Cybersecurity Today

Massive Python Supply Chain Hack, $2.1B Scam Losses, North Korea Targets Crypto Execs

12 min
Apr 29, 2026
Summary

This episode covers four major cybersecurity threats: a supply chain attack on the Python tool Elementary Data that compromised developer credentials, $2.1 billion in social media scam losses led by Meta platforms, the return of Brazilian hacking group Lofi Gang targeting Minecraft players with malware-as-a-service, and a North Korean operation using fake video calls to target crypto executives.

Insights
  • Supply chain attacks are evolving beyond credential theft to target automated build systems, requiring developers to audit not just code but CI/CD infrastructure and pull request comments
  • Social media platforms' advertising and targeting tools designed for legitimate businesses are being weaponized by scammers at scale, with Meta platforms accounting for the majority of scam-related losses
  • Malware-as-a-service models are democratizing cybercrime, allowing low-skill attackers to rent tools and run campaigns, shifting the threat landscape from organized groups to distributed threat actors
  • Senior executives at crypto and tech companies often resist security awareness training and phishing simulations, creating a critical vulnerability that nation-state actors are actively exploiting
  • Ransomware quality is degrading, with some operations containing fundamental flaws (like Vect 2.0) that suggest either amateur development or AI-generated code without proper testing
Trends
  • Supply chain attacks targeting build systems and automation rather than human credentials
  • Malware-as-a-service becoming the dominant distribution model for cybercrime tools
  • Nation-state actors using AI-generated deepfakes and video synthesis to enhance social engineering campaigns
  • Social media platforms becoming the primary vector for financial scams, surpassing email and phone
  • Executive exemptions from security training creating organizational vulnerabilities at high-value targets
  • Cryptocurrency and blockchain executives becoming primary targets for nation-state actors
  • Fake domain registration at scale (80+ domains) as a foundational tactic for sophisticated phishing campaigns
  • Browser-based credential harvesting from multiple engines (Chrome, Edge, Firefox, Brave, Opera) in single malware payloads
Topics
  • Python supply chain security and PyPI package integrity
  • CI/CD pipeline security and automated build system vulnerabilities
  • Social media scam prevention and platform accountability
  • Malware-as-a-service business models
  • Minecraft security threats and youth-targeted malware
  • Ransomware encryption flaws and recovery strategies
  • North Korean cyber operations and Lazarus Group tactics
  • Deepfake and AI-generated video in social engineering
  • Crypto executive targeting and credential theft
  • Developer credential management and secret rotation
  • Phishing simulation and executive security awareness training
  • Fake domain registration and subdomain spoofing
  • In-memory malware execution and file-less attacks
  • Multi-platform ransomware targeting VMware and data centers
  • FTC guidance on social media scam prevention
Companies
Elementary Data
Python data pipeline monitoring tool compromised via supply chain attack, affecting 1.1M monthly downloads
Meta
Facebook, WhatsApp, and Instagram platforms led in scam-related losses; removed 159M scam ads and 11M accounts
PyPI
Python package repository where poisoned Elementary Data version 0.23.3 was published and distributed
GitHub
Platform where attacker posted malicious pull request comment to compromise Elementary Data's build system
Docker
Poisoned Elementary Data release was baked into Docker images, affecting automated deployments
Amazon Web Services
Cloud credentials were among the secrets scraped by Elementary Data malware payload
Google
Cloud credentials were among the secrets scraped by Elementary Data malware payload
Microsoft
Cloud credentials were among the secrets scraped by Elementary Data malware payload
Kubernetes
Container orchestration secrets were targeted by Elementary Data malware
Minecraft
Gaming platform targeted by Lofi Gang with fake cheat programs distributing Lofi Stealer malware
NPM
JavaScript package library previously targeted by Lofi Gang for malicious code injection
Discord
User accounts were targets of Lofi Gang's earlier campaigns before pivot to Minecraft
Chrome
Browser targeted by Lofi Stealer for password and credential harvesting
Firefox
Browser targeted by Lofi Stealer for password and credential harvesting
VMware
Virtualization platform targeted by Vect 2.0 ransomware to compromise entire data centers
Zoom
Video conferencing platform impersonated by North Korean attackers using fake domain links
Microsoft Teams
Video conferencing platform impersonated by North Korean attackers using fake domain links
Checkpoint
Security firm that analyzed Vect 2.0 ransomware and identified critical encryption flaws
Arctic Wolf
Security firm that published research on the North Korean BlueNoroff campaign targeting crypto executives
Bleeping Computer
Security news outlet that reported on Elementary Data supply chain attack details
People
David Shipley
Host of the Cybersecurity Today podcast presenting the episode's security news stories
Jim Love
Co-host of Cybersecurity Today podcast, mentioned as returning on Friday
Quotes
"Basically, a smash and grab on a developer's whole digital life."
David Shipley, Elementary Data section
"It's cheap, it's global, and it hands scammers the same powerful ad tools real businesses use."
David Shipley, Social media scams section
"Cheats and mods downloaded from random sites are exactly how this lands."
David Shipley, Lofi Gang section
"Pay or don't pay, your data is still toast."
David Shipley, Vect 2.0 ransomware section
"Each successful con made the next one even better."
David Shipley, North Korean BlueNoroff section
Full Transcript
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com slash cst.

A popular open source tool is the latest supply chain threat. Social media scams cost Americans more than $2 billion last year. A Brazilian hacking crew returns with fake Minecraft cheats. A new ransomware strain accidentally destroys files. North Korean hackers run fake Zoom meetings to drain crypto executives' wallets. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started.

A popular Python tool called Elementary Data got hijacked this past weekend, and anyone who installed the bad version is in for a rough cleanup. Elementary Data is a behind-the-scenes tool used by data engineers to keep an eye on data pipelines. It pulls down about 1.1 million downloads a month from PyPI, the main hub where Python developers share open source code. According to Bleeping Computer, the attacker didn't steal a password. They didn't phish a maintainer. They went after the project's automated build system. Here's how they did it. They posted a sneaky comment on a pull request, basically a suggested code change on GitHub. That comment was crafted to make the build system run the attacker's code. From there, they grabbed the system's release token, signed a fake update, and pushed version 0.23.3 to PyPI. That poisoned release also got baked into the project's Docker image. That's the prepackaged version a lot of teams also pull automatically. Once installed, the bad version went to work. It scraped SSH keys, Git logins, cloud credentials for AWS, Google, and Microsoft, Kubernetes and Docker secrets, environmental files, developer tokens, and crypto wallets for Bitcoin, Litecoin, Dogecoin, Monero, and a few others. Basically, a smash and grab on a developer's whole digital life. A community member on GitHub spotted it Saturday and flagged it to the maintainers. A clean version, 0.23.4, is now out. But anyone who pulled 0.23.3 or grabbed the latest Docker images over the weekend, well, they need to rotate every secret on that machine and restore from a known good backup.

Americans lost more than $2.1 billion to social media scams last year. Those are the latest numbers from the U.S. Federal Trade Commission. Nearly one in three people who reported losing money to a scam in 2025 said it started on social media. Losses from those online scams have jumped eightfold since 2020, and they now top nearly every other route scammers use, including phone, text, and email combined. The platform leading the pack: Facebook. Across every age group under 80, more money was lost to scams that started on Facebook than on any other site. WhatsApp and Instagram came in second and third. All three are owned by Meta. Why social media? The FTC's read here is simple. It's cheap, it's global, and it hands scammers the same powerful ad tools real businesses use. Target people by age, interests, even shopping habits. Plus, they can scrape targets' posts to figure out which pitch is most likely to land. Meta says it removed 159 million scam ads and took down close to 11 million scam accounts last year. It also says it's rolling out warnings for suspicious friend requests, sketchy group chat invites, and screen sharing with strangers on video calls. The FTC's advice here is solid. Lock down who can see your posts. Don't take investment tips from someone you've only ever met online. And before you buy from a company you've never heard of, search the name plus the word scam and see what comes back. In the meantime, Meta's facing a lot of heat for scam ads. They're facing down a class action lawsuit that we reported on previously.

A Brazilian hacking crew that went quiet three years ago is back, and this time they're going after Minecraft players. The group calls itself Lofi Gang. They've been around since late 2021, mostly known for sneaking malicious code into NPM, the giant library of free building blocks JavaScript developers use to put their software together. Back then, the goal was stealing Discord accounts and credit card numbers. Now, according to the Hacker News and the Brazilian security firm Xenox, they've changed tactics. Their new tool is called Lofi Stealer, and it's hidden inside a fake Minecraft cheat program named Slinky. It even uses the official Minecraft icon to look legit. The target audience here? Young players who trust what they download from gaming forums and YouTube tutorials. Here's what happens when they run it. A small piece of JavaScript quietly loads the real malware straight into the computer's memory. No obvious file sitting on the hard drive. From there, it sweeps through every major browser on the machine: Chrome, Edge, Firefox, Brave, Opera. It grabs saved passwords, login cookies, credit card numbers, even bank account details. All of it gets shipped off to a server the attackers control. The bigger shift here: Lofi Gang has moved to what's called malware as a service. They have a free version, a paid version, pick your tier. Anyone with a few dollars and bad intentions can rent their tool and run their own campaign. For parents listening, if there's a kid in the house who plays Minecraft, this is the conversation you need to have. Cheats and mods downloaded from random sites are exactly how this lands. The official Minecraft marketplace is fine. A YouTube comment promising free diamonds is not. And general advice I give to parents: don't do your family banking on computers you let kids play on unsupervised on the internet.

There's a new ransomware operation called Vect 2.0, and according to the Hacker News, it has one small problem. It doesn't actually work. A normal ransomware operation looks like this. Crooks break in, scramble your files, then sell you the key so that you can unscramble them. Pay up, get your stuff back. That's the typical business model, if they're competent. Vect 2.0 skips the second half of the deal, not by choice, by mistake. Researchers at Checkpoint dug into the code and found a flaw. When Vect locks any file bigger than 131 kilobytes, basically anything more useful than a short note, it chops the file into four pieces, scrambles each piece with a separate key, and then throws three of those four keys in the garbage. Doesn't save them. Doesn't send them home. Just loses them. So even if a victim pays up, the criminals can't hand over working keys. They never had them. Pay or don't pay, your data is still toast. This thing runs on Windows, Linux, and the server software VMware uses to host virtual machines, meaning it can take down a whole data center in one swing. Checkpoint's read is that the people behind Vect might be amateurs. Or, and this is a fun theory, chunks of the code may have been written by an AI tool that didn't quite know what it's doing. Negotiation is not an option here. Offline backups, tested recovery plans, fast containment. That's it for the defense.

A North Korean hacking unit has spent the past five months running a remarkably patient con, and its marks are crypto executives. The group goes by BlueNoroff. It's the money-making arm of a larger North Korean operation known as Lazarus. That's the same crew tied to some of the biggest crypto heists on record. Researchers at the security firm Arctic Wolf laid out the latest campaign in a report published Monday. Here's how it worked. The attackers hand about 100 senior executives across more than 20 countries: founders, exchange operators, people who build crypto wallets. Roughly 40 were based in the US, with Singapore and the UK close behind. The common thread here: every target had direct access to the keys that move serious digital money. The bait was a calendar invite. Looked normal: calendar link, scheduled Zoom or Teams call, the usual. But the meeting link was a fake domain, the kind where one letter was swapped out to fool someone who just took a quick glance. The attackers had registered more than 80 of these phony domains since last year. Once an executive joined the call, the malware quietly started recording the live camera feed. Researchers found roughly 950 files on the attacker servers, stolen video footage being mixed with AI-generated faces to build fake meetings for the next round of victims. Each successful con made the next one even better. Arctic Wolf says the attackers did serious homework here, populating fake calls with familiar industry faces tailored to whoever they were targeting. That's the part that got people to relax and to trust. Crypto companies here face a double hurdle with this threat. One of the best defenses here is awareness, but many of these tech companies skip security awareness training unless they're regulated to do it, because they know better. Second, if they do have a program, many senior executives often balk at doing the same cybersecurity training and often ask to be exempted from things like phishing simulations. This is a good story for the security teams at those companies to use to reinforce why either choice is not a great one when faced with these kinds of threats.

That's Cybersecurity Today for Wednesday, April 29th, 2026. I've been your host, David Shipley. Thanks for listening, and thanks to everyone who's left a review, liked, subscribed, left a rating, or emailed us with their comments. Jim Love will be back on Friday. We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full-stack networking infrastructure, wired, wireless, and cellular, to leading enterprises. Working with their partners, Meter designs, deploys, and manages everything required to get performant, reliable, and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments, and run support. It's a single integrated solution that scales from branch offices, warehouses, and large campuses to data centers. Book a demo at meter.com slash CST. That's M-E-T-E-R dot com slash C-S-T.
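The Elementary Data story in the transcript turns on a build system that executed code planted in a pull request comment. As an added example that is not from the podcast and not the project's own workflow, here is a small Python check for that class of misconfiguration in GitHub Actions workflow text: untrusted event fields (comment bodies, issue and PR titles, branch names) expanded directly inside a `run:` step. It assumes the build system was GitHub Actions, which the episode does not say, and the workflow snippets it scans are constructed for the example.

```python
import re

# `${{ }}` contexts that an outside contributor controls via an issue, PR or comment.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(?:github\.event\.(?:comment\.body|issue\.(?:title|body)"
    r"|pull_request\.(?:title|body|head\.(?:ref|label))|review\.body"
    r"|review_comment\.body)|github\.head_ref)\s*\}\}")
# A `run:` key, optionally as a list item; group(1) reaches up to the key column.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_run_injections(workflow_text):
    """Return (line_no, expression) for untrusted expressions inside run: steps,
    where the runner expands them into the shell script before it executes."""
    findings, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, body = len(m.group(1)), [(i + 1, m.group(2))]
        i += 1
        if m.group(2).strip() in ("|", "|-", ">", ">-"):
            # Block scalar: every blank or deeper-indented line belongs to the script.
            while i < len(lines) and (not lines[i].strip()
                    or len(lines[i]) - len(lines[i].lstrip()) > key_col):
                body.append((i + 1, lines[i]))
                i += 1
        for n, text in body:
            findings += [(n, hit.group(0)) for hit in UNTRUSTED.finditer(text)]
    return findings

# Constructed samples, not the real Elementary Data workflow. This one pastes
# the comment body straight into the release script, so comment text is code.
VULNERABLE = """\
steps:
  - run: |
      echo "Triggered by: ${{ github.event.comment.body }}"
      make release
"""
# Hardened form: the same value arrives as an environment variable, which the
# shell treats as data. Nothing under `env:` is flagged.
HARDENED = """\
steps:
  - run: |
      echo "Triggered by: $COMMENT"
      make release
    env:
      COMMENT: ${{ github.event.comment.body }}
"""
```

Running the check over every file in a repository's .github/workflows directory is one concrete way to do the CI/CD audit the Insights section calls for.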