
Programmer’s Digest #140

06/18/2025 - 06/25/2025: 200+ Trojanized GitHub Repositories, New Linux Flaws Grant Full Root Access, Hackers Exploit Misconfigured Docker APIs, And More.

1. 200+ Trojanized GitHub Repositories Found in Campaign Targeting Gamers and Developers

Cybersecurity researchers have uncovered a malicious campaign involving over 67 GitHub repositories posing as Python-based hacking tools but delivering trojanized payloads. Dubbed Banana Squad by ReversingLabs, the campaign is linked to a 2023 effort that targeted the Python Package Index (PyPI) with similar tactics. These repositories impersonate popular tools like Discord cleaners, Fortnite cheats, and TikTok checkers, aiming to lure users searching for such software. Once downloaded, the payloads steal data, inject code into cryptocurrency apps, and establish remote access. The threat actors also abuse GitHub’s trust system by using fake stars and forks to boost visibility. Related campaigns like Water Curse and Stargazers Ghost Network exploit GitHub to distribute malware, often targeting gamers and novice hackers.

Sophos identified 133 repositories using techniques like Visual Studio PreBuild backdoors. The broader trend reflects a growing malware distribution model leveraging open-source platforms. Developers are urged to verify repository integrity before use.

2. New Linux Flaws Grant Full Root Access Across Major Distributions

Security researchers have discovered two major vulnerabilities in Linux that allow attackers to escalate privileges and gain full root access. The flaws (CVE-2025-6018 and CVE-2025-6019) impact major distributions including Ubuntu, Debian, Fedora, and openSUSE. Attackers can chain the two flaws to escalate from a basic GUI or SSH session to full root access. The attack leverages udisks loop mounts and PAM quirks to bypass polkit trust zones.

Who Is Affected:

  • CVE-2025-6018 affects openSUSE Leap 15 and SUSE Linux Enterprise 15.
  • CVE-2025-6019 impacts libblockdev via the udisks daemon, which is installed by default on most Linux systems.

Once exploited, an attacker can disable security tools, install rootkits, or establish persistent access.

Patch Immediately: Linux vendors are releasing updates. Users should apply security patches as soon as possible and, as an interim measure, change the polkit rule for org.freedesktop.udisks2.modify-device to require auth_admin, which blocks the unauthorized actions.
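The interim hardening named above, written out as a polkit rule. This is an added example, not code from the digest or from the polkit project: the `polkit.addRule(...)` call is what belongs in a `.rules` file (the file name `10-udisks-modify-device.rules` is an assumption), while `makePolkitShim()` and `decide()` are a small stand-in for the `polkit` object that polkitd normally injects, so the rule can be exercised offline with node.

```javascript
// Added example (not from the digest or polkit). Only the addRule() call is
// deployable; everything else is a harness for trying the rule locally.

// Stand-in for the global that polkitd provides to .rules files. Only the
// members this rule needs are modelled; the result strings match polkit's.
function makePolkitShim() {
  const rules = [];
  return {
    Result: { YES: 'yes', NO: 'no', AUTH_ADMIN: 'auth_admin', AUTH_SELF: 'auth_self' },
    addRule(fn) { rules.push(fn); },
    // polkitd semantics: rules run in the order they were added; the first
    // one that returns a value decides, otherwise the action's default
    // policy applies (not modelled here, hence `undefined`).
    evaluate(action, subject) {
      for (const fn of rules) {
        const r = fn(action, subject);
        if (r !== undefined && r !== null) return r;
      }
      return undefined;
    },
  };
}
const polkit = makePolkitShim();

// --- Content of /etc/polkit-1/rules.d/10-udisks-modify-device.rules (name assumed) ---
polkit.addRule(function (action, subject) {
  if (action.id === 'org.freedesktop.udisks2.modify-device') {
    // Require administrator authentication regardless of the action's
    // default policy, so an ordinary active session cannot trigger it silently.
    return polkit.Result.AUTH_ADMIN;
  }
  // Returning nothing leaves every other action to its default policy.
});
// --- end of rules-file content ---

// Evaluate the rule the way an unprivileged, active local session would hit it.
function decide(actionId) {
  return polkit.evaluate({ id: actionId }, { local: true, active: true, user: 'alice' });
}

console.log('modify-device    ->', decide('org.freedesktop.udisks2.modify-device'));   // auth_admin
console.log('filesystem-mount ->', decide('org.freedesktop.udisks2.filesystem-mount')); // undefined (default policy)
```

Rules files are evaluated in lexical order, so a low numeric prefix makes this rule run before distribution-supplied ones; after installing it, a udisks action that modifies a device should prompt for an administrator password rather than proceed. This is a stopgap until the vendor packages for CVE-2025-6019 are applied.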

3. Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network

Misconfigured Docker instances are being exploited in a new cryptojacking campaign that uses the Tor network to hide attacker activity. Attackers abuse exposed Docker APIs to access containerized environments, deploy crypto miners, and mask their origin via Tor.

The attack begins with a request from IP 198.199.72[.]27 to list containers. If none exist, a new one is created using the “alpine” image, with the host’s root directory mounted inside—allowing dangerous access to the host system. A Base64-encoded script installs Tor and fetches a remote payload from a .onion domain. The attacker then modifies SSH settings to enable root login, installs tools like masscan and torsocks, and delivers an XMRig miner. All traffic is routed through Tor for anonymity. Targets include tech, finance, and healthcare sectors. Separately, Wiz found hundreds of leaked credentials in public code repositories, posing major risks to over 30 companies—including Fortune 100 firms.
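A defender's check for the two host-side conditions this campaign depends on: a Docker API reachable over plain TCP, and containers that bind-mount the host's root directory (privileged containers are flagged too, since they give equivalent access). This is an added example, not code from the digest, from Docker, or from the researchers; the inputs are constructed samples shaped like `/etc/docker/daemon.json` and the JSON that `docker inspect` prints, and the function names are mine.

```javascript
// Added example (not from the digest or Docker). Feed auditDaemonConfig()
// the parsed daemon.json and findRiskyContainers() the parsed output of
// `docker inspect $(docker ps -q)`; the samples below are constructed.

// A tcp:// listener without client-certificate verification hands full
// control of the daemon (and, through host mounts, of the host) to anyone
// who can reach the port. unix:// and fd:// listeners are local-only.
function auditDaemonConfig(daemon) {
  const findings = [];
  for (const host of daemon.hosts || []) {
    if (!host.startsWith('tcp://')) continue;
    if (daemon.tlsverify === true) {
      findings.push({ severity: 'info', detail: `${host}: TCP API with client-cert verification (tlsverify)` });
    } else {
      findings.push({ severity: 'high', detail: `${host}: TCP API without tlsverify; unauthenticated remote control` });
    }
  }
  return findings;
}

// True when a bind-mount source is the host root: '/', '//', '/./' etc.
// ('..' components are not resolved; treat any such source as needing review).
function isHostRoot(source) {
  if (typeof source !== 'string' || !source.startsWith('/')) return false;
  return source.split('/').every((p) => p === '' || p === '.');
}

// Walk `docker inspect` output and report containers that expose the host.
function findRiskyContainers(inspectOutput) {
  const findings = [];
  for (const c of inspectOutput) {
    const name = (c.Name || c.Id || '?').replace(/^\//, '');
    for (const m of c.Mounts || []) {
      if (m.Type === 'bind' && isHostRoot(m.Source)) {
        findings.push({ container: name, issue: 'host root bind-mounted', detail: `/ -> ${m.Destination}` });
      }
    }
    if (c.HostConfig && c.HostConfig.Privileged === true) {
      findings.push({ container: name, issue: 'privileged container', detail: 'all capabilities and host devices' });
    }
  }
  return findings;
}

// Constructed sample: a daemon listening on the classic unauthenticated port.
const SAMPLE_DAEMON_JSON = { hosts: ['unix:///var/run/docker.sock', 'tcp://0.0.0.0:2375'] };

// Constructed sample: one benign web container, one alpine container with
// the host root mounted at /hostroot, as the campaign above does.
const SAMPLE_INSPECT = [
  { Id: 'c0ffee01', Name: '/web', Config: { Image: 'nginx:1.27' },
    HostConfig: { Privileged: false },
    Mounts: [{ Type: 'bind', Source: '/srv/www', Destination: '/usr/share/nginx/html' }] },
  { Id: 'c0ffee02', Name: '/zealous_lamport', Config: { Image: 'alpine' },
    HostConfig: { Privileged: false },
    Mounts: [{ Type: 'bind', Source: '/', Destination: '/hostroot' }] },
];

function runAudit(daemon, inspectOutput) {
  return { daemon: auditDaemonConfig(daemon), containers: findRiskyContainers(inspectOutput) };
}

console.log(JSON.stringify(runAudit(SAMPLE_DAEMON_JSON, SAMPLE_INSPECT), null, 2));
```

On a real host the `daemon` finding is the one to fix first: drop the `tcp://` entry from `hosts`, or keep it only with `tlsverify` plus the `tlscacert`/`tlscert`/`tlskey` settings and a firewall rule in front. Any container the second check reports should be treated as a host compromise, not merely a container one, since the host's filesystem is writable from inside it.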

4. Cloudflare Blocks Record 7.3 Tbps DDoS Attack Against Hosting Provider

In May 2025, Cloudflare mitigated a record-breaking DDoS attack that peaked at 7.3 Tbps—12% larger than the previous record. The 45-second attack targeted a hosting provider, generating 37.4 TB of traffic, equivalent to 7,500 hours of HD streaming.

The attack came from over 122,000 IPs across 161 countries, mainly Brazil, Vietnam, Taiwan, and China. It flooded multiple ports—peaking at 34,517 ports/second—using techniques like UDP floods, QOTD and Echo reflection, NTP amplification, and Mirai botnet traffic.

Cloudflare’s automated system, powered by its anycast network and real-time threat detection tools, handled the attack without human intervention, dispersing traffic across 477 global data centers.

Despite 99.996% of the traffic being UDP floods, other vectors probed for weaknesses. Indicators of compromise were added to Cloudflare’s free DDoS Botnet Threat Feed, now used by over 600 organizations.
