Cybersecurity researchers have flagged three malicious npm packages that are designed to target the Apple macOS version of Cursor, a popular artificial intelligence (AI)-powered source code editor.
"Disguised as developer tools offering 'the cheapest Cursor API,' these packages steal user credentials, fetch an encrypted payload from threat actor-controlled infrastructure, overwrite Cursor's

Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials

The nation-state threat actor known as MirrorFace has been observed deploying malware dubbed ROAMINGMOUSE as part of a cyber espionage campaign directed against government agencies and public institutions in Japan and Taiwan.
The activity, detected by Trend Micro in March 2025, involved the use of spear-phishing lures to deliver an updated version of a backdoor called ANEL.
"The ANEL file from

MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Upgraded ANEL Malware

A new spam campaign is targeting Brazilian users with a clever twist — abusing the free trial period of trusted remote monitoring tools and the country’s electronic invoice system to spread malicious agents.

*   Cisco Talos identified a spam campaign targeting Brazilian users with commercial remote monitoring and management (RMM) tools since at least January 2025. Talos observed the use of PDQ Connect and N-able remote access tools in this campaign. 
*   The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox. 
*   Talos has observed the threat actor abusing RMM tools in order to create and distribute malicious agents to victims. They then use the remote capabilities of these agents to download and install Screen Connect after the initial compromise.
*   Talos assesses with high confidence that the threat actor is an initial access broker (IAB) abusing the free trial periods of these RMM tools. 

Talos recently observed a spam campaign targeting Portuguese-speaking users in Brazil with the intention of installing commercial remote monitoring and management (RMM) tools. The initial infection occurs via specially crafted spam messages purporting to be from financial institutions or cell phone carriers with an overdue bill or electronic receipt of payment issued as an NF-e (see Figures 1 and 2). 

Figure 1. Spam message purporting to be from a cell phone provider. 

Figure 2. Spam message masquerading as a bill from a financial institution. 

Both messages link to a Dropbox file, which contains the malicious binary installer for the RMM tool. The file names also contain references to NF-e in their names: 

*   AGENT\_NFe\_<random>.exe 
*   Boleto\_NFe\_<random>.exe 
*   Eletronica\_NFe\_<random>.exe 
*   Nf-e<random>.exe 
*   NFE\_<random>.exe 
*   NOTA\_FISCAL\_NFe\_<random>.exe 

_Note: <random> means the filename uses a random sequence of letters and numbers in that position._ 

The victims targeted in this campaign are mostly C-level executives and financial and human resources accounts across several industries, including some educational and government institutions. This assessment is based on the most common recipients found in the messages Talos observed during this campaign. 

Figure 3. Targeted recipients.

This campaign's objective is to lure the victims into installing an RMM tool, which allows the threat actor to take complete control of the target machine. N-able RMM Remote Access is the most common tool distributed in this campaign and is developed by N-able, Inc., previously known as SolarWinds. N-able is aware of this abuse and took action to disable the affected trial accounts. Another tool Talos observed in some cases is PDQ Connect, a similar RMM application. Both provide a 15-day free trial period.

To assess whether these actors were using a trial version rather than stolen credentials to create these accounts, Talos checked samples older than 15 days and confirmed all of them returned errors that the accounts were disabled, while newer samples found in the last 15 days were all active.

Talos also examined the email accounts used to register for the service. They all use free email services such as Gmail or Proton Mail, as well as usernames following the theme of the spam campaign, with few exceptions where the threat actors used personal accounts. These exceptions are potentially compromised accounts which are being abused by the threat actors to create additional trial accounts. Talos did not find any samples in which the registered account was issued by a private company, so we can assess with high confidence these agents were created using trial accounts instead of stolen credentials.

_N-able is aware of this abuse and took action to disable the affected trial accounts._

Talos found no evidence of a common post-infection behavior for the affected machines, with most machines staying infected for days before any other malicious activity was executed by the tool. However, in some cases, we observed the threat actor installing an additional RMM tool and removing all security tools from the machine a few days after the initial compromise. This is consistent with actions of initial access broker (IAB) groups. 

An IAB's main objective is to rapidly create a network of compromised machines and then sell access to the network to third parties. Threat actors commonly use IABs when looking for specific target companies to deploy ransomware on. However, IABs have varied priorities and may sell their services to any threat actors, including state-sponsored actors.  

