Security professionals and observers across the industry got swept into a pit of fear Monday when an attacker took over and injected malicious code into a series of widely used open-source packages in the node.js package manager, or npm. Despite all that worry, the disaster that many presumed a foregone conclusion was averted and the consequences of the supply-chain attack were short-lived and minimal. 

Josh Junon, a developer and maintainer of the impacted software packages, took to social media early Monday to confirm his npm account was compromised via social engineering — a two-factor reset email that looked legitimate, he said. The attacker quickly posted updated software packages with payloads designed to intercept, manipulate and redirect cryptocurrency activity, according to researchers.

Apprehension fueled by the popularity of the 18 packages affected — capturing more than 2 billion downloads per week combined, according to Aikido Security — pushed some defenders to the brink of full-on freak-out mode. Ultimately, the open-source poisoning attack was successful, but impact was thwarted.

“There was a lot of fear, uncertainty, and doubt in sensationalized headlines about the attack,” Melissa Bischoping, senior director of security and product design research at Tanium, told CyberScoop. “The overall blast radius of the attack was relatively small, it was caught quickly, and the incident response process worked as intended. That’s a good news story, not a horror story.”

Junon said his account was restored about eight hours after he was duped by the social engineering attack, and infected versions of the packages were available for up to six hours before npm took them down and published stable versions. The most popular of the affected packages include ansi-styles, debug, chalk and supports-color.

Many expected the compromise would result in widespread cryptocurrency theft, but the downstream effects of the attack appear negligible. The attacker’s crypto address showed only $66.52, Arda Büyükkaya, senior cyber threat intelligent analyst at EclecticIQ, said in a LinkedIn post Monday. 

Researchers at blockchain analytics platform Arkham have traced about $1,027 in stolen cryptocurrency to the attack as of Wednesday morning.

“While their motivation appears financial, it’s easy to see how this could have been catastrophic and reminds us of the XZ Utils breach in 2024 and others in recent memory,” Bischoping said. 

Researchers from multiple security outfits described the compromise as the largest npm attack on record due to the potential scale of compromise. Fortunately, the attacker’s technical actions tipped off other developers.

“The attackers poorly used a widely known obfuscator, which led to immediate detection shortly after the malicious versions were published,” Andrey Polkovnichenko, security researcher at JFrog, said in a blog post. 

While the initial wave of the attack was mostly stunted, researchers warn other npm maintainers were targeted and compromised by the same phishing campaign. Other packages known to be impacted include duckdb, proto-tinker-wc, prebid-universal-creative, prebid and prebid.js, Sonatype researchers said in a blog post Monday. 

“The open-source community are so often the heroes in our industry,” Bischoping said. “The passion, dedication, and resilience of the open-source community provide value we all benefit from. Every organization should consider how they can better support, fund and contribute to open-source projects because without them the tech industry would suffer.”

The post The npm incident frightened everyone, but ended up being nothing to fret about appeared first on CyberScoop.

Federal authorities on Monday imposed sanctions on 19 people and organizations allegedly involved in major cyberscam hubs in Burma and Cambodia.

“Criminal actors across Southeast Asia have increasingly exploited the vulnerabilities of Americans online,” Secretary of State Marco Rubio said in a statement. “In 2024, Americans lost at least $10 billion to scam operations in Southeast Asia, according to a U.S. government estimate.” That’s a 66% increase from the prior year, officials said. 

People who staff these scam centers are often victimized as well. Criminal organizations in Southeast Asia recruit workers under false pretenses and use debt bondage, violence, and threats of forced prostitution to coerce them to scam strangers online via messaging apps or text messages, authorities said.

The Treasury Department’s Office of Foreign Assets Control levied sanctions against nine targets operating in Shwe Kokko, Burma, which it described as a “notorious hub for virtual currency investment scams under the protection of the OFAC-designated Karen National Army.” KNA was sanctioned as a transnational criminal organization in May. 

Tin Win, Saw Min Min Oo, Chit Linn Myaing Co., Chit Linn Myaing Toyota Co., Chit Linn Myaing Mining & Industry Co., Shwe Myint Thaung Yinn Industry and Manufacturing Co., She Zhijang, Yatai International Holdings Group and Myanmar Yatai International Holding Group Co. were all sanctioned for their alleged involvement in these scam centers near Burma’s border with Thailand.

She Shijiang and Saw Chit Thu, the leader of the KNA who was previously sanctioned in May, are accused of transforming a small village in Shwe Kokko into a city built for gambling, drug trafficking, prostitution and a compound of scam centers. Tin Win and Saw Min Min Oo allegedly control property that hosts the scam centers and personally run organizations that support the operations.

“Southeast Asia’s cyber scam industry not only threatens the well-being and financial security of Americans, but also subjects thousands of people to modern slavery,” John K. Hurley, under secretary of the Treasury for terrorism and financial intelligence, said in a statement.

The Treasury Department also sanctioned four people and six organizations for their alleged involvement in forced labor compounds in Cambodia that operate virtual currency investment scams targeting victims in the United States, Europe, China and elsewhere. 

T C Capital Co., K B Hotel Co., K B X Investment Co., M D S Heng He Investment Co., Heng He Bavet Property Co., HH Bank Cambodia, Dong Lecheng, Xu Aimin, Chen Al Len and Su Liangsheng were all sanctioned for their alleged involvement in scam centers in Cambodia. 

“These sanctions protect Americans from the pervasive threat of online scam operations by disrupting the ability of criminal networks to perpetuate industrial-scale fraud, forced labor, physical and sexual abuse, and theft of Americans’ hard-earned savings,” Rubio said.

