Is London still safe? George Simion, Romanian presidential candidate, joins The Liz Truss Show to sound an alarm on Western Europe’s future and the impact of mass migration.
BREAKING: Axios reports that Trump told Netanyahu in their latest phone call, 'You’re f***ing crazy. You’d be in prison if it weren’t for me. I’m saving your ass. Everybody hates you now. Everybody hates Israel because of this.'
Toncoin (TON) -> Gram (GRAM)
Community vote is live.
Since Telegram took a leading role in TON's development, the chain got 10× faster, fees 6× lower.
And now Telegram proposes one more change: renaming Toncoin to Gram - the name from the original TON White Paper that never left the codebase.
Vote here -> https://t.co/TH8DTmXJ61
BREAKING: TON's native currency is rebranding to Gram
TON remains the name of the blockchain
this is step 4/7 to Make $TON Great Again
Durov's cooking something 👀
Microsoft has identified an npm supply chain compromise impacting 90+ redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes.
Each compromised package adds a malicious preinstall hook, embedding an index.js script in the package.json that silently executes “node index.js” during installation, downloads Bun, and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, acting as a heavily obfuscated ROT-9 eval loader.
If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.
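An added defender-side audit (not Microsoft's tooling, and not code from the post) that checks an installed node_modules tree for the indicators the post describes: the named package releases, an install-time lifecycle hook that runs `node index.js`, and an index.js far above its normal size. The `@redhat-cloud-services` scope prefix, the 1 MiB size cutoff, and the sample inputs are assumptions.

```python
"""Audit npm packages for the indicators described in the post above."""
import json
import re
from pathlib import Path

# Releases named in the post. The "@" scope prefix is an assumption.
COMPROMISED = {
    "@redhat-cloud-services/patch-client": {"4.0.4"},
    "@redhat-cloud-services/insights-client": {"4.0.4"},
    "@redhat-cloud-services/rbac-client": {"9.0.3"},
    "@redhat-cloud-services/host-inventory-client": {"5.0.3"},
    "@redhat-cloud-services/frontend-components": {"7.7.2"},
}
# Hooks that run during "npm install"; the post names preinstall.
LIFECYCLE = ("preinstall", "install", "postinstall")
# The post says index.js grew from ~8KB to ~4.3MB; 1 MiB is a constructed cutoff.
SUSPICIOUS_INDEX_BYTES = 1024 * 1024
NODE_INDEX = re.compile(r"\bnode\s+(\./)?index\.js\b")


def audit_package(pkg: dict, index_js_bytes: int) -> list[str]:
    """Return findings for one parsed package.json plus its index.js size."""
    findings = []
    name, version = pkg.get("name", ""), pkg.get("version", "")
    if version in COMPROMISED.get(name, set()):
        findings.append(f"{name}@{version} is a known compromised release")
    for hook in LIFECYCLE:
        cmd = pkg.get("scripts", {}).get(hook, "")
        if NODE_INDEX.search(cmd):
            findings.append(f"{name}: {hook} hook runs '{cmd}'")
    if index_js_bytes >= SUSPICIOUS_INDEX_BYTES:
        findings.append(f"{name}: index.js is {index_js_bytes} bytes (bloated)")
    return findings


def scan_node_modules(root: Path) -> dict[str, list[str]]:
    """Walk an installed tree and audit every package.json found."""
    report = {}
    for pj in root.rglob("package.json"):
        try:
            pkg = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip it
        idx = pj.with_name("index.js")
        size = idx.stat().st_size if idx.is_file() else 0
        hits = audit_package(pkg, size)
        if hits:
            report[str(pj.parent)] = hits
    return report
```

Run `scan_node_modules(Path("node_modules"))` in a project root; any non-empty report should be treated as the post advises (assume compromise, rotate credentials, revert to a trusted version).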
TeamPCP’s supply chain campaign leverages CI/CD pipelines to steal credentials at scale. Our research details how stolen npm tokens were reused within 24 hours in the Bitwarden CLI hijack. Read the latest report from TrendAI™ Research: https://t.co/jrSBUugCiY
$TON is undervalued and here's why:
BTW, $8 will be fair... for now
No other blockchain in the world has direct, seamless access (via its built-in Wallet) to the HUGE Web2 native audience.
@telegram has one billion monthly active users (MAU). Currently, analysts estimate the number of activated wallets with transaction history in the TON network at ~25-40M
This means that the conversion rate of Telegram users to Web3 users on TON is currently only around 2-4%.
Even if this figure grows to 10%, the network will have almost 100M active addresses.
I believe Telegram will become something like WeChat - only for the entire world. Hundreds of millions of people will use it for daily payments, thereby fueling TON.
The market has not yet priced in this potential conversion. So, the price of $TON might be at least four times higher - $8 (plus future market recovery)
Seqrite reports a China-linked campaign targeting the Czech Republic and Taiwan, using two delivery paths to deploy a Rust loader and AZUREVEIL C2 via Azure Blob Storage with 36 commands for in-memory, multi-stage espionage. https://t.co/7aCewM4Mp0
🚨 Security researchers are now handing over vulnerabilities to Nightmare Eclipse after he was banned on both GitLab and GitHub.
It should be a fun month, because man has it been boring the last couple of weeks.
Not that ‘responsible’ disclosure shit again 🙄
No vendor uses that term unless they want to call someone irresponsible.
Even if someone drops 0day, patch & move on. Going after a researcher is a great way to turn 1 bad relationship into many terrible relationships.
Famous Chollima, the North Korean threat group known for fake job interview lures, appears to have used a PHP/Packagist package path in a targeted developer lure.
We found the loader in a compromised Laravel package, on a branch that could be installed through Composer. It was appended after a normal Tailwind config and used TRON, Aptos, and BNB Smart Chain RPC infrastructure to retrieve and run remote JavaScript.
Developers should be careful with “interview task” or “take-home project” requests that ask them to clone a repo, check out a specific branch, or install an exact dev dependency.
Yesterday the FBI released an advisory on the Silent Ransom Group (SRG), aka Luna Moth, Chatty Spider, and UNC3753, who use social engineering techniques like phone calls and phishing emails to access victim computers. SRG actors have been steadily targeting law firms since 2023, and they focus on accessing victim systems, exfiltrating data, and extorting their victims by threatening to release or sell the stolen data.
Since SRG actors use legitimate remote access tools, there are few artifacts of their attacks. Review the advisory to learn how SRG actors operate to exfiltrate data and potential signs of SRG activity: https://t.co/JxQXleJNC8.
Microsoft has uncovered a supply chain attack involving malicious npm packages registered under organizational scopes that mirror real internal corporate namespaces, employing a dependency confusion technique to deploy a reconnaissance payload. https://t.co/z2GjRIAyYS
A threat actor operating under three maintainer aliases, mr.4nd3r50n, ce-rwb, and t-in-one, published malicious packages that impersonate internal corporate packages, with several spoofing internal enterprise infrastructure URLs in their package.json to appear legitimate.
Once installed, the packages download and execute an obfuscated payload from an attacker-controlled command-and-control (C2) server to collect system information, hostnames, environment variables, and developer context. Read the blog for in-depth analysis and mitigation, detection, and hunting details.
According to a new survey, many German companies are holding their position in Russia despite sanctions. At the Economic Forum in St. Petersburg there is now, for the first time, a business dialogue as well. https://t.co/j6RRKCJ8yZ