Adversaries’ abuse of commercial RMM tools has steadily increased in recent years. These tools are of interest to threat actors because they are usually digitally signed by recognized entities and are a fully featured backdoor. They also have little to no cost in software or infrastructure, as all of this is generally provided by the trial version application.  

Talos created a trial account to test what features were available for a trial user. In the case of the N-able remote access tool, the trial version offers a full set of features only limited by the 15-day trial period. Talos was able to confirm that by using a trial account, the threat actor has full access to the machine, including remote desktop like access, remote command execution, screen streaming, keystroke capture and remote shell access. 

Figure 4. N-able management interface showing available remote access tools. 

Figure 5. Administrative shell executed on a remote machine. 

The threat actor also has access to a fully featured file manager to easily read and write files to the remote file system. 

Figure 6. N-able file manager. 

The network traffic these tools create is also disguised as regular traffic, with many tools using communication over HTTPS and connecting to resources which are part of the infrastructure provided by the application provider. For example, N-able Remote Access uses a domain associated with its management interface, hosted on Amazon Web Services (AWS): 

*   hxxps://upload1\[.\]am\[.\]remote\[.\]management/ 
*   hxxps://upload2\[.\]am\[.\]remote\[.\]management/ 
*   hxxps://upload3\[.\]am\[.\]remote\[.\]management/ 
*   hxxps://upload4\[.\]am\[.\]remote\[.\]management/ 

_**Disclaimer**: The URLs above are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. Customers must complete an assessment before enabling block signatures for these domains._ 

The domain the agent uses is the same for any customer using the tool, with only the username and API key differentiating which customer the agent belongs to, as can be seen in Figure 7. This makes it even more difficult to identify the origin of the attacks and perform threat actor attribution.

Figure 7. Example configuration file. 

By extracting the configuration files inside the agent installer files still available on Dropbox, we can see some email addresses follow the same theme of the spam emails, using names of finance-related users and domains, while others could be potentially compromised accounts being used to create trial accounts for N-able Remote Access.  

With these trial versions being limited only by time and providing full remote-control features with little to no cost to the threat actors, Talos expects these tools to become even more common in attacks. 

Cisco Secure Firewall Application control is able to detect the unintended usage of RMM tools in customer's networks. Instructions on how to set up Application control can be found at Cisco Secure Firewall documentation. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

ClamAV detections are also available for this threat:  

Txt.Backdoor.NableRemoteAccessConfig-10044370-0  
Txt.Backdoor.NableRemoteAccessConfig-10044371-0   
Txt.Backdoor.NableRemoteAccessConfig-10044372-0 

**Indicators of Compromise **

_**Disclaimer**: The URLs below are part of the management infrastructure for the RMM tools described in this blog and are not controlled by the threat actor. An assessment must be done by customers before enabling block signatures for these domains._ 

_IOCs for this threat can be found on our GitHub repository_ _here__._ 

**Network IOCs **

hxxps://upload1\[.\]am\[.\]remote\[.\]management/   
hxxps://upload2\[.\]am\[.\]remote\[.\]management/   
hxxps://upload3\[.\]am\[.\]remote\[.\]management/   
hxxps://upload4\[.\]am\[.\]remote\[.\]management/   
198\[.\]45\[.\]54\[.\]34\[.\]bc\[.\]googleusercontent\[.\]com 

