March 25, 2025
⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More
A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad

Mar 24, 2025Ravie LakshmananWeekly Recap / Hacking

A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects.

That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad fraud at scale behind innocent-looking icons.

Meanwhile, ransomware gangs are getting smarter—using stolen drivers to shut down defenses—and threat groups are quietly shifting from activism to profit. Even browser extensions are changing hands, turning trusted tools into silent threats.

AI is adding fuel to the fire—used by both attackers and defenders—while critical bugs, cloud loopholes, and privacy shakeups are keeping teams on edge.

Let’s dive into the threats making noise behind the scenes.

⚡ Threat of the Week

Coinbase the Initial Target of GitHub Action Supply Chain Breach — The supply chain compromise involving the GitHub Action “tj-actions/changed-files” started as a highly-targeted attack against one of Coinbase’s open-source projects, before evolving into something more widespread and less stealthy. The attackers are suspected of attempting to poison open-source projects associated with Coinbase, failing which they mounted a large-scale campaign by pushing a malicious version of “tj-actions/changed-files” that leaked CI/CD secrets from any repository that ran the workflow. It’s not clear what the end goal of the campaign was, but Palo Alto Networks Unit 42 told The Hacker News that it was likely financially motivated with an aim to conduct cryptocurrency theft.

🔔 Top News

  • StilachiRAT is a Swiss Army knife of RATs — A stealthy remote access trojan (RAT) called StilachiRAT illustrates how threat actors are bundling a wide array of malicious capabilities into a single tool. The RAT is a Swiss Army knife for hackers, incorporating features for extensive system reconnaissance, data gathering, cryptocurrency theft, and credential theft with mechanisms to evade detection and maintain persistence on compromised systems. It also delays connection to an external server to fly under the radar. Microsoft said it first detected the malware in November 2024 in limited attacks, but the exact delivery mechanism remains unclear.
  • Over 300 Android Apps Behind Ad Fraud Campaign — A large-scale ad fraud campaign has resulted in more than 60 million downloads of malicious apps from the Google Play Store. As many as 331 apps have been discovered as part of the active campaign codenamed Vapor. These apps display out-of-context ads and attempt to steal credentials from online services. Google has since removed the apps from the Google Play Store, but they may be still available for download from unofficial third-party app marketplaces.
  • Medusa Ransomware Uses ABYSSWORKER to Blind EDR Software — The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to terminate anti-malware tools. The driver samples are signed using likely stolen, revoked certificates from Chinese companies, allowing it to sidestep security defenses. The development comes as cybercriminals are abusing Microsoft’s Trusted Signing platform to sign malware executables with short-lived three-day certificates.
  • Head Mare and Twelve Likely Collaborating to Target Russia — Two known hacktivist groups codenamed Head Mare and Twelve are likely working together to target Russian entities. The links are based on Head Mare’s use of tools previously associated with Twelve, as well as command-and-control (C2) servers exclusively employed by Twelve prior to these incidents. The attacks culminated in the deployment of LockBit for Windows and Babuk for Linux (ESXi) in exchange for a ransom.
  • Aquatic Panda Attributed to 2022 Espionage Campaign — The China-aligned Aquatic Panda has been linked to a “global espionage campaign” that took place in 2022 targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the United States. The attacks that took place between January and October 2022 have been codenamed Operation FishMedley. The intrusion set made use of an as-yet-unknown initial access vector to deploy malware families such as ShadowPad, Spyder, SodaMaster, and a previously undocumented C++ implant called RPipeCommander.

‎️‍🔥 Trending CVEs

Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.

This week’s list includes — CVE-2025-29927 (Next.js), CVE-2025-23120 (Veeam Backup & Replication), CVE-2024-56346, CVE-2024-56347 (IBM Advanced Interactive eXecutive), CVE-2024-10441 (Synology BeeStation Manager, DiskStation Manager, and Unified Controller), CVE-2025-26909 (WP Ghost), CVE-2023-43650, CVE-2023-43651, CVE-2023-43652, CVE-2023-42818, CVE-2023-46123, CVE-2024-29201, CVE-2024-29202, CVE-2024-40628, CVE-2024-40629 (JumpServer), and CVE-2025-0927 (Linux kernel)

