Programmer’s Digest #157
10/23/2025-10/29/2025
10 npm Packages Caught Stealing Developer Credentials, Active Exploits Hit Dassault and XWiki, Magento Input Validation Vulnerability Exploited In Wild And More.
1. 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux
Cybersecurity researchers uncovered 10 typosquatted npm packages (uploaded July 4, 2025, ~9,900 total downloads) that install a multi-stage information stealer for Windows, Linux and macOS. The packages impersonated popular libraries (TypeScript, discord.js, ethers.js, nodemon, react-router-dom, zustand) and trigger a malicious postinstall hook that runs install.js, opens a new terminal window, and launches an obfuscated app.js. The payload shows a fake CAPTCHA and believable install output while fingerprinting victims by IP and fetching a 24 MB PyInstaller stealer from 195.133.79[.]43. app.js uses four layers of obfuscation (XOR, URL-encoding, hex/octal tricks) to resist analysis. The stealer extracts credentials, tokens, cookies, SSH keys and system keyring secrets (email, cloud sync, VPN, password managers), compresses them, and exfiltrates the archive — giving attackers direct access to corporate email, file storage, internal networks and production systems.
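A defender-side triage script for the pattern in item 1, added here and not part of the digest or the research it summarizes: it walks a node_modules tree, flags any package that declares a preinstall/install/postinstall hook (the mechanism that launched install.js above), and flags names within two edits of the libraries named above. The watch-list, the two-edit threshold and the sample manifest are assumptions, not data from the report.

```python
"""Triage an npm dependency tree for the two traits described above: install-time
lifecycle hooks and names that look like typosquats. Added example, not digest code."""
import json
import os

# Constructed watch-list adapted from the libraries the digest says were impersonated.
WATCHED = ["typescript", "discord.js", "ethers", "nodemon", "react-router-dom", "zustand"]
HOOKS = ("preinstall", "install", "postinstall")


def edit_distance(a, b):
    """Levenshtein distance; typosquats usually sit one or two edits from the target."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_manifest(name, manifest):
    """Return finding strings for one parsed package.json (empty list if clean)."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in HOOKS:
        if hook in scripts:  # this is where a malicious install.js would be launched
            findings.append(f"{name}: '{hook}' hook runs: {scripts[hook]}")
    for target in WATCHED:
        d = edit_distance(name.lower(), target)
        if 0 < d <= 2:  # distance 0 is the genuine package itself
            findings.append(f"{name}: within {d} edit(s) of '{target}' (possible typosquat)")
    return findings


def audit_node_modules(root):
    """Audit every top-level and @scoped package under a node_modules directory."""
    findings = []
    for entry in sorted(os.listdir(root)):
        dirs = [os.path.join(root, entry)]
        if entry.startswith("@"):  # scoped packages live one level deeper
            dirs = [os.path.join(dirs[0], sub) for sub in os.listdir(dirs[0])]
        for pkg_dir in dirs:
            pj = os.path.join(pkg_dir, "package.json")
            if os.path.isfile(pj):
                with open(pj, encoding="utf-8") as fh:
                    manifest = json.load(fh)
                findings += audit_manifest(manifest.get("name", entry), manifest)
    return findings
```

Run `audit_node_modules("node_modules")` after an install done with `npm install --ignore-scripts`, so hooks are inspected before they ever execute.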
2. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack
Threat actors are actively exploiting severe flaws in Dassault Systèmes DELMIA Apriso and XWiki, according to CISA and VulnCheck alerts. The affected issues include CVE-2025-6204 (code injection, CVSS 8.0) and CVE-2025-6205 (missing authorization, CVSS 9.1) in DELMIA Apriso releases 2020–2025, both patched in August, and CVE-2025-24893 (eval injection, CVSS 9.8) in XWiki. CISA recently added these flaws to its Known Exploited Vulnerabilities catalog, following earlier exploitation of CVE-2025-5086 in the same product. VulnCheck observed in-the-wild attacks leveraging the XWiki flaw to deploy a cryptocurrency miner via a two-stage chain: the first stage drops a downloader (“x640”) from 193.32.208[.]24, and the second fetches payloads (“x521,” “x522”) that install and run the miner while terminating rivals. The activity, traced to a Vietnam-based IP (123.25.249[.]88), highlights ongoing exploitation. CISA urges immediate patching, with federal agencies required to remediate DELMIA Apriso flaws by November 18, 2025.
3. Windows Server Emergency Patches Fix WSUS Bug With PoC Exploit
Microsoft has issued out-of-band (OOB) security updates to fix CVE-2025-59287, a critical remote code execution flaw in Windows Server Update Services (WSUS). The vulnerability, now with public proof-of-concept exploit code, affects only Windows servers with the WSUS Server Role enabled. It allows remote, unauthenticated attackers to execute code with SYSTEM privileges via crafted events that trigger unsafe object deserialization, making it potentially wormable between WSUS servers. Microsoft urges admins to install the patches immediately for all supported Windows Server versions (2012–2025). Servers without the WSUS role are not affected, but enabling WSUS without patching exposes systems to attack. As a temporary workaround, admins can disable the WSUS role or block inbound traffic on ports 8530 and 8531, though this stops Windows endpoints from receiving updates. The cumulative OOB patch replaces prior updates, and Microsoft recommends rebooting servers after installation.
4. CISA Flags Critical Lanscope Bug
CISA has warned of a critical vulnerability (CVE-2025-61932, CVSS 9.3) in Motex Lanscope Endpoint Manager, urging all federal agencies to patch or mitigate affected systems by November 12, 2025. The flaw, confirmed by Motex through Japan’s JVN portal, allows remote code execution via specially crafted packets due to improper verification of communication sources. Exploitation could enable attackers to steal data, deploy ransomware, or compromise entire networks. The issue affects on-premises versions of Lanscope’s Client and Detection Agent. Motex has released fixes in versions 9.3.2.7–9.4.7.3; systems running 9.4.7.1 or earlier remain vulnerable. CISA advises organizations to upgrade immediately, restrict network access, enable zero-trust controls, and continuously monitor for anomalies. Because Lanscope manages privileged enterprise endpoints, unpatched systems present significant risk, underscoring the need for timely updates, strong access control, and layered cyber defenses.
5. Magento Input Validation Vulnerability Exploited In Wild To Hijack Sessions And Execute Malicious Code
A critical flaw in Magento (Adobe Commerce), dubbed SessionReaper and tracked as CVE-2025-54236, allows attackers to hijack user sessions and execute remote code. First disclosed on September 9, 2025, the vulnerability gained urgency after Sansec released a proof-of-concept exploit on October 22, sparking mass exploitation attempts. Over 250 Magento stores were reportedly compromised as attackers targeted unpatched systems ahead of the holiday season. The flaw, rated CVSS 9.8, stems from improper input validation in Magento’s authentication process, enabling attackers to impersonate users, access admin panels, or upload malicious code to steal data and install backdoors. Akamai detected more than 300 probes within 48 hours of the exploit’s release, blocking attacks via its security engine. Experts warn that while web application firewalls help, the only reliable defense is applying Adobe’s latest patches immediately to prevent large-scale e-commerce breaches.