Red Hat on Thursday confirmed an attacker gained access to and stole data from a GitLab instance used by its consulting team, exposing some customer data. The open-source software company, a subsidiary of IBM, said the breach is contained and an investigation into the attack is underway. 

“Upon detection, we promptly launched a thorough investigation, removed the unauthorized party’s access, isolated the instance, and contacted the appropriate authorities,” Red Hat said in a security update. “Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance.”

Red Hat said the compromised GitLab instance contained work related to consulting engagements with some customers, including project specifications, example code snippets and internal communications about the consulting services. 

“This GitLab instance typically does not house sensitive personal data,” Red Hat said. “While our analysis remains ongoing, we have not identified sensitive personal data within the impacted data at this time.”

GitLab underscored that the incident involves a self-managed instance of its free GitLab Community Edition. “There has been no breach of GitLab’s managed systems or infrastructure. GitLab remains secure and unaffected,” a GitLab spokesperson said in a statement.

“Customers who deploy free, self-managed instances on their own infrastructure are responsible for securing their instances, including applying security patches, configuring access controls, and maintenance,” the spokesperson added.

A cybercrime group calling itself Crimson Collective claimed responsibility for the attack and said it stole more than 28,000 repositories from Red Hat’s GitLab instance. The threat group published a directory tree on Telegram listing the names of hundreds of companies it claims were impacted by the attack. 

The Centre for Cybersecurity Belgium published a warning Thursday, describing the breach as a high risk that potentially exposed sensitive information including credentials, tokens and network configuration data shared with Red Hat’s consulting team. 

“We have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain,” a spokesperson said in a statement. 

The company said potential exposure is limited to Red Hat Consulting customers, adding that those who are impacted will be notified directly.

“Red Hat takes the security and integrity of our systems and the data entrusted to us extremely seriously, and we are addressing this issue with the highest priority,” the company said.

Red Hat did not say when it detected the intrusion, but said additional hardening measures have been implemented to prevent further access.

Update: 10/3/2025, 10:13 a.m.: This story was updated to include comments from GitLab.

The post Red Hat confirms breach of GitLab instance, which stored company’s consulting data appeared first on CyberScoop.

Threat actors impersonating PyPI ask users to verify their email for security purposes, directing them to fake websites.

The post PyPI Warns Users of Fresh Phishing Campaign appeared first on SecurityWeek.

Security professionals and observers across the industry got swept into a pit of fear Monday when an attacker took over and injected malicious code into a series of widely used open-source packages in the node.js package manager, or npm. Despite all that worry, the disaster that many presumed a foregone conclusion was averted and the consequences of the supply-chain attack were short-lived and minimal. 

Josh Junon, a developer and maintainer of the impacted software packages, took to social media early Monday to confirm his npm account was compromised via social engineering — a two-factor reset email that looked legitimate, he said. The attacker quickly posted updated software packages with payloads designed to intercept, manipulate and redirect cryptocurrency activity, according to researchers.

Apprehension fueled by the popularity of the 18 packages affected — capturing more than 2 billion downloads per week combined, according to Aikido Security — pushed some defenders to the brink of full-on freak-out mode. Ultimately, the open-source poisoning attack was successful, but impact was thwarted.

“There was a lot of fear, uncertainty, and doubt in sensationalized headlines about the attack,” Melissa Bischoping, senior director of security and product design research at Tanium, told CyberScoop. “The overall blast radius of the attack was relatively small, it was caught quickly, and the incident response process worked as intended. That’s a good news story, not a horror story.”

Junon said his account was restored about eight hours after he was duped by the social engineering attack, and infected versions of the packages were available for up to six hours before npm took them down and published stable versions. The most popular of the affected packages include ansi-styles, debug, chalk and supports-color.

Many expected the compromise would result in widespread cryptocurrency theft, but the downstream effects of the attack appear negligible. The attacker’s crypto address showed only $66.52, Arda Büyükkaya, senior cyber threat intelligent analyst at EclecticIQ, said in a LinkedIn post Monday. 

Researchers at blockchain analytics platform Arkham have traced about $1,027 in stolen cryptocurrency to the attack as of Wednesday morning.

