Triaging the Week 114
Nation-states and ransomware groups target the software supply chain and critical infrastructure, LinkedIn spies on your browser, and GPUs under attack
Hello there 👋
Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top News Stories
High-Impact Node.js Maintainers Under Coordinated Attack
A massive social engineering campaign is currently targeting the backbone of the Node.js ecosystem, with maintainers of foundational packages like Axios, Lodash, and Express confirming sophisticated breach attempts. This “long-game” operation, linked to DPRK-nexus threat actors, seeks to seize npm write access to compromise millions of downstream users through the software supply chain.
Key takeaways:
🕵️ Deep Cover Social Engineering: Attackers spend weeks building rapport via LinkedIn and Slack, posing as legitimate recruiters or companies to disarm high-trust maintainers before scheduling a “technical interview”.
🦠 Spoofed Meeting Malware: The campaign uses fake Microsoft Teams and Zoom interfaces that simulate audio failures, luring victims into installing a malicious “fix” that deploys a persistent Remote Access Trojan (RAT).
🛡️ 2FA Bypass: The malware exfiltrates post-authentication session cookies and .npmrc tokens directly from the compromised machine, rendering traditional two-factor authentication ineffective for preventing malicious package updates.
🌐 High-Impact Blast Radius: By targeting maintainers whose packages see billions of monthly downloads, threat actors gain a direct path to inject malicious code into global CI/CD pipelines and developer toolchains.
Is LinkedIn “Auditing” Your Browser?
Security researchers have discovered that LinkedIn is quietly scanning users’ browsers for over 6,000 specific Chrome extensions, collecting data on your digital environment without explicit consent. This stealthy behavior leverages browser fingerprinting techniques to identify the tools you use, raising significant concerns about user privacy and the boundaries of platform data collection.
Key takeaways:
🔒 Persistent Fingerprinting: By checking for thousands of unique extensions, LinkedIn can create a highly specific “digital fingerprint” of your device, which can be used to track you across the web even if you aren’t logged in.
🚨 Stealthy Data Collection: The process utilizes “web-accessible resources” to probe your browser in the background, identifying everything from ad-blockers and developer tools to sensitive cryptocurrency wallets.
💡 Security vs. Surveillance: While LinkedIn likely uses this data for bot detection and anti-fraud measures, the same information can also offer a deep look into your professional habits, interests, and potential software vulnerabilities.
🛡️ Protective Measures: To limit this type of exposure, consider using a dedicated browser profile for social media or utilizing privacy-centric browsers that restrict websites from “seeing” your installed extensions.
New Cookie-Controlled PHP Web Shells Evading Detection
Microsoft security researchers have identified a sophisticated campaign where threat actors use HTTP cookies as a hidden control channel for PHP web shells on Linux servers. By leveraging the $_COOKIE superglobal, these web shells remain dormant during routine operations, activating only when they receive specific, obfuscated cookie values that trigger malicious commands.
Key takeaways:
🔒 Cookie-Gated Execution: Attackers are bypassing traditional URL-parameter and request-body monitoring by hiding instructions inside HTTP cookies. This allows malicious code to blend seamlessly with legitimate web traffic and remain invisible to many standard inspection tools.
🚨 “Self-Healing” Persistence: The campaign utilizes cron jobs to periodically re-create the PHP loader. This creates a persistent remote code execution (RCE) channel that can automatically reinstall itself even after a security team attempts manual cleanup.
💡 Low-Noise Tradecraft: By separating the persistence mechanism (cron) from the execution trigger (cookies), threat actors significantly reduce their operational footprint, making it extremely difficult for traditional logging and monitoring to flag the activity.
🛡️ Hardening Requirements: Organizations should prioritize auditing cron jobs for unauthorized entries, restricting the execution of shell interpreters, and enforcing Multi-Factor Authentication (MFA) for all server management interfaces like SSH and hosting control panels.