📰 Around the Cyber World

  • Google Releases OSV-Scanner 2 — Google has announced the release of an updated iteration of OSV-Scanner, its free vulnerability scanner for open-source developers. “This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities to OSV-Scanner, making it a comprehensive vulnerability scanner and remediation tool with broad support for formats and ecosystems,” Google said. OSV-SCALIBR, an open-source Go library, was released by Google earlier this January.
  • North Korea Sets Up New Hacking Group — The North Korean government is reportedly setting up a new hacking group within the intelligence agency Reconnaissance General Bureau (RGB). According to DailyNK, the new unit, called Research Center 227, will focus on research to develop “offensive hacking technologies and programs.” It’s also said to research Western cybersecurity systems and computer networks, bolster Pyongyang’s capabilities to steal digital assets, and develop AI-based techniques for information theft. Over the past couple of years, North Korean hackers have become adept at siphoning funds from cryptocurrency exchanges and companies around the world, like the recent $1.4 billion-worth hack of Bybit. “The Bybit attack demonstrated a sophisticated, multi-stage approach which ultimately allowed the threat actor to take control of Bybit’s cold wallet and siphon funds,” Sygnia said in a post-mortem report of the incident. “During the attack, the threat actor showed a sophisticated ability to overcome security challenges across multiple domains, including macOS malwares, AWS cloud compromise, application security and smart contract security.” The incident is said to have first infected a macOS workstation belonging to a Safe{Wallet} developer on February 4, 2025, using their AWS access token to access Safe{Wallet}’s AWS infrastructure and injected malicious JavaScript on the platform’s web interface. “The malicious code included an activation condition, set to execute the transaction manipulation only on a specific Bybit’s cold wallet,” Sygnia added. “Bybit initiated a transaction from the targeted cold wallet using Safe{Wallet}’s web interface. The transaction was manipulated, and the attackers siphoned the funds from the cold wallets.” The malicious JavaScript code was removed two minutes after the transaction went through. In the meanwhile, cryptocurrency exchange OKX has temporarily suspended its DEX aggregator services misused by the North Korean hackers to launder stolen funds. The threat actors are estimated to have already successfully converted at least $300 million of the stolen assets to unrecoverable funds.
  • Cloudflare Blocks Unencrypted Traffic to its API Endpoints; Debuts AI Labyrinth — Cloudflare has announced that it’s closing all HTTP ports on api.cloudflare.com so as to enforce the use of HTTPS so as to secure Cloudflare API traffic. “Connections made over cleartext HTTP ports risk exposing sensitive information because the data is transmitted unencrypted and can be intercepted by network intermediaries, such as ISPs, Wi-Fi hotspot providers, or malicious actors on the same network,” it noted. “It’s common for servers to either redirect or return a 403 (Forbidden) response to close the HTTP connection and enforce the use of HTTPS by clients. However, by the time this occurs, it may be too late, because sensitive information, such as an API token, may have already been transmitted in cleartext in the initial client request.” Furthermore, third-parties on shared networks could intercept sensitive data from the plaintext HTTP request, or even carry out a Monster-in-the-Middle (MITM) attack by impersonating the web server. The company said it intends to introduce the ability for customers to opt-in to disable all HTTP port traffic for their websites on Cloudflare. The security feature is expected to be made available for free in the last quarter of 2025. The web infrastructure provider has also announced a new feature called AI Labyrinth that aims to combat unauthorized AI data scraping by serving fake AI-generated decoy content when “inappropriate bot behavior” is detected. “When we detect unauthorized crawling, rather than blocking the request, we will link to a series of AI-generated pages that are convincing enough to entice a crawler to traverse them,” Cloudflare said. “But while real looking, this content is not actually the content of the site we are protecting, so the crawler wastes time and resources.”
  • Europol Warns off AI Reshaping Organized Crime — Europol has warned that artificial intelligence (AI) is turbocharging organized crime gangs’ ability to pull off scams and expand their operations globally. The technology allows them to create multi-lingual messages, impersonate individuals, conduct more sophisticated cyber fraud, and generate manipulated or synthetic imagery. Identifying ransomware, data theft, and disinformation as most acute hybrid cybercrime threats, the European police organization said that criminal groups are using cryptocurrency to launder money and move funds around, making their activities harder to detect. “The emergence of fully autonomous AI could pave the way for entirely AI-controlled criminal networks, marking a new era in organized crime,” Europol said.
