{"id":89103,"date":"2025-09-20T07:00:00","date_gmt":"2025-09-20T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=89103"},"modified":"2025-09-20T09:07:35","modified_gmt":"2025-09-20T06:07:35","slug":"a-self-propagating-javascript-worm-spying-on-gucci-customers-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/a-self-propagating-javascript-worm-spying-on-gucci-customers-and-other-cybersecurity-news\/","title":{"rendered":"A self-propagating JavaScript worm, spying on Gucci customers, and other cybersecurity news"},"content":{"rendered":"<p>We round up the week\u2019s biggest cybersecurity stories.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Blockchain developers are increasingly in hackers\u2019 crosshairs.<\/li>\n<li>Canadian police seized more than $40m in cryptocurrency.<\/li>\n<li>A self-replicating worm is battering the JavaScript ecosystem.<\/li>\n<li>An attack on the auto industry could affect the UK economy.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">Blockchain developers are increasingly in hackers\u2019 crosshairs<\/h2>\n<p>Software developers are drawing growing interest from crypto thieves. According to cybersecurity firm <a href=\"https:\/\/www.koi.security\/blog\/whitecobra-vscode-cursor-extensions-malware\">Koi Security<\/a>, the WhiteCobra group targeted users of the VSCode, Cursor and Windsurf code editors, posting 24 malicious extensions on Visual Studio Marketplace and the Open VSX registry.<\/p>\n<p>One victim of the \u201cdrainers\u201d was a key Ethereum developer, Zak Cole.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">I&#8217;ve been in crypto for over 10 years and I\u2019ve Never been hacked. 
Perfect OpSec record.<\/p>\n<p>Yesterday, my wallet was drained by a malicious <a href=\"https:\/\/twitter.com\/cursor_ai?ref_src=twsrc%5Etfw\">@cursor_ai<\/a> extension for the first time.<\/p>\n<p>If it can happen to me, it can happen to you. Here\u2019s a full breakdown. \ud83e\uddf5\ud83d\udc47<\/p>\n<p>\u2014 zak.eth (@0xzak) <a href=\"https:\/\/twitter.com\/0xzak\/status\/1955265807807545763?ref_src=twsrc%5Etfw\">August 12, 2025<\/a><\/p><\/blockquote>\n<p>He said cybercriminals stole his crypto using a plugin for Cursor, an AI code editor. Cole explained that the extension looked benign: a professional logo, a detailed description and 54,000 downloads on OpenVSX, Cursor\u2019s official registry.<\/p>\n<p>Koi Security believes WhiteCobra is part of the same group that in July <a href=\"https:\/\/forklog.com\/en\/news\/ai-at-fraudsters-service-ukrainian-phishers-dismantled-and-other-cybersecurity-developments\">stole<\/a> $500,000 in digital assets from a Russian blockchain developer.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cCross-compatibility and the lack of proper vetting when publishing on these platforms make them ideal for threat actors seeking to run broad-reach campaigns,\u201d<\/em> the Koi Security report says.<\/p>\n<\/blockquote>\n<p>The wallet drain begins when the main file, extension.js, runs. It is nearly identical to the standard Hello World template that ships with every VSCode extension. The malware then unpacks a stealer tailored to the user\u2019s operating system.<\/p>\n<p>WhiteCobra is zeroing in on holders of digital assets worth $10,000\u2013$500,000. 
Analysts reckon the group can spin up a fresh campaign in under three hours.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"631\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-984a3b102a2471be-4688937369992176-1024x631.png\" alt=\"image\" class=\"wp-image-266063\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-984a3b102a2471be-4688937369992176-1024x631.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-984a3b102a2471be-4688937369992176-300x185.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-984a3b102a2471be-4688937369992176-768x473.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-984a3b102a2471be-4688937369992176-1536x947.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-984a3b102a2471be-4688937369992176.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">An example of a legitimate and a fake developer extension. Source: Koi Security.<\/figcaption><\/figure>\n<p>For now, the attackers are hard to stop: malicious plugins are removed from OpenVSX only for new ones to pop up.<\/p>\n<p>Researchers advise sticking to well-known, reputable projects and treating with caution any new release that racks up downloads and glowing reviews in short order.<\/p>\n<h2 class=\"wp-block-heading\">Canadian police seized more than $40m in cryptocurrency<\/h2>\n<p>Canada\u2019s federal police <a href=\"https:\/\/rcmp.ca\/en\/news\/2025\/09\/rcmp-executes-record-seizure-more-56-million-dollars-cryptocurrency\">carried out<\/a> the largest crypto seizure in the country\u2019s history, noted on-chain sleuth <a href=\"https:\/\/t.me\/investigations\/275\">ZachXBT<\/a>.<\/p>\n<p>Officers confiscated digital assets worth over 56m Canadian dollars (~$40.5m) from the TradeOgre platform. 
