09/03/2025-09/10/2025 Massive npm Supply Chain Attack, Critical SAP NetWeaver Vulnerability, SAP S/4HANA Critical Vulnerability And More.

1. Massive npm Supply Chain Attack Hits 18 Popular Packages with 2B Weekly Downloads

A major supply chain attack compromised 18 popular npm packages with over two billion weekly downloads, according to security firm Aikido. The malware, first detected on September 8, targeted developers and end-users by injecting obfuscated code into widely used libraries like chalk (299M downloads), debug (358M), and ansi-styles (371M). Once installed, it silently intercepted crypto and web3 transactions, manipulated wallet interactions, and redirected funds to attacker-controlled accounts. Aikido researchers said the campaign appeared to be the work of a single threat group using relatively unsophisticated techniques and off-the-shelf obfuscation tools. The breach stemmed from a phishing campaign exploiting npm’s trust model: attackers registered a typosquatted domain, npmjs.help, and impersonated npm administrators to compromise maintainers’ accounts.

The attack follows other recent npm supply chain incidents, including Wiz’s discovery of an AI-powered campaign against the Nx build system and JFrog’s report of eight malicious React packages

2. Critical SAP NetWeaver Vulnerability Let Attackers Execute Arbitrary Code And Compromise System

A critical vulnerability, CVE-2025-42922, has been discovered in SAP NetWeaver, allowing low-privileged authenticated users to upload malicious files and achieve full system compromise. The flaw lies in the Deploy Web Service upload mechanism, which fails to properly enforce Role-Based Access Control (RBAC) or validate file types.

Incorrect authentication annotations and missing role checks let attackers bypass restrictions intended for administrators. By authenticating with valid low-level credentials, an attacker can upload a crafted file (e. g., JSP) to the server and execute it via a direct URL, gaining arbitrary code execution with SAP service account privileges. This access enables lateral movement, data theft, or malware deployment.
SAP has released a patch in Security Note 3643865, with a temporary workaround in KBA 3646072. Administrators are urged to restrict Deploy Web Service access, apply patches promptly, and monitor logs for suspicious multipart/form-data requests to DeployWS endpoints.

3. GitHub Account Compromise Led to Salesloft Drift Breach Affecting 22 Companies

Salesloft has confirmed that the recent data breach tied to its Drift application began with the compromise of its GitHub account. According to Mandiant, which is investigating, the threat actor UNC6395 accessed the account from March through June 2025, though the initial intrusion method remains unknown. At least 22 companies have been affected.

With GitHub access, the attackers downloaded repositories, added a guest user, and created workflows. They also carried out reconnaissance in both Salesloft and Drift environments. In the next phase, they infiltrated Drift’s AWS environment, stealing OAuth tokens used by customers’ integrations to access data.

Salesloft has since taken Drift offline (September 5), rotated credentials, and strengthened segmentation controls. It urged customers to revoke and reissue API keys for third-party integrations.

Meanwhile, Salesforce restored Salesloft integrations on September 7, but said Drift will remain disabled until further notice as part of ongoing remediation.

4. Adobe Issues Urgent Patch for ‘SessionReaper’ Vulnerability in Commerce and Magento

Adobe has issued an urgent advisory for CVE-2025-54236 (“SessionReaper”), a critical flaw (CVSS 9.1) impacting Adobe Commerce, Magento Open Source, and Adobe Commerce B2B. The bug, caused by improper input validation in the Commerce REST API, could allow attackers to hijack customer accounts and fully compromise e-commerce platforms. Affected products include Adobe Commerce 2.4.9-alpha2 and earlier, Magento Open Source 2.4.9-alpha2 and earlier, Adobe Commerce B2B 1.5.3-alpha2 and earlier, and the Custom Attributes Serializable module (0.1.0–0.3.0). Adobe has released the VULN-32437-2-4-X patch and urges immediate installation. Users of the Custom Attributes module must upgrade to 0.4.0 or later via Composer. Cloud-hosted customers are temporarily protected by new WAF rules, though patching remains essential.

Admins can verify patch application using the Quality Patches Tool. While no exploitation has been observed, Adobe warns the vulnerability poses serious risk to online merchants if left unpatched.

