Authorities in the United States and the Netherlands have seized VerifTools, a marketplace selling fake IDs for cybercrime.…

Authorities in the United States and the Netherlands have seized VerifTools, a marketplace selling fake IDs for cybercrime. The operation links to $6.4M in fraud, but the site has reportedly relaunched.

Following a joint international investigation, authorities in the Netherlands and the United States have seized a major illicit marketplace that sold fraudulent identity documents to criminals worldwide.

The US Attorney’s Office for the District of New Mexico announced on August 28 the takedown of two marketplace domains, veriftools and veriftoolsnet, along with an associated blog. The servers for the operation were seized in Amsterdam in a coordinated effort with the Dutch National Police.

Seizure notice (source: DoJ)

****A Global Fraud Hub****

The VerifTools marketplace produced and sold counterfeit driver’s licenses, passports, and other identification documents that could be used to bypass identity verification systems and gain unauthorised access to online accounts.

As we know it, many companies and agencies rely on “Know Your Customer” (KYC) checks that often only require an image of an ID. Criminals used VerifTools to bypass these checks and commit crimes like bank fraud and phishing.

The FBI began investigating in August 2022 after uncovering a conspiracy to use fake identities to access cryptocurrency accounts. As part of their investigation, the FBI used the marketplace to buy counterfeit New Mexico driver’s licenses, paying for them with cryptocurrency.

A sample counterfeit Russian driver’s license created through VerifTools

The probe revealed that VerifTools generated counterfeit IDs for all 50 US states and numerous foreign countries, with documents sold for as little as $9. The FBI has linked the equivalent of approximately $6.4 million in illegal proceeds to the marketplace, and two physical servers, along with more than 21 virtual servers, were confiscated.

Acting US Attorney Ryan Ellison spoke about the operation’s importance, stating, “The internet is not a refuge for criminals. If you build or sell tools that let offenders impersonate victims, you are part of the crime.” Acting Special Agent in Charge Philip Russell of the FBI’s Albuquerque Division also noted that the seizure is a “major step in protecting the public from fraud and identity theft crime.”

The Dutch National Police described VerifTools as one of the largest providers of false identity documents. It is worth noting that in the Netherlands, forgery and false proof of identity carry a maximum prison sentence of six years.

****New VerifTools Website Already Online****

Despite the takedown, the site’s operators have reportedly already relaunched their service under a new domain, veriftoolscom, announced in a Telegram message on August 28.

VerifTools is back as VerifTools.com (Image credit: Hackread.com

The relaunch of VerifTools shows that seizing such platforms may not be a permanent solution. In the past, cybercrime forums like BreachForums and XSS.IS were seized but quickly resurfaced without delay.

Still, law enforcement officials have made it clear that they will continue to pursue these platforms wherever they operate, even if they return under new domains.

Feds Seize VerifTools.Net, Operators Relaunch with VerifTools.com

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The…

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The flaw was used to steal data. Update your app now to stay protected.

WhatsApp has revealed it has patched a serious security vulnerability in its apps for Apple devices that was used to secretly compromise the iPhones and Macs of “specific targeted users.”

The bug, identified as CVE-2025-55177, was discovered by WhatsApp’s internal security team. The company explained in its official advisory that the flaw was part of a sophisticated attack chain that linked two separate vulnerabilities. This is a zero-click attack method, which does not require a victim to click on a link, open a file, or take any other action for their device to be compromised.

The flaw itself was a case of “incomplete authorisation of linked device synchronisation messages,” the advisory explains. This allowed an unrelated user to force a target’s device to process content from a malicious web address.

When paired with a separate Apple flaw, CVE-2025-43300 (which Apple had already fixed), in how it handles images, this attack chain could be used to install a malicious program and steal data without any user interaction. It is worth noting that the flaw affects WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before version 2.25.21.78, and WhatsApp for Mac before version 2.25.21.78. WhatsApp confirmed it had sent notifications to “less than 200” users it believed had been affected.

According to a statement from the National Cybersecurity Agency (NCSA) in Qatar, the severity of this flaw lies in its mechanism for processing synchronisation messages between linked devices, which could allow a hacker to gain initial access to a victim’s device.

