Internet users can do their best to stay secure and safe online. With this, they tend to classify some sites and web applications as "trustworthy". Cybercriminals know this and they're waiting to exploit this trust for their malicious purposes. Sometimes, it's the application that disappoints you when it acts the way you think it should not, potentially putting your personal data at risk.
That opening statement is a summary of the articles that we are about to review.
Researchers cause GitLab AI developer assistant to turn safe code malicious
If you read the article's title and you're thinking: another prompt injection attack? Yes, you are right. The good news is that GitLab mitigated the risk and from the article, did not necessarily fix the issue. Nonetheless, this shows that developers should always check and verify the code generated by Large Language Models for signs of malice. Trust me, you can never be too careful in this regard.
From the article:
This vulnerability highlights the double-edged nature of AI assistants like GitLab Duo: when deeply integrated into development workflows, they inherit not just context—but risk.
What that means is that code-developer assistants don’t offer quite the gee-wiz productivity that marketers promise. It’s incumbent on developers to carefully inspect the code and other output produced by these assistants.
Ongoing Campaign Uses 60 NPM Packages to Steal Data
When it comes to stealing user's data, there is no better way that attackers can think of than tricking users into installing their malicious code. They're smart enough not to dub it "malicious". Instead, they exploit trust. In this case, they're exploiting the user's trust in the NPM package registry.
Here is how the packages work:
...the nefarious script collects both internal and external network identifiers, it allows the threat actor to link private developer environments to public-facing infrastructure, enabling them to mount follow-up attacks.
By harvesting internal and external IP addresses, DNS servers, usernames, and project paths, it enables a threat actor to chart the network and identify high‑value targets for future campaigns.
Employees Searching Payroll Portals on Google Tricked Into Sending Paychecks to Hackers
Sometimes, we humans let our laziness get the best of us. I mean, we can enter the address of a site we visit regularly into the web address URL bar and hit enter on our keyboard. Nonetheless, we go to a search engine like Google and still search for something that we use almost every day. You can argue that it's convenient. However, it comes at a price; cybercriminals could be waiting for you.
The excerpt from the article shows a typical attack scenario:
It all starts when an employee searches for their company's payroll portal on search engines like Google, with deceptive lookalike websites surfacing to the top of the results using sponsored links.
Those who end up clicking on the bogus links are led to a WordPress site that redirects to a phishing page mimicking a Microsoft login portal when visited from a mobile device. The credentials entered on the fake landing page are subsequently exfiltrated to an attacker-controlled website.
Word to the wise: Beware of fake Docusign emails
I am always thinking of a world where we can solve all the threats that we face online. If not all, at least, a world where we can reduce it to something insignificant. This campaign is as you'd expect: designed to harvest personal information.
The following is the attack lifecycle and how to stay safe as an organization:
Victims will typically receive an email with a spoofed Docusign “envelope” requesting that they click on a large yellow box to “review document.” There may also be an attachment featuring a QR code. Both actions could lead to the same result: the victim is taken to a phishing site such as a fake Microsoft login page.
Fortunately, there’s plenty you can do to keep yourself and your company safe from Docusign threats. From a company’s perspective, the first course of action is to be aware of the risks and update your phishing awareness programs to ensure staff are able to spot the warning signs of a scam email.
Cybercriminals Clone Antivirus Site to Spread Venom RAT and Steal Crypto Wallets
Imagine the tragedy of installing malware while attempting to protect yourself from malware. It's unthinkable, yet, this article shows that it's happening and anyone can be a victim.
Here is what's going on:
- The website in question, "bitdefender-download[.]com," advertises site visitors to download a Windows version of the Antivirus software.
- Clicking on the prominent "Download for Windows" button initiates a file download from a Bitbucket repository that redirects to an Amazon S3 bucket
- The ZIP archive ("BitDefender.zip") contains an executable called "StoreInstaller.exe," which includes malware configurations associated with Venom RAT, as well as code related to the open-source post-exploitation framework SilentTrinity and StormKitty stealer.
- These tools work in concert: Venom RAT sneaks in, StormKitty grabs your passwords and digital wallet info, and SilentTrinity ensures the attacker can stay hidden and maintain control.
OneDrive Gives Web Apps Full Read Access to All Files
This is the case of telling a web app the following: please take one. But it has the capability of taking it all without your knowledge. That's the issue of OneDrive at the time of writing. You'll notice that I did not call it a bug because it appears to be a misconfiguration that Microsoft needs to address.
To you, dear reader, note the following:
Just because it’s Microsoft, we cannot assume it’s safe. “Users should assume that every SaaS plug-in they authorize has the keys to their personal or enterprise crown jewels unless proven otherwise.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.
Top comments (0)