Malicious npm packages steal developer credentials on multiple platforms

Nineteen malicious packages on the npm registry are spreading a worm known as SANDWORM_MODE. These packages steal crypto keys, CI secrets, API tokens, and AI API keys. The theft occurs through MCP injection.

16. Dezember 2025 Von KI berichtet

Ongoing exploitation of the React2Shell vulnerability (CVE-2025-55182)—previously detailed in coverage of China-nexus and cybercriminal campaigns—now includes widespread Linux backdoor installations, arbitrary command execution, and large-scale theft of cloud credentials.

Researchers have identified a new Linux botnet called SSHStalker that relies on the outdated IRC protocol for its command-and-control operations. The botnet spreads through SSH scanning and brute-forcing, targeting cloud infrastructure. It incorporates old vulnerabilities and persistence mechanisms for broad infection.

22. Januar 2026 Von KI berichtet

A deceptive package on the PyPI repository has been found impersonating the popular SymPy library. This malicious software targets Linux systems, downloading and executing the XMRig cryptocurrency miner through in-memory techniques. Security researchers have highlighted the risks posed by such supply chain attacks in open-source ecosystems.

North Korean hackers have begun exploiting a critical vulnerability known as React2Shell in malware attacks. This follows similar actions by Chinese hackers, indicating a growing interest in this security flaw. The issue poses significant risks to affected systems.

18. Februar 2026 Von KI berichtet

A new variant of the SysUpdate malware has been discovered targeting Linux systems, featuring advanced encryption for command-and-control communications. Security researchers at LevelBlue identified the threat during a digital forensics engagement and developed a tool to decrypt its traffic. The malware disguises itself as a legitimate system service to evade detection.