemented by dozens of profiles across niche freelancing and forum sites. These operatives employ deepfake profile photos, […]

    The post DPRK Remote Work Tactics: Leveraging Code-Sharing Platforms appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Emerging in mid-2025, a sophisticated campaign attributed to the Silver Fox APT has begun exploiting a previously unreported vulnerable driver to compromise modern Windows environments.

    This campaign leverages the WatchDog Antimalware driver (amsdk.sys, version 1.0.600), a Microsoft-signed component built on the Zemana Anti-Malware SDK.

    Vulnerable valid-signed WatchDog Antimalware Driver (Source – Check Point)

    By abusing its arbitrary process termination capability, threat actors bypass endpoint detection and response (EDR) and antivirus (AV) protections on fully patched Windows 10 and 11 systems without triggering signature-based defenses.

    Initial stages of the attack involve deploying a self-contained loader that embeds multiple drivers and anti-analysis layers.

    Infected machines receive a loader binary that first performs checks against virtual machines, sandboxes, and known analysis environments.

    Once these checks pass, the loader drops two drivers—one legacy Zemana-based driver for compatibility with older systems, and the newer WatchDog Antimalware driver for modern targets—into a newly created C:\Program Files\RunTime directory.

    Check Point researchers noted that both drivers are then registered as kernel services: the legacy driver under ZAM.exe for Windows 7, and amsdk.sys for Windows 10/11.

    The loader’s “Termaintor” service ensures persistence for the executed loader stub, while Amsdk_Service facilitates driver loading.

    Following driver registration, the campaign’s custom EDR/AV killer logic opens a handle to the vulnerable driver’s device namespace (\\.\amsdk) and issues IOCTL calls to register the malicious process and terminate protected security service processes.

    The termination routine reads from a Base64-encoded process list of over 190 entries—spanning popular antivirus and endpoint protection services—and sends IOCTL_TERMINATE_PROCESS commands via DeviceIoControl to eliminate running defenses.

    Process termination (Source – Check Point)

    By abusing the driver’s lack of a FILE_DEVICE_SECURE_OPEN flag and missing PP/PPL checks, Silver Fox achieves reliable AV evasion.

    Check Point analysts identified that after terminating security processes, the loader decodes and injects a UPX-packed ValleyRAT downloader module into memory.

    This module connects to Chinese-hosted C2 servers, decrypts configuration traffic using a simple XOR cipher, and fetches the final ValleyRAT backdoor payload.

    ValleyRAT (“Winos”) offers full remote access capabilities including command execution and data exfiltration, confirming the campaign’s attribution to Silver Fox.

    Detection Evasion through Signed-Driver Manipulation

    Although WatchDog released a patched driver (wamsdk.sys, version 1.1.100) following disclosure, Silver Fox quickly adapted by flipping a single byte within the unauthenticated attributes of the driver’s signature timestamp.

    This subtle modification preserved the Microsoft Authenticode signature while generating a new file hash, effectively bypassing hash-based blocklists without altering signature validity.

    The altered driver is then seamlessly loaded on target systems, continuing the exploitation cycle.

    This technique underscores a broader trend: adversaries weaponizing legitimate, signed drivers and manipulating timestamp countersignatures to evade both static and behavior-based detection mechanisms.
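
    The reason a one-byte change inside the signature defeats a file-hash blocklist is that the Authenticode digest skips the certificate table, so the signed image hash stays the same while the file hash changes. The following added example (not code from Check Point or from the article) shows the difference on a constructed, non-runnable PE skeleton; it uses a simplified form of the Authenticode hash that assumes the certificate table sits after all section data, and the helper names are hypothetical.

```python
import hashlib
import struct

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)


def _locate(pe: bytes):
    """Return (checksum_off, cert_entry_off, cert_off, cert_size) for a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                       # start of optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)        # PE32 vs PE32+
    cert_entry = dirs + 8 * CERT_DIR_INDEX
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    if cert_size and cert_off + cert_size > len(pe):
        raise ValueError("certificate table outside file")
    return opt + 64, cert_entry, cert_off, cert_size


def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 over the image, skipping the three regions Authenticode excludes:
    the CheckSum field, the certificate-table directory entry, and the
    certificate table itself (simplified: assumes it follows all sections)."""
    checksum, cert_entry, cert_off, cert_size = _locate(pe)
    end = cert_off if cert_size else len(pe)
    h = hashlib.sha256()
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_entry])
    h.update(pe[cert_entry + 8:end])
    h.update(pe[end + cert_size:])
    return h.hexdigest()


def hashes(pe: bytes):
    """Return (file_sha256, authenticode_sha256)."""
    return hashlib.sha256(pe).hexdigest(), authenticode_sha256(pe)


def flip_byte(data: bytes, offset: int) -> bytes:
    out = bytearray(data)
    out[offset] ^= 0xFF
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed PE32+ skeleton: 512-byte headers, 512 bytes of filler standing
    in for section data, then a certificate table holding a dummy blob."""
    payload = b"CONSTRUCTED-SIGNATURE-BLOB".ljust(64, b"\0")
    cert = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * CERT_DIR_INDEX, 1024, len(cert))
    headers = (dos + b"PE\0\0" + coff + bytes(opt)).ljust(512, b"\0")
    return headers + b"\xCC" * 512 + cert


SAMPLE = build_sample_pe()
SIG_TWEAKED = flip_byte(SAMPLE, 1024 + 40)    # byte inside the certificate table
CODE_TWEAKED = flip_byte(SAMPLE, 600)         # byte inside the hashed image

if __name__ == "__main__":
    for name, blob in (("original", SAMPLE), ("signature byte changed", SIG_TWEAKED),
                       ("image byte changed", CODE_TWEAKED)):
        file_hash, auth_hash = hashes(blob)
        print(f"{name:24} file={file_hash[:16]} authenticode={auth_hash[:16]}")
```

    Blocklist entries keyed on the Authenticode hash, or on signer plus driver version, keep matching a driver whose signature blob has been altered this way, whereas file-hash entries do not.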


    The post Silver Fox APT Hackers Leveraging Vulnerable driver to Attack Windows 10 and 11 Systems by Evading EDR/AV appeared first on Cyber Security News.


  • A sophisticated supply chain attack has compromised the popular Nx build platform, affecting millions of weekly downloads and resulting in widespread credential theft. 

    The attack, dubbed “s1ngularity,” represents one of the most comprehensive credential harvesting campaigns targeting the developer ecosystem in 2025.

    GitGuardian observed that malicious actors infiltrated multiple Nx package versions (20.9.0 through 21.8.0) on the npm registry, injecting credential-stealing malware that systematically scanned infected development environments. 

    Key Takeaways
    1. Nx build platform compromised with malware stealing developer credentials.
    2. First attack exploiting AI tools for credential harvesting, though many AI clients resisted.
    3. 2,349+ secrets stolen via GitHub repositories; 50% remained valid despite cleanup efforts.

    The attack demonstrates an evolution in supply chain tactics, combining traditional credential theft with novel attack vectors targeting AI development tools and employing GitHub repositories as exfiltration infrastructure.

    Credential-Harvesting Malware Targeting Developers

    The malicious payload implemented a comprehensive credential harvesting mechanism that scanned infected systems for multiple types of sensitive data. 

    The malware targeted GitHub personal access tokens, npm authentication keys, SSH private keys, AWS credentials, environment variable API keys, and cryptocurrency wallet files. 

    The scanning routines employed sophisticated file system traversal techniques, examining common configuration directories including ~/.ssh/, ~/.aws/, and various application-specific credential storage locations.

    The harvested credentials underwent a distinctive double-base64 encoding process before exfiltration. 

    This encoding scheme (echo $data | base64 | base64) served dual purposes: evading basic detection mechanisms while maintaining data integrity during transmission. 

    The encoded payloads were then exfiltrated to public GitHub repositories following a predictable naming convention: “s1ngularity-repository-[random-string]”, each containing a single “results.b64” file with the encoded stolen data.

    Analysis of the attack infrastructure reveals that the malware also implemented destructive capabilities, modifying users’ shell startup files (~/.bashrc and ~/.zshrc) with shutdown commands that would crash systems upon opening new terminal sessions, according to GitGuardian.

    This secondary payload suggests the attack combined both data theft and system disruption objectives.
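
    For responders, the behaviours described in this section translate into three checks: is an affected Nx version in the lockfile, do the shell startup files contain a shutdown command, and what does a recovered results.b64 reveal about which secrets need rotating. The following is an added example, not GitGuardian's or Nx's code; the version range is the one stated in the article, the token patterns are common public prefixes, and every sample input is constructed.

```python
import base64
import json
import re

AFFECTED_MIN, AFFECTED_MAX = (20, 9, 0), (21, 8, 0)   # range as stated in the article

SECRET_PATTERNS = {
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "PEM private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def parse_version(version: str):
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".")[:3])


def affected_nx_installs(lockfile_text: str):
    """Return [(path, version)] for nx entries in a package-lock.json (v2/v3
    'packages' map) whose version falls inside the affected range."""
    packages = json.loads(lockfile_text).get("packages", {})
    hits = []
    for path, meta in packages.items():
        if path != "node_modules/nx" and not path.endswith("/node_modules/nx"):
            continue
        version = meta.get("version", "")
        try:
            parsed = parse_version(version)
        except ValueError:
            continue
        if AFFECTED_MIN <= parsed <= AFFECTED_MAX:
            hits.append((path, version))
    return hits


def suspicious_rc_lines(rc_text: str):
    """Return [(line_number, line)] for non-comment lines invoking shutdown."""
    hits = []
    for number, line in enumerate(rc_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        if re.search(r"\bshutdown\b", code):
            hits.append((number, line.strip()))
    return hits


def decode_results_b64(blob) -> str:
    """Undo the double base64 layer; line wrapping added by base64 is ignored."""
    inner = base64.b64decode(blob)
    return base64.b64decode(inner).decode("utf-8", errors="replace")


def secrets_to_rotate(decoded: str):
    """Return the kinds of secret present in the decoded data, sorted by name."""
    return sorted(name for name, rx in SECRET_PATTERNS.items() if rx.search(decoded))


# --- constructed sample inputs -------------------------------------------
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/nx": {"version": "21.5.0"},
    "node_modules/tool/node_modules/nx": {"version": "19.8.4"},
    "node_modules/nx-helper": {"version": "21.5.0"},
}})
SAMPLE_RC = "export PATH=$HOME/bin:$PATH\n# shutdown reminder: never\nsudo shutdown -h 0\n"
CONSTRUCTED_LOOT = (
    "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
    "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
)
SAMPLE_BLOB = base64.encodebytes(base64.encodebytes(CONSTRUCTED_LOOT.encode()))

if __name__ == "__main__":
    print("affected installs:", affected_nx_installs(SAMPLE_LOCK))
    print("rc file findings:", suspicious_rc_lines(SAMPLE_RC))
    print("rotate:", secrets_to_rotate(decode_results_b64(SAMPLE_BLOB)))
```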

    Targeting AI Development Tools

    A particularly innovative aspect of the s1ngularity attack was its focus on Large Language Model (LLM) client configurations. 

    The malware specifically enumerated authentication tokens and configuration files for popular AI CLI tools including Claude, Gemini, and Q (Amazon’s AI assistant). 

    This targeting strategy reflects the attackers’ understanding that AI development tools often require elevated permissions and access to sensitive development environments.

    The malware attempted to leverage LLM clients as enumeration vectors by crafting prompts designed to inventory system files and extract credential information. 

    However, analysis reveals that many AI clients demonstrated unexpected defensive behavior, with only 26% (95 out of 366 targeted systems) actually executing the malicious enumeration commands. 

    Many LLM clients explicitly refused requests that appeared to be credential harvesting attempts, potentially representing an unintentional but valuable security control in modern development environments.

    The attack demonstrated remarkable reach across the developer ecosystem, with 85% of infected systems running macOS, highlighting the campaign’s particular impact on the Apple-dominant developer community. 

    Of the compromised systems analyzed, 33% had at least one LLM client installed, validating the attackers’ strategy of targeting this emerging attack surface.

    Exfiltration repositories


    GitGuardian’s monitoring infrastructure provided unique visibility into the ephemeral exfiltration repositories, detecting 1,346 repositories containing the “s1ngularity-repository” string, despite GitHub listing only approximately ten active repositories at the time of analysis. 

    This discrepancy indicates rapid repository deletion cycles and ongoing infections from developers continuing to use compromised package versions. 

    The analysis identified 2,349 distinct secrets across these repositories, with 1,079 repositories containing at least one leaked credential. 

    Critically, approximately 50% of these credentials remained valid at the time of discovery, indicating significant delays in credential revocation processes.


    The post Nx Packages With Millions of Weekly Downloads Hacked With Credential Stealer Malware appeared first on Cyber Security News.