> #Meta, the owner of the famous chat app #WhatsApp, has announced the existence of a critical vulnerability in the app. The severity of this flaw lies in the mechanism for processing synchronization messages between linked devices, allowing an attacker to send a crafted… pic.twitter.com/dYIwdij0gP
> 
> — Qatar Tribune (@Qatar\_Tribune) August 30, 2025

Amnesty International’s Security Lab, led by Donncha Ó Cearbhaill, described the pair of bugs as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May, and was capable of stealing data from a user’s device, including messages. In a post on X, Cearbhaill also shared necessary tips, advising people to update their devices or perform a factory reset.

(X.com)

While it’s not yet clear who is behind this latest attack, it is not the first time that WhatsApp users have been targeted by advanced spyware. In 2019, the messaging app sued the spyware maker NSO Group for a hacking campaign that compromised more than 1,400 users with its Pegasus spyware. A US court later ordered the company to pay WhatsApp $167 million in damages.

This new incident shows the ongoing threat of government spyware and malware. It also emphasises why users should always keep their apps and operating systems updated, as these updates often contain critical security patches to protect against such sophisticated attacks.

WhatsApp 0-Day Exploited in Attacks on Targeted iOS and macOS Users

WatchTowr Labs uncovers a zero-day exploit (CVE-2025-54309) in CrushFTP. The vulnerability lets hackers gain admin access via the…

WatchTowr Labs uncovers a zero-day exploit (CVE-2025-54309) in CrushFTP. The vulnerability lets hackers gain admin access via the web interface. Update to v10.8.5 or v11.3.4.

A zero-day vulnerability in CrushFTP, a widely used file transfer server, is being actively exploited by hackers. Cybersecurity firm watchTowr Labs discovered the active exploitation of this flaw, tracked as CVE-2025-54309. The vulnerability was added to the CISA Known Exploited Vulnerabilities Catalogue on July 22, 2025, confirming its critical status.

watchTowr Labs’ investigation revealed a critical threat to over 30,000 online instances of the software. In its official statement, CrushFTP confirmed that the vulnerability had been exploited in the wild as early as July 18, 2025.

CrushFTP official announcement (Source: watchTowr Labs)

The company noted that the latest versions of the software had already fixed the issue. Hackers likely figured out how to exploit the bug after the company made a recent code change to fix a different problem, accidentally revealing the vulnerability to attackers.

“We believe this bug was in builds prior to July 1st time period, roughly… the latest versions of CrushFTP already have the issue patched. The attack vector was HTTP(S) for how they could exploit the server. We had fixed a different issue related to AS2 in HTTP(S) not realizing that prior bug could be used like this exploit was. Hackers apparently saw our code change, and figured out a way to exploit the prior bug.” CrushFTP’s statement.

****The Exploit Explained****

watchTowr Labs used its proprietary honeypot network, called Attacker Eye, to capture the attack as it happened. The team deployed a specific sensor for CrushFTP and received an immediate alert when the sensor was breached.

Analysis of the raw network traffic revealed a distinct pattern: two similar HTTP requests were being sent in rapid succession, repeated over 1,000 times. The key difference between the two requests was in their headers.

The first request contained a header that pointed to the internal administrative user crushadmin, while the second request did not. This behaviour hinted at a race condition, which occurs when two tasks are competing for resources, and the outcome depends on which one finishes first.

In this case, the two requests were racing to be processed. If the requests arrived in a very specific order, the second request was able to take advantage of the first, executing as the crushadmin user without proper authentication (as the server thinks the attacker is an administrator).

From there, it is effectively game over because the hacker can bypass authentication and then take full control of the server, retrieve sensitive files, and cause significant damage.

The attack specifically occurs via the software’s web interface in versions prior to CrushFTP v10.8.5 and CrushFTP v11.3.4\_23. Please note that enterprise customers using a DMZ CrushFTP instance to isolate their main server are not believed to be affected.

To confirm their findings, watchTowr Labs created their own script to replicate the attack and successfully created a new administrator account on a vulnerable instance.

****What You Need to Do****

According to researchers, the developers of CrushFTP had silently patched this issue in recent updates without publicly warning users, leaving many at risk. Given that this vulnerability is being actively exploited, it is critical to secure your system by updating the software to the latest patched versions immediately.

Hackers Exploit CrushFTP Zero-Day to Take Over Servers

JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser…

JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser users on Windows. The attack highlights a growing threat to developers.