Shutting down a cryptocurrency exchange platform was a first of its kind in the country.<\/p>\n<p>The probe began in June 2024 following a tip from Europol. It found the venue violated Canadian law and had not registered with the Financial Transactions and Reports Analysis Centre as a money services business.<\/p>\n<p>Investigators have reason to believe most funds moving through TradeOgre came from criminal sources. The platform attracted wrongdoers by forgoing mandatory user identity checks.<\/p>\n<p>According to police, transaction data obtained from TradeOgre will be analysed to bring charges. The investigation continues.<\/p>\n<h2 class=\"wp-block-heading\">A self-propagating worm is attacking the JavaScript ecosystem<\/h2>\n<p>After an <a href=\"https:\/\/forklog.com\/en\/news\/hackers-target-javascript-ecosystem-to-hijack-crypto-wallets\">attack<\/a> on NPM to inject malware into JavaScript packages, the perpetrators <a href=\"https:\/\/socket.dev\/blog\/tinycolor-supply-chain-attack-affects-40-packages\">shifted<\/a> to a fully fledged worm. The incident is snowballing: at the time of writing, more than 500 NPM packages are known to be compromised.<\/p>\n<p>The coordinated campaign, <span data-descr=\"a reference to Shai-Hulud\u2014the sandworms from Frank Herbert\u2019s Dune saga\" class=\"old_tooltip\">Shai-Hulud<\/span>, began on September 15th by compromising @ctrl\/tinycolor, which is downloaded over 2m times a week.<\/p>\n<p>According to analysts at <a href=\"https:\/\/www.truesec.com\/hub\/blog\/500-npm-packages-compromised-in-ongoing-supply-chain-attack-shai-hulud\">Truesec<\/a>, the campaign has since widened considerably and now includes packages published under the CrowdStrike namespace.<\/p>\n<p>Experts say the tainted variants contain a function that extracts the package\u2019s tar archive, modifies package.json, injects a local script, rebuilds the archive and republishes it. 
On installation, a script executes automatically to download and run TruffleHog, a legitimate tool for scanning secrets and finding tokens.<\/p>\n<p>Truesec believes the attack is scaling rapidly and growing more sophisticated. While the attackers reuse many old tricks, they have refined them into a fully autonomous worm. The malware does the following:<\/p>\n<ul class=\"wp-block-list\">\n<li>collects secrets and publicly discloses them on GitHub;<\/li>\n<li>runs TruffleHog and queries cloud metadata endpoints to extract sensitive credentials;<\/li>\n<li>attempts to inject a GitHub Actions workflow designed to exfiltrate data via webhook.site;<\/li>\n<li>enumerates all GitHub repositories for the compromised user and forcibly makes them public.<\/li>\n<\/ul>\n<p>Its standout feature is its method: instead of relying on a single infected object, it automatically spreads to all NPM packages.<\/p>\n<h2 class=\"wp-block-heading\">A car-industry attack could weigh on Britain\u2019s economy<\/h2>\n<p>Jaguar Land Rover (JLR) has failed to restart production for a third week after a cyberattack. The luxury carmaker <a href=\"https:\/\/media.jaguarlandrover.com\/news\/2025\/09\/statement-cyber-incident-2\">said<\/a> its assembly lines will remain halted at least until September 24th.<\/p>\n<p>The company confirmed data was stolen from its network but has yet to pin the attack on a specific hacking group.<\/p>\n<p>According to BleepingComputer, a gang calling itself Scattered Lapsus$ Hunters claimed responsibility, posting screenshots of JLR\u2019s internal systems on Telegram. The post alleges the hackers also deployed ransomware on the firm\u2019s compromised infrastructure.<\/p>\n<p><a href=\"https:\/\/www.bbc.com\/news\/articles\/czewlj57e24o\">BBC<\/a> estimates each week of downtime costs the company at least \u00a350m (~$68m). 
