Posts

Showing posts from May, 2025

7 Malicious PyPI Packages Abuse Gmail’s SMTP Protocol to Execute Malicious Commands

A highly advanced software supply chain attack has been uncovered, which exploits Python Package Index (PyPI) repositories to spread malware. This attack uses Google’s SMTP infrastructure as a covert command-and-control (C2) channel. The campaign distributed seven malicious packages—Coffin-Codes-Pro, Coffin-Codes-NET2, Coffin-Codes-NET, Coffin-Codes-2022, Coffin2022, Coffin-Grave, and cfc-bsb—which collectively exceeded 55,000 downloads before being taken down. Advanced Communication Method: These malicious packages establish an SMTP connection to Gmail’s servers using embedded credentials. Through this, a two-way communication tunnel is formed, allowing attackers to run remote commands and extract data from compromised systems. This method is particularly stealthy, as SMTP traffic typically bypasses firewall and endpoint defenses due to its appearance as normal outbound email communication. The Coffin-Codes-Pro package exemplifies this attack. Once the initial SMTP connect...

The AI-Powered Reboot: Rethinking Defense for Web Apps and APIs

Security has seen quite a bit of transformation in a short amount of time thanks to artificial intelligence (AI). From completely new threat types we’d never even considered all the way to “upcycled” vulnerabilities that are using new vectors to become relevant again, defenders are getting a crash course in the power AI can wield — on both the resourceful and malicious fronts. This is particularly true of blue teams who defend Layer 7. Nation-state attackers and emotional teenagers alike have adopted AI to execute cybercrime by deploying a new generation of sophisticated, automated tools. Attacks on web applications are surging at a rate that’s as dramatic as a high school breakup — our analysts observed a 33% year-over-year increase in 2024. And APIs have emerged as a steadily growing target, with 150 billion documented attacks on APIs in 2024. We can’t blame it all on AI, though; there’s not usually a single reason for changes in malicious activit...

When Your “Security” Plugin is the Hacker

Source: The Hacker News. Imagine installing a plugin that promises to protect your WordPress site, only to find out later that it left the door wide open for attackers. That’s exactly what’s been happening in a recent malware campaign where a fake WordPress security plugin is acting more like a saboteur than a shield. Researchers have uncovered a plugin going by the name wp-antymalwary-bot.php, posing as a security solution while silently handing over admin access to threat actors. Once installed, it injects a stealthy backdoor into the site, letting attackers execute remote commands and manipulate content without raising any red flags. It’s a slick operation. Nothing shows up in the admin panel, and the plugin re-installs itself even after deletion, using a tampered wp-cron.php file as its anchor. Under the Hood: The attackers aren’t just brute-forcing their way in; they’ve baked persistence into the plugin itself. Once active, the malware uses a function called emergency_login_all_a...