“While their motivation appears financial, it’s easy to see how this could have been catastrophic and reminds us of the XZ Utils breach in 2024 and others in recent memory,” Bischoping said. 

Researchers from multiple security outfits described the compromise as the largest npm attack on record due to the potential scale of compromise. Fortunately, the attacker’s technical actions tipped off other developers.

“The attackers poorly used a widely known obfuscator, which led to immediate detection shortly after the malicious versions were published,” Andrey Polkovnichenko, security researcher at JFrog, said in a blog post. 

While the initial wave of the attack was mostly stunted, researchers warn other npm maintainers were targeted and compromised by the same phishing campaign. Other packages known to be impacted include duckdb, proto-tinker-wc, prebid-universal-creative, prebid and prebid.js, Sonatype researchers said in a blog post Monday. 

“The open-source community are so often the heroes in our industry,” Bischoping said. “The passion, dedication, and resilience of the open-source community provide value we all benefit from. Every organization should consider how they can better support, fund and contribute to open-source projects because without them the tech industry would suffer.”

The post The npm incident frightened everyone, but ended up being nothing to fret about appeared first on CyberScoop.

Two executive orders President Donald Trump has signed in recent months could prove to have a more dramatic impact on cybersecurity than first thought, for better or for worse.

Overall, some of Trump’s executive orders have been more about sending a message than spurring lasting change, as there are limits to their powers. Specifically, some of the provisions of the two executive orders with cyber ramifications — one from March on state and local preparedness generally, and one from June explicitly on cybersecurity — are more puzzling to cyber experts than anything else, while others preserve policies of the prior administration which Trump has criticized in harsh terms. Yet others might fall short of the orders’ intentions, in practice.

But amid the flurry of personnel changes, budget cuts and other executive branch activity in the first half of 2025 under Trump, the full scope of the two cyber-related executive orders might have been somewhat overlooked. And the effects of some of those orders could soon begin coming to fruition as key top Trump cyber officials assume their posts.

The Foundation for Defense of Democracies’ Mark Montgomery said the executive orders were “more important” than he originally understood, noting that he “underestimated” the March order after examining it more closely. Some of the steps would be positive if fully implemented, such as the preparedness order’s call for the creation of a national resilience strategy, he said.

The Center for Democracy & Technology said the June order, which would unravel some elements of executive orders under presidents Joe Biden and Barack Obama, would have a negative effect on cybersecurity.

“Rolling back numerous provisions focused on improving cybersecurity and identity verification in the name of preventing fraud, waste, and abuse is like claiming we need safer roads while removing guardrails from bridges,” said the group’s president, Alexandra Reeve Givens. “The only beneficiaries of this step backward are hackers who want to break into federal systems, fraudsters who want to steal taxpayer money from insecure services, and legacy vendors who want to maintain lucrative contracts without implementing modern security protections.”

The big changes and the in-betweens

Perhaps the largest shift in either order is the deletion of a section of an executive order Biden signed in January on digital identity verification that was intended to fight cybercrime and fraud. In undoing the measures in that section, the White House asserted that it was removing mandates “that risked widespread abuse by enabling illegal immigrants to improperly access public benefits.”

One critic, speaking on condition of anonymity to discuss the changes candidly, said “there’s not a single true statement or phrase or word in” the White House’s claim. The National Security Council did not respond to requests for comment on the order.

Some, though, such as Nick Leiserson of the Institute for Security and Technology, observed that the digital identities language in the Biden order was among the “weakest” in the document, since it only talked about how agencies should “consider” ways to accept digital identities.

The biggest prospective change in the March order was a stated shift for state and local governments to handle disaster preparedness, including for cyberattacks, a notion that drew intense criticism from cyber experts at the time who said states don’t have the resources to defend themselves against Chinese hackers alone. But that shift could have bigger ripples than originally realized.

Errol Weiss, chief security officer at the Health-ISAC, an organization devoted to exchanging threat information in the health sector, said that as the Cybersecurity and Infrastructure Security Agency has scaled back the free services it offers like vulnerability scanning, states would hypothetically have to step into that gap to aid entities like the ones Weiss serves. “If that service goes away, and pieces of it probably already have, there’s going to be a gap there,” he said.

