Daily News Update: Friday, March 28, 2025 (Australia/Melbourne)



Infostealer Campaign Compromises 10 npm Packages

Ten npm packages, belonging to several different maintainers, were updated with malicious code that steals environment variables and other sensitive data from developers' systems. The campaign targeted multiple cryptocurrency-related packages; one of them, the popular 'country-currency-map' package, was being downloaded thousands of times a week.
All these packages, except for country-currency-map, are still available on npm.
The malicious code was discovered by Sonatype researcher Ali ElShakankiry and lives in two heavily obfuscated scripts, "/scripts/launch.js" and "/scripts/diagnostic-report.js", which run automatically when the package is installed, without the developer ever invoking them.
Sonatype reports:
"Given the concurrent timing of the attacks on multiple packages from distinct maintainers, the first scenario (maintainer accounts takeover) appears to be a more likely scenario as opposed to well-orchestrated phishing attacks."
The JavaScript steals the device's environment variables and sends them to the remote host "eoi2ectd5a5tn1h[.]m[.]pipedream[.]net".
Bleeping Computer | "Infostealer campaign compromises 10 npm packages, targets devs"

Mozilla Patches Critical Firefox Sandbox Escape Flaw

Mozilla has released Firefox 136.0.4 to address a critical security vulnerability, CVE-2025-2857, that allows attackers to escape the web browser's sandbox on Windows systems. Mozilla describes the flaw as an "incorrect handle [that] could lead to sandbox escapes"; it was reported by Mozilla developer Andrew McCreight and affects both the standard release and the extended support releases (ESR) of Firefox.
Mozilla stated:
"Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unpriviled [sic] child processes leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected."
Mozilla noted that the vulnerability is similar to the Chrome zero-day, CVE-2025-2783, exploited in the Operation ForumTroll espionage campaign targeting Russian organisations. In October, Mozilla patched another zero-day, CVE-2024-9680, exploited by the Russia-based RomCom cybercrime group.
Bleeping Computer | "Mozilla warns Windows users of critical Firefox sandbox escape flaw"

ICO Fines Advanced £3.1 Million Over 2022 LockBit Ransomware Attack

Advanced, a UK-based IT services provider for healthcare, has been fined £3.1 million by the Information Commissioner's Office (ICO) following a ransomware attack in August 2022. The attack caused widespread disruption and saw the personal information of 79,404 people compromised, which included sensitive details like home entry instructions for 890 individuals receiving at-home care.
The ICO emphasised that Advanced's security measures "fell seriously short" of what is expected of an organisation handling such sensitive data. Information Commissioner John Edwards stated:
"With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable."
The fine was reduced from an initial £6 million due to Advanced's cooperation with authorities, including the NCSC, NCA, and NHS, and their agreement to pay without appeal. The ICO highlighted the lack of vulnerability scanning and inadequate patch management as contributing factors to the breach.
The Record | "British company Advanced fined £3m by privacy regulator over ransomware attack"
The Register | "Ransomwared NHS software supplier nabs £3M discount from ICO for good behavior"

Browser Extension Sales Pose Hidden Threat to Enterprises

Browser extensions, which can be bought, sold and repurposed without warning, are a blind spot for organisations. John Tuckner, founder of Secure Annex, demonstrated how quickly an extension can be bought and repurposed to redirect traffic. He purchased an extension named "Website Blocker" for $50 and transferred ownership to himself in the Chrome Web Store for a $5 fee.
Tuckner stated:
"Browser extension updates, by default, occur automatically and silently when a user's browser detects a new version available in the Chrome web store. Only if new permissions are requested by the extension is the user ever notified or prompted."
Once Tuckner gained ownership, he submitted an update to the Chrome Web Store and pushed new code to the existing user base. Because the update abused permissions the extension had already been granted, no prompt was shown; the new code redirected users to a Rick Roll.
CyberScoop | "Browser extension sales, updates pose hidden threat to enterprises"

Vulnerabilities in Solar Inverters Could Disrupt Power Grids

Researchers at Vedere Labs have identified 46 vulnerabilities in solar inverters from leading manufacturers Sungrow, Growatt, and SMA. These vulnerabilities could allow attackers to remotely control devices, execute code, and potentially disrupt power grids. The most severe impacts include unauthorized access to cloud platforms, remote code execution (RCE), device takeover, information disclosure, physical damage, and denial of service.
One notable vulnerability, CVE-2025-0731, affects SMA products, enabling remote code execution through the upload of .ASPX files. Growatt inverters are particularly vulnerable due to the ease of control via the cloud backend, allowing attackers to modify configuration parameters. Sungrow inverters can be compromised through multiple vulnerabilities, including IDORs (CVE-2024-50685, CVE-2024-50693, CVE-2024-50686) and hard-coded MQTT credentials (CVE-2024-50692), leading to remote code execution on communication dongles (CVE-2024-50694, CVE-2024-50695, CVE-2024-50698).
The report highlights the potential for attackers to control entire fleets of inverters, creating significant imbalances in power generation and demand. Forescout Vedere Labs noted:
"Each inverter can modulate its power generation within the range permitted by current PV panel production levels. The combined effect of the hijacked inverters produces a large effect on power generation in the grid."
Beyond grid disruption, these vulnerabilities could also lead to privacy breaches, smart device hijacking and ransomware attacks. Sungrow, SMA and Growatt have all released fixes for the reported vulnerabilities. The full report from Forescout's Vedere Labs provides detailed technical information on them.
Bleeping Computer | "Dozens of solar inverter flaws could be exploited to attack power grids"

CrushFTP CEO: You're Not My Supervisor!

