Programmer’s Digest #107

10/31/2024-11/06/2024 LiteSpeed Cache Plugin Vulnerability, Zero-Day Vulnerability in SQLite Database Engine And More.

1. LottieFiles Issues Warning About Compromised “lottie-player” npm Package

LottieFiles has revealed that its npm package “lottie-player” was compromised as part of a supply chain attack, prompting it to release an updated version of the library. According to the company, “a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release.” The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users on versions 2.0.5, 2.0.6, and 2.0.7 are recommended to update to 2.0.8. Even with 2FA configured, the threat actors somehow obtained the npm automation token that was set in the CI/CD pipeline to automate version releases, and used it to publish the malicious versions 2.0.5, 2.0.6, and 2.0.7 of the npm package.
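The item above turns on one detail: pages that pulled lottie-player from a CDN without a pinned version received the malicious release as soon as it was published. The auditor below is an added example written for this digest, not code from LottieFiles or from the package; it scans HTML for CDN `<script>` tags and flags those that float the version (no version or `@latest`) or pin it without a Subresource Integrity hash. The sample HTML, the CDN host list and the `integrity` value are constructed for the example.

```python
"""Audit HTML for CDN <script> tags that load an npm package without a pinned
version or a Subresource Integrity (SRI) hash. Added example, not project code."""
import re
from dataclasses import dataclass

# Any <script ...> opening tag; [^>]* also spans attributes split over lines.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
# key="value" attribute pairs inside a tag.
ATTR = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')
# npm CDNs that resolve an unversioned or @latest request to the newest release
# (constructed list for this example; extend for the CDNs your sites use).
CDN_HOSTS = ("unpkg.com", "cdn.jsdelivr.net")
# An exact semver tag such as lottie-player@2.0.8, followed by "/" or end of URL.
# A bare major ("@2") or a range is not a pin, since the CDN resolves it to newest.
PINNED = re.compile(r"@\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?(?:/|$)")


@dataclass
class Finding:
    src: str
    reason: str


def audit_scripts(html: str) -> list[Finding]:
    """Return one Finding per CDN script tag that is unpinned or lacks SRI."""
    findings = []
    for tag in SCRIPT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        src = attrs.get("src")
        if not src or not any(host in src for host in CDN_HOSTS):
            continue  # inline script or self-hosted asset: out of scope here
        if not PINNED.search(src):
            findings.append(Finding(src, "unpinned version (floating/latest)"))
        elif "integrity" not in attrs:
            findings.append(Finding(src, "pinned but no integrity hash"))
    return findings


# Constructed sample page: the integrity value is a placeholder, not a real hash.
SAMPLE_HTML = """
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.jsdelivr.net/npm/@lottiefiles/lottie-player/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
"""

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML):
        print(f"{f.reason}: {f.src}")
```

Only the fourth tag in the sample passes: a pinned version stops the CDN from serving whatever is newest, and the integrity hash makes the browser refuse the file if the bytes behind that URL ever change.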

2. LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin. The plugin suffers from an unauthenticated privilege escalation vulnerability that allows any unauthenticated visitor to gain administrator-level access, after which malicious plugins could be uploaded and installed. The newly identified issue, per Patchstack, is rooted in a function named is_role_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8). It stems from the use of a weak security hash check that could be brute-forced by a bad actor, thus allowing the crawler feature to be abused to simulate a logged-in user, including an administrator. CVE-2024-50550 is the third security flaw to be disclosed in LiteSpeed within the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2). Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates, which can include important security fixes.

3. Researchers Uncover Python Package Targeting Crypto Wallets with Malicious Code

Cybersecurity researchers have identified a malicious Python package called “CryptoAITools,” which pretends to be a cryptocurrency trading tool but is actually designed to steal sensitive data and drain crypto wallets. Distributed on both the Python Package Index (PyPI) and GitHub, it was downloaded over 1,300 times before PyPI removed it. The malware activates immediately upon installation on Windows and macOS, deploying a deceptive interface to distract users while it performs data theft in the background. Embedded in the code is a function that downloads further malicious payloads from a fake cryptocurrency trading site, enabling multi-stage infections. CryptoAITools gathers a range of sensitive data, including cryptocurrency wallet information, passwords, cookies, SSH keys, and files. It even targets Apple-specific data on macOS. In addition, a related GitHub repository, “Meme Token Hunter Bot,” and a Telegram channel are used to promote the malware, extending its reach to cautious users across multiple platforms.

4. Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine

Google recently uncovered a zero-day vulnerability in the SQLite open-source database using its AI-powered Big Sleep framework (formerly Project Naptime). This marks the “first real-world vulnerability” found by an AI tool, according to Google. The vulnerability is a stack buffer underflow in SQLite, caused by referencing memory locations outside a buffer’s bounds, potentially leading to crashes or unauthorized code execution. Following responsible disclosure, the issue was addressed as of October 2024. Big Sleep, initially detailed in June 2024, leverages large language models to automate vulnerability detection. It enables AI to simulate human analysis, using tools to navigate code, perform sandboxed tests, and debug. While Big Sleep shows promise for pre-release security, Google notes it’s experimental and that specialized fuzzers might still be as effective for certain targets.

5. Massive Git Config Breach Exposes 15,000 Credentials; 10,000 Private Repos Cloned

Cybersecurity researchers have uncovered a large-scale campaign, dubbed EMERALDWHALE, that targets exposed Git configurations to steal credentials, clone private repositories, and access cloud services. EMERALDWHALE is believed to have compromised over 10,000 private repositories, with the stolen data stored in an Amazon S3 bucket linked to a prior victim. The operation has obtained at least 15,000 credentials from cloud providers and email services, reportedly for phishing and spam. Although not highly advanced, EMERALDWHALE uses private tools to scan for exposed Git config files and Laravel `.env` files, scraping sensitive information. The group employs tools like MZR V2 and Seyzo-v2, which exploit exposed IPs and are available on underground markets. Additionally, lists of vulnerable Git paths are sold on Telegram, highlighting a growing market for configuration files with sensitive data.
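A campaign like this leaves a plain trail in web server logs: requests for `.git` metadata and `.env` files, and the ones answered with 200 are the ones that actually leaked. The script below is an added example written for this digest, not a tool from the researchers or from the campaign; it parses combined-format access log lines, flags those paths, and separates probes that were served from probes that were refused. The log lines are constructed for the example and use documentation IP ranges.

```python
"""Flag requests probing for exposed Git metadata or .env files in combined-format
(Apache/nginx) access logs. Added example, not code from the referenced research."""
import re
from collections import Counter

# Combined log format up to status and size; referrer and user agent are ignored.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A path segment ".git" (directory or anything under it) or a ".env" file,
# optionally with an environment suffix such as .env.production.
SENSITIVE_PATHS = re.compile(r"(^|/)(\.git(/|$)|\.env(\.[A-Za-z]+)?$)")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not a log entry."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_config_probes(lines):
    """Return parsed records whose request path targets .git or .env files."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if SENSITIVE_PATHS.search(path):
            hits.append(rec)
    return hits


def served_probes(lines):
    """Probes the server answered with 200: the file was actually exposed."""
    return [h for h in find_config_probes(lines) if h["status"] == "200"]


def probes_by_client(lines):
    """Count flagged requests per source address, to spot a scanner sweeping paths."""
    return Counter(h["ip"] for h in find_config_probes(lines))


# Constructed sample log: one scanner sweeping three paths, one ordinary visitor,
# and a malformed line to show the parser skipping it.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Nov/2024:10:15:01 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Nov/2024:10:15:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Nov/2024:10:15:03 +0000] "GET /app/.git/HEAD HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Nov/2024:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Nov/2024:10:16:05 +0000] "GET /assets/environment.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    "garbage line that is not a log entry",
]

if __name__ == "__main__":
    for rec in find_config_probes(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["path"])
    print("served:", [r["path"] for r in served_probes(SAMPLE_LOG)])
    print("per client:", dict(probes_by_client(SAMPLE_LOG)))
```

The path pattern deliberately requires a path separator before `.git` and `.env`, so `/assets/environment.js` is not flagged, while `/app/.git/HEAD` (a repository deployed under a subdirectory) is. A 200 on `/.git/config` is the case to treat as a credential exposure rather than a failed probe.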
