
Programmer’s Digest #149

08/27/2025-09/03/2025 TP-Link and WhatsApp Flaws, Nx Build System, Malicious npm Package nodejs-smtp And More.

1. CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation

CISA has added a high-severity flaw, CVE-2020-24363 (CVSS: 8.8), in TP-Link’s TL-WA855RE Wi-Fi extenders to its KEV catalog due to active exploitation. This missing authentication bug allows an unauthenticated attacker on the same network to perform a factory reset and set a new administrative password.

Although a firmware fix exists, the product has reached end-of-life and will receive no further updates. Users are advised to replace the hardware.

CISA also added a WhatsApp vulnerability (CVE-2025-55177) exploited in a targeted spyware campaign by chaining it with an Apple iOS flaw (CVE-2025-43300). Federal agencies must apply mitigations for both vulnerabilities by September 23, 2025.

2. Hackers Target Popular Nx Build System in First AI-Weaponized Supply Chain Attack

In a supply chain attack dubbed ‘s1ngularity,’ hackers compromised the popular Nx build system (over 4 million weekly downloads) by stealing an NPM token. This allowed them to publish eight malicious versions of the Nx package between August 26th and 27th.

The malicious versions contained a script that executed on Linux and macOS systems, systematically harvesting sensitive data including SSH keys, GitHub tokens, and API keys. The stolen credentials were then exfiltrated to thousands of hastily created public GitHub repositories.

Security firms Wiz and GitGuardian confirmed the theft of thousands of valid secrets. Notably, this is the first known attack to weaponize AI coding assistants like Claude and Gemini for reconnaissance. All affected Nx packages have now been secured with mandatory 2FA, but users must immediately revoke any existing development tokens to prevent further compromise.

3. Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets

Cybersecurity researchers discovered a malicious npm package, nodejs-smtp, designed to inject code into desktop cryptocurrency wallets like Atomic and Exodus on Windows. The package mimicked the legitimate email library nodemailer, copying its tagline, page design, and README, and was downloaded 347 times since its April 2025 release by a user named “nikotimon.” It has since been removed. The package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the app, and erase traces. Its goal is to redirect cryptocurrency transactions, including Bitcoin, Ethereum, Tether, XRP, and Solana, to attacker-controlled wallets, acting as a cryptocurrency clipper.

Nodejs-smtp still functions as a mailer compatible with nodemailer, allowing it to pass developer tests and avoid suspicion. This campaign shows how a routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots. This follows a similar campaign by ReversingLabs, where the “pdf-to-office” package modified wallet apps.

4. Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names

Cybersecurity researchers uncovered a loophole in the Visual Studio Code Marketplace that allows removed extension names to be reused. ReversingLabs found this after spotting a malicious extension, ahbanC.shiba, which mimicked earlier flagged extensions, ahban.shiba and ahban.cychelloworld. All three acted as downloaders, retrieving a PowerShell payload that encrypts files in a folder named “testShiba” and demands Shiba Inu tokens.

The issue arises because extension uniqueness is tied to the combination of publisher name and extension name. When an extension is removed, its name becomes reusable by others, bypassing official publishing rules. Unlike PyPI, VS Code does not block reuse of names from malicious extensions.
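The namespace-reuse problem above, modelled as an added example (not Marketplace code): a toy registry keyed on `publisher.name` that frees a name on removal, beside a hardened policy that keeps removed IDs and bare names reserved, the way PyPI blocks reuse of names from malicious projects. The replay uses the ahban.shiba / ahbanC.shiba names from the report; the registry logic itself is assumed, not taken from the Marketplace.

```python
from dataclasses import dataclass, field


@dataclass
class Registry:
    """Constructed model of a marketplace namespace (not VS Code's own code)."""
    tombstone_removed: bool = False            # True = hardened policy
    live: dict = field(default_factory=dict)   # "publisher.name" -> version
    removed_ids: set = field(default_factory=set)
    removed_names: set = field(default_factory=set)

    def publish(self, publisher: str, name: str, version: str) -> bool:
        ext_id = f"{publisher}.{name}"
        if ext_id in self.live:
            return False                       # uniqueness rule: ID already live
        if self.tombstone_removed and (
            ext_id in self.removed_ids or name in self.removed_names
        ):
            return False                       # hardened: removed names stay reserved
        self.live[ext_id] = version
        return True

    def remove(self, publisher: str, name: str) -> None:
        """Takedown of a flagged extension; records what was removed."""
        ext_id = f"{publisher}.{name}"
        self.live.pop(ext_id, None)
        self.removed_ids.add(ext_id)
        self.removed_names.add(name)


def replay(tombstone: bool) -> dict:
    """Replay the report's sequence under one policy; True means publish succeeded."""
    reg = Registry(tombstone_removed=tombstone)
    reg.publish("ahban", "shiba", "1.0.0")
    reg.remove("ahban", "shiba")               # flagged and pulled from the marketplace
    return {
        "same_id_reused": reg.publish("ahban", "shiba", "1.0.1"),
        "name_reused_by_new_publisher": reg.publish("ahbanC", "shiba", "1.0.0"),
        "unrelated_name_still_ok": reg.publish("someone", "helloworld", "0.1.0"),
    }


if __name__ == "__main__":
    print("current policy:", replay(tombstone=False))
    print("hardened policy:", replay(tombstone=True))
```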

The finding highlights risks of open-source repositories, where attackers use typosquatting and obfuscation to deliver malware, steal data, or demand ransoms. Experts stress the need for secure development practices, monitoring, and automated supply chain scanning to mitigate such threats.
