Programmer’s Digest #131
04/16/2025-04/23/2025 GCP Cloud Composer Bug, Critical Erlang/OTP SSH RCE Bug, Ripple’s xrpl.js npm Package.
1. GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages
Cybersecurity researchers revealed a now-patched vulnerability in Google Cloud Platform’s Cloud Composer, a workflow service based on Apache Airflow. Dubbed ConfusedComposer, the flaw could have let attackers with edit permissions escalate access to the powerful Cloud Build service account, enabling them to access sensitive GCP services like Cloud Storage and Artifact Registry. Tenable, which discovered the issue, described it as a variant of a previous GCP flaw called ConfusedFunction. The vulnerability stemmed from Cloud Composer’s ability to install custom PyPI packages, which attackers could abuse to execute malicious scripts and gain elevated privileges.
Google patched the flaw on April 13, 2025, switching Cloud Composer to use its environment-specific service account for package installations.
The disclosure comes amid a wave of cloud vulnerabilities, including an Azure SQL Server flaw that could trigger data loss, a Microsoft Entra ID bug that allowed privilege abuse, and AWS EC2 attacks exploiting SSRF vulnerabilities to access sensitive metadata.
2. Critical Erlang/OTP SSH RCE Bug
A critical vulnerability in Erlang/OTP’s SSH implementation (CVE-2025-32433) now has public exploits, enabling unauthenticated remote code execution. The flaw stems from improper handling of SSH protocol messages before authentication. Patched in versions 25.3.2.10 and 26.2.4, the bug poses a serious risk to devices using Erlang/OTP in telecom, database, and high-availability systems, many of which may not be updated quickly.
Exploits were confirmed by researchers from the Zero Day Initiative and Horizon3, who found the vulnerability easy to weaponize. Public proof-of-concept (PoC) code has been shared on GitHub and Pastebin, raising the risk of widespread attacks. Security experts warn that threat actors may begin scanning for vulnerable systems soon, especially in critical infrastructure. While over 600,000 IPs run Erlang/OTP, most appear to use CouchDB, which is not affected. Immediate patching is strongly recommended.
3. SonicWall SMA VPN Devices Targeted in Attacks
A remote code execution flaw in SonicWall Secure Mobile Access (SMA) devices (CVE-2021-20035) has been actively exploited since January 2025. The vulnerability, originally patched in 2021 and initially classified as a denial-of-service risk, has now been reclassified as high severity with confirmed remote code execution potential.
The flaw affects SMA 200, 210, 400, 410, and 500v devices. It allows low-privileged attackers to inject commands via the SMA100 management interface, potentially leading to full compromise. SonicWall updated its advisory, and CISA has added the bug to its Known Exploited Vulnerabilities catalog, requiring federal agencies to secure systems by May 7.
Attackers used default credentials (e.g., “password” for a super admin account) and targeted VPN credentials on exposed SMA 100 appliances. Defenders are urged to patch immediately, limit VPN access, disable unused accounts, enable MFA, and reset local passwords to prevent further compromise.
4. Ripple’s xrpl.js npm Package Backdoored to Steal Private Keys in Major Supply Chain Attack
The popular Ripple cryptocurrency library xrpl.js was compromised in a supply chain attack aimed at stealing users’ private keys. The malicious code affected versions 4.2.1 to 4.2.4 and 2.14.2, but has been patched in versions 4.2.5 and 2.14.3.
The attacker, using a compromised npm account under the name “mukulljangid”, added a function named checkValidityOfSeed that exfiltrated keys to an external domain. The account likely belonged to a Ripple employee, suggesting the npm access token was stolen.
xrpl.js is a widely used JavaScript API for interacting with the XRP Ledger, downloaded over 2.9 million times with 135,000+ weekly downloads. The associated GitHub repository remains unaffected.
Security researchers believe the attacker released several versions quickly to evade detection. Users are urged to immediately update to versions 4.2.5 or 2.14.3 to secure their applications. The XRP Ledger itself was not impacted by the attack.