Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Developers. Show all posts
Spyware
API Keys Cybersecurity Data Breach Developers malware npm packages open-source phishing Software Supply Chain Spyware

Rise in Data-Stealing Malware Targeting Developers, Sonatype Warns

 

A recent report released on April 2 has uncovered a worrying rise in open-source malware aimed at developers. These attacks, described as “smash and grab” operations, are designed to swiftly exfiltrate sensitive data from development environments.

Brian Fox, co-founder and CTO of Sonatype, explained that developers are increasingly falling victim to deceptive software packages. Once installed, these packages execute malicious code to harvest confidential data such as API keys, session cookies, and database credentials—then transmit it externally.

“It’s over in a flash,” Fox said. “Many of the times, people don’t recognize that this was even an attack.”

Sonatype, a leader in software supply-chain security, revealed that 56% of malware identified in Q1 2025 focused on data exfiltration. These programs are tailored to extract sensitive information from compromised systems. This marks a sharp increase from Q4 2024, when only 26% of open-source threats had such capabilities. The company defines open-source malware as “malicious code intentionally crafted to target developers in order to infiltrate and exploit software supply chains.”

Fox emphasized that these attacks often begin with spear phishing tactics—posing as legitimate software packages on public repositories. Minor changes, such as replacing hyphens with underscores in filenames, can mislead even seasoned developers.

“The attackers fake the number of downloads. They fake the stars so it can look as legit as the original one, because there’s not enough awareness. [Developers] are not yet trained to be skeptical,” Fox told us.

These stolen data fragments—while small—can have massive consequences. API keys, hashed passwords, and cookie caches serve as backdoors for broader attacks.

“They’re breaking into the janitor’s closet, not to put in a bomb, but to grab his keychain, and then they’re going to come back at night with the keychain,” Fox said.

The 2025 report highlights early examples:

Compromised JavaScript packages on npm were found to steal environment variables, which typically contain API tokens, SSH credentials, and other sensitive information.

A fake npm extension embedded spyware that enabled complete remote access.

Malicious packages targeted cryptocurrency developers, deploying Windows trojans capable of keylogging and data exfiltration. These packages had over 1,900 downloads collectively.

A separate report published by Sonatype in November 2024 reported a 156% year-over-year surge in open-source malware. Since October 2023, over 512,847 malicious packages have been identified—including but not limited to data-exfiltrating malware.
Read more »
python
Crypto Wallets Developers Ethereum malware PyPI python

Latest PyPi Malware Steals Ethereum Private Keys, Developers Targeted

Latest PyPi Malware Steals Ethereum Private Keys, Developers Targeted

Researchers at Socket have exposed a malicious PyPi (Python Package Index package), set-utils, that steals Ethereum private keys by abusing a “commonly used account creation functions.” 

Masked as a simple utility tool for Python sets, the package imitates commonly used libraries such as python-utils (712M+ downloads) and utils (23.5M+ downloads). The trap baits innocent developers into installing the malicious package, allowing hackers unauthorized entry to Ethereum wallets. 

Since the start of this year, set-utils has been downloaded over 1000 times, exposing Ethereum users and developers to risk. The package attacks people working with blockchain technology, especially developers using Python-based wallet management libraries like eth-account. 

The package hacks Ethereum account creation to steal private keys through the blockchain by exploiting https://rpc-amoy.polygon.technology/ as a Command and Control server (C2). This lets hackers retrieve stolen credentials covertly. 

PyPi Targets

PyPi targets Ethereum developers and businesses working with Python-based blockchain apps. These include:

  • Web3 apps and crypto exchanges integrating Ethereum transactions.
  • Users having personal Ethereum wallets via Python automation. 
  • Blockchain developers using the eth-account for wallet creation and handling.
  • People who installed the package may expose their private keys to hackers, causing major financial losses. 

Consequences of PyPi attack

  • Stealing Ethereum private keys: PyPi ties into standard wallet creation methods, which makes it difficult to notice.
  • Exploit of Polygon RPC (rpc-amoy.polygon.technology/) as a C2 channel: By not using traditional network extraction, hackers hide stolen data inside blockchain transactions, making it difficult to detect.
  • Hardcoded hacker-controlled RSA public key: The private keys are encrypted and then sent, hiding the data from basic monitoring. 
  • Permanent breach: Even if a user uninstalls set-utils, Ethereum wallets made “while it was active are already exposed and compromised.”

