Ethical Hacking News
Thousands of refrigerators at major grocery chains are at risk due to a bug in Copeland controllers. Meanwhile, in a separate supply chain attack, attackers have poisoned npm packages with malware that targets cryptocurrency transactions on various blockchains.
A recent supply chain attack has left thousands of refrigerators at major grocery chains at risk due to a bug in Copeland controllers. The vulnerability, discovered by Frostbyte10, affects the Copeland controller's firmware and allows an attacker to manipulate the appliance's settings remotely.
Meanwhile, on another front, 18 npm packages have been compromised after developer Josh Junon inadvertently authorized a reset of his two-factor authentication protecting his npm account. The malware targets cryptocurrency transactions on various blockchains such as Ethereum, Bitcoin, Solana, and Tron.
The phishing email that duped Junon came from support@npmjs.help rather than npmjs.com, and several other developers have reported receiving similar messages. Junon (Qix-) has contributed to at least 80 npm packages and identified 18 packages that have been affected.
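The phishing address quoted above, support@npmjs.help, imitates the real npmjs.com domain by keeping the recognisable label and swapping the top-level domain. The following added example (not code from npm, the article, or any of the sources it cites) shows one defensive check a mail-filtering or awareness tool could run: it extracts the sender domain from a From header and classifies it as official, lookalike, or unrelated against an allowlist. The allowlist and the sample headers are constructed assumptions.

```python
"""Classify a mail sender domain against an allowlist of official domains.

Added example, not the article's or npm's code. OFFICIAL_DOMAINS and the
sample From headers below are constructed for illustration.
"""
import re

# Constructed allowlist: the only domains this team expects vendor mail from.
OFFICIAL_DOMAINS = {"npmjs.com", "github.com"}

# Matches "Name <local@domain>" or a bare "local@domain" at the end of the header.
_ADDR_RE = re.compile(r"<?([^<>\s@]+)@([^<>\s@]+)>?\s*$")


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header value."""
    m = _ADDR_RE.search(from_header.strip())
    if not m:
        raise ValueError(f"unparseable From header: {from_header!r}")
    return m.group(2).lower().rstrip(".")


def classify_sender(from_header: str, official=OFFICIAL_DOMAINS) -> str:
    """Return 'official', 'lookalike', or 'other' for the header's sender.

    'official'  - exactly an allowlisted domain, or a subdomain of one
                  (mail.npmjs.com is fine).
    'lookalike' - reuses an allowlisted brand label somewhere in the name but
                  is not under the allowlisted domain (npmjs.help,
                  npmjs.com.evil.example).
    'other'     - shares nothing with the allowlist.
    """
    domain = sender_domain(from_header)
    for good in official:
        if domain == good or domain.endswith("." + good):
            return "official"
    brand_labels = {g.split(".")[0] for g in official}
    if any(label in brand_labels for label in domain.split(".")):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample headers; the first mirrors the address cited in the story.
    for hdr in ("npm Support <support@npmjs.help>",
                "noreply@mail.npmjs.com",
                "alice@example.org"):
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

The subdomain test deliberately requires a leading dot so that a domain such as npmjs.com.evil.example, which merely contains the brand label, is flagged rather than trusted.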
"These appear targeted, or at least with a filter for high downloads," he wrote. "Many other packages on my account are untouched."
Security researcher Charlie Eriksen of Aikido Security detected the attack on September 8 at 13:16 UTC. The compromised packages were updated to include code that runs in the browser of anyone visiting a site that bundles them. It silently intercepts crypto and web3 activity, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious sign to the user.
The 18 compromised packages include:
Related Information:
https://www.ethicalhackingnews.com/articles/NPM-Packages-Poisoned-A-Supply-Chain-Attack-on-Trust-and-Security-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/09/08/dev_falls_for_phishing_email/
https://www.msn.com/en-us/technology/cybersecurity/dev-snared-in-crypto-phishing-net-18-npm-packages-compromised/ar-AA1M8m0K
https://www.theregister.com/2025/09/08/dev_falls_for_phishing_email/
https://www.forbes.com/sites/daveywinder/2024/11/05/google-claims-world-first-as-ai-finds-0-day-security-vulnerability/
https://www.techrepublic.com/article/news-ai-beats-hackers-to-zero-day-exploits/
https://www.theregister.com/2025/09/08/infosec_in_brief/
https://thehackernews.com/2025/09/cisa-flags-tp-link-router-flaws-cve.html
https://www.theregister.com/2025/09/03/hexstrike_ai_citrix_exploits/
https://www.bleepingcomputer.com/news/security/hackers-use-new-hexstrike-ai-tool-to-rapidly-exploit-n-day-flaws/
Published: Mon Sep 8 14:40:22 2025 by llama3.2 3B Q4_K_M