**RMM Installer - Hashes **

03b5c76ad07987cfa3236eae5f8a5d42cef228dda22b392c40236872b512684e   
0759b628512b4eaabc6c3118012dd29f880e77d2af2feca01127a6fcf2fbbf10   
080e29e52a87d0e0e39eca5591d7185ff024367ddaded3e3fd26d3dbdb096a39   
0de612ea433676f12731da515cb16df0f98817b45b5ebc9bbf121d0b9e59c412   
1182b8e97daf59ad5abd1cb4b514436249dd4d36b4f3589b939d053f1de8fe23   
14c1cb13ffc67b222b42095a2e9ec9476f101e3a57246a1c33912d8fe3297878   
2850a346ecb7aebee3320ed7160f21a744e38f2d1a76c54f44c892ffc5c4ab77   
4787df4eea91d9ceb9e25d9eb7373d79a0df4a5320411d7435f9a6621da2fd6b   
51fa1d7b95831a6263bf260df8044f77812c68a9b720dad7379ae96200b065dd   
527a40f5f73aeb663c7186db6e8236eec6f61fa04923cde560ebcd107911c9ff   
57a90105ad2023b76e357cf42ba01c5ca696d80a82f87b54aea58c4e0db8d683   
63cde9758f9209f15ee4068b11419fead501731b12777169d89ebb34063467ea   
79b041cedef44253fdda8a66b54bdd450605f01bbb77ea87da31450a9b4d2b63   
a2c17f5c7acb05af81d4554e5080f5ed40b10e3988e96b4d05c4ee3e6237c31a   
b53f9c2802a0846fc805c03798b36391c444ab5ea88dc2b36bffc908edc1f589   
c484d3394b32e3c7544414774c717ebc0ce4d04ca75a00e93f4fb04b9b48ecef   
ca11eb7b9341b88da855a536b0741ed3155e80fc1ab60d89600b58a4b80d63a5   
d1efebcca578357ea7af582d3860fa6c357d203e483e6be3d6f9592265f3b41c   
e2171735f02f212c90856e9259ff7abc699c3efb55eeb5b61e72e92bea96f99c   
e34b8c9798b92f6a0e2ca9853adce299b1bf425dedb29f1266254ac3a15c87cd   
ebdefa6f88e459555844d3d9c13a4d7908c272128f65a12df4fb82f1aeab139f   
f52b4d81c73520fd25a2cc9c6e0e364b57396e0bb782187caf7c1e49693bebbf   
f5efd939372f869750e6f929026b7b5d046c5dad2f6bd703ff1b2089738b4d9c   
F68ae2c1d42d1b95e3829f08a516fb1695f75679fcfe0046e3e14890460191cf   
a71e274fc3086de4c22e68ed1a58567ab63790cc47cd2e04367e843408b9a065

Spam campaign targeting Brazil abuses Remote Monitoring and Management tools

ESET has discovered Spellbinder, a new tool used by the China-linked cyber espionage group TheWizards to conduct AitM…

ESET has discovered Spellbinder, a new tool used by the China-linked cyber espionage group TheWizards to conduct AitM attacks and spread their WizardNet backdoor via manipulated software updates.

A sophisticated cyber espionage operation, linked to China and active since at least 2022, has been exposed by security researchers at ESET. The group dubbed TheWizards by ESET stands out for its innovative method of infiltrating computer networks. Reportedly, it employs a custom tool, named Spellbinder, to conduct adversary-in-the-middle (AitM) attacks, to deliver a sophisticated backdoor dubbed WizardNet by ESET.

ESET’s in-depth analysis, detailed in a recent blog post, reveals that Spellbinder manipulates network traffic via IPv6 SLAAC (stateless address autoconfiguration) spoofing, effectively intercepting legitimate Chinese software updates and redirecting them to attacker-controlled servers to deliver WizardNet.

Attack Method Explained (Source: ESET)

WizardNet is a sophisticated, modular backdoor capable of receiving and executing further malicious modules from a remote C2 server. This allows TheWizards to perform a wide range of malicious activities on compromised systems.

Reportedly, after gaining initial access, attackers deploy a specific archive which, through a process called side-loading, ultimately executes Spellbinder’s malicious code. Spellbinder, evolving since its 2022 analysis, uses WinPcap to capture packets and exploits IPv6’s Network Discovery Protocol by sending crafted ICMPv6 Router Advertisement (RA) messages. T

his tricks victims into using the attacker’s machine as the gateway, enabling traffic interception. It then monitors DNS queries for targeted Chinese platforms like Tencent, Baidu, and Xiaomi, generating fake DNS responses and directing victims to attacker-controlled IPs (e.g., 43.155.1167 in 2022, 43.155.6254 in 2024) serving malicious updates.

A notable instance involved hijacking legitimate update requests for Tencent QQ software by Spellbinder in 2024, directing the software to download a malicious archive from the attacker’s server. This archive contained a harmful component that, upon execution, installed the WizardNet backdoor.

ESET’s telemetry indicates that TheWizards have been actively targeting entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. The targets range from individuals to gambling companies and other currently unknown entities.

The initial discovery involved Sogou Pinyin (a widely used Chinese input method software) downloading WizardNet. This follows a pattern of abuse targeting Sogou Pinyin’s update process. In January 2024, as detailed by ESET, the hacking group Blackwood utilized this method to deploy an implant named NSPX30.

