
Python downloader highlights noise problem in open source threat detection
RL discovered what appeared to be a malicious downloader on PyPI. It turned out to be red teaming — but highlights a growing problem for threat detection.

There is no foolproof method to identify phony developer accounts — but there are telltale signs. Threat researchers share three.

Two newly discovered extensions on the VS Code Marketplace are designed to steal sensitive information, showing that open source attacks are expanding.

Here's what the RL research team knows about the suspicious SqzrFramework480 campaign, which is still available on the NuGet repository.

RL has discovered a campaign using PyPI packages posing as open-source libraries to steal BIP39 mnemonic phrases, which are used for wallet recovery.

How to apply YARA rules for threat detection, searching, hunting and more.

RL discovered two malicious packages and a subsequent larger campaign, showing that the approach is an emerging software supply chain attack method.

ReversingLabs researchers found two suspicious npm packages that demonstrate how GitHub is increasingly being used to easily deploy malware in novel ways.

Cross-Platform Threats: Leveraging YARA to Identify BiBi Wiper on Linux and Windows Systems

ReversingLabs researchers have uncovered two novel techniques running on GitHub — one abusing GitHub Gists, another issuing commands through git commit messages.

ReversingLabs researchers have discovered npm packages that hide scripts broadcasting messages of peace related to the conflicts in Ukraine and in Israel and the Gaza Strip.

ReversingLabs has highlighted threats in npm, PyPI and RubyGems in recent years. This finding shows NuGet is equally exposed to malicious activities by threat actors.

ReversingLabs discovered that one “s” was all that separated a legit npm package from a malicious twin that delivered the r77 rootkit — and was downloaded more than 700 times.

Ransomware-as-a-service gang ALPHV (a.k.a. BlackCat) carried out a sophisticated attack on the hotel and casino company MGM. Here’s what the ReversingLabs threat team understands.

RL threat researchers have discovered multiple malicious campaigns on open source repositories. Join the webinar to discuss key takeaways for app sec teams.