  • U.K. NCSC Releases Guidance For Post-Quantum Cryptography (PQC) Migration — The UK’s National Cyber Security Centre has released a three-phase timeline to help organizations transition to quantum-resistant encryption by 2035. The advice emphasizes the adoption of post-quantum cryptography to protect sensitive data, such as banking and communications, from future risks posed by quantum computers. To that end, organizations are expected to identify cryptographic services needing upgrades and build a migration plan by 2028, execute high-priority upgrades and refine plans as PQC evolves from 2028 to 2031, and complete migration to PQC for all systems, services and products from 2031 to 2035.
  • New Campaign Targets Misconfigured Microsoft SQL (MS SQL) Servers for Crypto Mining — Misconfigured and vulnerable Microsoft SQL (MS SQL) servers have been targeted by unknown threat actors to deliver cryptocurrency miners capable of mining PKT Classic and Monero. “The attackers utilized the certutil utility, a legitimate Windows tool (also known as a LOLBin), to download PKT mining tool,” QuickHeal said. The attackers have also been observed launching cmd.exe to execute PowerShell commands that are responsible for downloading the XMRig mining software.
  • 3.2 Billion Credentials Compromised in 2024 — Information stealers were used to steal 2.1 billion credentials last year, accounting for nearly two-thirds of 3.2 billion credentials stolen from all organizations, according to a report from Flashpoint. The most prolific stealer malware families observed included RedLine, RisePRO, StealC, Lumma, and Meta Stealer. “This stolen data dominates illicit marketplaces and is used to fuel a number of illegal campaigns such as ransomware or other types of malware,” the company said. Over 200 million credentials have already been stolen since the start of 2025. Information stealer infections were detected on 23 million hosts during the time period, with a majority of the systems running Microsoft Windows. The development comes as GitGuardian revealed that it detected 23,770,171 hard-coded secrets in public GitHub commits in 2024, up from 19.1 million in 2023, even as 70% of the secrets leaked in 2022 continue to remain valid, posing a lucrative attack surface.
  • Telegram CEO Leaving France Amid Criminal Probe — French authorities have allowed Pavel Durov, Telegram’s CEO and founder, to temporarily leave the country as they continue to investigate criminal activity on the messaging platform. “As you may have heard, I’ve returned to Dubai after spending several months in France due to an investigation related to the activity of criminals on Telegram. The process is ongoing, but it feels great to be home,” Durov said in a post on Telegram. He was originally arrested in August 2024 in connection with a probe into the abuse of Telegram for fraud, drug trafficking, and illegal content distribution. Last week, the messaging service surpassed 1 billion monthly active users.
  • 7,966 New Flaws Uncovered in the WordPress Ecosystem in 2024 — As many as 7,966 new vulnerabilities impacting the WordPress ecosystem were discovered in 2024, with 7,633 defects affecting plugins, and 326 affecting themes. The number represents a 34% increase over 2023. “While the majority of vulnerabilities don’t pose an active risk, high priority vulnerabilities were also up 11% year on year,” Patchstack said. “Only seven vulnerabilities were uncovered in WordPress core itself, but none of those were significant enough to pose a widespread threat.”
  • Apple Discloses Passwords App Bug — Apple fixed a bug in the iOS 18.2 Passwords app that could have allowed a user with a privileged network position to leak credentials. The flaw, tracked as CVE-2024-44276, was addressed by using HTTPS when sending information over the network. Security researchers Talal Haj Bakry and Tommy Mysk of Mysk Inc, who have been credited with discovering and reporting the vulnerability, said the Passwords app was sending unencrypted HTTP requests for the logos and icons it displays next to the sites associated with the stored passwords, as well as the links for changing easily guessable passwords. This also means that an attacker on the same network could intercept the password reset links and redirect victims to a bogus phishing site.
  • What Happens When a Browser Extension Changes Hands? — Secure Annex has warned of the serious privacy and security risks resulting from web browser extensions changing ownership after they are listed for sale on extension marketplaces. “While original developers typically prioritize user interests, new owners may exploit valuable permissions to access everything from browsing patterns to authentication credentials,” John Tuckner said. “The danger lies in how seamlessly these changes occur—users receive no notification when an extension changes hands, and unless new permissions are required, the transition is invisible.” In the case of Google Chrome add-ons, registered developers are required to submit a request to Google, which then takes about a week to approve the transfer after verifying with the developer that the extension transfer was indeed requested. That said, once the transfer is complete, the new owner has complete control of the extension and could push code updates to the user base. “The new version I released did seem to go through a review process before being published, but it is very unclear to what degree of scrutiny,” Tuckner added.