Some of the changes from the March order might only be realized now that the Senate has confirmed Sean Cairncross as national cyber director, or after the Senate takes action on Sean Plankey to lead CISA, said Jim Lewis, a fellow at the Center for European Policy Analysis.

For instance: The order directs a review of critical infrastructure policy documents, including National Security Memorandum 22, a rewrite of a decade-old directive meant to foster better threat information sharing and respond to changing threats. There are already signs the administration plans to move away from that memorandum, a development that a Union of Concerned Scientists analyst said was worrisome, but critics of the memo such as Montgomery said a do-over could be a good thing.

Most of the other biggest potential changes, however, are in the June order. This is a partial list:

• It eliminates a requirement under the January Biden order that government vendors provide certifications about the security of their software development to CISA for review. “I just don’t think that you can play the whole, ‘We care about cyber,’ and, ‘Oh, by the way, this incredible accountability control? We rolled that back,’” said Jake Williams, director of research and development at Hunter Strategy.
• It removes another January Biden order requirement that the National Institute of Standards and Technology develop new guidance on minimum cybersecurity practices, thought to be among that order’s “most ambitious prescriptions.”
• It would move CISA in the direction of implementing a “no-knock” or “no-notice” approach to hunting threats within federal agencies, Leiserson noted.
• It strikes language saying that the internet data routing rules known as Border Gateway Protocol are “vulnerable to attack and misconfiguration,” something Williams said might ease pressure on internet service providers to make improvements. “The ISPs know it’s going to cost them a ton to address the issue,” he said.
• It erases a requirement from the Biden order that contained no deadline, but said that federal systems must deploy phishing-resistant multi-factor authentication. 
• It deletes requirements for pilot projects stemming from the Defense Advanced Research Projects Agency-led Artificial Intelligence Cyber Challenge. DARPA recently completed its 2025 challenge, awarding prize money at this year’s DEF CON cybersecurity conference.
• It says that “agencies’ policies must align investments and priorities to improve network visibility and security controls to reduce cyber risks,” a change security adviser and New York University adjunct professor Alex Sharpe praised.

Some of the changes led to analysts concluding, alternatively, a continuation or rollback of directives from the January Biden executive order on things like federal agency email encryption or post-quantum cryptography.

The head-scratchers and the mysteries

Some of the moves in the June order perplexed analysts.

One was specifying that cyber sanctions must be limited, in the words of a White House fact sheet, “to foreign malicious actors, preventing misuse against domestic political opponents and clarifying that sanctions do not apply to election-related activities.” The Congressional Research Service could find no indication that cyber sanctions had been used domestically, and said the executive order appears to match prior policy.

Another is the removal of the NIST guidance on minimum cybersecurity practices. “If you’re trying to deregulate, why kill the effort to harmonize the standards?” Sharpe asked. 

Yet another is deletion of a line from the January Biden order to the importance of open-source software. “This is a bit puzzling, as open source software does underlie almost all software, including federal systems,” Leiserson wrote (emphasis his).

Multiple sources told CyberScoop it’s unclear who wrote the June order and whom they consulted with in doing so. One source said some agency personnel complained about the lack of interagency vetting of the document. Another said Alexei Bulazel, the NSC director of cyber, appeared to have no role in it.

Another open question is how much force will be put behind implementing the June order.

It loosens the strictness with which agencies must carry out the directives it lays out, at least compared with the January Biden order. It gives the national cyber director a more prominent role in coordination, Leiserson said. And it gives CISA new jobs.

“Since President Trump took office — and strengthened by his Executive Order in June — CISA has taken decisive action to bolster America’s cybersecurity, focusing on critical protections against foreign cyber threats and advancing secure technology practices,” said Marci McCarthy, director of public affairs for CISA.

California Rep. Eric Swalwell, the top Democrat on the House Homeland Security Committee’s cyber subpanel, told CyberScoop he was skeptical about what the June executive order signalled about Trump’s commitment to cybersecurity.

“The President talks tough on cybersecurity, but it’s all for show,” he said in a statement. “He signed the law creating CISA and grew its budget, but also rolled back key Biden-era protections, abandoned supply chain efforts, and drove out cyber experts. CISA has lost a third of its workforce, and his FY 2026 budget slashes its funding …

“Even if his cyber and AI goals are sincere, he’s gutted the staff needed to meet them,” Swalwell continued. “He’s also made the government less secure by giving unvetted allies access to sensitive data. His actions don’t match his words.”

