The theme of this week's review is Cat and Mouse. Why? Most of the articles are about security incidents that show the efforts of cybersecurity defenders in defending users from attackers trying to compromise user's systems.
Highly Popular NPM Packages Poisoned in New Supply Chain Attack
Can you take a wild guess at the attack vector? A phishing email. It's 2025, and phishing is still effective. Moreover, when an X (formerly Twitter) user shared an image of the phishing email and asked what was wrong, the first thing that I noticed was the sender's address. Although, it was clear to me, a developer still fell for it.
From the article:
According to a GitHub advisory, any system on which the poisoned packages were installed should be considered fully compromised and all secrets and keys stored in that machine should be immediately rotated, from a different computer.
According to Wiz, cloud environments that resolved, bundled, and then served code using the infected package versions should be considered affected. These could be “production, staging, preview/pull request deployments, and local development servers used by employees”, Wiz says.
Cursor AI editor lets repos “autorun” malicious code on devices
The cause of this flaw is a feature enabled in VSCode but disabled in Cursor. Now, it gets a little problematic: at the time of writing, it appears that Cursor won't fix but the researchers have provided a way to enable the feature.
From the article:
Threat actors can exploit the flaw to drop malware, hijack developer environments, or steal credentials and API tokens, without developers having to execute any commands.
To prove their findings, Oasis Security published a proof-of-concept for a
tasks.jsonfile that executes a shell command to send the name of the current user when opening the project folder in Cursor.
Apple’s latest iPhone security feature just made life more difficult for spyware makers
The article's title says it all. But I want to add one thing: it's ONLY a matter of time before we learn that someone found a way in. Now, let's get a bit technical. What's the security feature and how does it work? You'll find the answer in the excerpt below.
The feature is called Memory Integrity Enforcement (MIE) and is designed to help stop memory corruption bugs, which are some of the most common vulnerabilities exploited by spyware developers and makers of phone forensic devices used by law enforcement.
MIE is built on a technology called Memory Tagging Extension (MTE), originally developed by chipmaker Arm. In its blog post, Apple said over the past five years it worked with Arm to expand and improve the memory safety features into a product called Enhanced Memory Tagging Extension (EMTE).
New HybridPetya Ransomware Bypasses UEFI Secure Boot With CVE-2024-7344 Exploit
At the time of writing, HybridPetya appears to be a Proof of Concept. Meanwhile, the threat is real, and Secure Boot bypasses are becoming attractive to attackers and researchers.
A key lesson from the article:
HybridPetya comes with two main components: a bootkit and an installer, with the former appearing in two distinct versions. The bootkit, which is deployed by the installer, is chiefly responsible for loading its configuration and checking its encryption status.
HybridPetya is now at least the fourth publicly known example of a real or proof-of-concept UEFI bootkit with UEFI Secure Boot bypass functionality, joining BlackLotus (exploiting CVE‑2022‑21894), BootKitty (exploiting LogoFail), and the Hyper-V Backdoor PoC (exploiting CVE‑2020‑26200).
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.
Top comments (0)