
PostHog Details “Most Impactful” Security Breach as Shai-Hulud 2.0 npm Worm Spreads Through JavaScript SDKs

 

PostHog has described the Shai-Hulud 2.0 npm worm incident as “the largest and most impactful security incident” the company has ever faced, after attackers managed to push tainted versions of its JavaScript SDKs and attempted to automatically harvest developer credentials.

In a recently published postmortem, PostHog — one of the affected maintainers caught up in the Shai-Hulud 2.0 outbreak — revealed that multiple packages, including core libraries such as posthog-node, posthog-js, and posthog-react-native, were compromised. The malicious versions included a pre-install script that ran the moment the package was added to a project. This script executed TruffleHog to search for secrets, exported any discovered credentials to newly created public GitHub repositories, and then used the stolen npm tokens to publish additional malicious updates, allowing the worm to continue spreading.

Researchers at Wiz, who identified the resurgence of the Shai-Hulud campaign, reported that more than 25,000 developers had their credentials exposed within just three days. Beyond PostHog, the malware also infiltrated packages from Zapier, AsyncAPI, ENS Domains, and Postman — many of which receive thousands of downloads every week.

Unlike a standard trojan, Shai-Hulud 2.0 operates like a fully autonomous worm. Once a compromised package is installed, it can collect a wide range of sensitive data — from npm and GitHub tokens to cloud provider credentials (AWS, Azure, GCP), CI/CD secrets, environment variables, and other confidential information found on developer machines or build environments. PostHog has since revoked all affected tokens, removed the infected package versions, and rolled out “known-good” releases.

However, the postmortem also underscored a deeper systemic flaw: the breach wasn’t caused by a leaked secret, but by a misconfigured CI/CD workflow that allowed untrusted pull-request code to execute with overly broad privileges. A malicious pull request triggered an automated script that ran with full access to the project. Because the workflow did not restrict execution of code from the attacker’s branch, the intruder was able to extract a bot’s personal-access token with organization-wide write permissions and use it to inject malicious updates.

Using the stolen credentials, the attacker created a tampered lint workflow designed to siphon all GitHub secrets — including the npm publishing token. With that token in hand, they uploaded the weaponized SDKs to npm, turning the infection into a self-propagating dependency-chain worm.

PostHog says it is now shifting to a “trusted publisher” model for npm releases, tightening workflow review processes, and disabling install-script execution in CI/CD pipelines, among other security improvements.
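The workflow flaws and the fixes listed above can be checked mechanically. The following is an added example, not PostHog's own workflow or tooling: a small Node.js checker that scans a GitHub Actions workflow's YAML text line by line (regular expressions rather than a YAML parser, so it needs no dependencies) for the patterns the postmortem describes, run against two constructed workflows, one weak and one hardened. The workflow contents, the finding codes and the advice strings are assumptions written for this example; the GitHub Actions and npm settings they refer to (`pull_request_target`, `permissions`, `id-token: write`, `npm ci --ignore-scripts`, `npm publish --provenance`) are real.

```javascript
// Added example (not PostHog's workflow or tooling): flag the CI/CD mistakes the
// postmortem describes in a GitHub Actions workflow. Line-based regex checks,
// illustrative rather than exhaustive.
'use strict';

// Constructed weak workflow: pull_request_target runs with the base repository's
// secrets and, without a permissions block, a broadly scoped GITHUB_TOKEN; it then
// checks out and executes the untrusted PR head, with install scripts enabled,
// and publishes with a long-lived npm token stored as a secret.
const WEAK_WORKFLOW = `
name: lint
on: [pull_request_target]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - run: npm install
      - run: npm run lint
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

// Constructed hardened workflow: plain pull_request (fork PRs get a read-only
// token and no secrets), least-privilege permissions, no install hooks, and
// publishing through a short-lived OIDC token (assumes trusted publishing is
// configured for the package on npm).
const HARDENED_WORKFLOW = `
name: ci
on:
  pull_request:
  release:
    types: [published]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm run lint
  publish:
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance
`;

const ADVICE = {
  PR_CODE_WITH_BASE_SECRETS: 'pull_request_target runs with base-repo secrets; never check out and run the PR head there',
  NO_TOPLEVEL_PERMISSIONS: 'add a top-level permissions: block (contents: read) so GITHUB_TOKEN is least-privilege',
  WRITE_ALL_PERMISSIONS: 'permissions: write-all hands the token write access to everything',
  INSTALL_SCRIPTS_ENABLED: 'use npm ci --ignore-scripts in CI so dependency install hooks cannot run',
  LONG_LIVED_PUBLISH_TOKEN: 'publish via trusted publishing (id-token: write) instead of a stored npm token',
};

// Return the list of finding codes for one workflow's YAML text.
function lintWorkflow(yamlText) {
  const lines = yamlText.split('\n');
  const has = (re) => lines.some((l) => re.test(l));
  const findings = [];
  if (has(/^\s*on:.*pull_request_target|^\s*pull_request_target:/) &&
      has(/ref:\s*\$\{\{\s*github\.event\.pull_request\.head\./)) {
    findings.push('PR_CODE_WITH_BASE_SECRETS');
  }
  if (!has(/^permissions:/)) findings.push('NO_TOPLEVEL_PERMISSIONS');
  else if (has(/^permissions:\s*write-all/)) findings.push('WRITE_ALL_PERMISSIONS');
  if (has(/npm (install|ci|i)\b(?!.*--ignore-scripts)/)) findings.push('INSTALL_SCRIPTS_ENABLED');
  if (has(/NODE_AUTH_TOKEN:\s*\$\{\{\s*secrets\./) && !has(/id-token:\s*write/)) {
    findings.push('LONG_LIVED_PUBLISH_TOKEN');
  }
  return findings;
}

function report(label, yamlText) {
  const findings = lintWorkflow(yamlText);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const code of findings) console.log(`  ${code}: ${ADVICE[code]}`);
  return findings;
}

report('weak', WEAK_WORKFLOW);
report('hardened', HARDENED_WORKFLOW);
```

The first check is the one that matches the incident narrative: the secrets-bearing `pull_request_target` context combined with a checkout of the PR head is what lets an outside contributor's code run with the repository's credentials.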

If this sounds all too familiar, that’s because it reflects a broader pattern across the ecosystem: over-privileged bots, automated workflows running unchecked, and dependency updates happening faster than anyone can thoroughly validate. As the incident shows, sometimes that’s all a worm needs to thrive.

North Korean APT Collaboration Signals Escalating Cyber Espionage and Financial Cybercrime

 

Security analysts have identified a new escalation in cyber operations linked to North Korea, as two of the country’s most well-known threat actors—Kimsuky and Lazarus—have begun coordinating attacks with unprecedented precision. A recent report from Trend Micro reveals that the collaboration merges Kimsuky’s extensive espionage methods with Lazarus’s advanced financial intrusion capabilities, creating a two-part operation designed to steal intelligence, exploit vulnerabilities, and extract funds at scale. 

Rather than operating independently, the two groups are now functioning as a complementary system. Kimsuky reportedly initiates most campaigns by collecting intelligence and identifying high-value victims through sophisticated phishing schemes. One notable 2024 campaign involved fraudulent invitations to a fake “Blockchain Security Symposium.” Attached to the email was a malicious Hangul Word Processor document embedded with FPSpy malware, which stealthily installed a keylogger called KLogEXE. This allowed operators to record keystrokes, steal credentials, and map internal systems for later exploitation. 

Once reconnaissance was complete, data collected by Kimsuky was funneled to Lazarus, which then executed the second phase of attacks. Investigators found Lazarus leveraged an unpatched Windows zero-day vulnerability, identified as CVE-2024-38193, to obtain full system privileges. The group distributed infected Node.js repositories posing as legitimate open-source tools to compromise server environments. With this access, the InvisibleFerret backdoor was deployed to extract cryptocurrency wallet contents and transactional logs. Advanced anti-analysis techniques, including Fudmodule, helped the malware avoid detection by enterprise security tools. Researchers estimate that within a 48-hour window, more than $30 million in digital assets were quietly stolen. 

Further digital forensic evidence reveals that both groups operated using shared command-and-control servers and identical infrastructure patterns previously observed in earlier North Korean cyberattacks, including the 2014 breach of a South Korean nuclear operator. This shared ecosystem suggests a formalized, state-aligned operational structure rather than ad-hoc collaboration.  

Threat activity has also expanded beyond finance and government entities. In early 2025, European energy providers received a series of targeted phishing attempts aimed at collecting operational power grid intelligence, signaling a concerning pivot toward critical infrastructure sectors. Experts believe this shift aligns with broader strategic motivations: bypassing sanctions, funding state programs, and positioning the regime to disrupt sensitive systems if geopolitical tensions escalate. 

Cybersecurity specialists advise organizations to strengthen resilience through aggressive patch management, multi-layered email security, secure cryptocurrency storage practices, and active monitoring for indicators of compromise such as unexpected execution of winlogon.exe or unauthorized access to blockchain-related directories. 
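"Unexpected execution of winlogon.exe" only becomes actionable once "expected" is defined. The following is an added example, not part of the article or Trend Micro's report: a Node.js detection pass over constructed process-creation events (Sysmon-like fields, not real telemetry) that flags winlogon.exe instances deviating from a baseline. The baseline is an assumption for illustration: on a healthy Windows host winlogon.exe runs from \Windows\System32, is started by smss.exe, and runs as SYSTEM.

```javascript
// Added example (not from the article or Trend Micro): flag anomalous
// winlogon.exe process-creation events against an assumed baseline.
'use strict';

const EXPECTED_IMAGE = /^[a-z]:\\windows\\system32\\winlogon\.exe$/i; // assumed baseline path
const EXPECTED_PARENT = /(^|\\)smss\.exe$/i;                            // assumed baseline parent
const EXPECTED_USER = 'NT AUTHORITY\\SYSTEM';                           // assumed baseline account

// Return the reasons one event looks anomalous; an empty list means it matches
// the baseline or is not a winlogon.exe launch at all.
function winlogonAnomalies(evt) {
  const image = evt.image || '';
  if (!/(^|\\)winlogon\.exe$/i.test(image)) return [];
  const reasons = [];
  if (!EXPECTED_IMAGE.test(image)) reasons.push('image path outside System32');
  if (!EXPECTED_PARENT.test(evt.parentImage || '')) {
    reasons.push(`unexpected parent ${evt.parentImage || '<none>'}`);
  }
  if ((evt.user || '').toUpperCase() !== EXPECTED_USER) reasons.push(`unexpected user ${evt.user}`);
  return reasons;
}

// Scan JSON-lines records and return {event, reasons} for every flagged row.
function scanEvents(jsonLines) {
  const flagged = [];
  for (const line of jsonLines.split('\n')) {
    if (!line.trim()) continue;
    let evt;
    try { evt = JSON.parse(line); } catch { continue; } // skip malformed rows
    const reasons = winlogonAnomalies(evt);
    if (reasons.length) flagged.push({ event: evt, reasons });
  }
  return flagged;
}

// Constructed sample events: one healthy winlogon, one unrelated process,
// a winlogon.exe dropped in a temp folder and launched by node.exe, and a
// genuine-path winlogon started by explorer.exe under a user account.
const SAMPLE_EVENTS = `
{"ts":"2025-01-10T08:00:01Z","image":"C:\\\\Windows\\\\System32\\\\winlogon.exe","parentImage":"C:\\\\Windows\\\\System32\\\\smss.exe","user":"NT AUTHORITY\\\\SYSTEM","pid":812}
{"ts":"2025-01-10T08:00:02Z","image":"C:\\\\Windows\\\\System32\\\\svchost.exe","parentImage":"C:\\\\Windows\\\\System32\\\\services.exe","user":"NT AUTHORITY\\\\SYSTEM","pid":900}
{"ts":"2025-01-10T09:14:33Z","image":"C:\\\\Users\\\\dev\\\\AppData\\\\Local\\\\Temp\\\\winlogon.exe","parentImage":"C:\\\\Program Files\\\\nodejs\\\\node.exe","user":"CORP\\\\dev","pid":4120}
{"ts":"2025-01-10T09:14:40Z","image":"C:\\\\Windows\\\\System32\\\\winlogon.exe","parentImage":"C:\\\\Windows\\\\explorer.exe","user":"CORP\\\\dev","pid":4188}
`;

for (const hit of scanEvents(SAMPLE_EVENTS)) {
  console.log(`pid ${hit.event.pid} ${hit.event.image}: ${hit.reasons.join('; ')}`);
}
```

The third sample event is the shape a masquerading binary takes (right name, wrong path, wrong parent); the fourth shows why the path alone is not enough and why parent and account belong in the rule.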

Researchers warn that the coordinated activity between Lazarus and Kimsuky marks a new phase in North Korea’s cyber posture—one blending intelligence gathering with highly organized financial theft, creating a sustained and evolving global threat.

More Breaches, More Risks: Experts say Protect Your Data Now

 

As data breaches surge, experts warn consumers to guard personal information before it reaches the dark web.

With data breaches becoming almost routine, more consumers are being forced to confront the risks of having their personal information exposed online.

A recent US News survey found that 44 percent of respondents had received notices for multiple breaches involving their personal data. For many people, it now feels like another familiar company announces a breach every few days. Once stolen, this information typically ends up on the dark web, where it becomes a valuable resource for hackers, scammers, and cybercriminals. Breaches are only one pathway for data to be leaked. 

Clicking phishing links, entering details in viral social media quizzes, or having a device compromised by malware can all provide criminals with access to personal information that later circulates on underground forums. 

Dr. Darren Williams, founder and CEO of data privacy and ransomware protection company BlackFog, says the presence of some personal data on the dark web does not mean consumers should surrender to the problem. According to him, there are steps that can reduce exposure and protect information that has not yet been compromised. 

Williams explains that criminals increasingly rely on AI to pull together stolen data into detailed information bundles called “fullz.” These files can include banking credentials, addresses, medical data, and social security numbers. Scammers use them to impersonate relatives, romantic partners, or trusted contacts in targeted fraud attempts. 

He notes that while highly individualized scams are less common, criminals tend to target groups of victims at scale using dark web data. To understand their level of exposure, experts recommend that consumers start by scanning the dark web for leaked credentials. 

Many password managers and personal data removal services now offer monitoring tools that track whether email addresses, usernames, or passwords have been posted online. Removing data once it appears on dark web marketplaces is extremely difficult, which is why privacy specialists advise minimizing personal information shared online. Williams says reducing digital footprints can make individuals less appealing to attackers. 

Personal data removal services can help scrub information from commercial data broker sites, which can number in the hundreds. Security specialists also emphasize the importance of preventing criminals from expanding access to personal devices or financial accounts. 

Recommended practices include enabling multi-factor authentication, using strong and unique passwords stored in a password manager, installing antivirus software, avoiding links from unknown senders, updating operating systems regularly, and using a VPN on public Wi-Fi. Identity theft protection platforms and credit monitoring services can offer an extra layer of defense and provide real-time alerts if suspicious activity occurs.

X’s New Location Feature Exposes Foreign Manipulation of US Political Accounts

 

X's new location feature has revealed that many high-engagement US political accounts, particularly pro-Trump ones, are actually operated from countries outside the United States such as Russia, Iran, and Kenya. 

This includes accounts that strongly claim to represent American interests but are based abroad, misleading followers and potentially influencing US political discourse. Similarly, some anti-Trump accounts that seemed to be run by Americans are also found to be foreign-operated. For example, a prominent anti-Trump account with 52,000 followers was based in Kenya and was deleted after exposure. 

The feature exposed widespread misinformation and deception as these accounts garner millions of interactions, often resulting in financial compensation through X's revenue-sharing scheme, allowing both individuals and possibly state-backed groups to exploit the platform for monetary or political gain.

Foreign influence and misinformation

The new location disclosure highlighted significant foreign manipulation of political conversations on X, which raises concerns about authenticity and trust in online discourse. Accounts that present themselves as authentic American voices may actually be linked to troll farms or nation-state actors aiming to amplify divisive narratives or to profit financially. 

This phenomenon is exacerbated by X’s pay-for-play blue tick verification system, which some experts, including Alexios Mantzarlis from Cornell Tech, criticize as a revenue scheme rather than a meaningful validation effort. Mantzarlis emphasizes that financial incentives often motivate such deceptive activities, with operators stoking America's cultural conflicts on social media.

Additional geographic findings

Beyond US politics, BBC Verify found accounts supporting Scottish independence that are purportedly based in Iran despite having smaller followings. This pattern aligns with previous coordinated networks flagged for deceptive political influence. Such accounts often use AI-generated profile images and post highly similar content, generating substantial views while hiding their actual geographic origins.

While the location feature is claimed to be about 99% accurate, there are limitations such as the use of VPNs, proxies, and other methods that can mask true locations, causing some data inaccuracies. The tool's launch also sparked controversy as some users claim their locations are inaccurately displayed, causing breaches of user trust. Experts caution that despite the added transparency, it is a developing tool, and bad actors will likely find ways to circumvent these measures.

Platform responses and transparency efforts

X’s community notes feature, allowing users to add context to viral posts, is viewed as a step toward enhanced transparency, though deception remains widespread. The platform indicates ongoing efforts to introduce more ways to authenticate content and maintain integrity in the "global town square" of social media.

However, researchers emphasize the need for continuous scrutiny given the high stakes of political misinformation and manipulation. This new feature exposes deep challenges in ensuring authenticity and trust in political discourse on X, uncovering foreign manipulation that spans multiple political ends, and revealing the complexities of combating misinformation amid financial and geopolitical motives.

Indian Teen Enables Apple-Exclusive AirPods Features on Android


Apple's AirPods have long been known for a wide range of intelligent features, such as seamless device switching, adaptive noise control, and detailed battery indicators, but only when paired with an iPhone. Although the earbuds pair with Android phones, this has left Android users with little more than basic audio functions.


That restriction, widely regarded as a deliberate reinforcement of Apple's closed ecosystem, is now being challenged by an 18-year-old developer from Gurugram. Kavish Devar's latest creation, LibrePods, is a significant breakthrough for mobile devices: an open-source, completely free tool designed to replicate the AirPods experience on Android, or even Linux, with striking accuracy.

LibrePods removes the Apple-side limitations that previously restricted the full potential of AirPods outside Apple's ecosystem, enabling the earbuds to perform almost identically to the way they do when paired with an iOS device. With this upgrade, Android users who rely on AirPods get a markedly enhanced and seamless experience, including core functionality, polished integration, and an unexpectedly familiar fluidity.

Earlier community efforts, including OpenPods and MaterialPods, provided limited capabilities such as battery readings, but LibrePods goes much further. With its near-complete control suite, Android users can quickly and easily access functions normally reserved for Apple devices, effectively narrowing a gap that has existed for many years.

Devar, a self-taught programmer still in his high school years, developed LibrePods after studying earlier attempts to improve the experience for Android users, such as OpenPods and MaterialPods, both of which provided very limited improvements.

According to the detailed notes on its GitHub page, his project takes a much more ambitious approach: LibrePods was designed to unlock AirPods' otherwise exclusive features on non-Apple platforms. Those features include noise control, adaptive transparency, hearing-assistance functions, ear detection, personalized transparency settings, and precise battery information, all of which have traditionally been exclusive to Apple's ecosystem.

The app accomplishes this by emulating the behavior of an authorized Apple endpoint, so that an Android device can communicate with AirPods almost exactly as an iPhone would.

The full range of features works best on second- and third-generation AirPods Pro and requires a rooted Android device running the Xposed framework. OnePlus and Oppo models running OxygenOS 16 or ColorOS 16 can also use LibrePods without rooting, so Devar has made LibrePods accessible to a broader range of devices.

Even though older AirPods models are not as customizable as the newer generations, they still get accurate battery reporting, which makes LibrePods a good option for anyone who wants reliable battery data.

Having these features unlocked will allow users to switch effortlessly between the Noise Cancellation, the Adaptive Audio, and the Transparency modes, rename their earbuds so they can be managed more easily, enable automatic play-and-pause functions, assign long-press actions to toggle ANC or trigger a voice assistant, as well as use head gesture controls to answer calls. This is an entirely new way to experience the AirPods on Android, bringing it to the next level of functionality and convenience. 

This level of cross-platform functionality rests on a meticulous reverse-engineering effort by Devar that makes the AirPods recognize an Android handset as if it were an iPhone or iPad. That technical trick persuades the earphones to share the status data and advanced controls that Apple typically confines to its own ecosystem.

LibrePods, however, is not without conditions. Owing to what Devar describes as a persistent limitation in the Android Bluetooth stack, full functionality currently requires a rooted device running the Xposed framework.

OnePlus and Oppo smartphones running OxygenOS 16 or ColorOS 16 can run the app without rooting, but certain advanced features, such as fine-tuning the Transparency mode adjustments, still require elevated system access on those devices. This makes them a partial exception: users on OnePlus and Oppo smartphones can still make use of the app without rooting.

Wide compatibility remains a central priority, with support extended across the AirPods line-up, including AirPods Max and the second- and third-generation AirPods Pro, though older models naturally get a smaller range of features. The extensive documentation in the project's GitHub repository may be helpful to anyone interested in exploring it further, as well as in downloading the APK and installing it on their own devices.

LibrePods continues to receive widespread attention, and Devar's work reveals a broader shift in how users expect technology to work: the ability to choose, to have open systems, and to use them in ways that are more useful to them. In addition to restoring functionality for Android users who had to settle for a diluted AirPods experience, this project demonstrates the power of community-driven innovation in challenging established norms and expectations.

The tool still comes with technical caveats, but its rapid evolution makes further refinements likely. LibrePods therefore shows great promise for an improved, more flexible multi-platform audio future, one that is user-centric rather than platform-centric.

Banking Malware Can Hack Communications via Encrypted Apps


Sturnus hacks communication 

A new Android banking malware dubbed Sturnus can capture conversations in their entirety from encrypted messaging apps such as Signal, WhatsApp, and Telegram, and can take complete control of the device.

While still under development, the malware is fully functional and has been built to target accounts at various financial institutions across Europe using "region-specific overlay templates".

Attack tactic 

Sturnus uses a combination of plaintext, RSA, and AES-encrypted communication with the command-and-control (C2) server, making it a more sophisticated threat than existing Android malware families.

Sturnus can steal messages from secure messaging apps after the decryption step by recording the content from the device screen, according to research from online fraud prevention and threat intelligence firm ThreatFabric. The malware can also collect banking account details using HTML overlays and offers complete, real-time access through a VNC session.

Malware distribution 

The researchers have not determined how the malware is distributed, but they consider malvertising or direct messages to be plausible approaches. Upon deployment, the malware connects to the C2 server to register the victim via a cryptographic exchange.

For instructions and data exfiltration, it creates an encrypted HTTPS connection; for real-time VNC operations and live monitoring, it creates an AES-encrypted WebSocket channel. Sturnus can begin reading text on the screen, record the victim's inputs, view the UI structure, identify program launches, press buttons, scroll, inject text, and traverse the phone by abusing the Accessibility services on the device.

To get full control of the device, Sturnus obtains Android Device Administrator privileges, which let it keep tabs on password changes and attempt to lock and unlock the device remotely. The malware also tries to stop the user from revoking its privileges or removing it from the device. Sturnus uses its permissions to capture message content, typed text, contact names, and conversation contents when the user opens WhatsApp, Telegram, or Signal.