  • Signal Threatens to Leave France Over “Narcotrafic” Law — Privacy-focused messaging app Signal said it would leave France if proposed amendments to Narcotrafic law are enacted. The changes would compel providers of encrypted communication services to implement backdoors, enabling law enforcement authorities to access decrypted messages of suspected criminals within 72 hours of a request. “End to end encryption must only have two ‘ends’ — sender and recipient(s). Otherwise, it is backdoored,” Signal President Meredith Whittaker said. “Whatever method is devised to add a ‘third end’ —- from a perverted PRNG in a cryptographic protocol to vendor-provided government software grafted onto the side of secure communications that allow said government to add themselves to your chats — it rips a hole in the hull of private communications and is a backdoor.” Similar backdoor demands have also been made by Sweden and the U.K., prompting Apple to disable the Advanced Data Protection (ADP) feature for iCloud for U.K. citizens. “The U.K.’s demand of Apple raises a number of serious concerns which directly impact national security and therefore warrant robust public debate,” according to a joint letter published by Senators Ron Wyden and Alex Padilla, along with Representatives Andy Biggs, Warren Davidson, and Zoe Lofgren. Google, for its part, has refused to deny if it has received a similar technical capabilities notice, something it would be prohibited from publicly disclosing even if that were the case.
  • Security Considerations With Azure App Proxy — New research has found that Microsoft Azure app proxy pre-authentication set to Passthrough may unintentionally expose private network resources. App proxy is a feature that allows for publishing on-premises applications to the public without opening ports on a firewall, allowing secure remote access via Entra ID for authentication. While Entra ID is the default option for pre-authentication, setting it to Passthrough means there are no protections restricting access from the Azure app proxy side. “Passthrough pre-authentication is basically the equivalent of opening a port on your firewall to the private system,” TRUSTEDSEC said.
  • Amazon to Send Alexa Voice Requests to Cloud Starting March 28 — Amazon is getting rid of a privacy feature that allows users of its Echo smart speaker to prevent their voice commands from going to the company’s cloud and instead be processed locally on-device. Starting March 28, 2025, the option “Do Not Send Voice Recordings” will no longer be available, with the company stating it made the decision in light of new generative artificial intelligence features that rely on being processed in the cloud. That said, users still have the option to prevent Alexa from saving voice recordings.
  • DragonForce Transitions to a Ransomware Group DragonForce, originally known for its pro-Palestinian hacktivist activities, has now transitioned into a financially motivated ransomware group. Their operations have expanded beyond ideological motives to include sophisticated ransomware attacks targeting global organizations. “The group uses a structured extortion model that features a Dark Web leak site to publicly showcase victim data, ransom negotiations, and countdown timers. This strategy increases pressure on victims to meet their demands,” researchers said. DragonForce’s ransomware is based on the LockBit builder from 2022, utilizing similar configurations and attack strategies. Notably, the ransomware includes its icon and wallpaper within the binary’s overlay, which is compressed using Zlib and loaded dynamically during execution. This approach improves stealth and helps to evade static detection methods.
  • Security Flaw in dirk1983/chatgpt Comes Under Exploitation — A medium-severity security flaw impacting dirk1983/chatgpt has come under active exploitation in the wild. The security vulnerability in question is CVE-2024-27564 (CVSS score: 6.5), a Server-Side Request Forgery (SSRF) in the pictureproxy.php component that could allow an attacker to force the application to make arbitrary requests via crafted URLs in the url parameter. Cybersecurity company Veriti said it observed over 10,479 attack attempts from a single malicious IP address, with financial institutions and U.S. government entities emerging as the top target of the activity. Financial and healthcare firms in Germany, Thailand, Indonesia, Colombia, and the U.K. have been targeted as well.
  • How Adversaries Could Abuse AWS SNS Service — Amazon Web Services (AWS) Simple Notification Service (SNS) is a web service that allows users to send and receive notifications from the cloud. Last year, SentinelOne disclosed how threat actors are weaponizing SNS to send bulk smishing messages. According to the latest analysis from Elastic Security Labs, the service could also be leveraged as a data exfiltration channel to bypass traditional data protection mechanisms such as network access control lists (ACLs). While this approach poses some challenges of its own – specifically when it comes to executing a script or running commands without triggering alarms (e.g., CloudTrail) – it offers a way to blend in with native AWS services and leaves minimal footprint.