Furthermore, earlier in 2025, the Slovak cybersecurity firm revealed another threat group known as PlushDaemon that also leveraged the same technique to distribute a custom downloader called LittleDaemon.

As detailed in their report, researchers observed potential links between TheWizards and a Chinese company Sichuan Dianke Network Security Technology (UPSEC) through the analysis of the Android malware DarkNights (DarkNimbus).

Despite TheWizards primarily using WizardNet on Windows, their infrastructure served DarkNights as a malicious update for Android Tencent QQ.

Such sophisticated manipulation of trusted update mechanisms highlights the persistent and evolving threat from state-aligned cyber espionage and the ongoing need for improving security measures and caution against these threats.

Chinese Group TheWizards Exploits IPv6 to Drop WizardNet Backdoor

What if attackers aren't breaking in—they're already inside, watching, and adapting?
This week showed a sharp rise in stealth tactics built for long-term access and silent control. AI is being used to shape opinions. Malware is hiding inside software we trust. And old threats are returning under new names. The real danger isn’t just the breach—it’s not knowing who’s still lurking in your

⚡ Weekly Recap: Nation-State Hacks, Spyware Alerts, Deepfake Malware, Supply Chain Backdoors

The open source software easyjson is used by the US government and American companies. But its ties to Russia’s VK, whose CEO has been sanctioned, have researchers sounding the alarm.

Since Russian troops invaded Ukraine more than three years ago, Russian technology companies and executives have been widely sanctioned for supporting the Kremlin. That includes Vladimir Kiriyenko, the son of one of Vladimir Putin’s top aides and the CEO of VK Group, which runs VK, Russia’s Facebook equivalent that has increasingly shifted towards the regime’s repressive positioning.

Now cybersecurity researchers are warning that a widely used piece of open source code—which is linked to Kiriyenko’s company and managed by Russian developers—may pose a “persistent” national security risk to the United States. The open source software (OSS), called easyjson, has been widely used by the US Department of Defense and “extensively” across software used in the finance, technology, and healthcare sectors, say researchers at security company Hunted Labs, which is behind the claims. The fear is that Russia could alter easyjson to steal data or otherwise be abused.

“You have this really critical package that’s basically a linchpin for the cloud native ecosystem, that’s maintained by a group of individuals based in Moscow belonging to an organization that has this suspicious history,” says Hayden Smith, a cofounder at Hunted Labs.

For decades, open source software has underpinned large swathes of the technology industry and the systems people rely on day to day. Open source technology allows anyone to see and modify code, helping to make improvements, detect security vulnerabilities, and apply independent scrutiny that’s absent from the closed tech of corporate giants. However, the fracturing of geopolitical norms and the specter of stealthy supply chain attacks has led to an increase in questions about risk levels of "foreign" code.

Easyjson is a code serialization tool for the Go programming language and is often used across the wider cloud ecosystem, being present in other open source software, according to Hunted Labs. The package is hosted on GitHub by a MailRu account, which is owned by VK after the mail company rebranded itself in 2021. The VK Group itself is not sanctioned. Easyjson has been available on Github since 2016, with most of its updates coming before 2020. Kiriyenko became the CEO of VK Group in December 2021 and was sanctioned in February 2022.

Hunted Labs’ analysis shared with WIRED shows the most active developers on the project in recent years have listed themselves as being based in Moscow. Smith says that Hunted Labs has not identified vulnerabilities in the easyjson code.

However, the link to the sanctioned CEO’s company, plus Russia’s aggressive state-backed cyberattacks, may increase potential risks, Smith says. Research from Hunted Labs details how code serialization tools could be abused by malicious hackers. “A Russian-controlled software package could be used as a ‘sleeper cell’ to cause serious harm to critical US infrastructure or for espionage and weaponized influence campaigns,” it says.

“Nation states take on a strategic positioning,” says George Barnes, a former deputy director at the National Security Agency, who spent 36 years at the NSA and now acts as a senior advisor and investor in Hunted Labs. Barnes says that hackers within Russia’s intelligence agencies could see easyjson as a potential opportunity for abuse in the future.

