Programmer’s Digest #159

11/05/2025-11/12/2025 126 Npm Package Targeting GitHub-Owned Repositories, Vibe-Coded Malicious VS Code Extension, Malicious NuGet Packages And More

1. Npm Package Targeting GitHub-Owned Repositories Flagged as Red Team Exercise

Cybersecurity researchers uncovered a malicious npm package, “@acitons/artifact,” that mimics GitHub’s legitimate “@actions/artifact” to target GitHub-owned repositories. The goal was to execute a script during GitHub builds, steal access tokens, and publish malicious artifacts. Six versions (4.0.12–4.0.17) contained a post-install hook that downloaded malware, though the latest npm version (4.0.10) is clean. The package, uploaded on October 29, 2025, had over 47,000 total downloads before the malicious versions were removed. Another similar package, “8jfiesaf83,” was downloaded about 1,000 times before removal. Analysis showed the malware downloaded a “harness” binary and executed “verify.js” to extract GitHub workflow data, sending it in encrypted form to a GitHub subdomain. GitHub later confirmed the incident was part of a Red Team security exercise, stating no systems or data were ever at risk.

2. Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities

Cybersecurity researchers have identified a malicious VS Code extension with basic ransomware capabilities, believed to be AI-generated or “vibe-coded.” Dubbed “susvsex,” the extension was uploaded to the marketplace on November 5, 2025, by “suspublisher18.” It was designed to automatically zip, upload, and encrypt files from a test directory upon activation. Microsoft has since removed it.

Fortunately, its impact was limited by its target directory, but the code could be easily updated. The extension also used a private GitHub repository for command-and-control (C2), polling for new instructions and exfiltrating results.

In a separate incident, Datadog uncovered 17 malicious npm packages posing as legitimate SDKs. These packages, published by now-banned accounts, secretly deployed the Vidar information stealer—marking its first appearance in the npm registry. The attack leveraged postinstall scripts to download and execute the malware from a remote server.

These events highlight the persistent threat of software supply chain attacks, underscoring the need for developers to exercise caution by reviewing packages and their dependencies before use.

3. GlassWorm Malware Discovered in Three VS Code Extensions with Thousands of Installs

Cybersecurity researchers have uncovered three new Visual Studio Code extensions tied to the GlassWorm campaign, showing ongoing attacks on the VS Code ecosystem. The extensions — ai-driven-dev.ai-driven-dev (3,402 downloads), adhamu.history-in-sublime-merge (4,057), and yasuyuky.transient-emacs (2,431) — remain available online. First revealed by Koi Security, GlassWorm spreads through malicious VS Code extensions to steal credentials, drain cryptocurrency wallets, and install remote-access tools. It hides code using invisible Unicode characters, enabling self-replication and wider compromise.

Although Open VSX removed earlier malicious extensions and revoked tokens on October 21, 2025, new variants have reappeared, using blockchain-based command-and-control (C2) mechanisms for persistence. Researchers found the attacker’s exposed server listing victims across the U.S., South America, Europe, and Asia, including a Middle Eastern government entity.
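The item above says GlassWorm hides code with invisible Unicode characters. As an added example (not taken from Koi Security's research or from the digest), this scanner reports runs of invisible code points in source text with their line and column; the digest does not say which code points are involved, so the ranges, the run-length threshold and the sample text are assumptions constructed for illustration.

```javascript
// Added example: flag invisible Unicode code points in extension source text.
// Assumption: these ranges are common invisible/format characters; the digest
// does not list the ones GlassWorm uses.
const INVISIBLE_RANGES = [
  [0x200b, 0x200f, "zero-width / direction mark"],
  [0x202a, 0x202e, "bidi embedding/override"],
  [0x2060, 0x2064, "word joiner / invisible operator"],
  [0xfe00, 0xfe0f, "variation selector"],
  [0xfeff, 0xfeff, "zero-width no-break space"],
  [0xe0000, 0xe007f, "tag character"],
  [0xe0100, 0xe01ef, "variation selector supplement"],
];

function classify(cp) {
  const r = INVISIBLE_RANGES.find(([lo, hi]) => cp >= lo && cp <= hi);
  return r ? r[2] : null;
}

// Returns one finding per run of consecutive invisible code points.
function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    let run = null, col = 0;
    for (const ch of line) { // iterates by code point, not UTF-16 unit
      col++;
      const kind = classify(ch.codePointAt(0));
      if (!kind) { run = null; continue; }
      if (!run) {
        run = { line: idx + 1, column: col, length: 0, kinds: new Set() };
        findings.push(run);
      }
      run.length++;
      run.kinds.add(kind);
    }
  });
  return findings;
}

// A long run is far more suspicious than one emoji variation selector.
function suspicious(findings, minRun = 8) {
  return findings.filter((f) => f.length >= minRun);
}

// Constructed sample: line 2 renders as `const s = "";` but carries 16 hidden
// code points; line 3 is a benign emoji followed by U+FE0F.
const hidden = Array.from({ length: 16 }, (_, i) => String.fromCodePoint(0xe0100 + i)).join("");
const SAMPLE = ['const ok = "plain";', `const s = "${hidden}";`, 'const heart = "\u2764\ufe0f";'].join("\n");
console.log(suspicious(scanSource(SAMPLE)));
```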

4. Malicious NuGet Packages Drop Disruptive ‘Time Bombs’

Researchers at Socket found nine malicious NuGet packages published under shanhai666 that include sabotage payloads scheduled to trigger between Aug 8, 2027 and Nov 29, 2028, targeting .NET database libraries and Siemens S7 PLCs. The packages (including Sharp7Extend) mix legitimate functionality with a ~20-line malicious payload implemented via C# extension methods so it runs transparently on each DB or PLC operation.

On the trigger dates the code uses a random check (20% chance) to either kill the host process or, for Sharp7Extend, immediately terminate PLC communications or corrupt PLC write operations after a 30–90 minute delay. Corrupted writes can prevent actuators from receiving commands, block safety engagements, and disrupt production. Sharp7Extend also deliberately fails initialization by reading a nonexistent config value.

Socket says the developer page and packages have since been delisted after ~9,500 downloads. Organizations are urged to audit for those nine packages, assume compromise if found, verify PLC/write integrity, and implement write-verification and safety-log checks.

5. Cisco: Actively Exploited Firewall Flaws Now Abused For DoS Attacks

Cisco has warned that two vulnerabilities, CVE-2025-20362 and CVE-2025-20333, are being exploited to force ASA and FTD firewalls into reboot loops. CVE-2025-20362 allows unauthenticated access to restricted URLs, while CVE-2025-20333 enables authenticated remote code execution. When combined, they give attackers full control over unpatched systems. Cisco released fixes on September 25, 2025, and CISA issued an emergency directive requiring U.S. federal agencies to secure or disconnect affected ASA devices within 24 hours. Shadowserver tracks over 34,000 exposed ASA and FTD firewalls, down from nearly 50,000 in September.

The attacks are linked to the ArcaneDoor campaign and the UAT4356 group (STORM-1849), which previously exploited Cisco zero-days and deployed Line Dancer and Line Runner malware for persistence. Cisco also patched other RCE vulnerabilities, including CVE-2025-20352 and recent flaws in its Contact Center software, urging customers to apply all security updates immediately.

6. Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly

Google has uncovered a new experimental malware called PROMPTFLUX, a VBScript-based threat that uses Gemini AI’s API to rewrite its own source code for better obfuscation and evasion. According to Google Threat Intelligence Group (GTIG), the malware queries Gemini 1.5 Flash using a hard-coded API key to request code changes aimed at bypassing antivirus detection. PROMPTFLUX stores new versions in the Windows Startup folder for persistence and can spread via removable drives and network shares. Though its self-modifying feature is currently disabled, logs show the author’s intent to create an evolving, metamorphic script.

While still in development and not yet capable of system compromise, the malware reflects a growing trend of AI-assisted attacks. Google also cited other LLM-driven threats like FRUITSHELL, PROMPTLOCK, and PROMPTSTEAL, noting misuse of Gemini by China-, Iran-, and North Korea-linked actors to aid in phishing, malware creation, and data exfiltration.