Cybersecurity researchers from JFrog Security Research have discovered eight malicious NPM packages. These packages are designed to attack Windows users on the Google Chrome browser and steal personal data.

These packages are a clear example of what is known as a supply chain attack, a growing risk in the software industry. This kind of attack happens when malicious code is secretly injected into a legitimate part of the software development process, like an open-source library, which is then used by many different developers. This allows the hackers to reach a huge number of people without directly hacking each one individually.

Packages uploaded to the npm repository containing the malicious code (JFrog)

According to JFrog’s blog post, attackers hid their malicious code in the packages using a series of advanced techniques, including what experts call “multi-layered obfuscation,” to hide their true purpose.

The malicious code was buried under a total of “70 layers of code obfuscation,” making it extremely difficult to detect. What’s more, the code automatically downloaded and installed a specific version of Python on a victim’s machine. It then used that to run a hidden script. All this, without any user input or approval.

The final goal of this attack cycle was to steal sensitive data from the Chrome browser, including passwords, credit card information, cryptocurrency funds, and user cookies. The attackers behind this were an NPM user named “ruer” and another named “npjun.”

****The Concern****

Open-source software repositories, as we know them, are becoming a prime target for attackers. Hackers are increasingly using tactics like typosquatting and masquerading, where they create packages with names similar to popular ones to trick developers into using them by mistake.

Nevertheless, JFrog researchers reported the incident, and all 8 malicious packages have been removed.

Guy Korolevski, a Security Researcher at JFrog and author of this report, shared his comment with Hackread.com, noting that the sophistication of these attacks shows why constant vigilance is necessary.

“The impact of sophisticated multi-layer campaigns designed to evade traditional security and steal sensitive data highlights the importance of having visibility across the entire software supply chain with rigorous automated scanning and a single source of truth for all software components,” he stated.

8 Malicious NPM Packages Stole Chrome User Data on Windows

Dexter: Resurrection finale leaks in Russian dub ahead of release. Episodes 9 and 10 surface online, echoing past…

Dexter: Resurrection finale leaks in Russian dub ahead of release. Episodes 9 and 10 surface online, echoing past TV leaks like Game of Thrones.

Fans waiting for the end of Dexter: Resurrection were hit with an unexpected spoiler storm when the last two episodes appeared online ahead of schedule. Episode 9 and the season finale, Episode 10, surfaced in a Russian-dubbed version nearly a week before their official release, and clips quickly spread across platforms like TikTok, X (Twitter), YouTube and other social media platforms.

****Who is Behind This Leak?****

What makes this leak stand out is not just the timing but also the language. The Russian dub suggests the source was not hackers breaching into Showtime’s servers, but rather a copy handed over to foreign dubbing or distribution teams.

According to Umbrex’s breakdown of how distribution works in the TV and film industry, TV Shows are often delivered early to localization partners so that translated versions are ready for premiere day, which leaves open the risk of someone on the inside leaking the material.

This method has been seen before. Critics and insiders sometimes receive advance screeners that are meant to remain private, yet a single compromised account or file can end up online.

Once in the hands of piracy groups, episodes are ripped, compressed, and circulated worldwide. In this case, the fact that a dubbed version leaked first points more to the supply chain of international partners than to a traditional cyberattack.

****Previous Such Incidents****

Television leaks are not a new problem. Back in 2017, several unaired episodes of Game of Thrones were released early after being copied from a partner in India. Around the same period, Curb Your Enthusiasm episodes appeared online months before their scheduled return, following a breach at HBO’s international affiliates.

Even game shows have not been immune. In 2017, several episodes of Steve Harvey’s Funderdome aired online ahead of ABC’s schedule after a hacker group gained access to distribution material.

Leaks like these show how fragile the pipeline between production studios and international partners can be. Each early copy sent out for dubbing, subtitling, or review creates another point of exposure.

While fans are quick to share clips and spoilers across social media, the real story is about the risks tied to distribution. Every handoff of an episode outside the main studio adds a new chance for it to surface online before audiences were meant to see it.

For now, Showtime has not commented publicly on the Dexter: Resurrection leak, but with the finale already circulating, many fans will struggle to avoid spoilers before the official airing.

Some have even questioned if Paramount can release both episodes since the finale has already leaked, leaving fans debating whether an early drop would be better than waiting for the scheduled date.