CrushFTP's CEO has responded aggressively to VulnCheck after VulnCheck, acting as a CVE Numbering Authority (CNA), published CVE-2025-2825 (CVSS 9.8) for a critical unauthenticated access vulnerability in CrushFTP's file transfer software. The vulnerability allows attackers to access file servers using specially crafted HTTP requests. CrushFTP had informed customers about the vulnerability on March 21 and promised a CVE "soon", but had not issued one by the time VulnCheck published.
The CEO's email to VulnCheck stated:
"You don't know any details on this issue. Yours [CVE] will be deleted as a duplicate. You did not discover this. The real CVE is pending. Your reputation will go down if you do not voluntarily remove your fake item. It will be blatantly obvious when the real CVE is live since it literally explains in detail the vulnerability you know nothing about."

CrushFTP's advisory is behind a customer paywall and contains conflicting information regarding affected versions. Rapid7 noted that the vulnerability requires no privileges or user interaction to exploit.
A previous vulnerability from April 2024, CVE-2024-4040, was also assigned by a third party after CrushFTP failed to issue a CVE. CrushFTP claims to have high-profile clients, including Fortune 100 companies.
Vendors of this category of product need well-developed vulnerability patching and disclosure processes, and CrushFTP has dropped the ball here for the second time in as many years.
The Register | "CrushFTP CEO's feisty response to VulnCheck's CVE for critical make-me-admin bug"

Serbian Journalists Targeted with Pegasus Spyware

Amnesty International reports that two investigative journalists in Serbia were targeted with NSO Group’s Pegasus spyware in March. The journalists, working for the Balkan Investigative Reporting Network (BIRN), received suspicious messages on Viber containing links to a domain associated with Pegasus. Amnesty International’s Security Lab confirmed the spyware infection.
Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, stated that the links were determined with “high confidence” to be associated with Pegasus. The spyware appears to have been deployed as a one-click attack.
This marks the third time in two years that Amnesty has found Pegasus deployed against Serbian civil society. In December, Amnesty reported that Serbian authorities used Cellebrite software to unlock civilians’ phones and install homegrown spyware.
Amnesty International believes that the attacks were carried out by a Serbian state entity, citing the continued use of Serbian language Pegasus infection domain names and the consistent methodology used in targeting Serbian civil society.
The Record | "Two Serbian journalists reportedly targeted with Pegasus spyware"

Russian Authorities Arrest Three for Developing Mamont Malware

Russian authorities have arrested three individuals suspected of developing the Mamont malware, an Android banking trojan. The suspects were apprehended in the Saratov region, and police seized computers, storage devices, communication tools and bank cards.
Russia's Interior Ministry (MVD) stated that the trio is linked to over 300 cybercrime incidents. Mamont is delivered through Telegram channels, disguised as legitimate mobile apps or video files. Once installed, it lets the criminals transfer funds from the victim's bank account via SMS banking services.
The malware can also:
- Collect information about the infected device and exfiltrate messages related to financial or monetary transactions, sending them back to the attackers' controlled Telegram channel;
- Spread to contacts in the victim’s messenger app.
The Record | "Russia arrests three for allegedly creating Mamont malware, tied to over 300 cybercrimes"

Resecurity Infiltrates BlackLock Ransomware Gang

Resecurity, a cybersecurity vendor, has disclosed that it infiltrated the BlackLock ransomware gang's infrastructure and relayed the data it gathered to national agencies to help victims. Resecurity found a Local File Inclusion (LFI) vulnerability in BlackLock's Tor-based data leak site (DLS) and exploited it to retrieve server-side data, including configuration files and credentials.
Resecurity stated:
"Resecurity invested substantial time in hash-cracking threat actors' accounts to take over the infrastructure."
The data gathered included the command history of one of BlackLock's main operators, known as "$$$", which contained copy-and-pasted credentials that were reused across the actor's infrastructure.
Resecurity highlighted the gang's reliance on Mega for data exfiltration, assessed the group as likely Russia- or China-based, and linked $$$ to the El Dorado and Mamona groups.
The company alerted CERT-FR and ANSSI, the French cybersecurity agency, and the Canadian Centre for Cyber Security about planned data leaks, enabling them to notify victims before their data was published.
The Register | "Security shop pwns ransomware gang, passes insider info to authorities"