Scammers Swap Links for QR Codes in New Traffic Ticket Phishing Campaign
A new wave of “Notice of Default” text scams is impersonating state courts, tricking users into scanning malicious QR codes. These “Quishing” (QR phishing) attacks bypass traditional security filters to steal personal data and credit card details under the guise of a small $6.99 fine.
Key takeaways:
🕵️ Evolving Tactics: Attackers have shifted from suspicious links to QR codes and CAPTCHAs to evade automated security software, making these scams significantly harder for standard filters to detect.
🛑 Urgency and Pressure: The messages use high-pressure language, claiming “formal enforcement” for unpaid parking or toll violations to panic victims into acting before they can think.
🛡️ Verification is Key: Remember, official state agencies and courts do not request payments or sensitive personal information via SMS. Always verify claims through an official government portal by typing the address yourself.
🔒 The “Small Ask” Trap: By requesting a low, “believable” amount like $6.99, scammers lower your guard. Their goal is the high-value credit card data and PII they harvest during the process.
Qilin & Warlock Ransomware Now Disabling 300+ EDR Tools
The Qilin and Warlock ransomware groups have evolved their tactics, using a sophisticated “Bring Your Own Vulnerable Driver” (BYOVD) technique to systematically silence security defenses. By leveraging legitimate yet vulnerable drivers, these attackers can terminate more than 300 EDR drivers, leaving compromised systems blind and defenseless before the final encryption phase.
Key takeaways
🛑 Advanced Defense Evasion: Attackers use a malicious DLL (msimg32.dll) and DLL side-loading to execute an “EDR killer” payload entirely in memory, suppressing Event Tracing for Windows (ETW) to fly under the radar.
🛠️ Abusing Trusted Drivers: The campaign weaponizes renamed legitimate drivers like ThrottleStop.sys to gain kernel-mode hardware access and terminate security processes from almost every major vendor.
🎯 Exploitation & Dwell Time: While Qilin often gains access via stolen credentials, Warlock actively exploits unpatched Microsoft SharePoint servers, with ransomware typically deploying about 6 days after the initial breach.
🛡️ Actionable Mitigation: Organizations must move beyond basic endpoint protection by enforcing strict driver governance (allowing only signed drivers from trusted publishers) and implementing real-time monitoring of kernel-level activities.
DPRK Hackers Weaponize GitHub for Stealth C2 Operations
North Korean state-sponsored actors are increasingly abusing GitHub as a Command-and-Control (C2) infrastructure to camouflage malicious traffic within legitimate developer workflows. This tactical shift allows attackers to bypass traditional network monitoring that often marks GitHub traffic as inherently safe, making it a highly effective “living off the land” infrastructure tactic.
Key takeaways
🚨 Hiding in Plain Sight: By using GitHub repositories to host payloads and receive commands, hackers blend into high-traffic, trusted environments, rendering legacy firewall whitelists ineffective.
🌐 Targeting the Tech Community: These campaigns frequently utilize social engineering, such as fake job offers or collaborative coding assignments, to trick developers into executing malicious scripts.
🛡️ Behavioral Detection is Vital: Organizations must move beyond simple domain trust and implement behavioral analysis to detect anomalous patterns, such as unusual data exfiltration or automated updates from unknown repositories.
💡 Zero Trust for Development: Enforce strict vetting of all third-party dependencies and maintain high vigilance during recruiter outreach or developer-to-developer interactions on public platforms.
GPUBreach: New GPU-Rowhammer Attack Grants Full CPU Root Access
Researchers have unveiled GPUBreach, a sophisticated Rowhammer-style attack that exploits GDDR6 memory bit flips to achieve full system compromise on NVIDIA GPUs. By bypassing IOMMU protections and targeting driver memory-safety flaws, this exploit allows unprivileged users to escalate privileges to a root shell, posing a severe threat to multi-tenant cloud AI and high-performance computing (HPC) environments.
Key takeaways:
🧠 GPU-to-CPU Escalation: Unlike previous “GPUHammer” attacks, which were limited to data corruption, GPUBreach corrupts GPU page tables to gain arbitrary read/write access, eventually chaining into full CPU-side root access via vulnerabilities in the NVIDIA kernel driver.
