Karlo Zanki

Reverse Engineer at ReversingLabs

Posts from Karlo Zanki

July 11, 2024

Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs

Malware authors upped their game, using homoglyphs to impersonate a protected NuGet prefix and IL weaving to inject malicious code, RL researchers found.

Read More about Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs

Malicious NuGet campaign uses homoglyphs and IL weaving to fool devs

June 5, 2024

Python downloader highlights noise problem in open source threat detection

RL discovered what appeared to be a malicious downloader on PyPI. It turned out to be red teaming — but highlights a growing problem for threat detection.

Read More about Python downloader highlights noise problem in open source threat detection

Python downloader highlights noise problem in open source threat detection

March 12, 2024

BIPClip: Malicious PyPI packages target crypto wallet recovery passwords

RL has discovered a campaign using PyPI packages posing as open-source libraries to steal BIP39 mnemonic phrases, which are used for wallet recovery.

Read More about BIPClip: Malicious PyPI packages target crypto wallet recovery passwords

BIPClip: Malicious PyPI packages target crypto wallet recovery passwords

December 19, 2023

Malware leveraging public infrastructure like GitHub on the rise

ReversingLabs researchers have uncovered two novel techniques running on GitHub — one abusing GitHub Gists, another issuing commands through git commit messages.

Read More about Malware leveraging public infrastructure like GitHub on the rise

Malware leveraging public infrastructure like GitHub on the rise

October 31, 2023

IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations

ReversingLabs has highlighted threats in npm, PyPI and RubyGEMS in recent years. This finding shows NuGet is equally exposed to malicious activities by threat actors.

Read More about IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations

IAmReboot: Malicious NuGet packages exploit loophole in MSBuild integrations

August 31, 2023

VMConnect supply chain attack continues, evidence points to North Korea

ReversingLabs researchers discovered more packages that are part of the previously identified VMConnect campaign, as well as evidence linking the campaign to North Korea's Lazarus Group.

Read More about VMConnect supply chain attack continues, evidence points to North Korea

VMConnect supply chain attack continues, evidence points to North Korea

August 3, 2023

VMConnect: Malicious PyPI packages imitate popular open source modules

ReversingLabs threat researchers have identified a new malicious PyPI campaign that includes a suspicious VMConnect package published to the PyPI repo.

Read More about VMConnect: Malicious PyPI packages imitate popular open source modules

VMConnect: Malicious PyPI packages imitate popular open source modules

June 1, 2023

When byte code bites: Who checks the contents of compiled Python files?

The ReversingLabs research team has identified a novel attack on PyPI using compiled Python code to evade detection — possibly the first attack to take advantage of PYC file direct execution.

Read More about When byte code bites: Who checks the contents of compiled Python files?

When byte code bites: Who checks the contents of compiled Python files?

March 30, 2023

Red flags flew over software supply chain-compromised 3CX update

The VOIP software company missed signs that its client had been tampered with before it pushed the update to customers.

Read More about Red flags flew over software supply chain-compromised 3CX update

Red flags flew over software supply chain-compromised 3CX update