Nevertheless, whether through localization leaks, press screeners, or insider access, history has shown that once a show is in the wild, it spreads faster than studios can contain it. If you are a Dexter: Resurrection fan, here’s what you can do to keep leaks from ruining the show for you:

*   Avoid fan hashtags, since that’s where most leaks spread first.

*   Stick to official trailers and previews from Showtime or Paramount+ instead of fan edits.

*   Mute keywords like “Dexter Resurrection,” “Dexter finale,” and “Dexter leak” on TikTok, Twitter/X, and Reddit.

Dexter: Resurrection Finale Leaks Online in Russian Dub

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware…

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware steals crypto and personal data.

Cybersecurity researchers at Bitdefender Labs have discovered a new malicious ad campaign (malvertising) on Facebook that is actively spreading a notorious Android spyware against unsuspecting users.

The research, shared with _Hackread.com_, reveals that the campaign tricks victims into downloading Brokewell spyware, which has been operational since at least early 2024. In one previous case reported in April 2024, the Brokewell spyware was spotted spreading via Fake Chrome Updates.

****How the Ads Find Their Targets****

Researchers found that this malvertising campaign doesn’t just target a general group of users; it uses the Facebook ad network to specifically target Android users with tailored ads. In just one month, these ads have already been served to tens of thousands of users in the European Union alone, showing how eagerly cyber criminals have been attempting to spread this threat.

The campaign’s modus operandi involves attackers creating advertisements that look like they’re from the legitimate platforms. For example, one company specifically targeted in this malvertising is TradingView, a widely used online trading platform.

As shown in the screenshot below, scammers have used the company’s branding and visuals. These ads promise a high-value item, a free premium app, to trick users into clicking.

Malicious ads which spread BrokeWell malware – Source: Bitdefender Labs

****New Features****

According to researchers, once installed, the malware displays spyware and Remote Access Trojan (RAT) capabilities, suggesting that this is an advanced version of Brokewell.

The malware then requests permissions, often posing as fake update prompts, to gain total control. It can steal cryptocurrencies, bypass two-factor authentication, and even take over a user’s accounts.

It also allows the attackers to record screen activity, log keystrokes, and use the device’s camera and microphone. The malware can even intercept sensitive text messages, including banking and security codes.

All these capabilities show Android spyware is out of control, and as more people rely on smartphones for banking, crypto wallets, and other financial apps, a single compromised device can give hackers access to a person’s entire financial life. Researchers suggest the following security tips to stay protected from such campaigns:

*   Avoid clicking on ads on social media.

*   Check website URLs carefully for fakes.

*   Review app permissions before granting them.

*   Avoid installing apps from unofficial sources (sideloading).

*   Be cautious of ads, even on trusted platforms like Facebook.

Fake Facebook Ads Push Brokewell Spyware to Android Users

A TransUnion data breach exposed 4.4 million US consumers’ Social Security numbers via a Salesforce hack. The attack…

A TransUnion data breach exposed 4.4 million US consumers’ Social Security numbers via a Salesforce hack. The attack is linked to hacker groups UNC6395.

A new data breach at credit reporting giant TransUnion has exposed the personal information of 4.4 million US consumers. The company stated the incident, which began on July 28, 2025, did not affect its core credit database or credit reports, but it did expose sensitive data, including names, birth dates, phone numbers, and Social Security numbers. The company is now offering free credit monitoring services to those impacted.

According to filings with state authorities, the breach was a result of a cyberattack on a third-party application used for TransUnion’s customer support operations. While TransUnion has not publicly named the third-party company, cybersecurity analysts believe it is part of a wider wave of attacks targeting Salesforce databases.

****A Recurring Trend****

This breach seems to be part of a trend of cyberattacks targeting companies that hold large amounts of customer data. Firms like Allianz Life and Farmers Insurance, along with others such as Google, Workday, Pandora, Cisco, Chanel, and Qantas, have also recently been hit by similar third-party breaches. Experts from Google-owned firm Mandiant have attributed this widespread data theft campaign to a group known as UNC6395.

For your information, UNC6395 is a recently identified threat actor group believed to be responsible for a widespread data theft campaign that has targeted hundreds of organizations, particularly those using Salesforce. However, the hacking group Shiny Hunters has also claimed responsibility.