Controlling the damage

For mitigating risk, businesses and developers should implement robust measures to protect software supply chains. Routine dependency audits and using automated scanning software can help detect malicious or suspicious behaviours in third-party packages when they are incorporated into production environments. 

According to Socket, “Integrating these security measures into development workflows, organizations can significantly reduce the likelihood of supply chain attacks.”  Socket has notified the PyPI team, and “it was promptly removed to prevent further attacks.”

Read more »
Technology
Artificial Intelligence Blockchain Developers Healthcare Marketing Technology

AI and Blockchain: Shaping the Future of Personalization and Security

 

The integration of Artificial Intelligence (AI) and blockchain technology is revolutionizing digital experiences, especially for developers aiming to enhance user interaction and improve security. By combining these cutting-edge technologies, digital platforms are becoming more personalized while ensuring that user data remains secure. 

Why Personalization and Security Are Essential 

A global survey conducted in the third quarter of 2024 revealed that 64% of consumers prefer to engage with companies that offer personalized experiences. Simultaneously, 53% of respondents expressed significant concerns about data privacy. These findings highlight a critical balance: users desire tailored interactions but are equally cautious about how their data is managed. The integration of AI and blockchain offers innovative solutions to address both personalization and privacy concerns. 

AI has seamlessly integrated into daily life, with tools like ChatGPT becoming indispensable across industries. A notable advancement in AI is the adoption of Common Crawl's customized blockchain. This system securely stores vast datasets used by AI models, enhancing data transparency and security. Blockchain’s immutable nature ensures data integrity, making it ideal for managing the extensive data required to train AI systems in applications like ChatGPT. 

The combined power of AI and blockchain is already transforming sectors like marketing and healthcare, where personalization and data privacy are paramount.

  • Marketing: Tools such as AURA by AdEx allow businesses to analyze user activity on blockchain platforms like Ethereum. By studying transaction data, AURA helps companies implement personalized marketing strategies. For instance, users frequently interacting with decentralized exchanges (DEXs) or moving assets across blockchains can receive tailored marketing content aligned with their behavior.
  • Healthcare: Blockchain technology is being used to store medical records securely, enabling AI systems to develop personalized treatment plans. This approach allows healthcare professionals to offer customized recommendations for nutrition, medication, and therapies while safeguarding sensitive patient data from unauthorized access.
Enhancing Data Security 

Despite AI's transformative capabilities, data privacy has been a longstanding concern. Earlier AI tools, such as previous versions of ChatGPT, stored user data to refine models without clear consent, raising privacy issues. However, the industry is evolving with the introduction of privacy-centric tools like Sentinel and Scribe. These platforms employ advanced encryption to protect user data, ensuring that information remains secure—even from large technology companies like Google and Microsoft. 
 
The future holds immense potential for developers leveraging AI and blockchain technologies. These innovations not only enhance user experiences through personalized interactions but also address critical privacy challenges that have persisted within the tech industry. As AI and blockchain continue to evolve, industries such as marketing, healthcare, and beyond can expect more powerful tools that prioritize customization and data security. By embracing these technologies, businesses can create engaging, secure digital environments that meet users' growing demands for personalization and privacy.
Read more »
Vulnerabilities and Exploits
Bug Fixes CVE Reporting Developers GitHub Vulnerabilities and Exploits

Maintaining Sanity Amidst Unnecessary CVE Reports

Maintaining Sanity Amidst Unnecessary CVE Reports

Developers strive to maintain robust codebases, but occasionally, they encounter dubious or exaggerated reports that can disrupt their work. 

A recent incident involving the popular open-source project “ip” sheds light on the challenges faced by developers when dealing with Common Vulnerabilities and Exposures (CVEs).

The Growing Nuisance of Dubious CVE Reports in Open Source Projects

The famous open source project 'ip' just had its GitHub repository archived, or turned "read-only" by its creator.

Developer Fedor Indutny began to receive online harassment when a CVE complaint was submitted against his project, bringing the vulnerability to his attention.

Unfortunately, Indutny's condition is not isolated. Recently, open-source developers have seen an increase in dubious or, in some cases, completely false CVE reports made for their projects without confirmation.

This might cause unjustified concern among users of these projects, as well as alerts from security scanners, which can be a source of frustration for developers.

