The Week in Security: NuGet hit by typosquatting, fake ChatGPT plug-in hijacks Facebook accounts

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond.

Carolynn van Arsdale, Writer, ReversingLabs.

The Week in Security: NuGet hit by typosquatting, fake ChatGPT plug-in hijacks Facebook accounts

This week: NuGet is hit with a malicious typosquatting campaign. Also: A malicious ChatGPT Chrome extension is hijacking Facebook accounts.

This Week’s Top Story

NuGet software repository targeted with malicious packages

Software supply chain attacks have greatly increased over the past year, especially on open source software repositories. As a result, malicious packages have been downloaded hundreds of thousands of times, causing supply chain attacks globally. Popular repositories npm and PyPI saw an almost 300% increase in supply chain attacks on their platforms in the past four years combined. Other repositories, such as NuGet, which houses .NET code components, haven’t been taken advantage of by attackers… Until now.

Researchers at JFrog recently discovered a possible first for NuGet: 13 malicious packages with trojan components that compromise a victim’s installation system and download crypto-stealing malware with backdoor functionality. While the malicious packages have been removed from the repository, they were downloaded more than 166,000 times, possibly causing thousands of supply chain attacks. The malicious packages impersonated legitimate software tools like Coinbase and Microsoft ASP.NET, making it easy for developers to accidentally download them. The attackers used typosquatting, in which the name of a popular package is copied and slightly misspelled, to trick developers into downloading these packages.

This recent campaign discovered by JFrog is significant, considering that typosquatting attacks of this nature have not yet occurred on the platform. This demonstrates that threat actors are continuing to see open source repositories as a worthy landscape for carrying out software supply chain attacks. Also, it shows that even less popular repositories like NuGet, which seemed resilient before, are still susceptible to these kinds of attacks.

News Roundup

Here are the stories we’re paying attention to this week…

Bug in open source library causes a significant issue for ChatGPT (Sam Altman)

In a recent tweet, Altman of OpenAI shared that a bug in an open source library, for which a fix has now been released, caused a small percentage of ChatGPT users to see the titles of other users' conversation history: "we feel awful about this."

Facebook accounts hijacked by new malicious ChatGPT Chrome extension (BleepingComputer)

A trojanized version of the legitimate ChatGPT extension for Chrome is gaining popularity on the Chrome Web Store, accumulating over 9,000 downloads while stealing Facebook accounts. This malicious version includes additional code that attempts to steal Facebook session cookies.

CISA revises cybersecurity performance goals (Cybersecurity Dive)

The Cybersecurity and Infrastructure Security Agency (CISA) updated the cybersecurity performance goals originally released in October, in an effort to more closely align the goals with the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).

Ferrari confirms customer data breached following ransomware attack (TechRadar.pro)

The company published a press release on the Ferrari website, as well as sent an email to affected customers. The company's communications confirmed that following a cyber-incident, the Ferrari Italian subsidiary was contacted by a threat actor, demanding that the ransom demand be paid.

Hackers drain bitcoin ATMs of $1.5 million by exploiting 0-day bug (ArsTechnica)

Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can’t be reversed, the kiosk manufacturer has revealed.

North Korean hackers using Chrome extensions to steal Gmail emails (BleepingComputer)

A joint cybersecurity advisory from Germany and South Korea warn about Kimsuky's use of Chrome extensions to steal target's Gmail emails. Kimsuky (aka Thallium, Velvet Chollima) is a North Korean threat group that uses spear phishing to conduct cyber-espionage against diplomats, journalists, government agencies, university professors, and politicians.

Keep learning

Read the 2025 Gartner® Market Guide to Software Supply Chain Security. Plus: Join RL's May 28 webinar for expert insights.
Get the white paper: Go Beyond the SBOM. Plus: See the Webinar: Welcome CycloneDX xBOM.
Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: See our Webinar for discussion about the findings.
Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and replay our Webinar to learn how RL discovered the novel threat.
Learn how commercial software risk is under-addressed: Download the white paper — and see our related Webinar for more insights.

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

Tags:AppSec & Supply Chain Security