
A self-propagating JavaScript worm, spying on Gucci customers, and other cybersecurity news

We round up the week’s biggest cybersecurity stories.

  • Blockchain developers are increasingly in hackers’ crosshairs.
  • Canadian police seized more than $40m in cryptocurrency.
  • A self-replicating worm is battering the JavaScript ecosystem.
  • An attack on the auto industry could affect the UK economy.

Blockchain developers are increasingly in hackers’ crosshairs

Software developers are drawing growing interest from crypto thieves. According to cybersecurity firm Koi Security, the WhiteCobra group targeted users of the VSCode, Cursor and Windsurf code editors, posting 24 malicious extensions on Visual Studio Marketplace and the Open VSX registry.

One victim of the “drainers” was a key Ethereum developer, Zak Cole.

He said cybercriminals stole his crypto using a plugin for Cursor, an AI code editor. Cole explained that the extension looked benign: a professional logo, a detailed description and 54,000 downloads on OpenVSX, Cursor’s official registry.

Koi Security believes WhiteCobra is part of the same group that in July stole $500,000 in digital assets from a Russian blockchain developer.

“Cross-compatibility and the lack of proper vetting when publishing on these platforms make them ideal for threat actors seeking to run broad-reach campaigns,” the Koi Security report says.

The wallet drain begins when the extension's main file, extension.js, runs. That file is almost identical to the boilerplate Hello World extension.js that the VS Code extension generator produces, so a quick look at the source reveals nothing amiss. Once it executes, the malware unpacks a credential stealer built for the victim's operating system.

WhiteCobra is zeroing in on holders of digital assets worth $10,000–$500,000. Analysts reckon the group can spin up a fresh campaign in under three hours.

An example of a legitimate and a fake developer extension. Source: Koi Security.

For now, the attackers are hard to stop: malicious plugins are removed from OpenVSX only for new ones to pop up.

Researchers advise sticking to well-known, reputable projects and treating with caution any new release that racks up downloads and glowing reviews in short order.

Canadian police seized more than $40m in cryptocurrency

Canada’s federal police carried out the largest crypto seizure in the country’s history, noted on-chain sleuth ZachXBT.

Officers confiscated digital assets worth more than 56m Canadian dollars (~$40.5m) from the TradeOgre platform. It was also the first time a cryptocurrency exchange had been shut down in Canada.

The probe began in June 2024 following a tip from Europol. It found that the venue had violated Canadian law: it was operating without having registered with the Financial Transactions and Reports Analysis Centre (FINTRAC) as a money services business.

Investigators have reason to believe most funds moving through TradeOgre came from criminal sources. The platform attracted wrongdoers by forgoing mandatory user identity checks.

According to police, transaction data obtained from TradeOgre will be analysed to bring charges. The investigation continues.

A self-propagating worm is attacking the JavaScript ecosystem

After an earlier attack that injected malware into popular NPM packages, the perpetrators have moved on to a fully fledged worm. The incident is snowballing: at the time of writing, more than 500 NPM packages are known to be compromised.

The coordinated campaign, Shai-Hulud, began on September 15th by compromising @ctrl/tinycolor, which is downloaded over 2m times a week.

According to analysts at Truesec, the campaign has since widened considerably and now includes packages published under the CrowdStrike namespace.

Experts say the tainted versions carry a function that downloads the package's tarball, extracts it, modifies package.json, drops a local script into the package, repacks the archive and republishes it using npm tokens harvested from the victim. On installation, that script runs automatically as an npm lifecycle (postinstall) hook: it downloads and executes TruffleHog, a legitimate secret-scanning tool, to harvest npm and GitHub tokens and other credentials from the victim's machine.

Truesec believes the attack is scaling rapidly and growing more sophisticated. While the attackers reuse many old tricks, they have refined them into a fully autonomous worm. Its standout feature is how it spreads: instead of relying on a single trojanised package, it automatically propagates to every other package the harvested publishing tokens can reach.

A car-industry attack could weigh on Britain’s economy

Jaguar Land Rover (JLR) has failed to restart production for a third week after a cyberattack. The luxury carmaker said its assembly lines will remain halted at least until September 24th.

The company confirmed data was stolen from its network but has yet to pin the attack on a specific hacking group.

According to BleepingComputer, a gang calling itself Scattered Lapsus$ Hunters claimed responsibility, posting screenshots of JLR’s internal systems on Telegram. The post alleges the hackers also deployed ransomware on the firm’s compromised infrastructure.

BBC estimates each week of downtime costs the company at least £50m (~$68m). The Telegraph puts weekly losses at about $100m. JLR’s suppliers fear they cannot weather the sudden shock and worry about going bankrupt.

Secret data from China’s Great Firewall spilled online

On September 12th, researchers from the Great Firewall Report team reported the biggest leak in the history of China’s “Great Firewall”.

Roughly 600GB of internal documents, source code and developers’ internal correspondence used to build and maintain the national traffic-filtering system have appeared online.

Researchers say the leak includes full build systems for traffic-tracking platforms, as well as modules for detecting and throttling specific censorship-circumvention tools. Much of the stack targets detection of VPNs, which are banned in China.

Great Firewall Report specialists claim parts of the documentation relate to Tiangou, a commercial product for use by ISPs and border gateways. Early iterations of the programme were allegedly deployed on HP and Dell servers.

The documents also mention deployments in 26 data centres in Myanmar. The system was reportedly operated by the state telecoms firm and integrated at major internet exchange points, enabling both mass blocking and selective filtering.

According to Wired and Amnesty International, the infrastructure has also been exported to Pakistan, Ethiopia, Kazakhstan and other countries, where it is used alongside other lawful-intercept platforms.

Luxury consumers in hackers’ crosshairs

On September 15th, Kering, owner of multiple luxury brands, confirmed a data breach affecting customers of its subsidiaries Gucci, Balenciaga, Alexander McQueen and Yves Saint Laurent.

Per BBC, the hackers stole personal data including names, email addresses, phone numbers, home addresses and the total amounts customers spent in stores worldwide.

The attack is allegedly the work of ShinyHunters, which claims to have stolen personal data on at least 7m people, though the true tally is likely far higher.

The group is also suspected of pilfering multiple databases hosted on Salesforce. Several firms, including Allianz Life, Google, Qantas and Workday, have confirmed data theft as a result of these mass breaches.

Also on ForkLog:

What to read this weekend?

ForkLog examined proposals from Privacy Stewards for Ethereum—a new team within the Ethereum Foundation—and outlined how the organisation aims to embed privacy at every layer of the network, up to and including applications.