The “ip” Project and the Dubious CVE

Fedor Indutny, the creator, disputed the severity of the bug. He argued that the impact was minimal and that the reported vulnerability did not warrant a CVE. However, the process for disputing a CVE can be complex and time-consuming. 

Indutny decided to take a drastic step: he archived the “ip” repository on GitHub, making it read-only. This move was a clear expression of frustration and a signal that he would not tolerate unwarranted disruptions to his project.

The 'node-ip' project is listed on the npmjs.com registry as the 'ip' package, with 17 million downloads per week, making it one of the most popular IP address parsing utilities JavaScript developers use.

Indutny resorted to social media to express his reasons for archiving 'node-ip': 

“There is something that have been bothering me for past few months, and resulted in me archiving node-ip repo on github.Someone filed a dubious CVE about my npm package, and then I started getting messages from all people getting warnings from `npm audit`.”

The Challenge of Disputing a CVE

Disputing a CVE involves navigating a bureaucratic maze. Developers must provide evidence that the reported vulnerability is either invalid or less severe than initially assessed. Unfortunately, this process is not always straightforward. In the case of the “ip” project, Indutny’s efforts to revoke the CVE faced hurdles:

  • Severity Assessment: The initial severity assigned to the vulnerability was likely based on the worst-case scenario. However, Indutny argued that the real-world impact was minimal. Balancing severity with practical implications is a delicate task.
  • CVE Documentation: Properly documenting the dispute requires clear communication. Developers must provide detailed explanations, code samples, and any relevant context. This documentation is essential for CVE reviewers to reevaluate the issue.
  • Community Perception: Public perception matters. When a project receives a CVE, users may panic, assuming the worst. Even if the impact is minor, the mere existence of a CVE can create unnecessary anxiety.

GitHub’s Response and Recommendations

GitHub, the platform hosting the “ip” repository, adjusted the severity of the CVE after Indutny’s actions. They also recommended enabling private vulnerability reporting. This feature allows maintainers to receive vulnerability reports privately, assess them, and decide whether they warrant public disclosure. By doing so, maintainers can avoid unnecessary panic and focus on addressing legitimate issues.

Read more »
Technology Upgrade
AI Apple Cyber Attacks CyberCrime Cybersecurity Developers iOS Technology Upgrade

Apple's AI Features Demand More Power: Not All iPhones Make the Cut

 


A large portion of Apple's developer conference on Monday was devoted to infusing artificial intelligence (AI) technology into its software. Some of the features Apple has rumoured to incorporate are not expected to work on all iPhones. If you read this article correctly, it sounds as if Apple is betting its long-awaited AI features will be enough to make you upgrade your iPhone — especially if the AI requires the latest smartphone. The annual developer conference of Apple, WWDC, is expected to take place on Monday with the announcement of iOS 18. 

According to Bloomberg, the company will release a new version of its artificial intelligence software, dubbed "Apple Intelligence," which will include features that will run directly on the iPhone's processor instead of being powered by cloud servers - in other words, they'll be powered directly from the device itself. According to the report, some of the AI services will still utilize cloud-based computing, however, many won't. The iPhone, iOS18, as well as any of Apple's other products and devices, are set to be updated, and anything short of a full array of AI-based features will likely disappoint developers and industry analysts, not to mention investors, with any changes Apple makes to its operating system. 

The company has turned to artificial intelligence (AI) as a way to revive its loyal fan base of over 1 billion customers and reverse the decline of its best-selling product in the face of choppy consumer spending and resurgent tech rivals. A key selling point that Apple uses to differentiate itself from its competitors is the fact that it is committed to privacy. There are still questions to be answered in regards to how Federighi will make sure that the personal context of a user will be shared across multiple devices belonging to the same user. 

However, he said that all data will be processed on-device and will never be shared across cloud servers. It is widely believed that the move by Apple was an evolution of the generative AI domain that would lead to the adoption of generative AI by enterprises by streamlining the best practices for AI privacy in the industrial sector. Analysts said that the software is likely to encourage a cascade of new purchases, as it requires at least an iPhone 15 or 15 Pro to be able to function. It has been predicted that we will likely see Apple's most significant upgrade cycle since the launch of the iPhone 12 in 2020, when 5G connectivity was part of the appeal for consumers for the device. 