“It is totally efficient code. There’s no known vulnerability about it, hence no other company has identified anything wrong with it,” Barnes says. “Yet the people who actually own it are under the guise of VK, which is tight with the Kremlin,” he says. “If I’m sitting there in the GRU or the FSB and I’m looking at the laundry list of opportunities… this is perfect. It’s just lying there,” Barnes says, referencing Russia’s foreign military and domestic security agencies.

VK Group did not respond to WIRED’s request for comment about easyjson. The US Department of Defense did not respond to a request for comment about the inclusion of easyjson in its software setup.

“NSA does not have a comment to make on this specific software,” a spokesperson for the National Security Agency says. “The NSA Cybersecurity Collaboration Center does welcome tips from the private sector—when a tip is received, NSA triages the tip against our own insights to fully understand the threat and, if corroborated, share any relevant mitigations with the community.” A spokesperson for the US Cybersecurity and Infrastructure Security Agency, which has faced upheaval under the second Trump administration, says: “We are going to refer you back to Hunted Labs.”

GitHub, a code repository owned by Microsoft, says that while it will investigate issues and take action where its policies are broken, it is not aware of malicious code in easyjson and VK is not sanctioned itself. Other tech companies’ treatment of VK varies. After Britain sanctioned the leaders of Russian banks who own stakes in VK in September 2022, for example, Apple removed its social media app from its App Store.

Dan Lorenc, the CEO of supply chain security firm Chainguard, says that with easyjson, the connections to Russia are in “plain sight” and that there is a “slightly higher” cybersecurity risk than those of other software libraries. He adds that the red flags around other open source technology may not be so obvious.

“In the overall open source space, you don’t necessarily even know where people are most of the time,” Lorenc says, pointing out that many developers do not disclose their identity or locations online, and even if they do, it is not always possible to verify the details are correct. “The code is what we have to trust and the code and the systems that are used to build that code. People are important, but we’re just not in a world where we can push the trust down to the individuals,” Lorenc says.

As Russia’s full-scale invasion of Ukraine has unfolded, there has been increased scrutiny on the use of open source systems and the impact of sanctions upon entities involved in the development. In October last year, a Linux kernel maintainer removed 11 Russian developers who were involved in the open souce project, broadly citing sanctions as the reason for the change. Then in January this year, the Linux Foundation issued guidance covering how international sanctions can impact open source, saying developers should be cautious of who they interact with and the nature of interactions.

The shift in perceived risk is coupled with the threat of supply chain attacks. Last year, corporate developers and the open source world were rocked as a mysterious attacker known as Jia Tan stealthily installed a backdoor in the widely used XZ Utils software, after spending two years diligently updating it without any signs of trouble. The backdoor was only discovered by chance.

“Years ago, OSS was developed by small groups of trusted developers who were known to one another,” says Nancy Mead, a fellow of the Carnegie Mellon University Software Engineering Institute. “In that time frame, no one expected a trusted developer of being a hacker, and the relatively slower pace provided time for review. These days, with automatic release, incorporation of updates, and the wide usage of OSS, the old assumptions are no longer valid.”

Scott Hissam, a senior member of technical staff also from the Carnegie Software Engineering Institute, says there can often be consideration about how many maintainers and the number of organizations that work on an open source project, but there is currently not a “mass movement” to consider other details about OSS projects. “However, it is coming, and there are several activities that collect details about OSS projects, which OSS consumers can use to get more insight into OSS projects and their activities,” Hissam says, pointing to two examples.

Hunted Lab’s Smith says he is currently looking into the provenance of other open source projects and the risks that could come with them, including scrutinizing countries known to have carried out cyberattacks against US entities. He says he is not encouraging people to avoid open source software at all, more that risk considerations have shifted over time. “We’re telling you to just make really good risk informed decisions when you're trying to use open source,” he says. “Open source software is basically good until it's not.”

Security Researchers Warn a Widely Used Open Source Tool Poses a 'Persistent' Risk to the US

A new study found that code generated by AI is more likely to contain made-up information that can be used to trick software into interacting with malicious code.

AI-generated computer code is rife with references to nonexistent third-party libraries, creating a golden opportunity for supply-chain attacks that poison legitimate programs with malicious packages that can steal data, plant backdoors, and carry out other nefarious actions, newly published research shows.

The study, which used 16 of the most widely used large language models to generate 576,000 code samples, found that 440,000 of the package dependencies they contained were “hallucinated,” meaning they were nonexistent. Open source models hallucinated the most, with 21 percent of the dependencies linking to nonexistent libraries. A dependency is an essential code component that a separate piece of code requires to work properly. Dependencies save developers the hassle of rewriting code and are an essential part of the modern software supply chain.