🎥 Expert Webinar

  • AI Is Fueling Attacks—Learn How to Shut Them Down — AI isn’t the future threat—it’s today’s biggest challenge. From deepfake phishing to AI-powered reconnaissance, attackers are moving faster than legacy defenses can keep up. In this session, Zscaler’s Diana Shtil shares practical ways to use Zero Trust to defend against AI-driven threats—before they reach your perimeter.
  • Forget Detection—Here’s How to Eliminate Identity-Based Attacks — Phishing, MFA bypass, and device risks are still winning—even after years of tool sprawl and training. Why? Because most defenses assume some attacks will succeed. This session flips that mindset. Join us to explore secure-by-design access that prevents breaches altogether. Learn how to block phishing, enforce device compliance (even on unmanaged endpoints), and apply continuous, risk-based access—before attackers even get a chance.
  • AI Tools Are Bypassing Your Controls—Here’s How to Find and Stop Them — You can’t protect what you can’t see. Shadow AI tools are quietly spreading across SaaS environments—often unnoticed until it’s too late. Join Reco’s Dvir Sasson for a real-world look at hidden AI usage, stealthy attack paths, and how to get visibility before threats become incidents.

🔧 Cybersecurity Tools

  • T-Pot Honeypot Platform —Looking to catch attackers before they cause damage? T-Pot is a powerful, all-in-one honeypot platform that bundles 20+ honeypots with built-in dashboards, live attack maps, and threat analysis tools—no commercial license needed. Whether you’re running a home lab or defending a small enterprise, T-Pot helps you simulate vulnerable services to detect real-world attacks in real-time. It runs on Docker, supports both ARM and x86, and even works in cloud or virtual machines. Ideal for learning, testing, or setting traps for bad actors—just don’t forget to isolate it properly from production systems.
  • Rogue — It’s an advanced AI-driven security tool that acts like a smart penetration tester—using large language models (OpenAI & Claude) to think through web app behavior, craft tailored attack payloads, and verify vulnerabilities with minimal false positives. Unlike traditional scanners, Rogue analyzes each target in real-time, adapting its tests based on responses and generating detailed, easy-to-read reports. With built-in subdomain discovery, traffic monitoring, and flexible CLI options, it’s a powerful free tool for security researchers and red teamers looking to automate smarter, context-aware testing.

🔒 Tip of the Week

Audit Your Active Directory in Minutes — If you manage or work with Active Directory (AD), don’t assume it’s secure by default. Many AD environments quietly collect risky settings—like unused admin accounts, weak password rules, or overly broad group permissions—that attackers love to exploit.

To find and fix these, try free tools like InvokeADCheck (great for quick AD health scans), PingCastle (for visual risk scoring and reports), and BloodHound Community Edition (to map attack paths across users and permissions). Even basic steps—like identifying inactive accounts, reviewing GPOs, or checking who’s a Domain Admin—can uncover big risks. Run these tools in a test-safe environment and start building a checklist of things to clean up. You don’t need a full red team to tighten your AD—just the right tools and a bit of time.

Conclusion

This week’s stories weren’t just headlines—they were warning shots. The tools we trust, the systems we rely on, and even the apps we barely notice are all part of the modern attack surface.

Cybersecurity isn’t just about blocking threats—it’s about understanding how fast the rules are changing. From code to cloud, from RATs to regulations, the landscape keeps shifting under our feet.

Stay curious, stay sharp, and don’t underestimate the small stuff—it’s often where the big breaches begin.

Until next week, patch smart and think like an attacker.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years

Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years

Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker

Researchers Uncover ~200 Unique C2 Domains Linked to Raspberry Robin Access Broker

AI-Powered SaaS Security: Keeping Pace with an Expanding Attack Surface AI-Powered SaaS Security: Keeping Pace with an Expanding Attack Surface

AI-Powered SaaS Security: Keeping Pace with an Expanding Attack Surface

Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps

Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps

You may have missed

Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years

Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years

SEC will keep $50 million of Ripple fine and refund the rest to wrap case, legal officer says SEC will keep million of Ripple fine and refund the rest to wrap case, legal officer says

SEC will keep $50 million of Ripple fine and refund the rest to wrap case, legal officer says

Google quantum exec says tech is ‘5 years out from a real breakout’ Google quantum exec says tech is '5 years out from a real breakout'

Google quantum exec says tech is ‘5 years out from a real breakout’

Napster pioneered music sharing over 25 years ago. It just got bought for $207 million Napster pioneered music sharing over 25 years ago. It just got bought for 7 million

Napster pioneered music sharing over 25 years ago. It just got bought for $207 million

Trump’s World Liberty Financial jumps into stablecoin game with USD1 reveal Trump’s World Liberty Financial jumps into stablecoin game with USD1 reveal

Trump’s World Liberty Financial jumps into stablecoin game with USD1 reveal

Samsung Galaxy S26 Ultra Tipped to Get Triple Rear Cameras, Larger Battery Samsung Galaxy S26 Ultra Tipped to Get Triple Rear Cameras, Larger Battery

Samsung Galaxy S26 Ultra Tipped to Get Triple Rear Cameras, Larger Battery