Programmer’s Digest #126
03/12/2025-03/19/2025 Critical mySCADA myPRO Flaws, GitHub Action Hack, Malicious PyPI Packages Stole Cloud Tokens And More.
1. Critical mySCADA myPRO Flaws Could Let Attackers Take Over Industrial Control Systems
Cybersecurity researchers have disclosed two critical flaws in mySCADA myPRO, a SCADA system used in operational technology (OT) environments. These vulnerabilities could allow attackers to take control of affected systems.
Swiss security firm PRODAFT warns that exploitation could lead to severe operational disruptions and financial losses. Both flaws, rated 9.3 on the CVSS v4 scale, involve OS command injection via specially crafted POST requests:
- CVE-2025-20014 – OS command injection through the version parameter.
- CVE-2025-20061 – OS command injection through the email parameter.
Successful attacks could enable arbitrary code execution. The flaws stem from improper input sanitization and have been patched in:
- mySCADA PRO Manager 1.3
- mySCADA PRO Runtime 9.2.1
PRODAFT stresses the need for stronger SCADA security. Organizations should apply patches, isolate SCADA from IT networks, enforce strong authentication, and monitor for threats.
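The root cause named above, request parameters reaching an OS command without sanitization, is easiest to see in code. The following is an added illustration and is not mySCADA's code or PRODAFT's analysis; the updater path `/opt/updater/apply` and the exact shapes of a valid version and email are assumptions for the example. It shows the flawed pattern (a parameter spliced into a shell string) next to a hardened one: strict allow-list validation of both parameters, and execution as a discrete argument vector so no shell ever parses the values.

```python
import re
import subprocess

# Allow-list patterns for the two parameter shapes discussed above.
# Assumption: a version looks like "9.2.1" and an email like "ops@example.com";
# anything else is rejected before it can reach a command line.
VERSION_RE = re.compile(r"[0-9]+(\.[0-9]+){0,3}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Characters a shell interprets; used only as an audit-log signal, never as the
# sole defence (the allow-list above is what actually rejects the input).
SHELL_META = set(";|&$`<>(){}\n\r\\'\"")


def vulnerable_command(version: str) -> str:
    """The flawed pattern: a request parameter spliced into a shell string.

    Shown for contrast only and never executed here. Run with shell=True,
    every metacharacter in `version` would be interpreted by the shell.
    """
    return f"/opt/updater/apply --version {version}"  # hypothetical updater path


def validate_version(version: str) -> bool:
    """Accept only dotted numeric versions (full-string match)."""
    return VERSION_RE.fullmatch(version) is not None


def validate_email(email: str) -> bool:
    """Accept only a conservative, well-formed address of bounded length."""
    return len(email) <= 254 and EMAIL_RE.fullmatch(email) is not None


def check_params(params: dict) -> list:
    """Return rejection reasons for a POST body; an empty list means accepted."""
    reasons = []
    version = params.get("version", "")
    email = params.get("email", "")
    if not validate_version(version):
        reasons.append("version: not a dotted numeric version")
    if not validate_email(email):
        reasons.append("email: not a well-formed address")
    # Extra detail for the audit log: which fields carried shell metacharacters.
    for name, value in (("version", version), ("email", email)):
        if any(ch in SHELL_META for ch in value):
            reasons.append(f"{name}: contains shell metacharacters")
    return reasons


def build_argv(version: str, email: str) -> list:
    """Hardened pattern: validate first, then pass values as separate argv entries."""
    problems = check_params({"version": version, "email": email})
    if problems:
        raise ValueError("; ".join(problems))
    return ["/opt/updater/apply", "--version", version, "--notify", email]


def run_hardened(version: str, email: str):
    """Execute without a shell, so argv elements are never re-parsed."""
    return subprocess.run(build_argv(version, email), shell=False,
                          capture_output=True, check=False)


if __name__ == "__main__":
    print(check_params({"version": "9.2.1", "email": "ops@example.com"}))   # []
    print(check_params({"version": "9.2.1; id", "email": "ops@example.com"}))
```

The rejection reasons are meant to be logged, not echoed back to the client: a burst of requests whose version or email fields fail validation with shell metacharacters is exactly the signal an OT network monitor should alert on.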
2. GitHub Action Hack Likely Led to Another in Cascading Supply Chain Attack
A cascading supply chain attack started with the compromise of reviewdog/action-setup@v1, leading to the breach of tj-actions/changed-files, exposing CI/CD secrets. Attackers modified tj-actions/changed-files, writing secrets to workflow logs in 23,000 repositories. If public, these logs could have leaked critical credentials.
Wiz researchers believe the root cause was reviewdog/action-setup, which was compromised to inject base64-encoded payloads dumping secrets to logs. Since tj-actions/eslint-changed-files used this action, attackers likely stole its Personal Access Token (PAT).
Other potentially affected actions:
- reviewdog/action-shellcheck
- reviewdog/action-composite-template
- reviewdog/action-staticcheck
Mitigation: Developers should check for reviewdog/action-setup@v1 references, remove affected actions, delete logs, and rotate secrets. To prevent future breaches, pin actions to commit hashes and use GitHub’s allow-listing feature.
Swift action is needed to minimize risk from leaked CI/CD secrets.
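The two mitigations above, finding references to the affected actions and pinning every action to a commit hash, can be checked mechanically. The scanner below is an added example, not code from GitHub, Wiz or the reviewdog or tj-actions projects. It walks the `uses:` lines of a workflow file, flags any reference to an action named in this item, and flags any remote action that is pinned to a tag or branch rather than a full 40-character commit SHA; the sample workflow and its SHA are constructed placeholders.

```python
import re

# A full 40-hex commit SHA is the only immutable form of an action reference.
SHA_RE = re.compile(r"[0-9a-f]{40}")
# Matches "uses:" step lines in a workflow file, quoted or bare.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)

# Actions named in the item above, in owner/repo form.
ADVISORY_ACTIONS = {
    "reviewdog/action-setup",
    "tj-actions/changed-files",
    "tj-actions/eslint-changed-files",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
}


def parse_uses(ref: str):
    """Split 'owner/repo[/sub/path]@version' into (owner/repo, version).

    Local ('./') and container ('docker://') references return None, because
    SHA pinning does not apply to them.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    name, _, version = ref.partition("@")
    parts = name.split("/")
    if len(parts) < 2:
        return None
    return "/".join(parts[:2]), version


def audit_workflow(text: str) -> list:
    """Return (reference, finding) pairs for every remote action reference."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        parsed = parse_uses(ref)
        if parsed is None:
            continue
        repo, version = parsed
        if repo in ADVISORY_ACTIONS:
            findings.append((ref, "action named in the advisory: remove it, delete logs, rotate secrets"))
        if SHA_RE.fullmatch(version) is None:
            findings.append((ref, "mutable reference (tag or branch): pin to a full commit SHA"))
    return findings


# Constructed workflow for demonstration. The SHA is a placeholder, not a real
# commit, and the version tags are illustrative.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: "tj-actions/changed-files@v45"
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for ref, why in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{ref}: {why}")
```

Run it over every file under `.github/workflows/` in each repository. A SHA pin only helps if it is reviewed when bumped, so pair it with the allow-listing feature mentioned above so that only approved actions can be referenced at all.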
3. Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal
Cybersecurity researchers warn of a malicious campaign targeting PyPI users with fake “time”-themed packages designed to steal cloud access tokens.
ReversingLabs identified 20 such packages, downloaded over 14,100 times, including acloud-client (5,496 downloads) and snapshot-photo (2,448 downloads). These packages either upload stolen data or impersonate cloud service clients (AWS, Alibaba Cloud, Tencent Cloud) to exfiltrate secrets.
Three packages—acloud-client, enumer-iam, and tcloud-python-test—were dependencies of accesskey_tools, a GitHub project with 519 stars and 42 forks, suggesting a widespread impact. The malicious packages have now been removed from PyPI.
Meanwhile, Fortinet FortiGuard Labs found thousands of suspicious PyPI and npm packages embedding malicious install scripts or communicating with command-and-control (C&C) servers.
Mitigation: Developers should monitor dependencies for suspicious URLs and scrutinize package sources to prevent data theft and malware infections.
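The mitigation above amounts to two checks: compare declared dependencies against the names reported as malicious, and inspect a package's source for outbound URLs and cloud-credential references that a "time"-themed utility has no reason to contain. The audit below is an added example and is not ReversingLabs or Fortinet tooling; the allowed-host list and the credential indicator strings are assumptions for this example, and the requirements file and source excerpt are constructed.

```python
import re

# Package names reported as malicious in the item above.
REPORTED_MALICIOUS = {"acloud-client", "snapshot-photo", "enumer-iam", "tcloud-python-test"}

# Hosts a package is expected to reference; assumption for this example.
ALLOWED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s'\"]*")

# Strings worth a review when found in a library that is not itself a cloud SDK.
# Constructed list: the AWS CLI credential file and the environment variables the
# AWS, Alibaba Cloud and Tencent Cloud SDKs read.
CREDENTIAL_INDICATORS = (
    ".aws/credentials",
    "AWS_SECRET_ACCESS_KEY",
    "ALIBABA_CLOUD_ACCESS_KEY_SECRET",
    "TENCENTCLOUD_SECRET_KEY",
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: acloud_client == Acloud.Client == acloud-client."""
    return re.sub(r"[-_.]+", "-", name).lower()


def audit_requirements(lines) -> list:
    """Return declared dependency names that match a reported-malicious package."""
    hits = []
    for line in lines:
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        if normalize(name) in REPORTED_MALICIOUS:
            hits.append(name)
    return hits


def find_external_urls(text: str) -> list:
    """URLs whose host is not on the allow-list."""
    return sorted({m.group(0) for m in URL_RE.finditer(text)
                   if m.group(1).lower() not in ALLOWED_HOSTS})


def find_credential_refs(text: str) -> list:
    """Credential-file paths and secret environment variables named in the source."""
    return [ind for ind in CREDENTIAL_INDICATORS if ind in text]


def audit_package_source(name: str, text: str) -> dict:
    """Combine the checks into one report for a package's source tree or install script."""
    return {
        "name": name,
        "reported_malicious": normalize(name) in REPORTED_MALICIOUS,
        "external_urls": find_external_urls(text),
        "credential_refs": find_credential_refs(text),
    }


# Constructed inputs for demonstration; not real project files or package code.
SAMPLE_REQUIREMENTS = [
    "requests>=2.31",
    "acloud_client==1.0  # pulled in transitively",
    "numpy",
]
SAMPLE_SOURCE = '''
# constructed excerpt of a suspicious install script
COLLECTOR = "https://collector.invalid/api/v1"
TOKEN_FILE = os.path.expanduser("~/.aws/credentials")
SECRET = os.environ.get("TENCENTCLOUD_SECRET_KEY")
INDEX = "https://pypi.org/simple"
'''

if __name__ == "__main__":
    print(audit_requirements(SAMPLE_REQUIREMENTS))
    print(audit_package_source("snapshot-photo", SAMPLE_SOURCE))
```

The URL and credential checks are heuristics, so treat a hit as a reason to read the package, not as proof. Run them on the downloaded sdist or wheel contents rather than on the GitHub repository, since the two can differ.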
4. OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection
A new malware campaign, OBSCURE#BAT, uses social engineering to deploy the r77 rootkit, enabling persistence and evasion on infected systems. The attackers remain unidentified. The rootkit hides files, registry keys, and tasks with a specific prefix. It spreads through fake software downloads and CAPTCHA scams, mainly targeting users in the U.S., Canada, Germany, and the U.K.
Initial infection methods include:
- Fake Cloudflare CAPTCHA pages (ClickFix strategy)
- Malware disguised as legitimate tools like Tor Browser and VoIP software
Once executed, a batch script runs PowerShell commands to modify the Windows Registry, set up scheduled tasks, and install a stealthy rootkit (ACPIx86.sys). The malware also patches AMSI to bypass antivirus detection and monitors clipboard activity for potential data theft.
OBSCURE#BAT demonstrates advanced evasion techniques, making detection difficult. Security researchers warn that its persistence mechanisms ensure it survives reboots and injects into critical processes like winlogon.exe.
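The behaviours described in this item (a batch script launching PowerShell that edits the registry and creates a scheduled task, a driver named ACPIx86.sys being loaded, and injection into winlogon.exe) are each observable in endpoint telemetry. The detector below is an added example, not code from the researchers who reported OBSCURE#BAT; the event format is a constructed, generic process/registry/driver feed, and the registry key, task name and script names in the sample events are placeholders.

```python
import ntpath
from collections import defaultdict

# Constructed endpoint events, not real telemetry. Field names mimic a generic
# EDR feed; key, task and file names are placeholders.
EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"ts": 2, "type": "process_create", "pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\Downloads\\setup.bat"'},
    {"ts": 3, "type": "process_create", "pid": 201, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -File stage.ps1"},
    {"ts": 4, "type": "registry_set", "pid": 201, "key": "HKLM\\SOFTWARE\\Placeholder\\Key"},
    {"ts": 5, "type": "scheduled_task_create", "pid": 201, "task": "PlaceholderTask"},
    {"ts": 6, "type": "driver_load", "pid": 4,
     "image": "C:\\Windows\\System32\\drivers\\ACPIx86.sys"},
    {"ts": 7, "type": "remote_thread", "pid": 201, "target_image": "winlogon.exe"},
    # Benign control: an interactive PowerShell that does nothing else.
    {"ts": 8, "type": "process_create", "pid": 300, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe"},
]


def detect(events) -> list:
    """Return (pid, description) alerts for the OBSCURE#BAT-style behaviours."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    actions = defaultdict(list)            # pid -> non-process events it produced
    for e in events:
        if e["type"] != "process_create":
            actions[e["pid"]].append(e)

    alerts = []
    for pid, proc in procs.items():
        if proc["image"].lower() != "powershell.exe":
            continue
        parent = procs.get(proc["ppid"])
        from_batch = (parent is not None and parent["image"].lower() == "cmd.exe"
                      and ".bat" in parent["cmdline"].lower())
        kinds = {e["type"] for e in actions[pid]}
        # Rule 1: batch -> PowerShell that both edits the registry and creates a task.
        if from_batch and {"registry_set", "scheduled_task_create"} <= kinds:
            alerts.append((pid, "batch-launched PowerShell set registry values and created a scheduled task"))
        # Rule 2: thread injected into winlogon.exe.
        if any(e["type"] == "remote_thread" and e["target_image"].lower() == "winlogon.exe"
               for e in actions[pid]):
            alerts.append((pid, "remote thread created in winlogon.exe"))

    # Rule 3: driver load matching the rootkit file name reported in the item.
    for e in events:
        if e["type"] == "driver_load" and ntpath.basename(e["image"]).lower() == "acpix86.sys":
            alerts.append((e["pid"], "driver load matching reported rootkit file name ACPIx86.sys"))
    return alerts


if __name__ == "__main__":
    for pid, why in detect(EVENTS):
        print(f"pid {pid}: {why}")
```

Rule 1 is the durable one: it keys on the parent-child chain and the combination of persistence actions rather than on names the operators can change. Rule 3 matches a single file name and should be paired with a driver-signature check, because a rootkit can hide the file once it is running.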