****Package Hallucination Flashbacks****

These nonexistent dependencies represent a threat to the software supply chain by exacerbating so-called dependency confusion attacks. These attacks work by causing a software package to access the wrong component dependency, for instance by publishing a malicious package and giving it the same name as the legitimate one but with a later version stamp. Software that depends on the package will, in some cases, choose the malicious version rather than the legitimate one because the former appears to be more recent.

Also known as package confusion, this form of attack was first demonstrated in 2021 in a proof-of-concept exploit that executed counterfeit code on networks belonging to some of the biggest companies on the planet, Apple, Microsoft, and Tesla included. It's one type of technique used in software supply-chain attacks, which aim to poison software at its very source in an attempt to infect all users downstream.

“Once the attacker publishes a package under the hallucinated name, containing some malicious code, they rely on the model suggesting that name to unsuspecting users,” Joseph Spracklen, a University of Texas at San Antonio PhD student and lead researcher, told Ars via email. “If a user trusts the LLM's output and installs the package without carefully verifying it, the attacker’s payload, hidden in the malicious package, would be executed on the user's system.”

In AI, hallucinations occur when an LLM produces outputs that are factually incorrect, nonsensical, or completely unrelated to the task it was assigned. Hallucinations have long dogged LLMs because they degrade their usefulness and trustworthiness and have proven vexingly difficult to predict and remedy. In a paper scheduled to be presented at the 2025 USENIX Security Symposium, they have dubbed the phenomenon “package hallucination.”

For the study, the researchers ran 30 tests, 16 in the Python programming language and 14 in JavaScript, that generated 19,200 code samples per test, for a total of 576,000 code samples. Of the 2.23 million package references contained in those samples, 440,445, or 19.7 percent, pointed to packages that didn’t exist. Among these 440,445 package hallucinations, 205,474 had unique package names.

One of the things that makes package hallucinations potentially useful in supply-chain attacks is that 43 percent of package hallucinations were repeated over 10 queries. “In addition,” the researchers wrote, “58 percent of the time, a hallucinated package is repeated more than once in 10 iterations, which shows that the majority of hallucinations are not simply random errors but a repeatable phenomenon that persists across multiple iterations. This is significant, because a persistent hallucination is more valuable for malicious actors looking to exploit this vulnerability and makes the hallucination attack vector a more viable threat.”

In other words, many package hallucinations aren’t random, one-off errors. Rather, specific names of nonexistent packages are repeated over and over. Attackers could seize on the pattern by identifying nonexistent packages that are repeatedly hallucinated. The attackers would then publish malware using those names and wait for them to be accessed by large numbers of developers.

The study uncovered disparities in the LLMs and programming languages that produced the most package hallucinations. The average percentage of package hallucinations produced by open source LLMs such as CodeLlama and DeepSeek was nearly 22 percent, compared with a little more than 5 percent by commercial models. Code written in Python resulted in fewer hallucinations than JavaScript code, with an average of almost 16 percent compared with a little over 21 percent for JavaScript. Asked what caused the differences, Spracklen wrote:

_“This is a difficult question because large language models are extraordinarily complex systems, making it hard to directly trace causality. That said, we observed a significant disparity between commercial models (such as the ChatGPT series) and open-source models, which is almost certainly attributable to the much larger parameter counts of the commercial variants. Most estimates suggest that ChatGPT models have at least 10 times more parameters than the open-source models we tested, though the exact architecture and training details remain proprietary. Interestingly, among open-source models, we did not find a clear link between model size and hallucination rate, likely because they all operate within a relatively smaller parameter range._

_“Beyond model size, differences in training data, fine-tuning, instruction training, and safety tuning all likely play a role in package hallucination rate. These processes are intended to improve model usability and reduce certain types of errors, but they may have unforeseen downstream effects on phenomena like package hallucination._

_“Similarly, the higher hallucination rate for JavaScript packages compared to Python is also difficult to attribute definitively. We speculate that it stems from the fact that JavaScript has roughly 10 times more packages in its ecosystem than Python, combined with a more complicated namespace. With a much larger and more complex package landscape, it becomes harder for models to accurately recall specific package names, leading to greater uncertainty in their internal predictions and, ultimately, a higher rate of hallucinated packages.”_

The findings are the latest to demonstrate the inherent untrustworthiness of LLM output. With Microsoft CTO Kevin Scott predicting that 95 percent of code will be AI-generated within five years, here’s hoping developers heed the message.

