Adult content malvertising scheme leads to clickjacking
Malwarebytes researchers have found a malvertising scheme that leads to clickjacking. Clickjacking is a form of ad fraud which is also referred to as click fraud or click spam. It is a practice performed by certain dubious advertising networks, where they sometimes use automated programs--from...
Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data
A malicious Python package on the Python Package Index PyPI repository has been found to use Unicode as a trick to evade detection and deploy an info-stealing malware. The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and...
New Kritec Magecart skimmer found on Magento stores
Threat actors often compete for the same resources, and this couldn't be further from the truth when it comes to website compromises. After all, if a vulnerability exists one can expect that it will be exploited more than once. In the past, we have seen such occurrences with Magecart threat actor...
Researchers Uncover Obfuscated Malicious Code in PyPI Python Packages
Four different rogue packages in the Python Package Index PyPI have been found to carry out a number of malicious actions, including dropping malware, deleting the netstat utility, and manipulating the SSH authorized_keys file. The packages in question are aptx, bingchilling2, httops, and tkint3rs...
Malicious Package
Overview: awsclii is a malicious package. It attempts to typosquat popular packages. The malicious script, base64-obfuscated and located in the __init__.py file, tries to steal the current username, platform and IP information and send them to a remote host. Malicious behavior python import getpass impo...
Malicious Package
Overview: certifie is a malicious package. It attempts to typosquat popular packages. The malicious script, base64-obfuscated and located in the __init__.py file, tries to steal the current username, platform and IP information and send them to a remote host. Malicious behavior python import getpass...
Malicious Package
Overview: cerifi is a malicious package. It attempts to typosquat popular packages. The malicious script, base64-obfuscated and located in the __init__.py file, tries to steal the current username, platform and IP information and send them to a remote host. Malicious behavior python import getpass impor...
Malicious Package
Overview: b3oto3 is a malicious package. It attempts to typosquat popular packages. The malicious script, base64-obfuscated and located in the __init__.py file, tries to steal the current username, platform and IP information and send them to a remote host. Malicious behavior python import getpass impor...
Malicious Package
Overview: certife is a malicious package. It attempts to typosquat popular packages. The malicious script, base64-obfuscated and located in the __init__.py file, tries to steal the current username, platform and IP information and send them to a remote host. Malicious behavior python import getpass impo...
Malicious Package
Overview: certifiee is a malicious package. It attempts to typosquat popular packages. The malicious script, base64-obfuscated and located in the __init__.py file, tries to steal the current username, platform and IP information and send them to a remote host. Malicious behavior python import getpass...
Adult popunder campaign used in mainstream ad fraud scheme
This blog post was authored by Jerome Segura. Online advertising is a multi-billion-dollar industry, with projected spending to reach over 600 billion U.S. dollars for 2022. It's not surprising that criminals are trying their hardest to abuse this ecosystem in any way that they can. One of the...
MCPMappingViewer Path Traversal Vulnerability
MCPMappingViewer is a small GUI for viewing the mapping from Minecraft obfuscated code names to MCP code names. A path traversal vulnerability exists in MCPMappingViewer. An attacker could use this vulnerability to perform incorrect operations to obtain sensitive information in file directories...
Malicious Package
Overview firefoxupdate is a malicious package. This is a "dependency confusion" package, which means the package name is based on existing repositories, namespaces, or components. It aims to trick users into downloading the package which contains obfuscated malicious code and initiates connection...
Researchers Uncover Covert Attack Campaign Targeting Military Contractors
A new covert attack campaign singled out multiple military and weapons contractor companies with spear-phishing emails to trigger a multi-stage infection process designed to deploy an unknown payload on compromised machines. The highly-targeted intrusions, dubbed STEEPMAVERICK by Securonix, also...
IconBurst software supply chain attack offers malicious versions of NPM packages
Researchers discovered evidence of a widespread software supply chain attack involving malicious JavaScript packages offered via the npm package manager. The threat actors behind the IconBurst campaign used typosquatting to mislead developers looking for very popular packages. npm npm is short fo...
Researchers Find Backdoor in School Management Plugin for WordPress
Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites. The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier CVE-2022-1609 and is rated 10 out o...
Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)
Exploit Title: Ivanti Endpoint Manager 4.6 - Remote Code Execution RCE Date: 20/03/2022 Exploit Author: d7x Vendor Homepage: https://www.ivanti.com/ Software Link: https://forums.ivanti.com/s/article/Customer-Update-Cloud-Service-Appliance-4-6 Version: CSA 4.6 4.5 - EOF Aug 2021 Tested on: Linux...
Malicious npm Code Packages Built for Hijacking Discord Servers
A series of malicious packages in the Node.js package manager npm code repository are looking to harvest Discord tokens, which can be used to take over unsuspecting users’ accounts and servers. The npm repository is an open-source home for JavaScript developers to share and reuse code blocks. The...
Citrix gateway plugin executes PowerShell script obfuscated code which might be blocked by Antivirus software
We might see errors somewhat like below in AntiVirus : Event type: Process action blocked Component: Adaptive Anomaly Control Rule name: PowerShell executes obfuscated code Source process: c:\windows\system32\windowspowershell\v1.0\powershell.exe Application : "C:\Program Files\Citrix\Secure Acce...
UPX Packed Headaches
Researching malware has many challenges. One of those challenges is obfuscated code and intentionally corrupted binaries. To address challenges like this, we've written a small tool in C that could fix intentionally corrupted binaries automatically. We also plan to open-source the project so othe...