Programmer’s Digest #116
01/03/2025-01/08/2025 Fake Hardhat npm Packages, Critical Flaws in Mitel and Oracle Systems, Nuclei Flaw, High-Severity Vulnerabilities in Cellular and Secure Routers.
1. Fake Hardhat npm Packages Target Ethereum Developers
A malicious campaign is targeting Ethereum developers with fake Hardhat npm packages that steal private keys, as reported by the Socket.dev Research Team. This supply chain attack exploits developers’ trust by mimicking legitimate Hardhat plugins and advertising similar functionality, such as gas optimization and smart contract testing.
Hosted on npm, the fake packages appear trustworthy but steal sensitive data, including private keys and mnemonics, from the Hardhat environment. The stolen data is encrypted and sent to attacker-controlled endpoints. Attackers could also deploy malicious contracts, potentially disrupting the Ethereum mainnet.
Socket.dev researchers identified 20 malicious packages from three authors, including one with over 1,000 downloads, highlighting the campaign’s reach.
To protect against such threats, developers should implement strict security monitoring and auditing measures. Carefully scrutinizing npm package names, publishers and install-time scripts before adding a dependency, and maintaining vigilant development practices, are crucial to safeguarding Ethereum projects.
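The following is an added example (not code from Socket.dev or the Hardhat project) of the kind of pre-install audit the paragraph above recommends. It reads a project's package.json, flags dependency names that sit within a small edit distance of an allowlisted package or that borrow the "hardhat" name without being on the allowlist, and flags installed packages that declare preinstall/install/postinstall hooks. The allowlist contents, the edit-distance threshold, and every package name flagged by the sample data are assumptions chosen for illustration; the sample manifests are constructed, not real packages.

```python
import json
from dataclasses import dataclass

# Assumption: the allowlist is maintained by the project team. "hardhat" and
# "@nomicfoundation/hardhat-toolbox" are real packages; everything flagged by
# the sample data below is constructed test data, not a real npm package.
TRUSTED = {"hardhat", "@nomicfoundation/hardhat-toolbox"}
SENSITIVE_KEYWORDS = ("hardhat",)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


@dataclass
class Finding:
    package: str
    reason: str


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bare_name(name):
    """Strip an npm scope: '@scope/pkg' -> 'pkg'."""
    return name.split("/", 1)[1] if name.startswith("@") else name


def check_names(dependencies, trusted=TRUSTED, max_distance=2):
    """Flag names that look like a trusted package but are not on the allowlist."""
    findings = []
    for name in dependencies:
        if name in trusted:
            continue
        for good in trusted:
            d = edit_distance(bare_name(name), bare_name(good))
            if d <= max_distance:
                findings.append(Finding(name, f"within edit distance {d} of trusted package {good}"))
                break
        else:
            if any(k in name for k in SENSITIVE_KEYWORDS):
                findings.append(Finding(name, "uses a trusted project's name but is not on the allowlist"))
    return findings


def check_install_hooks(installed_manifests):
    """Flag installed packages whose package.json runs code at install time."""
    findings = []
    for name, manifest in installed_manifests.items():
        hooks = [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
        if hooks:
            findings.append(Finding(name, f"declares install-time script(s): {', '.join(hooks)}"))
    return findings


def audit(project_package_json, installed_manifests):
    """Combine both checks over a project manifest and its installed dependency manifests."""
    manifest = json.loads(project_package_json)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    return check_names(deps) + check_install_hooks(installed_manifests)


# Constructed sample project manifest (version strings are illustrative).
PROJECT_PACKAGE_JSON = """{
  "name": "example-dapp",
  "devDependencies": {
    "hardhat": "^2.22.0",
    "@nomicfoundation/hardhat-toolbox": "^5.0.0",
    "hardhatt": "^1.0.0",
    "hardhat-gas-optimizer-example": "^0.1.0",
    "chai": "^4.3.0"
  }
}"""

# Constructed stand-ins for node_modules/<pkg>/package.json contents.
INSTALLED_MANIFESTS = {
    "chai": {"name": "chai", "scripts": {"test": "mocha"}},
    "hardhat-gas-optimizer-example": {
        "name": "hardhat-gas-optimizer-example",
        "scripts": {"postinstall": "node setup.js"},
    },
}

if __name__ == "__main__":
    for f in audit(PROJECT_PACKAGE_JSON, INSTALLED_MANIFESTS):
        print(f"{f.package}: {f.reason}")
```

In a real pipeline the installed manifests would be read from node_modules after a dry-run or `npm install --ignore-scripts`, and a finding would block the merge until a human has reviewed the publisher and the package source; the edit-distance threshold of 2 is a starting point that trades false positives against missed lookalikes.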
2. CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation
CISA has added three vulnerabilities affecting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The flaws include:
- CVE-2024-41713 (CVSS 9.1): A Mitel MiCollab path traversal flaw allowing unauthorized access.
- CVE-2024-55550 (CVSS 4.4): A Mitel MiCollab path traversal issue enabling an admin to read local files.
- CVE-2020-2883 (CVSS 9.8): An Oracle WebLogic vulnerability exploitable via IIOP or T3.
CVE-2024-41713 and CVE-2024-55550 can be chained to let remote attackers read arbitrary files on the server. watchTowr Labs discovered the two Mitel flaws while attempting to reproduce another critical vulnerability (CVE-2024-35286).
Details of the exploitation, the attackers, and their targets remain unclear. Federal agencies must patch these flaws by January 28, 2025, per Binding Operational Directive 22-01.
3. Nuclei Flaw Lets Malicious Templates Bypass Signature Verification
A now-fixed vulnerability in the open-source vulnerability scanner Nuclei (CVE-2024-43405) could potentially allow attackers to bypass template signature verification and execute malicious code on local systems.
Nuclei uses over 10,000 YAML templates to scan websites for vulnerabilities. Each template carries a "# digest:" line containing a signature hash that is checked before the template runs, ensuring integrity. However, researchers at Wiz found that Nuclei’s Go regex-based signature verification and its YAML parser disagree on what counts as a line break, and on how multiple "# digest:" lines are handled.
Because the two components see different line boundaries, a template could pass signature verification while the YAML parser still interpreted content the verifier never covered. Wiz demonstrated this by crafting a template that relies on the mismatched newline interpretations. Users should update to the latest version and run Nuclei in isolated environments to limit the impact of a malicious template.
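The following is an added example, not code from Nuclei or from Wiz, showing in miniature why the two views of a template can disagree and how a verifier avoids the problem. It stands in a plain SHA-256 hex digest for Nuclei's real signature scheme (an assumption made only so the example runs offline), and the template text is constructed. The regex-only view relies on the fact that Python's "^" and "$" in MULTILINE mode recognise only "\n" as a line boundary, whereas YAML treats "\r", "\n" and "\r\n" all as line breaks; the hardened verifier canonicalises line breaks first, insists on exactly one digest line, and hashes exactly the bytes the parser will see.

```python
import hashlib
import re

# Regex-only view: in MULTILINE mode, '^' and '$' only recognise '\n'.
DIGEST_LINE = re.compile(r"^# digest: ([0-9a-f]{64})$", re.MULTILINE)
# YAML view: CR, LF and CRLF are all line breaks.
YAML_LINE_BREAK = re.compile(r"\r\n|\r|\n")
DIGEST_ONLY = re.compile(r"# digest: ([0-9a-f]{64})")


def digest_lines_regex_view(text):
    """Digest values found by a '\\n'-only, regex-based scan."""
    return DIGEST_LINE.findall(text)


def digest_lines_yaml_view(text):
    """Digest values found when lines are split the way a YAML parser splits them."""
    found = []
    for line in YAML_LINE_BREAK.split(text):
        m = DIGEST_ONLY.fullmatch(line)
        if m:
            found.append(m.group(1))
    return found


def canonicalize(text):
    """Normalise every line break to '\\n' so signer, verifier and parser agree."""
    return YAML_LINE_BREAK.sub("\n", text)


def sign_template(body):
    """Prepend a digest line over the canonicalised body (SHA-256 stands in for the real scheme)."""
    body = canonicalize(body)
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return f"# digest: {digest}\n{body}"


def verify_template(text):
    """Hardened check: canonical line breaks, exactly one digest line, digest over the parsed bytes."""
    lines = canonicalize(text).split("\n")
    digest_lines = [l for l in lines if l.startswith("# digest:")]
    if len(digest_lines) != 1:
        return False, f"expected exactly one digest line, found {len(digest_lines)}"
    m = DIGEST_ONLY.fullmatch(digest_lines[0])
    if not m:
        return False, "malformed digest line"
    body = "\n".join(l for l in lines if not l.startswith("# digest:"))
    actual = hashlib.sha256(body.encode("utf-8")).hexdigest()
    if actual != m.group(1):
        return False, "digest mismatch"
    return True, "ok"


# Constructed template body used as the honest case.
TEMPLATE_BODY = "id: example-template\ninfo:\n  name: demo\n  severity: info\n"
SIGNED_TEMPLATE = sign_template(TEMPLATE_BODY)

# Constructed regression input for the verifier: a second digest line that is
# separated from the body by a bare '\r', so the regex view and the YAML view
# count different numbers of digest lines. The hardened verifier must reject it.
INCONSISTENT_SAMPLE = SIGNED_TEMPLATE.rstrip("\n") + "\r# digest: " + "0" * 64 + "\n"

if __name__ == "__main__":
    print("honest template:", verify_template(SIGNED_TEMPLATE))
    print("regex view count:", len(digest_lines_regex_view(INCONSISTENT_SAMPLE)))
    print("yaml view count:", len(digest_lines_yaml_view(INCONSISTENT_SAMPLE)))
    print("inconsistent sample:", verify_template(INCONSISTENT_SAMPLE))
```

The design point is that the signer, the verifier and the consumer must all operate on the same canonical bytes, and any input on which two parsers could disagree is rejected outright rather than resolved by picking one of them; the same rule applies when a CRLF-formatted template is verified, because canonicalisation makes it equivalent to its LF form.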
4. Moxa Alerts Users to High-Severity Vulnerabilities in Cellular and Secure Routers
Taiwan-based Moxa has disclosed two critical vulnerabilities in its routers and network appliances that could enable privilege escalation and command execution:
- CVE-2024-9138 (CVSS 8.6): Hard-coded credentials allowing authenticated users to gain root access, leading to system compromise and service disruption.
- CVE-2024-9140 (CVSS 9.3): Exploitation of special characters to bypass input restrictions, enabling unauthorized command execution.
These flaws, reported by researcher Lars Haulin, affect several product lines, including the EDR-810, EDR-8010, EDR-G902, EDR-G9004, and TN-4900 Series running affected firmware versions.
Moxa has issued patches for most products (firmware version 3.14 or later). For NAT-102 and TN-4900 Series, users are advised to contact Moxa Technical Support.
Recommended mitigations include keeping the devices off the internet, restricting SSH access to trusted IP addresses, and deploying firewalls and intrusion detection to block and flag exploitation attempts.