These attackers are known to use social engineering, a method of human manipulation rather than technical hacking, to gain access. They trick employees into granting access to malicious applications, allowing them to steal data from large platforms like Salesforce. The specific third-party application targeted in these attacks was a tool called Salesloft Drift.

****The Extent of the Compromise****

The attackers claim to have stolen records for more than 13 million people, with over 4.4 million of those being US consumers. A review of the stolen data revealed that it includes a significant amount of personal information, along with details about customer support tickets. While TransUnion says the compromised data was “limited,” the presence of unredacted Social Security numbers makes it a serious security event.

The TransUnion breach demonstrates the risks of using third-party services. Even when a company’s main security systems are strong, a vulnerability in one of its trusted partners can still lead to a massive data leak.

Commenting on this situation, Cory Michal, Vice President of Information Security at AppOmni, stated that “This incident poses a significantly higher risk to victims than many of the other Salesforce-related breaches disclosed so far because it involves Social Security numbers in addition to contact and support data.

TransUnion Data Breach: 4.4 Million US Consumers’ Data Stolen

CISA has added three actively exploited vulnerabilities in Citrix and Git to its KEV Catalogue. Federal agencies must…

CISA has added three actively exploited vulnerabilities in Citrix and Git to its KEV Catalogue. Federal agencies must patch the flaws by September 15, 2025.

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its list of flaws that are actively being exploited by hackers, warning federal agencies to patch them immediately. The urgent alert, issued on August 25, 2025, covers two vulnerabilities in Citrix Session Recording and a major flaw in Git, the popular code management system.

These vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) Catalogue, a public list of security issues that are confirmed to be under attack. While the mandate to fix these vulnerabilities applies directly to federal government agencies, CISA strongly urges all private organisations to treat these as a top priority for remediation to protect against cyber threats.

****Flaws in Citrix and Git****

Two of the newly added vulnerabilities, identified as CVE-2024-8068 and CVE-2024-8069, affect Citrix Session Recording. Both of these flaws have a CVSS score of 5.1, which is considered a medium-severity rating.

Reportedly, these flaws could allow an attacker who is already inside a network to take over a system and run malicious code. The vulnerabilities can only be exploited by an authenticated user on the same network, meaning a hacker needs to have a foothold inside the system first. Citrix released security patches for both of these issues back in November 2024.

The third vulnerability, CVE-2025-48384, affects Git, a tool that millions of developers use to manage and share their code. This particular flaw, which was given a high severity score of 8.1, stems from how Git handles certain text characters in its configuration files.

An attacker could exploit this by composing a malicious file that, when a user clones a repository, could lead to a silent and unexpected code execution on their machine. A proof-of-concept for this exploit was released by Datadog shortly after it was patched by Git in July 2025.

****The Call to Action****

To comply with Binding Operational Directive (BOD) 22-01, all US Federal Civilian Executive Branch agencies must fix these vulnerabilities by September 15, 2025. CISA emphasises that all organisations should make it a practice to regularly review the KEV Catalogue and prioritise fixing the flaws listed, as they represent the most immediate and significant risks being exploited in the wild.

In a comment shared with Hackread.com, Gunter Ollmann, CTO of Cobalt, emphasised the importance of this alert for everyone. He explained that even moderate security flaws can become highly dangerous when hackers have access to reliable tools to exploit them.

“Organisations should treat the KEV catalogue as a living threat intelligence feed, prioritising remediation of these vulnerabilities because they represent what attackers are actively exploiting today,” he stated.

This highlights that the vulnerabilities on this list are not just theoretical risks; they are the active weapons in an attacker’s arsenal right now.

CISA Adds Citrix and Git Flaws to KEV Catalogue Amid Active Exploitation

Miami, United States, 28th August 2025, CyberNewsWire

**Miami, United States, August 28th, 2025, CyberNewsWire**

Halo Security, a leading provider of external risk management solutions, today announced significant platform enhancements designed to give security teams greater flexibility and control within the platform. The new features include custom dashboards, configurable reports, and improved automation capabilities that give organizations better control over how they visualize and manage their exposure data.

> “No two organizations are the same, and different team members face different challenges,” said Lisa Dowling, CEO of Halo Security. “A vulnerability analyst needs different insights than a compliance manager, and a CISO requires different views than a security specialist. These updates give every team member the ability to create personalized dashboards and reports that make them more effective at protecting their organizations.”