<a href=\"https:\/\/www.telegraph.co.uk\/business\/2025\/09\/15\/jaguar-land-rover-production-shutdown-november\/\">The Telegraph<\/a> puts weekly losses at about $100m. JLR\u2019s suppliers fear they cannot weather the sudden shock and worry about going bankrupt.<\/p>\n<h2 class=\"wp-block-heading\">Secret data from China\u2019s Great Firewall spilled online<\/h2>\n<p>On September 12th, researchers from the <a href=\"https:\/\/gfw.report\/blog\/geedge_and_mesa_leak\/en\/\">Great Firewall Report<\/a> team reported the biggest leak in the history of China\u2019s \u201cGreat Firewall\u201d.<\/p>\n<p>Roughly 600GB of internal documents, source code and developers\u2019 internal correspondence used to build and maintain the national traffic-filtering system have appeared online.<\/p>\n<p>Researchers say the leak includes full build systems for traffic-tracking platforms, as well as modules for detecting and throttling specific censorship-circumvention tools. Much of the stack targets detection of VPNs, which are banned in China.<\/p>\n<p>Great Firewall Report specialists claim parts of the documentation relate to Tiangou, a commercial product for use by ISPs and border gateways. Early iterations of the programme were allegedly deployed on HP and Dell servers.<\/p>\n<p>The documents also mention deployments in 26 data centres in Myanmar. 
The system was reportedly operated by the state telecoms firm and integrated at major internet exchange points, enabling both mass blocking and selective filtering.<\/p>\n<p>According to <a href=\"https:\/\/www.wired.com\/story\/geedge-networks-mass-censorship-leak\/\">Wired<\/a> and <a href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2025\/09\/pakistan-mass-surveillance-and-censorship-machine-is-fueled-by-chinese-european-emirati-and-north-american-companies\">Amnesty International<\/a>, the infrastructure has also been exported to Pakistan, Ethiopia, Kazakhstan and other countries, where it is used alongside other lawful-intercept platforms.<\/p>\n<h2 class=\"wp-block-heading\">Luxury consumers in hackers\u2019 crosshairs<\/h2>\n<p>On September 15th, Kering, owner of multiple luxury brands, confirmed a data breach affecting customers of its subsidiaries Gucci, Balenciaga, Alexander McQueen and Yves Saint Laurent.<\/p>\n<p>Per <a href=\"https:\/\/www.bbc.com\/news\/articles\/crl5j8ld615o\">BBC<\/a>, the hackers stole personal data including names, email addresses, phone numbers, home addresses and the total amounts customers spent in stores worldwide.<\/p>\n<p>The attack is allegedly the work of ShinyHunters, which claims to have stolen personal data on at least 7m people, though the true tally is likely far higher.<\/p>\n<p>The group is also suspected of pilfering multiple databases hosted on Salesforce. 
Several firms, including Allianz Life, Google, Qantas and Workday, have confirmed data theft as a result of these mass breaches.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>CZ <a href=\"https:\/\/forklog.com\/en\/news\/cz-warns-of-imposter-employees-threat-from-north-korea\">warned<\/a> of the threat from North Korean \u201cghost employees\u201d.<\/li>\n<li>An updated lawsuit <a href=\"https:\/\/forklog.com\/en\/news\/revised-lawsuit-reveals-details-of-coinbase-hack\">revealed<\/a> details of the Coinbase hack.<\/li>\n<li>On Ethereum, DYDX tokens worth $26m <a href=\"https:\/\/forklog.com\/en\/news\/dydx-tokens-worth-26m-stranded-on-ethereum\">were \u2018stuck\u2019<\/a>.<\/li>\n<li>Israel <a href=\"https:\/\/forklog.com\/en\/news\/israel-demands-freeze-of-1-5-million-usdt-linked-to-terrorists\">demanded<\/a> the freezing of 1.5m USDT tied to terrorists.<\/li>\n<li>The largest block reorganisation in 12 years <a href=\"https:\/\/forklog.com\/en\/news\/monero-experiences-largest-block-reorganisation-in-12-years\">occurred<\/a> in Monero.<\/li>\n<li>The Shibarium bridge <a href=\"https:\/\/forklog.com\/en\/news\/shibarium-bridge-hacked-for-approximately-2-3-million\">was hacked<\/a> for ~$2.3m.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read this weekend?<\/h2>\n<p>ForkLog examined proposals from Privacy Stewards for Ethereum\u2014a new team within the Ethereum Foundation\u2014and outlined how the organisation aims to embed privacy at every layer of the network, up to and including applications.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We round up the week\u2019s biggest cybersecurity stories.<\/p>\n","protected":false},"author":1,"featured_media":89104,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"The week's key cybersecurity stories: from a JavaScript worm to a record Canadian crypto 
seizure.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-89103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"184","promo_type":"1","layout_type":"1","short_excerpt":"The week's key cybersecurity stories: from a JavaScript worm to a record Canadian crypto seizure.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/89103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=89103"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/89103\/revisions"}],"predecessor-version":[{"id":89105,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/89103\/revisions\/89105"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/89104"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=89103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=89103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=89103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}