Charles

Compromised npm packages ([email protected], [email protected]) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials. Indicators of compromise (IOCs): - npm user: hexalpha10 / author: toskypi - 195.201.194[.]107:8010 (WebSocket C2) - c2-toskypi.onrender[.]com (HTTP C2) - huggingface[.]co/api (exfiltration endpoint) - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64 (persistence) - MicrosoftSystem64.service (Linux systemd persistence) - \MicrosoftSystem64 (Windows scheduled task) - MicrosoftSystem64/payload.js (payload directory) Defenders: treat unexpected huggingface[.]co/api calls from non-ML workloads as suspicious.

Microsoft has identified a npm supply chain compromise impacting 90+ redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes. Each compromised package adds a malicious preinstall hook, embedding an index.js script in the package.json that silently executes “node index.js” during installation, downloads Bun, and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, acting as a heavily obfuscated ROT-9 eval loader. If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.

Despite the ceasefire, Hezbollah has been launching rockets, missiles and drones at Israeli communities while actively sabotaging diplomatic efforts between Israel and Lebanon. Israel's actions in Lebanon are aimed at removing an ongoing threat and ensuring the security of our people.

Two teenage girls, aged 17 and 15, were injured in a Palestinian car-ramming terror attack at the Gush Etzion Junction on Sunday May, 31st. One remains in serious condition. The terrorist drove into a bus stop before being neutralized by an IDF soldier, who then provided emergency care to the victims. We wish the girls a full and speedy recovery. 💔

A young American Jewish couple was pushed out of a LGBTQ sauna. Their offense? Wearing a Jewish star. While the couple was being confronted by staff and forced to leave other patrons stood by complacently. Spanish authorities must investigate this blatant example of discrimination based on religion and ethnicity.  Antisemitism has no place anywhere. https://t.co/3tL1fSalgo