5. SAP S/4HANA Critical Vulnerability CVE-2025-42957 Exploited in the Wild

A critical vulnerability in SAP S/4HANA (CVE-2025-42957, CVSS 9.9) is being actively exploited in the wild. The flaw, a command injection issue in a function module exposed via RFC, allows attackers with low-privileged access to inject arbitrary ABAP code, bypass authorization checks, and fully compromise SAP systems. Successful exploitation can modify databases, create superuser accounts with SAP_ALL privileges, steal password hashes, and manipulate business processes.
SecurityBridge and Pathlock have confirmed observed exploitation attempts affecting both on-premise and Private Cloud editions. While widespread attacks are not yet reported, reverse engineering the patch to develop exploits is considered straightforward. Threat actors could use the flaw for fraud, data theft, espionage, or ransomware deployment.

Organizations are urged to apply SAP’s August 2025 security updates immediately, monitor logs for suspicious RFC calls or new admin accounts, enforce proper segmentation, maintain backups, restrict RFC usage via SAP UCON, and review authorization object S_DMIS activity 02.

08/27/2025-09/03/2025 TP-Link and WhatsApp Flaws, Nx Build System, Malicious npm Package nodejs-smtp And More.

1. CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation

CISA has added a high-severity flaw, CVE-2020-24363 (CVSS: 8.8), in TP-Link’s TL-WA855RE Wi-Fi extenders to its KEV catalog due to active exploitation. This missing authentication bug allows an unauthenticated attacker on the same network to perform a factory reset and set a new administrative password.

Although a firmware fix exists, the product has reached end-of-life and will receive no further updates. Users are advised to replace the hardware.
CISA also added a WhatsApp vulnerability (CVE-2025-55177) exploited in a targeted spyware campaign by chaining it with an Apple iOS flaw (CVE-2025-43300). Federal agencies must apply mitigations for both vulnerabilities by September 23, 2025.

2. Hackers Target Popular Nx Build System in First AI-Weaponized Supply Chain Attack

In a supply chain attack dubbed ‘s1ngularity,’ hackers compromised the popular Nx build system (over 4 million weekly downloads) by stealing an NPM token. This allowed them to publish eight malicious versions of the Nx package between August 26th and 27th.

The malicious versions contained a script that executed on Linux and macOS systems, systematically harvesting sensitive data including SSH keys, GitHub tokens, and API keys. The stolen credentials were then exfiltrated to thousands of hastily created public GitHub repositories.

Security firms Wiz and GitGuardian confirmed the theft of thousands of valid secrets. Notably, this is the first known attack to weaponize AI coding assistants like Claude and Gemini for reconnaissance. All affected Nx packages have now been secured with mandatory 2FA, but users must immediately revoke any existing development tokens to prevent further compromise.

3. Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets

Cybersecurity researchers discovered a malicious npm package, nodejs-smtp, designed to inject code into desktop cryptocurrency wallets like Atomic and Exodus on Windows. The package mimicked the legitimate email library nodemailer, copying its tagline, page design, and README, and was downloaded 347 times since its April 2025 release by a user named “nikotimon.” It is now removed. The package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the app, and erase traces. Its goal is to redirect cryptocurrency transactions—including Bitcoin, Ethereum, Tether, XRP, and Solana—to attacker-controlled wallets, acting as a cryptocurrency clipper.

Nodejs-smtp still functions as a mailer compatible with nodemailer, allowing it to pass developer tests and avoid suspicion. This campaign shows how a routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots. This follows a similar campaign by ReversingLabs, where the “pdf-to-office” package modified wallet apps.

4. Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names

Cybersecurity researchers uncovered a loophole in the Visual Studio Code Marketplace that allows removed extension names to be reused. ReversingLabs found this after spotting a malicious extension, ahbanC.shiba, which mimicked earlier flagged extensions, ahban.shiba and ahban.cychelloworld. All three acted as downloaders, retrieving a PowerShell payload that encrypts files in a folder named “testShiba” and demands Shiba Inu tokens.

The issue arises because extension uniqueness is tied to the combination of publisher name and extension name. When an extension is removed, its name becomes reusable by others, bypassing official publishing rules. Unlike PyPI, VS Code does not block reuse of names from malicious extensions.

The finding highlights risks of open-source repositories, where attackers use typosquatting and obfuscation to deliver malware, steal data, or demand ransoms. Experts stress the need for secure development practices, monitoring, and automated supply chain scanning to mitigate such threats.