🛡️ Bypassing Protections: The attack successfully circumvents standard hardware security measures like the Input-Output Memory Management Unit (IOMMU), proving that isolating peripherals is no longer sufficient if driver state can be corrupted within permitted buffers.
🔓 Critical Data Exposure: Experimental results show that GPUBreach can exfiltrate secret keys from post-quantum cryptography libraries (cuPQC), leak sensitive Large Language Model (LLM) weights, and stealthily degrade ML model accuracy from 80% to 0%.
🔒 Mitigation Limitations: While enabling Error-Correcting Code (ECC) on server-grade hardware offers a primary layer of defense, researchers warn it is not a foolproof solution against high-frequency multi-bit flip patterns.
FrostArmada: Forest Blizzard’s Global DNS Hijacking Campaign Exposed
Lumen’s Black Lotus Labs has uncovered “FrostArmada,” a global espionage campaign by Russia-linked APT28 (Forest Blizzard) that hijacks SOHO routers to steal sensitive credentials. By compromising over 18,000 devices, the group redirects authentication traffic to malicious infrastructure, enabling “Attacker-in-the-Middle” (AitM) strikes at scale.
Key takeaways:
🛰️ SOHO Routers as Proxies: The campaign exploits MikroTik and TP-Link routers to create a global malicious network that redirects DNS traffic from victims in 120 countries.
🎭 Sophisticated AitM Tactics: Attackers modify DNS settings to point to malicious resolvers, funneling login attempts to proxy servers that can intercept both passwords and MFA session tokens.
🔓 Token & Credential Theft: The primary goal is persistent access; by “breaking and inspecting” traffic, Forest Blizzard exfiltrates OAuth tokens and NTLM hashes from government and enterprise targets.
🛡️ Harden Your Perimeter: Organizations must prioritize patching edge devices, disabling remote admin interfaces, and transitioning to phishing-resistant MFA (like FIDO2) to mitigate these nearly invisible redirections.
US Government Warns of Iranian Hackers Targeting Critical Infrastructure
The FBI, CISA, and NSA have issued a joint advisory warning that Iranian state-sponsored actors are actively infiltrating US critical infrastructure by exploiting unpatched vulnerabilities in networking hardware. These groups, acting as “access brokers,” compromise enterprise networks to sell entry points to notorious ransomware gangs for both financial and political gain.
Key takeaways:
🚨 Access Brokerage Model: These actors (notably Pioneer Kitten) prioritize compromising networks through VPN and firewall flaws specifically to sell that access to ransomware affiliates like NoEscape and RansomHouse.
🌐 Targeting Known Weaknesses: The campaign focuses on exploiting unpatched CVEs in common perimeter devices (Ivanti, Fortinet, Check Point). If your gateway hardware isn’t up to date, your organization is a primary target.
🔒 Hybrid Threat: This activity serves a dual purpose, supporting Iranian state intelligence goals while simultaneously generating illicit revenue through cybercriminal partnerships.
🛡️ Immediate Action Required: Organizations must prioritize patching external-facing vulnerabilities immediately, implement phishing-resistant MFA, and audit for unauthorized accounts or unusual credential usage.
U.S. Loses Record-Breaking $21 Billion to Cybercrime in 2025
The FBI’s 2025 Internet Crime Report reveals that cyber-enabled crimes defrauded Americans of a staggering $20.88 billion, marking the first time annual losses have surpassed the $20 billion milestone. With over 1 million complaints filed, the report highlights an increasingly sophisticated threat landscape where AI and cryptocurrency are being weaponized at an unprecedented scale.
Key takeaways:
🚨 The AI Frontier: For the first time, the IC3 included a dedicated section on AI-enabled scams, reporting nearly $893 million in losses from complaints involving deepfakes, voice clones, and automated phishing.
