how human behavior affects security

Programmer’s Digest #149

08/27/2025-09/03/2025 TP-Link and WhatsApp Flaws, Nx Build System, Malicious npm Package nodejs-smtp And More.

1. CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation

CISA has added a high-severity flaw, CVE-2020-24363 (CVSS: 8.8), in TP-Link’s TL-WA855RE Wi-Fi extenders to its KEV catalog due to active exploitation. This missing authentication bug allows an unauthenticated attacker on the same network to perform a factory reset and set a new administrative password.

Although a firmware fix exists, the product has reached end-of-life and will receive no further updates. Users are advised to replace the hardware.

CISA also added a WhatsApp vulnerability (CVE-2025-55177) exploited in a targeted spyware campaign by chaining it with an Apple iOS flaw (CVE-2025-43300). Federal agencies must apply mitigations for both vulnerabilities by September 23, 2025.

2. Hackers Target Popular Nx Build System in First AI-Weaponized Supply Chain Attack

In a supply chain attack dubbed ‘s1ngularity,’ hackers compromised the popular Nx build system (over 4 million weekly downloads) by stealing an NPM token. This allowed them to publish eight malicious versions of the Nx package between August 26th and 27th.

The malicious versions contained a script that executed on Linux and macOS systems, systematically harvesting sensitive data including SSH keys, GitHub tokens, and API keys. The stolen credentials were then exfiltrated to thousands of hastily created public GitHub repositories.

Security firms Wiz and GitGuardian confirmed the theft of thousands of valid secrets. Notably, this is the first known attack to weaponize AI coding assistants like Claude and Gemini for reconnaissance. All affected Nx packages have now been secured with mandatory 2FA, but users must immediately revoke any existing development tokens to prevent further compromise.

3. Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets

Cybersecurity researchers discovered a malicious npm package, nodejs-smtp, designed to inject code into desktop cryptocurrency wallets like Atomic and Exodus on Windows. The package mimicked the legitimate email library nodemailer, copying its tagline, page design, and README. It was published in April 2025 by a user named “nikotimon” and had been downloaded 347 times; it has since been removed. The package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the app, and erase traces. Its goal is to redirect cryptocurrency transactions (including Bitcoin, Ethereum, Tether, XRP, and Solana) to attacker-controlled wallets, acting as a cryptocurrency clipper.

nodejs-smtp still functions as a mailer compatible with nodemailer, allowing it to pass developer tests and avoid suspicion. This campaign shows how a routine import on a developer workstation can quietly modify a separate desktop application and persist across reboots. It follows a similar campaign reported by ReversingLabs, in which the “pdf-to-office” package modified wallet apps.

4. Researchers Find VS Code Flaw Allowing Attackers to Republish Deleted Extensions Under Same Names

Cybersecurity researchers uncovered a loophole in the Visual Studio Code Marketplace that allows removed extension names to be reused. ReversingLabs found this after spotting a malicious extension, ahbanC.shiba, which mimicked earlier flagged extensions, ahban.shiba and ahban.cychelloworld. All three acted as downloaders, retrieving a PowerShell payload that encrypts files in a folder named “testShiba” and demands Shiba Inu tokens.

The issue arises because extension uniqueness is tied to the combination of publisher name and extension name. When an extension is removed, its name becomes reusable by others, bypassing official publishing rules. Unlike PyPI, VS Code does not block reuse of names from malicious extensions.
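
Because uniqueness is tied to the publisher and name pair, an audit that matches only exact removed IDs misses a republished copy under a new publisher. The following is an added example, not code from ReversingLabs or the Marketplace: it compares installed extension IDs (one `publisher.name` per line, as printed by `code --list-extensions`) against removed IDs and also flags a reused name. The function name, the lowercase matching and the `example-publisher.theme` entry are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: flag installed VS Code extensions whose name part matches
# a removed extension, even when the publisher differs.

# $1: file of removed extension IDs, $2: file of installed extension IDs.
# Prints "REMOVED-ID <id>" for an exact match and "NAME-REUSE <id>" when
# only the name after the first dot matches. Matching is lowercase here
# (an assumption of this example).
flag_reused_names() {
    awk '
        $0 == "" { next }
        { id = tolower($0); name = id; sub(/^[^.]*\./, "", name) }
        NR == FNR { removed_id[id] = 1; removed_name[name] = 1; next }
        (id in removed_id)     { print "REMOVED-ID " $0; next }
        (name in removed_name) { print "NAME-REUSE " $0 }
    ' "$1" "$2"
}

# Constructed sample data: the removed IDs are the two earlier extensions
# named in the text; the installed list is made up for the demo.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' ahban.shiba ahban.cychelloworld > "$tmp/removed"
    printf '%s\n' example-publisher.theme ahbanC.shiba ahban.cychelloworld \
        > "$tmp/installed"
    flag_reused_names "$tmp/removed" "$tmp/installed"
    rm -rf "$tmp"
}

demo
```

A NAME-REUSE hit is a prompt for review rather than a verdict, since unrelated publishers can legitimately pick the same extension name.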

The finding highlights risks of open-source repositories, where attackers use typosquatting and obfuscation to deliver malware, steal data, or demand ransoms. Experts stress the need for secure development practices, monitoring, and automated supply chain scanning to mitigate such threats.

Programmer’s Digest #148

08/21/2025-08/27/2025 Citrix Vulnerabilities, Docker Fixes Critical Desktop Flaw, Linux Malware Delivered via Malicious RAR Filenames And More.

1. CISA Adds Citrix Vulnerabilities to KEV Catalog as New Flaws Emerge

CISA has added two Citrix flaws to its KEV catalog as new NetScaler issues emerge—one already under active attack.

Added on August 25, the medium-severity bugs patched in November 2024 are CVE-2024-8069 (deserialization of untrusted data) and CVE-2024-8068 (improper privilege management) in Citrix Session Recording. CISA also listed CVE-2025-48384, an 8.0 Git link-following flaw.

On August 26, Citrix disclosed three NetScaler vulnerabilities: CVE-2025-7775 (CVSS 9.2), a memory overflow enabling remote code execution/DoS; CVE-2025-7776 (CVSS 8.8), another memory overflow causing instability; and CVE-2025-8424 (CVSS 8.7), improper access control on the management interface. Exploits of CVE-2025-7775 have already been observed, with reports of attackers dropping webshells to backdoor systems.

Patches are available in NetScaler ADC/Gateway versions 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, and 12.1-FIPS/NDcPP 12.1-55.330+. Older 12.1 and 13.0 builds are end-of-life.

2. Docker Fixes Critical Desktop Flaw Allowing Container Escapes

Docker has patched a critical flaw (CVE-2025-9074, CVSS 9.3) in Docker Desktop for Windows and macOS that could allow attackers to escape containers and compromise the host.

The bug let Linux containers access the Docker Engine API via the default subnet 192.168.65.7:2375, even with Enhanced Container Isolation (ECI) or TLS disabled. Attackers could issue privileged API commands, control other containers, or mount host drives. A proof-of-concept showed containers binding the Windows C:\ drive with read/write access, enabling full host takeover.

Researcher Felix Boulet called it a “simple oversight,” as Docker’s internal API was reachable without authentication. Philippe Dugre found Windows particularly exposed (allowing filesystem access, DLL tampering, and data theft), while macOS had reduced impact due to isolation. Linux was unaffected, as it uses named pipes.

Exploitation is possible via malicious containers or Server-Side Request Forgery (SSRF). The flaw has been fixed in Docker Desktop 4.44.3, and users are urged to update immediately.

3. GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

Researchers are warning of multiple campaigns abusing exposed Redis servers and known vulnerabilities to build botnets, proxies, and cryptomining networks.

One wave exploits CVE-2024-36401 (CVSS 9.8) in OSGeo GeoServer to deploy binaries disguised as legitimate SDKs. These apps covertly monetize victims’ bandwidth by acting as residential proxies, consuming few resources and avoiding detection. Over 7,100 GeoServer instances remain exposed worldwide.

Separately, Censys tracked the PolarEdge IoT botnet, active since 2023, with about 40,000 devices (routers, firewalls, and IP cameras) infected mainly in South Korea, the U.S., and Hong Kong. It installs a TLS backdoor for encrypted C2 and likely functions as an Operational Relay Box (ORB) network to proxy attacker traffic.

Another campaign deploys a Mirai variant dubbed gayfemboy, spreading across industries in multiple countries and adding persistence, evasion, and powerful DDoS functions.

Finally, threat actor TA-NATALSTATUS is hijacking unauthenticated Redis servers for cryptojacking, using cron jobs, defense evasion, mass scanning, and rootkit-like tricks to hide miners.

4. Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

Cybersecurity researchers have uncovered a novel phishing campaign that delivers the VShell backdoor, a Go-based remote access tool widely used by Chinese hacking groups.

The attack begins with a spam email posing as a beauty product survey offering a cash reward. The message carries a RAR archive (“yy.rar”) containing a file with a maliciously crafted name:
ziliao2.pdf`{echo,}|{base64,-d}|bash`

Unlike typical malware hidden in content or macros, the payload is encoded directly in the filename. When a shell script or command processes it, the embedded Base64 Bash downloader executes, fetching an ELF binary tailored for the host’s architecture. This binary retrieves and runs the encrypted VShell payload, enabling remote control, file operations, process management, and encrypted C2 communications—all while operating in memory to evade detection.
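
A file name like the one above is only dangerous when a script splices it into a command string. The following is an added example, not code from the researchers' report: a POSIX shell audit that flags names carrying shell command syntax and iterates over them strictly as quoted data. The function names and the character set checked are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit file names before any script touches them.
# Unsafe patterns re-parse the name as shell code, for example
#   eval "echo $f"      or      sh -c "file $f"
# Quoted expansions ("$f") pass the name as data and are never re-parsed.

# Return 0 when a file name carries shell command syntax.
is_suspicious_name() {
    case $1 in
        *'`'*|*'$('*|*'|'*|*';'*|*'&'*|*'<'*|*'>'*) return 0 ;;
        *'{'*','*'}'*) return 0 ;;   # brace expansion, as in {base64,-d}
    esac
    return 1
}

# Count suspicious names directly inside directory $1.
# Names are reported on stderr; the count is printed on stdout.
count_suspicious() {
    n=0
    for p in "$1"/*; do
        [ -e "$p" ] || continue      # unmatched glob stays literal
        if is_suspicious_name "${p##*/}"; then
            printf 'suspicious file name: %s\n' "${p##*/}" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage: sh audit_names.sh /path/to/extracted/archive
if [ "$#" -gt 0 ]; then
    count_suspicious "$1"
fi
```

Run it against the directory an archive was extracted into before any other tooling processes the files.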

The discovery highlights an emerging Linux threat vector that exploits shell command injection via filenames. In parallel, Picus Security detailed RingReaper, a stealthy Linux post-exploit tool abusing the io_uring framework to bypass security monitoring.

Programmer’s Digest #147

08/13/2025-08/20/2025 N-able N-central Flaws, Malicious PyPI and npm Packages, CVE-2025-20265.

1. CISA Warns of N-able N-central Flaws Exploited in Zero-day Attacks

CISA warned that attackers are actively exploiting two security flaws in N-able’s N-central remote monitoring and management (RMM) platform. Widely used by MSPs and IT teams, N-central lets admins manage networks and devices from a central console.

The vulnerabilities—CVE-2025-8875 (insecure deserialization) and CVE-2025-8876 (improper input sanitization)—can allow authenticated attackers to execute commands. N-able confirmed the exploits, patched them in N-central 2025.3.1, and urged on-premises customers to upgrade immediately, stressing that its hosted cloud environments show no evidence of compromise.

CISA added the flaws to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by August 20 under Binding Operational Directive (BOD) 22-01. About 2,000 N-central instances are exposed worldwide, mostly in the U.S., Australia, and Germany. CISA also urged private organizations to secure their systems quickly, warning that such flaws remain frequent attack vectors for malicious actors.

2. PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks

PyPI now checks for expired domains to block supply chain attacks. The update targets domain resurrection attacks, where attackers buy expired domains and hijack PyPI accounts through password resets. These changes improve PyPI’s overall account security posture. Since June 2025, PyPI has unverified more than 1,800 email addresses tied to expiring domains. While not foolproof, the safeguard helps close a major attack vector, especially for abandoned packages still widely used by developers.

Expired domains pose a critical risk because attackers can acquire them, intercept password reset emails, and seize package accounts—an issue highlighted in 2022 when the ctx package was compromised. The new measure, powered by Fastly’s Status API, checks domains every 30 days and un-verifies expired ones. PyPI also urges users to enable two-factor authentication and add a backup email from a trusted domain like Gmail or Outlook.

3. Cisco’s Secure Firewall Management Center now not-so secure, springs a CVSS 10 RCE hole

Cisco has released a patch for a critical vulnerability in its Secure Firewall Management Center (FMC) software that could let unauthenticated, remote attackers execute arbitrary shell commands.

Tracked as CVE-2025-20265 and rated 10.0 on the CVSS scale, the flaw stems from improper input handling in FMC’s RADIUS authentication subsystem during login. Exploitation is possible only if FMC is configured to use RADIUS authentication for its web or SSH management interfaces. Cisco engineer Brandon Sakai discovered the bug during internal testing.

Cisco FMC is widely used by enterprises, MSPs, government agencies, and schools to manage firewalls, intrusion prevention, and other network security tools. While no exploitation has been observed yet, Cisco warns attackers could gain high-level privileges if the flaw is abused.

This marks the latest in a string of maximum-severity bugs in Cisco products, following three separate ISE and ISE-PIC flaws disclosed earlier this summer that also allowed root-level code execution.

4. Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks

Researchers have uncovered a malicious package on the Python Package Index that uses a dependency to establish persistence and enable remote code execution. The package, termncolor, relied on a secondary library called colorinal in a multi-stage malware chain. termncolor was downloaded 355 times and colorinal 529 times before removal. Once executed, termncolor imported colorinal, which loaded a rogue DLL to decrypt and launch further payloads. The malware deployed “vcpktsvr.exe” with a malicious “libcef.dll,” capable of stealing system data and communicating with a command-and-control server via Zulip chat. Persistence was achieved through a Windows registry entry, while Linux systems were infected with a shared object file called “terminate.so.”

The disclosure comes as npm has also faced waves of malicious packages used for data theft, credential harvesting, and cryptocurrency attacks, underscoring the ongoing risks to open-source supply chains.