Montgomery said there was a contradiction between the June order giving more responsibilities to agencies like NIST while the administration was proposing around a 20% cut to that agency, and the March order shifting responsibilities to state and local governments without giving them the resources to handle it.

A WilmerHale analysis said that as the administration shapes cyber policy, the June order “signals what that approach is likely to be: removing requirements perceived as barriers to private sector growth and expansion while preserving key requirements that protect the U.S. government’s own systems against cyber threats posed by China and other hostile foreign actors.”

For all of the changes it could make, analysts agreed the June order does continue a fair number of Biden administration policies, like commitments to the Cyber Trust Mark labeling initiative, space cybersecurity policy and requirements for defense contractors to protect sensitive information.

Some of those proposals didn’t get very far before the changeover from Biden to Trump. But it might be easier for the Trump administration to achieve its goals.

“It’s hard to say the car is going in the wrong direction when they haven’t started the engine,” Lewis said. “These people don’t have the same problem, this current team, because they’re stripping stuff back. They’re saying, ‘We’re gonna do less.” So it’s easier to do less.”

The post The overlooked changes that two Trump executive orders could bring to cybersecurity appeared first on CyberScoop.

AsyncRAT, the most prevalent remote access trojan observed in the wild, has spawned more than 30 forks and variants that increase the impact of the open-source malware, making it a popular and sometimes disguised tool of choice for cybercriminals, ESET researchers said in a report released Tuesday. 

The open source remote access tool, which was first released on GitHub in 2019, shows up consistently in cyberattacks, most commonly distributed through spam campaigns, phishing and malicious ads, but also via exploited software vulnerabilities in more targeted operations, Nikola Knežević, malware researcher at ESET, told CyberScoop.

“Over the past year alone, we have detected activity consistent with tens of thousands of unique infected machines associated with AsyncRAT and its variants,” Knežević said.

AsyncRAT remains the most widely deployed, but other variants have been widely distributed, accounting for a significant number of attacks linked to the tree of remote access trojans. ESET telemetry determined DcRat is the most widely distributed fork, accounting for 24% of unique sample infections, followed by VenomRAT at 8%.

“Of all the forks we’ve come across, we believe VenomRAT to be one of the more concerning ones, largely due to its enhanced stealth, plethora of plugins and offensive capabilities,” Knežević said. “Unlike its simpler cousin, DcRat, VenomRAT integrates many of its features directly into the client, reducing reliance on external modules and making it more self-contained. It is also frequently bundled with phishing kits and deployed in multi-stage attacks.”

ESET identified multiple forks of AsyncRAT in its report, noting that some clones that authors publicly acknowledged as jokes, have been observed in the wild. 

“The uniqueness of AsyncRAT or its variants doesn’t lie in any single technical feature, but rather the sheer scale and fluidity of its evolution. Unlike other open-source modular remote access trojans, AsyncRAT has spawned an unusually large number of forks, ranging from serious threats like VenomRAT and DcRat to novelty variants like SantaRAT,” Knežević said.

AsyncRAT includes common remote access trojan functionalities, including keylogging, screen capturing and credential theft, but additional capabilities have popped up in various forks over time. 

“This diversity makes it more challenging to maintain consistent detection rules, as each fork may introduce altered configuration layouts, add new layers of obfuscation, or completely revamp the original codebase,” Knežević said.

Some forks, such as VenomRAT, could be considered and may appear as standalone malware because of the many features they contain, but they are all part of the same malware family, according to ESET. Defenders can usually identify forks in the malware’s configuration settings and values. 

“They share a common lineage and exhibit overlapping traits, such as similar configuration structures, encryption routines, and plugin architectures, which make them relatively easy to classify,” Knežević said. “Recognizing these shared characteristics is crucial for defenders, as it allows for more effective detection and attribution, even when the malware has been heavily obfuscated or superficially rebranded.”

The post AsyncRAT seeds family of more than 30 remote access trojans appeared first on CyberScoop.