_This story originally appeared on_ _Ars Technica._

AI Code Hallucinations Increase the Risk of ‘Package Confusion’ Attacks

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.…

France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign. Learn about the GRU-linked attacks, tactics, and previous incidents like the TV5Monde hack.

France has accused the Russian state-backed hacking group APT28, linked to Russia’s military intelligence agency GRU (Russian General Staff Main Intelligence Directorate), of targeting or compromising a dozen French government and other organizations.

Active since at least 2004 under names like BlueDelta, Fancy Bear, Forest Blizzard, Sednit, and Sofacy; APT28 typically targets government, military, energy, and media in Europe and the US.

Now, a report by the French cybersecurity agency ANSSI has attributed recent attacks on French local government, administration, defence, aerospace, research, finance, and think-tank organizations to APT28.

APT28’s Targets in France since 2021 (Source: ANSSI)

These attacks, primarily aimed at governmental, diplomatic, and research entities in 2024, utilized phishing, vulnerability exploitation, and brute-force attacks for initial access, often relying on inexpensive, outsourced infrastructure.

This infrastructure, as per ANSSI’s report (PDF), includes rented servers, free hosting services, VPNs (Virtual Private Networks), and temporary email addresses. This approach provides flexibility and enhances their ability to remain undetected.  

ANSSI noted APT28’s targeting of Roundcube email servers to distribute the HeadLace backdoor, use of the OceanMap stealer, and phishing campaigns against UKR.NET and Yahoo users, employing compromised routers and other methods to conceal their infrastructure.

France’s Ministry for Europe and Foreign Affairs strongly condemned Russia’s use of APT28, highlighting past attacks on the 2024 Olympics, and attempted interference in the 2017 elections. They emphasized that such actions violate UN norms of responsible state behaviour in cyberspace and pledged to counter Russia’s malicious cyber activities.

“France condemns in the strongest terms the use by Russia’s military intelligence service of the APT28 attack group, at the origin of several cyber-attacks on French interests,” the French foreign ministry’s statement read.

****France Accused APT28 of Impersonating ISIS Hackers****

Hackread.com has been following the activities of APT28, with a previous report linking it to a 2015 cyberattack on TV5Monde. Initially, that attack was attributed to a group posing as ISIS/ISIL militants, known as “CyberCaliphate,” who claimed responsibility by posting pro-ISIS messages on the broadcaster’s social media and temporarily blacking out their global TV channel.

However, subsequent investigations revealed matching IP addresses and techniques used by APT28, leading French authorities and cybersecurity experts to suspect Russian government involvement.

A similar cyberattack targeted the BBC’s live transmission in April 2015. However, it remains unclear whether the British government linked the incident to APT28 or acknowledged its impersonation tactics.

Nevertheless, this pattern of targeted activity indicates APT28’s persistent threat to France and other nations. It also suggests efforts to gather strategic intelligence and influence public perception within French society.

From TV5Monde to Govt: France Blames Russia’s APT28 for Cyberattacks

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…

WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides itself, and even modifies core files like wp-cron.php for persistence. Stay protected.

Security researchers at Wordfence recently uncovered a tricky piece of malware targeting WordPress websites. This malicious software is designed to look like a genuine anti-malware plugin, often appearing in the file system with names such as ‘WP-antymalwary-bot.php’.

According to Wordfence Threat Intelligence Team’s technical blog post, this fake plugin contains several dangerous capabilities. Such as, it allows attackers to control an infected website, hide from the WordPress admin dashboard, and execute malicious code remotely. It also has a “pinging” function that sends information back to a C&C server, spreads into other directories, and injects harmful JavaScript, which is then used to display unwanted advertisements.

Further analysis revealed that the malware uses a check_plugin GET parameter for status checks and, more dangerously, an emergency_login GET parameter for immediate admin access by providing a password. It also uses the REST API for remote code execution via a POST request to execute_admin_command, enabling cache clearing or injecting PHP code into theme headers. The hide\_plugin\_from\_list function conceals it from the admin dashboard.