A study from Apple analyst Ming-Chi Kuo published on Medium has claimed that the amount of on-board memory in the forthcoming iPhone 16 range, which is predicted to have 8GB of storage, may not be enough to be able to fully express the large language model (LLM) behind Apple's artificial intelligence (AI). It has been argued by analyst Kuo in a recent post that the iPhone 16's 8GB DRAM limit will likely restrict on-device learning curves from exceeding market expectations. Kuo suggests that eager Apple fans might want to temper their expectations before WWDC this year. 

Although this is true, Apple's powerful mobile chips and efficient iOS operating system can offer market-leading performance, regardless of how much RAM is available to them, on many of their previous iPhone models. As a result, memory has never been much of an issue on revious iPhone models. In the case of notoriously demanding AI tools, such as deep learning, however, the question becomes whether that level of complexity will still be applicable.

Several apps are set to feature AI technology, including Mail, Voice Memos, and Photos, as part of Apple's AI integration, but users will have to opt-in to use the features if they wish to use them. There were rumours that the company would deliver a series of features designed to simplify everyday tasks such as summarizing and writing emails, as well as suggesting custom emojis for emails. Moreover, Bloomberg reports that Siri is also going to undergo an AI overhaul to allow users to be able to do more specific tasks within apps, for instance, deleting an email inside an app will be one of these. According to The Information and Bloomberg, Apple has signed a deal with OpenAI to power some features, including a chatbot that is similar to ChatGPT, one of the most popular chatbots.
Read more »
Technology
AlphaCodium Artifcial Intelligence CodiumAI Developers Secure Coding Technology

AlphaCodium: Your New Coding Assistant

 


Meet AlphaCodium, the latest creation from CodiumAI, taking AI code generation to the next level, leaving Google's AlphaCode in its digital dust. Forget complicated terms; AlphaCodium simply means smarter, more accurate coding. Instead of following a set script, it learns and refines its code through a back-and-forth process, making it work more like how we humans tackle problems. Think of it like a super-smart sidekick for developers, helping them build faster and with zero bugs. So, get ready for a coding revolution – AlphaCodium is here to make programming easier, more efficient, and, most importantly, error-free.

AlphaCodium's success is attributed to its innovative 'flow engineering' method, shifting from a traditional prompt: answer approach to a dynamic iterative process. Unlike its predecessors, it incorporates elements of Generative Adversarial Network (GAN) architecture, developed by Ian Goodfellow in 2014. This includes a model for code generation and an adversarial model ensuring code integrity through testing, reflection, and specification matching.

The process begins with input, followed by pre-processing steps where AlphaCodium reflects on the problem, leading to an initial code solution. Subsequently, it generates additional tests to refine the solution iteratively, ultimately reaching a final functional code.

CodiumAI's mission, as stated on its website, is to "enable developers to build faster with zero bugs." The startup, founded in 2022, raised $10.6 million in March 2023. AlphaCodium's performance, tested on the CodeContests dataset containing 10,000 competitive programming problems, showcased an impressive improvement in accuracy from 19% to 44% compared to GPT-4.

Andrej Karpathy, previously director of AI at Tesla and now with OpenAI, highlighted AlphaCodium's 'flow engineering' as a revolutionary approach to improve code generation. This method not only allows the AI to generate boilerplate code but also ensures the generated code is accurate and functional.


CodiumAI's CEO on AlphaCodium's Significance

CodiumAI's CEO, Itamar Friedman, emphasised that AlphaCodium is not merely a model but a comprehensive system and algorithm facilitating a dynamic 'flow' of communication between a code-generating model and a 'critic' model. This approach, termed 'flow engineering,' distinguishes AlphaCodium as a groundbreaking solution.

Friedman acknowledges OpenAI (developer of Codex) and Google DeepMind as rivals but emphasises that the real competition lies in advancing code integrity technology. He sees AlphaCodium as the next generation of code integrity, aligning not only with specifications but also with cultural documents, beliefs, and guidelines of the developer community. 

Friedman expressed inspiration from DeepMind's work but highlighted the absence of 'flow engineering' in Google DeepMind's AlphaCode. He suggests that the mainstream narrative focused on improving large language models might be overlooking the essential aspect of creating a flow for effective code generation.


To look at it lucidly, AlphaCodium represents a shift in the AI coding mechanism, asserting the importance of a continuous 'flow' in generating not just code but accurate and functional solutions. The implementation of 'flow engineering' marks a significant departure from conventional methods, offering a more dynamic and iterative approach to generate accurate and functional code. 