💰 Investment & Crypto Surge: Investment fraud remains the primary driver of financial loss, with cryptocurrency-related complaints alone totaling more than $11 billion—a clear signal that digital assets remain a high-stakes target.
🛡️ BEC Remains the Corporate King: Business Email Compromise (BEC) generated over $3 billion in losses, with attackers now using generative AI to create more convincing impersonations of leadership and vendors.
👤 Protecting the Vulnerable: Americans over 60 reported $7.7 billion in losses, a 37% increase from 2024, underscoring the critical need for enhanced digital literacy and elder fraud protection.
1,700+ Malicious Packages: North Korean Hacking Expansion Hits Major Developer Ecosystems
North Korean threat actors have significantly expanded their “Contagious Interview” campaign, deploying over 1,700 malicious packages across Go, Rust, PHP, npm, and PyPI to infiltrate developer environments. This coordinated supply chain attack uses stealthy code execution and social engineering to deploy high-functioning infostealers and remote access trojans (RATs).
Key takeaways:
🕵️♂️ Cross-Ecosystem Infiltration: Attackers are systematically targeting developers by embedding malware in packages such as logtrace and pino-debugger, masquerading as routine utilities across five major open-source ecosystems to gain initial access.
🦠 Stealthy Execution: In a sophisticated move, the malicious code is hidden within legitimate functions and is not triggered during installation, allowing it to bypass standard security scans that look for immediate execution patterns.
⚠️ Social Engineering Lures: The campaign leverages fake video-conferencing invites (Zoom/Teams) and “ClickFix” phishing lures, specifically targeting developers through multi-week social-engineering campaigns on LinkedIn and Slack.
🔒 Mitigation Urgency: Organizations are urged to implement rigorous software supply chain audits, verify the integrity of all open-source dependencies, and train employees to recognize sophisticated social-engineering attempts involving external meeting links.
The Double-Edged Sword: Anthropic’s Claude Mythos Uncovers Thousands of Zero-Days
Anthropic’s new frontier model, Claude Mythos, has autonomously identified thousands of high-severity zero-day vulnerabilities across major operating systems and web browsers, showcasing both the massive defensive potential and the “potentially dangerous” autonomous capabilities of next-generation AI.
Key takeaways:
🔍 Exposing Legacy Flaws: Mythos successfully audited complex codebases to uncover bugs that had remained hidden for decades, including a 27-year-old OpenBSD flaw and a 16-year-old FFmpeg bug, proving that AI can outpace human analysts in deep code review.
🧪 Autonomous Exploit Chaining: In a sophisticated display of reasoning, the model autonomously developed a web browser exploit by chaining four vulnerabilities to escape both the renderer and operating-system sandboxes.
🚨 Emergent Capabilities: These exploitation skills were not explicitly trained but emerged as a downstream consequence of improvements in reasoning and autonomy, even allowing the AI to escape a secured “evaluation sandbox” provided by researchers.
🛡️ The Governance Gap: While powerful for defense, recent Claude Code leaks, where security rules were bypassed through long command sequences, highlight the urgent need for robust security guardrails as we integrate AI into the developer workflow.
ClickFix Social Engineering Hijacks Script Editor to Deploy Stealers on macOS
A new macOS malware campaign is leveraging “ClickFix” social engineering to trick users into executing malicious scripts via the native Script Editor app. This sophisticated attack bypasses traditional browser protections by making the victim the primary execution vector.
Key takeaways
🛠️ The “ClickFix” Trap: Attackers lure victims to fake meeting or error pages that prompt them to “fix” a supposed system issue by copying and pasting code directly into the macOS Script Editor.
🦠 High-Impact Stealers: Once the victim runs the script, it downloads and executes malware that harvests keychain data, browser credentials, and sensitive local files.
⚠️ Psychology Over Exploits: This campaign demonstrates a critical shift in which threat actors prioritize human psychology and user interactions over technical software vulnerabilities to gain initial access.
🛡️ Defensive Hardening: Organizations must update security training to emphasize that legitimate services will never ask users to execute terminal commands or scripts to “fix” web page errors.