The malware often comes with a modified wp-cron.php file that can reactivate the plugin if removed, meaning even if the plugin file is deleted, the malicious code in wp-cron.php can reinstall it upon the next site visit, ensuring persistence.

An updated version reports to a C&C server (45.61.136.85) and differently handles code injection by fetching from a foreign ads.php file and injecting JavaScript into the header. It also stores ad server URLs, anticipating future use.

Initial infection likely occurs via wp-cron.php, possibly through compromised hosting or FTP credentials. The malware has been seen under names like WP-antymalwary-bot.php and addons.php.

According to the company’s blog post, the issue was discovered on January 22, 2025, during a website cleanup performed by a Wordfence security analyst after which a specific malware signature (a unique identifier for the malicious code) was released.

Since then, many new versions of this malware have emerged, but Wordfence confirms that their original signature from January is still effective at detecting them. To provide an extra layer of security, a firewall rule (a set of instructions to block malicious activity) was released on April 23, 2025, for Wordfence Premium, Care, and Response users, preventing the execution of the malware file. Free Wordfence users will receive this additional protection on May 23, 2025.

This WordPress malware, cleverly disguised as a security plugin, demonstrates the persistent and increasingly sophisticated threats targeting website owners. Its advanced persistence mechanism makes thorough cleanup crucial for affected websites. Lastly, website owners are strongly advised to stay informed about emerging threats, utilize reputable security plugins, and ensure timely updates to protect their sites effectively.

Sneaky WordPress Malware Disguised as Anti-Malware Plugin

China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…

China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.

Citizen Lab reveals a targeted spear phishing campaign aimed at Uyghur activists, deploying surveillance malware disguised as a legitimate Uyghur language tool. Learn about the attack methods and suspected Chinese government involvement.

In March 2025, several leading figures within the World Uyghur Congress (WUC), an international organization based in Munich that advocates for the rights of the Uyghur people, became the targets of a carefully orchestrated cyber espionage attempt.

Researchers at the University of Toronto’s Citizen Lab report that these individuals received warnings from Google, indicating that their online accounts were under attack, allegedly, by state-sponsored actors. 

Google Alerts Sent to WUC (Source: The Citizen Lab)

The method used in this campaign was spear phishing, which is a targeted form of attack where emails are crafted to appear legitimate and trustworthy to specific individuals. In this case, the malicious emails impersonated a known contact from a partner organization of the WUC.

Phishing Email (Source: The Citizen Lab)

These emails contained links to Google Drive, which, if clicked, would lead to the download of a password-protected archive file. This archive held a compromised version of UyghurEditPP, a genuine open-source word processing and spell-check tool specifically designed for the Uyghur language.

The recipients had no idea that this seemingly harmless application was Trojanized, meaning it contained a hidden backdoor. Once the infected UyghurEditPP was executed on a victim’s computer, this backdoor would silently gather system information, including the machine name, username, IP address, operating system version, and a unique hash derived from the hardware. This data was then transmitted to a remote command-and-control (C2) server.

The server’s operators could then send instructions back to the infected device, enabling them to perform various malicious actions such as downloading files from the target, uploading additional malicious files (including further malware), and executing commands through uploaded plugins. 

The Citizen Lab’s analysis of the campaign’s infrastructure reveals two distinct command-and-control clusters. The first, likely active between June 2024 and February 2025, used domain names mimicking the UyghurEditPP tool’s developer (gheyretcom, gheyretnet, and uheyretcom).

The second, targeting the WUC between December 2024 and March 2025, used subdomains registered through Dynu Services, incorporating Uyghur words but not directly referencing the tool or its developer.

Both clusters shared the same Microsoft certificate and used IP addresses belonging to Choopa LLC, a hosting provider used by various cyber threat actors. This dual infrastructure either indicates attackers’ shifting tactics or targeting of different segments within the Uyghur community.

Furthermore, researchers highlighted the high level of social engineering in the delivery method of the surveillance malware, which itself was not as technologically advanced. The attackers demonstrated a deep understanding of the Uyghur community, leveraging the trust of the original developer of UyghurEditPP, known to members of the WUC.

This suggests a highly customized and targeted operation, possibly beginning in May 2024. The campaign likely involved (PDF) ties to the Chinese government, aligning with their known efforts to conduct transnational repression against the Uyghur community.

Tag

#backdoor