Programmer’s Digest #152
09/17/2025-09/24/2025 Typosquatted Malicious PyPI Packages, Ivanti Software Flaws, Misconfigured AWS Docker Containers And More.
1. Beware of Typosquatted Malicious PyPI Packages That Deliver SilentSync RAT
Python developers are increasingly targeted by typosquatted packages on PyPI, where malicious actors create near-identical copies of legitimate libraries to distribute malware. In July 2025, researchers discovered the package termncolor, signaling a broader campaign. By early August, Zscaler identified two more malicious packages, sisaws and secmeasure, both linked to the same author and delivering a new Remote Access Trojan (RAT) called SilentSync.
Sisaws mimics the legitimate sisa package, demonstrating the attackers’ careful social engineering. SilentSync is a sophisticated cross-platform RAT with persistence mechanisms on Windows (registry entry), Linux (crontab), and macOS (launch agent), comprehensive data exfiltration, and C2 communication over HTTP. It targets Chromium-based browsers and Firefox, harvesting history, cookies, autofill data, and credentials, while erasing traces to evade detection. These attacks highlight the evolving supply chain threats within trusted open-source ecosystems.
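A defender-side check for the lookalike names this item describes, added here as an example and not taken from Zscaler's research or from any project on the page: it normalizes package names the way PyPI does (PEP 503), then flags any requirement whose name is within a small edit distance of an allowlisted package without being that package. The allowlist, the sample requirements file and the distance threshold are constructed for illustration; `sisa`/`sisaws` come from the page, while the assumption that `termncolor` targets `termcolor` is mine.

```python
import re
from typing import Iterable

# Constructed allowlist of packages the project legitimately depends on.
# "sisa" is named on the page; the other entries are assumed for this example.
KNOWN_GOOD = {"sisa", "termcolor", "requests", "numpy"}

# Constructed sample manifest containing the two lookalikes discussed above.
SAMPLE_REQUIREMENTS = """
# constructed requirements.txt
requests==2.32.0
sisaws
termncolor>=1.0
numpy
Sisa  # exact match after normalization, so not flagged
""".splitlines()

_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insert, delete,
    substitute and adjacent transposition each cost 1, so 'termncolor' vs
    'termcolor' is 1 and a swapped pair such as 'ab' vs 'ba' is 1."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def requirement_name(line: str):
    """Extract the normalized project name from one requirements line, or None for
    blank lines, comments and pip options such as '-r base.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = _REQ_NAME.match(line)
    return normalize(m.group(1)) if m else None


def find_lookalikes(requirements: Iterable[str], known_good=KNOWN_GOOD, max_distance=2):
    """Return (requested_name, closest_known_name, distance) for every requirement
    that is close to, but not identical with, an allowlisted package."""
    good = {normalize(n) for n in known_good}
    findings = []
    for line in requirements:
        name = requirement_name(line)
        if name is None or name in good:
            continue
        closest = min(good, key=lambda g: edit_distance(name, g))
        d = edit_distance(name, closest)
        if d <= max_distance:
            findings.append((name, closest, d))
    return findings


if __name__ == "__main__":
    for requested, closest, d in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} is {d} edit(s) from allowlisted {closest!r}")
```

Run against the sample manifest this reports `sisaws` (2 edits from `sisa`) and `termncolor` (1 edit from `termcolor`). A distance of 2 is a loose bound for very short names, so in practice tighten `max_distance` to 1 for names under about six characters and treat a hit as a prompt to review the package on PyPI, not as proof of malice.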
2. CISA Flags Some More Serious Ivanti Software Flaws, So Patch Now
CISA warns that attackers chained CVE-2025-4427 and CVE-2025-4428 to breach Ivanti EPMM systems. Both flaws affect Ivanti Endpoint Manager Mobile (EPMM), with the first allowing API authentication bypass (severity 7.5/10) and the second enabling unauthenticated Remote Code Execution (RCE, severity 8.8/10). Both were patched in May 2025.
Attackers used the two vulnerabilities together to deploy malware in two stages. One set injects a malicious listener into Apache Tomcat to intercept HTTP requests and execute Java code. The other processes encoded password parameters similarly. Both were delivered via Java Expression Language (EL) injection over HTTP GET requests. Payloads were Base64-encoded, written in parts to temporary directories, and reconstructed to evade detection.
CISA did not confirm attribution. Reports cited by The Register suggest a possible Chinese actor targeting an Australian entity, but official details on threat actors or victims remain unclear.
3. Fortra Releases Critical Patch for CVSS 10.0 GoAnywhere MFT Vulnerability
Fortra has disclosed a critical flaw in GoAnywhere Managed File Transfer (MFT) software, CVE-2025-10035, with a maximum CVSS score of 10.0. The vulnerability is a deserialization issue in the License Servlet that allows attackers with a forged license signature to deserialize arbitrary objects, potentially leading to command injection. Exploitation requires the system to be publicly accessible. Fortra advises updating to version 7.8.4 or the Sustain Release 7.6.3, or restricting public access to the Admin Console if immediate patching isn’t possible. While no in-the-wild attacks have been reported, previous GoAnywhere vulnerabilities, including CVE-2023-0669 (CVSS 7.2) and CVE-2024-0204 (CVSS 9.8), were exploited by ransomware groups to steal data or create admin users.
Ryan Dewhurst of watchTowr notes the new flaw impacts the same license code path as the earlier widely exploited CVE-2023-0669, suggesting high likelihood of future attacks. Organizations with internet-facing GoAnywhere instances should patch immediately and restrict external access.
4. SolarWinds Releases Third Patch to Fix Web Help Desk RCE Bug
SolarWinds has released a hotfix for a critical Web Help Desk (WHD) vulnerability, CVE-2025-26399, which allows unauthenticated remote code execution. This marks the third attempt to address an older flaw, CVE-2024-28986, affecting WHD 12.8.3 and earlier versions. The issue impacts WHD 12.8.7 and arises from unsafe deserialization in the AjaxProxy component. Successful exploitation lets attackers run commands on the host machine.
SolarWinds notes that CVE-2025-26399 is a patch bypass of previous flaws, creating a chain of vulnerabilities. The original CVE-2024-28986 was flagged by CISA in the Known Exploited Vulnerabilities catalog. The new flaw was reported via Trend Micro’s Zero Day Initiative (ZDI), and no in-the-wild exploitation has been observed yet.
The hotfix requires updating to WHD 12.8.7, replacing key JAR files in the /lib directory, and restarting the service. Organizations are advised to apply the update immediately to prevent potential attacks.
5. GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security
GitHub announced upcoming changes to authentication and publishing to counter recent npm supply chain attacks, including the Shai-Hulud incident. Measures include local publishing with mandatory 2FA, short-lived seven-day granular tokens, and trusted publishing via OpenID Connect (OIDC), which eliminates npm tokens and adds cryptographic proof for each publish. The npm CLI will also generate provenance attestations, allowing users to verify the source and build environment. GitHub plans to deprecate legacy tokens, migrate users from TOTP to FIDO-based 2FA, shorten token lifetimes, enforce 2FA for local publishing, and expand trusted publishing providers. These changes follow Shai-Hulud, a self-replicating npm worm that harvested secrets, and a malicious package fezbox, which used QR codes to steal browser credentials. Both incidents highlight evolving supply chain threats and sophisticated obfuscation techniques.
GitHub’s update aligns with broader ecosystem efforts, including NuGet and RubyGems, to improve supply chain security and enforce stricter administrative and publishing controls.
6. ShadowV2 Botnet Exploits Misconfigured AWS Docker Containers for DDoS-for-Hire Service
Researchers have disclosed the ShadowV2 botnet, a “DDoS-for-hire” platform targeting misconfigured Docker containers on AWS. ShadowV2 deploys Go-based malware to co-opt infected systems as attack nodes and uses a Python-based command-and-control (C2) framework hosted on GitHub Codespaces.
The botnet leverages advanced techniques, including HTTP/2 Rapid Reset attacks, Cloudflare Under Attack Mode bypass, and large-scale HTTP floods. It spreads via Docker by creating temporary Ubuntu containers, installing tools, and executing a Go ELF binary that communicates with a C2 server for commands. Operators can manage users, configure attacks, and control targets through a structured API and web interface.
ShadowV2 demonstrates the growing sophistication of cybercrime-as-a-service, combining containerization, modular RAT functionality, and an operator-friendly interface. The disclosure coincides with other large-scale DDoS activity, including Cloudflare’s mitigation of attacks exceeding 22 Tbps, and highlights ongoing threats from botnets like AISURU, which targets routers and cameras worldwide for DDoS and proxy functionality.