The post Treasury Department targets Southeast Asia scam hubs with sanctions appeared first on CyberScoop.

The FBI released a trove of research on The Com last week, warning that the sprawling cybercriminal network of minors and young adults is growing rapidly and splintering into three primary subsets described by officials as Hacker Com, In Real Life Com and Extortion Com.

The warnings lay out how The Com’s thousands of members, typically between 11 and 25 years old, pose a rising threat, especially to youth online, the FBI said. Criminal acts committed by these multiple, interconnected networks include swatting, extortion and sextortion of minors, production and distribution of child sexual abuse material, violent crime and various other cybercrimes, the bureau said.

“The motivations behind the criminal activity vary, but often fall within one of the following: financial gain, retaliation, ideology, sexual gratification and notoriety,” the FBI said in a public service announcement.

Crimes attributed to members of The Com have grown increasingly complex, with perpetrators going to great lengths to mask identities, hide financial transactions and launder money. The Com generally targets young and impressionable people for recruitment on gaming sites and social media platforms to indoctrinate them into their ideology, officials said.

Various subsections of this group have been linked to high-profile crimes over the past few years. In April, two men accused of leading a Com offshoot known as “764” were charged with operating an international child exploitation enterprise. Scattered Spider, another offshoot, tends to focus on cybercrime like ransomware and data extortion. 

Allison Nixon, chief research officer at Unit 221B, commended the level of detail the FBI shared across the series of PSAs, noting that the agency left nothing of importance out of its warnings. Nixon has studied domestic and English-speaking cybercrime and tracked its rise for more than a decade.

“The assessments in this PSA are consistent with what we have seen. There has been a population explosion in The Com and it is good to see law enforcement respond to this — not just with a PSA but with real crackdowns,” she said.

“Hopefully this PSA helps the public understand that many cybercrime arrests nowadays implicate gang violence and sexual crime against children, by children.”

Hacker Com

Hacker Com members are involved in a vast array of cybercrime activities, including distributed denial-of-service attacks, personally identifiable information theft, the sale of government email accounts, ransomware attacks, phishing, malware development and deployment, cryptocurrency theft, intrusions and SIM swapping, according to the FBI.

Scattered Spider, which is responsible for attacks on more than 100 businesses since 2022, is included in this subset.

This subset of The Com uses remote access trojans, phishing kits, voice over internet protocol providers, voice modulators, virtual private networks, cryptocurrency cash-out services, live-streaming services and encrypted email domains, officials said.

“Open-source information indicates Hacker Com groups are responsible for high-profile attacks and intrusions and have affiliations with ransomware organizations,” the FBI said in a PSA dedicated solely to Hacker Com.

The group also has been observed using the same attack methods against each other. The FBI warning details how internal conflicts are common among members of The Com. Personal disputes or rivalries — often over cryptocurrency — frequently lead Hacker Com members to attack and steal from one another, the FBI said.

In Real Life (IRL) Com

Some Com subgroups have gone beyond digital means, offering swat-for-hire services and targeting members for swatting and doxxing, kidnapping and physical extortion, which the FBI refers to as “IRL Com.” 

“The intensification of these online conflicts has resulted in the emergence of a new layer of The Com known as In Real Life (IRL) Com, which includes subgroups that aim to facilitate real world acts of violence, oftentimes resulting from online conflicts,” the FBI said.

Acts of physical violence have intensified and expanded to other layers of The Com, as multiple subgroups adopt similar methods of retaliation, the FBI said in a PSA dedicated solely to IRL Com. Some subgroups advertise contracts on messaging apps or other social media networks to commit violence or swatting for payment. 

“IRL Com groups also see swatting as a way of gaining credibility among members; the more attention a swatting incident gets, the more attention the member receives from the group,” the FBI said. “Leaders from IRL Com groups may use swatting to ensure members of the group remain obedient. When members of the IRL Com group disobey orders or refuse to comply with demands, the member or the member’s family may become the target of swatting.”

Extortion Com

The FBI also released a PSA about a subgroup it calls “Extortion Com,” which “systematically targets underage females” and vulnerable populations, including children and those who struggle with mental health issues.

“Victims are typically between the ages of 10 and 17 years old, but the FBI has seen some victims as young as 9 years old,” the FBI said in its PSA. “Threat actors often groom their victims by first establishing a trusting or romantic relationship before eventually manipulating and coercing them into engaging in escalating harmful behavior designed to shame and isolate them.”

Officials said these acts are driven by a range of personal motives, including the pursuit of social status, sexual gratification or a sense of belonging. 

The FBI warns that members of this subgroup manipulate or coerce their victims to produce pornographic material or other videos depicting animal cruelty and self-harm, oftentimes further threatening to share the material with victims’ families, friends or other public communities on the internet.

Two alleged leaders of the child sextortion group 764 were arrested and charged for directing and distributing CSAM in April. The two men, Leonidas Varagiannis and Prasan Nepal, are accused of exploiting at least eight minor victims, some as young as 13 years old, and face charges that carry a maximum penalty of life in prison.

Officials advised people to look for warning signs that a victim may be targeted by The Com and shared resources for help, including the National Center for Missing and Exploited Children’s CyberTipline and Take It Down service. Victims are encouraged to retain all information about an incident and immediately report to the FBI’s Internet Crime Complaint Center and an FBI Field Office.

The post FBI alerts tie together threats of cybercrime, physical violence from The Com appeared first on CyberScoop.