**Key Platform Enhancements**

**Custom Dashboards with Drag-and-Drop Functionality**

Security professionals can now build personalized dashboards using more than a dozen customizable widgets, including risk score trends, critical findings tables, asset distribution charts, and compliance status monitors. The intuitive drag-and-drop interface allows users to create role-specific views while maintaining the ability to share dashboards across teams and apply global filtering across all custom views.

**Configurable Reports for Enhanced Asset Management**

The platform now features fully customizable data tables that allow users to select which columns display in their target lists, create multiple saved views for different scenarios, and resize columns to optimize their workflow. Pre-configured views include summary, scan schedule, tag management, and technical details options.

**Improved Auto-Tagging with Granular Control**

The Halo Security platform now provides more precise control over asset organization. Automations now offer three distinct tagging modes, allowing users to sync, add, or remove tags based on the defined rules. The improved automation system offers better performance and predictability to ensure consistent asset categorization.

**Industry Impact**

The cybersecurity industry continues to grapple with tool sprawl and workflow inefficiencies that can slow response times to critical security incidents. Security teams often struggle with managing multiple tools and platforms, creating challenges in data correlation and workflow management.

> “Security teams shouldn’t have to fight their tools to get the information they need,” said Nick Merritt, VP of Security at Halo Security. “These customization features let our customers organize their data the way they think about it and take control of how they interact with the security data we collect.”

**Availability**

The new customization features are immediately available to all Halo Security customers at no additional cost. Organizations using the platform can access custom dashboard creation through their existing accounts, with shared configurations automatically synchronized across team members.

New users interested in trying the Halo Security platform can sign up for a 7-day free trial at halosecurity.com.

**About Halo Security**

**Halo Security** is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. 

Users can learn more at **halosecurity.com**.

**Contact**

**VP of Marketing**  
**Nick Hemenway**  
**Halo Security**  
**\[email protected\]**

Halo Security Enhances Platform with Custom Dashboards and Reports

A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted…

A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian’s analysis.

A sophisticated cyberattack, dubbed the “s1ngularity” attack, has compromised Nx, a popular build platform widely used by software developers. The attack, which began on August 26, 2025, is a supply chain attack, a type of security breach where hackers sneak malicious code into a widely used piece of software, which then infects all the people who use it.

The attack was designed to steal a wide variety of sensitive data, including GitHub tokens, npm authentication keys, and SSH private keys. These credentials are essentially digital keys that provide access to a user’s accounts and systems.

The malicious software also went a step further, targeting API keys for popular AI tools like Gemini, Claude, and Q, demonstrating a new focus on emerging technologies. In addition to stealing data, the attackers installed a destructive payload that modified users’ terminal startup files, causing their terminal sessions to crash.

GitGuardian’s analysis shared with Hackread.com revealed some surprising details about the attack and its victims. The firm found that 85% of the infected systems were running macOS, highlighting the attack’s particular impact on the developer community, which frequently uses Apple computers.

In a curious turn, GitGuardian found that of the hundreds of systems where AI tools were targeted, many of the AI clients unexpectedly resisted the malicious requests. They either outright refused to run the commands or gave responses suggesting they knew they were being asked to do something wrong, showing a potential, though unintentional, new layer of security.

The Attack Explained (Source: GitGuardian)

The stolen credentials were not only valuable but also widespread. GitGuardian’s monitoring platform, which tracks public GitHub activity, discovered 1,346 repositories used by the attackers to store stolen data.

To avoid detection, the attackers double-encoded the stolen data before uploading it. This number is far higher than the ten publicly visible repositories, as GitHub was quickly working to delete the rest.  An analysis of these repositories revealed 2,349 distinct secrets, with over 1,000 still valid and working at the time of the report. The most common secrets were for GitHub and popular AI platforms.

For anyone who used the malicious Nx versions 20.9.0 through 21.8.0, the most crucial step is to immediately assume that their credentials have been exposed. GitGuardian has created a free service called HasMySecretLeaked that allows developers to check for compromised credentials without ever revealing their actual keys.

This attack reminds us that simply deleting a compromised file is not enough; the actual secret keys and tokens must be revoked and rotated to prevent further access by the attackers.

Source

HackRead