Carding 4 Carders
Why only vigilance can save developers from the ubiquitous hackers
A malicious package that distributes a Trojan called SeroXen RAT has been detected in NuGet, the package manager for the .NET framework.
The package, named "Pathoschild.Stardew.Mod.Build.Config" and published by the user "Disti", is a typosquat of the real package Pathoschild.Stardew.ModBuildConfig - the difference is literally a couple of dots. Phylum, a software security company, reported the detection of the threat.
Although the real package had been downloaded about 79,000 times, the malicious version managed to overtake it, passing 100,000 downloads after it was published on October 6, 2023.
In total, the author of the malicious package published as many as six packages with a combined download count of more than 2.1 million. Four of them masquerade as libraries for cryptocurrency services such as Kraken, KuCoin, Solana, and Monero, but are likewise designed to deploy SeroXen RAT.
The attack chain is initiated during package installation by the tools/init.ps1 script, which is designed to execute code as stealthily as possible.
"Although deprecated, the init.ps1 script is still supported by Visual Studio and will run without any warnings when installing the NuGet package. Meanwhile, inside the .ps1 file an attacker can write arbitrary commands," JFrog representatives said in March of this year, when they were faced with a similar principle for deploying malware.
SeroXen RAT is malware that is sold on cybercrime forums for $60. This fileless remote access Trojan combines the features of the open source Quasar RAT software, the r77 rootkit, and the NirCmd command-line tool.
Phylum noted that the discovery of SeroXen RAT in NuGet packages highlights the trend that attackers continue to use open source software for malicious purposes.
It is noteworthy that just a couple of days before the discovery of the threat in NuGet, Phylum specialists found seven malicious packages in the PyPI repository that mimic legitimate offerings from cloud providers such as Aliyun, AWS and Tencent Cloud in order to secretly send credentials to a hidden remote URL controlled by the attackers.
The Checkmarx researchers also shared additional details of the same campaign, saying that it also targeted Telegram via the deceptive telethon2 package. The majority of fake library downloads came from the US, followed by China, Singapore, Hong Kong, Russia, and France.
Earlier this month, Checkmarx also revealed a campaign targeting PyPI to inject 271 malicious Python packages into the software supply chain to steal sensitive data and cryptocurrencies.
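The two signals in the story above, a package id that collapses to a known name once the dots are removed and an install-time tools/init.ps1 inside the .nupkg, can both be checked before a package is allowed into an internal feed. The following Python is an added example written for this post, not code from Phylum, JFrog or NuGet; the allow-list, the assess() function and the in-memory sample package are constructed for the demonstration.

```python
import io
import re
import zipfile

# Install-time scripts that legacy NuGet / Visual Studio will execute from a package.
SCRIPT_PATHS = {"tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1"}

def normalize_name(pkg_id):
    """Collapse the separators a typosquatter plays with (dots, hyphens, underscores, case)."""
    return re.sub(r"[.\-_]", "", pkg_id).lower()

def find_lookalike(pkg_id, allowlist):
    """Return the allow-listed id that pkg_id collapses to, unless pkg_id is itself allow-listed."""
    if pkg_id in allowlist:
        return None
    wanted = normalize_name(pkg_id)
    for known in allowlist:
        if normalize_name(known) == wanted:
            return known
    return None

def install_scripts(nupkg_bytes):
    """List install-time PowerShell scripts bundled in a .nupkg (a .nupkg is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        names = {n.replace("\\", "/").lower() for n in z.namelist()}
    return sorted(n for n in names if n in SCRIPT_PATHS)

def assess(pkg_id, nupkg_bytes, allowlist):
    """Hypothetical feed gate: block on a lookalike id or on any install-time script."""
    lookalike = find_lookalike(pkg_id, allowlist)
    scripts = install_scripts(nupkg_bytes)
    return {
        "id": pkg_id,
        "lookalike_of": lookalike,
        "install_scripts": scripts,
        "block": bool(lookalike) or bool(scripts),
    }

def build_sample_nupkg(with_init):
    """Constructed in-memory .nupkg for the demonstration; not a real package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/netstandard2.0/Placeholder.dll", b"")
        if with_init:
            z.writestr("tools/init.ps1", "# constructed stand-in, would run at install time\n")
    return buf.getvalue()

ALLOWLIST = {"Pathoschild.Stardew.ModBuildConfig"}

if __name__ == "__main__":
    print(assess("Pathoschild.Stardew.Mod.Build.Config", build_sample_nupkg(True), ALLOWLIST))
```

Modern NuGet clients (PackageReference) no longer run these scripts, so the script check matters most where packages are consumed through the legacy packages.config path or Visual Studio.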