08/21/2025-08/27/2025 Citrix Vulnerabilities, Docker Fixes Critical Desktop Flaw, Linux Malware Delivered via Malicious RAR Filenames And More.

1. CISA Adds Citrix Vulnerabilities to KEV Catalog as New Flaws Emerge

CISA has added two Citrix flaws to its KEV catalog as new NetScaler issues emerge—one already under active attack.

Added on August 25, the medium-severity bugs patched in November 2024 are CVE-2024-8069 (deserialization of untrusted data) and CVE-2024-8068 (improper privilege management) in Citrix Session Recording. CISA also listed CVE-2025-48384, an 8.0 Git link-following flaw.

On August 26, Citrix disclosed three NetScaler vulnerabilities: CVE-2025-7775 (CVSS 9.2), a memory overflow enabling remote code execution/DoS; CVE-2025-7776 (CVSS 8.8), another memory overflow causing instability; and CVE-2025-8424 (CVSS 8.7), improper access control on the management interface. Exploits of CVE-2025-7775 have already been observed, with reports of attackers dropping webshells to backdoor systems.

Patches are available in NetScaler ADC/Gateway versions 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, and 12.1-FIPS/NDcPP 12.1-55.330+. Older 12.1 and 13.0 builds are end-of-life.

2. Docker Fixes Critical Desktop Flaw Allowing Container Escapes

Docker has patched a critical flaw (CVE-2025-9074, CVSS 9.3) in Docker Desktop for Windows and macOS that could allow attackers to escape containers and compromise the host.

The bug let Linux containers access the Docker Engine API via the default subnet 192.168.65.7:2375, even with Enhanced Container Isolation (ECI) or TLS disabled. Attackers could issue privileged API commands, control other containers, or mount host drives. A proof-of-concept showed containers binding the Windows C:\ drive with read/write access, enabling full host takeover.

Researcher Felix Boulet called it a “simple oversight,” as Docker’s internal API was reachable without authentication. Philippe Dugre found Windows particularly exposed—allowing filesystem access, DLL tampering, and data theft—while macOS had reduced impact due to isolation. Linux was unaffected, as it uses named pipes.
Exploitation is possible via malicious containers or Server-Side Request Forgery (SSRF). The flaw has been fixed in Docker Desktop 4.44.3, and users are urged to update immediately.

3. GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

Researchers are warning of multiple campaigns abusing exposed Redis servers and known vulnerabilities to build botnets, proxies, and cryptomining networks.
One wave exploits CVE-2024-36401 (CVSS 9.8) in OSGeo GeoServer to deploy binaries disguised as legitimate SDKs. These apps covertly monetize victims’ bandwidth by acting as residential proxies, consuming few resources and avoiding detection. Over 7,100 GeoServer instances remain exposed worldwide.

Separately, Censys tracked the PolarEdge IoT botnet, active since 2023, with about 40,000 devices—routers, firewalls, and IP cameras—infected mainly in South Korea, the U.S., and Hong Kong. It installs a TLS backdoor for encrypted C2 and likely functions as an Operational Relay Box (ORB) network to proxy attacker traffic.
Another campaign deploys a Mirai variant dubbed gayfemboy, spreading across industries in multiple countries and adding persistence, evasion, and powerful DDoS functions.

Finally, threat actor TA-NATALSTATUS is hijacking unauthenticated Redis servers for cryptojacking, using cron jobs, defense evasion, mass scanning, and rootkit-like tricks to hide miners.

4. Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

Cybersecurity researchers have uncovered a novel phishing campaign that delivers the VShell backdoor, a Go-based remote access tool widely used by Chinese hacking groups.

The attack begins with a spam email posing as a beauty product survey offering a cash reward. The message carries a RAR archive (“yy.rar”) containing a file with a maliciously crafted name:
ziliao2.pdf\{echo,}|{base64,-d}|bash``

Unlike typical malware hidden in content or macros, the payload is encoded directly in the filename. When a shell script or command processes it, the embedded Base64 Bash downloader executes, fetching an ELF binary tailored for the host’s architecture. This binary retrieves and runs the encrypted VShell payload, enabling remote control, file operations, process management, and encrypted C2 communications—all while operating in memory to evade detection.

The discovery highlights an emerging Linux threat vector that exploits shell command injection via filenames. In parallel, Picus Security detailed RingReaper, a stealthy Linux post-exploit tool abusing the io_uring framework to bypass security monitoring.