Read more »
RBI
App Developers Banks CISO Developers RBI

Security Issue in Banking Applications?

Recently, we tested a mobile application of a BFSI platform, which allowed the organization's employees to view and interact with new customer leads. 

The mobile app had a password-based authentication system, with the username being the mobile number of the user. We identified a major weakness in this mobile app. The app allows a user to reset the password if they can prove themselves via an OTP. When the 'forgot password' button is pressed, the user is sent to a page where they are prompted to enter an OTP. The OTP is sent to the phone number, and if the wrong OTP is entered, the server responds with `{"OTP":"Failure"}`. While this seems to have been implemented properly, we tried to change the server response by conducting an MITM. We changed the response from the server to `{"OTP":"Success"}`. This redirection led us to the password change screen, where we were prompted to enter a new password. 

Initially, we believed this was only a visual bug and that the password reset would fail. However, we soon discovered that the password reset page itself does not check the OTP, and there is no session to track the successful OTP. This means any attacker can take the password change request, replace the phone number, and change the password of any other user (phone number). In simple terms, the OTP verification and the password reset page are not connected. The password reset API call did not have any verification or authentication to ensure only the correct user can change the password. 

This reveals how BFSI developers, when asked to build an app, often create the requested features without considering any security architecture. These apps are usually rushed, and only the positive/happy paths are checked. Security testing and architecture are often considered only as an afterthought. Unless BFSI incorporates security architecture into the development stage itself, such vulnerabilities will continue to emerge.  

By
Suriya Prakash
Head DARWIS 
CySecurity Corp

Read more »
Two Factor Authentication
Blockchain Crypto Crypto Crime Crypto Theft Data Breach. Developers Two Factor Authentication

Over $30 Billion Stolen from Crypto Sector, Reveals SlowMist's

A recent report by cybersecurity firm SlowMist has uncovered a shocking revelation regarding the vulnerability of the crypto sector. According to the report, blockchain hacks have resulted in the theft of over $30 billion from the cryptocurrency industry since 2012. This alarming figure highlights the pressing need for enhanced security measures within the blockchain ecosystem.

The report from SlowMist, a renowned cybersecurity company specializing in blockchain technology, brings to light the magnitude of the problem facing the crypto sector. The findings emphasize the urgent requirement for robust security protocols to safeguard digital assets and protect investors.

The report reveals that hackers have been successful in exploiting vulnerabilities across various blockchain networks, resulting in significant financial losses. SlowMist's research indicates that these attacks have been carried out through a range of methods, including exchange hacks, smart contract vulnerabilities, and fraudulent schemes.

One of the primary areas of concern is the vulnerability of cryptocurrency exchanges. These platforms serve as a vital link between users and their digital assets, making them lucrative targets for hackers. SlowMist's report highlights the need for exchanges to prioritize security measures and implement robust systems to safeguard user funds.

The rise in smart contract-based attacks has also been a cause for concern. Smart contracts, which automate and facilitate transactions on blockchain platforms, have been exploited by hackers who identify vulnerabilities within the code. This highlights the need for thorough security audits and ongoing monitoring of smart contracts to prevent potential breaches.

Industry experts emphasize the significance of preemptive actions to thwart these threats in response to the report's conclusions. Renowned blockchain security expert Jack Smith emphasizes the value of ongoing surveillance and quick response mechanisms. According to him, "It is crucial for crypto companies to prioritize security and adopt a proactive approach to identify and mitigate vulnerabilities before hackers exploit them."

The report also highlights the demand for a greater user understanding of cryptocurrencies. If consumers don't employ prudence when transacting with and holding their digital assets, even the most comprehensive security measures won't be enough. By educating people about best practices, like as using hardware wallets and turning on two-factor authentication, the danger of being a victim of hacking efforts can be greatly decreased.

The cryptocurrency industry has grown rapidly in recent years, drawing both investors and bad actors looking to take advantage of its weaknesses. The SlowMist report is a wake-up call, highlighting the critical need for better security procedures to protect the billions of dollars invested in the sector.

The adoption of more robust security measures must continue to be a primary focus as the blockchain sector develops. The report's conclusions underscore that everyone is accountable for building a secure ecosystem that promotes trust and protects against possible dangers, including blockchain developers, cryptocurrency exchanges, and individual users.



Read more »
Subscribe to: Posts (Atom)