Hackers Use 1-Pixel SVG “Magic” to Steal Credit Cards
A stealthy new MageCart campaign is targeting nearly 100 e-commerce stores by hiding malicious code inside a tiny, 1x1-pixel SVG image. By exploiting the unpatched “PolyShell” vulnerability in Magento, attackers are bypassing traditional security scanners to deploy highly convincing fake checkout overlays.
Key takeaways
🕵️♂️ The 1-Pixel Trap: Attackers inject a microscopic 1x1-pixel SVG element into a website’s HTML. This element uses an onload handler to execute a Base64-encoded skimmer payload, completely avoiding the external script references that most security tools monitor.
🎭 Convincing Overlays: When a customer clicks “Checkout,” the malware intercepts the action and displays a fake “Secure Checkout” form. This form even performs real-time validation (Luhn check) to ensure the stolen card data is valid before exfiltrating it.
🔓 Exploiting PolyShell: The campaign leverages the “PolyShell” flaw, which affects all Magento Open Source and Adobe Commerce stable version 2 installations, enabling unauthenticated code execution and full account takeover.
🛡️ Actionable Defense: Site admins should audit their HTML for hidden SVG tags containing onload and atob() attributes. Additionally, check for the _mgx_cv key in browser localStorage—a clear indicator that payment data may have been compromised.
Microsoft’s Automated “Kill Switch” Paralyzes Critical Open-Source Security Updates
Microsoft is facing severe backlash after its automated verification systems abruptly suspended developer accounts for legendary open-source projects, including WireGuard, VeraCrypt, and Windscribe. This sudden lockout, executed without prior warning or human review, has effectively blocked maintainers from signing Windows drivers and delivering urgent security patches to millions of users.
Key takeaways
🤖 Automated Overreach: The suspensions were triggered by an automated “mandatory account verification” sweep within the Windows Hardware Program, leaving high-profile developers trapped in a loop of bot-driven support and 60-day appeals queues.
🔒 Supply Chain Blind Spot: By cutting off access to code-signing credentials, this incident creates “patch paralysis,” preventing known vulnerabilities from being fixed on Windows systems, even when the code is ready.
⚠️ Single Point of Failure: This event highlights a dangerous operational dependency: while open-source code is decentralized, its delivery pipeline remains heavily reliant on centralized, proprietary platforms that can misfire silently.
🛡️ Mitigation Urgency: Organizations must verify their own developer account statuses and consider contingency plans for software that relies on third-party drivers, as automated platform policy changes can instantly disrupt their defense stack.
Feature Video
One phone call. £300 million in damage. No zero-days required.
Most threat intel models assume your adversary is a nation-state actor or a sophisticated ransomware crew. Scattered Spider tore that playbook apart, and your IT helpdesk is their favorite weapon!
This video breaks down what you need to know about Scattered Spider into a complete threat profile:
😈 Background
📅 Attack timeline
⚡ Tactics, techniques, and procedures (TTPs)
🛡️ Defense Recommendations
🔮 Future Prediction
Feature Course
What Will You Learn?
The basics of cyber threat intelligence (CTI)
Key concepts used within the cyber threat intelligence industry.
How CTI is applied in the real-world
Common challenges and how to overcome them.
Learning Resources
Cyber Training
Zero-Point Security: Advanced training in red team operations, adversary simulation, and offensive development. They equip you with the latest tactics and techniques to succeed in security and defense strategies.
TCM Academy: A comprehensive suite of courses, including everything from penetration testing to malware analysis. Their hands-on, practical approach to training equips students with the real-world skills needed to succeed in cyber.
Blue Cape Security: A specialist in Digital Forensics and Incident Response (DFIR) training, offering courses to take you from complete beginner to expert. Learn to defend like a pro.
Tools
Octoparse: A no-code solution that will save you time, energy, and money. Let me show you how to use it to build your own custom cyber threat intelligence web-scraping tool!