Risky Bulletin: Shai-Hulud goes open-source

The source code for the Shaihalud worm has been released online, a dark web market admin was charged after a major OPSEC failure, France investigates an Israeli disinfo firm, and Composer rushes to fix a GitHub token leak. This is the Risky Bulletin, prepared by Katalin Kimpanu and read by me, Claire Aird. Today is the 15th of May, and this podcast episode is brought to you by Knock Knock, which has built and shipped a grey noise integration. More details are in this week's sponsor interview. In today's top story, source code for the Shai Halud worm has been published on a hacking forum. The code was released by individuals claiming to be associated with the Team PCP hacking group. The code's authenticity has already been confirmed by multiple security vendors. The Shai Halud worm was first seen in November and has been tied to at least six supply chain attacks targeting NPM and Python libraries hosted on GitHub. The Team PCP group is encouraging other threat actors to use the worm, promising a $10,000 reward to whoever carries out the largest supply chain attack in the coming days. In other news, the US has charged a 49-year-old German national with running the defunct Dream Dark Web Marketplace. O. Martin Andersen was arrested in Germany last week. Dream Market launched in 2013 and was shut down by authorities in 2019. He operated the site under the pseudonym Speedstepper and was the market's top admin. Other Dream admins had already been arrested and imprisoned, but Speedstepper had remained unidentified for years. Authorities finally tracked him down after he started converting some of the Dream Market Bitcoin into gold bars and sending them to his home in Germany. South Korean authorities have extradited a Chinese hacker from Thailand. The suspect was the leader of a group that stole more than million from Korean celebrities The group hacked a South Korean telco in 2023 and used the data to gain access to the victim bank accounts The group most famous victim was Jungkook a member of K supergroup BTS Cambodian authorities have raided a scam compound in the city of Sihanoukville for the second time in six months. More than 400 suspects were detained, but even more fled through the streets. Gunshots were reported by authorities during the chaos. The same scam compound location was also raided in December. 50 suspects were arrested in that raid. Russian authorities have dismantled a sim farm operating in the city of St. Petersburg. The farm ran more than 6,000 sim cards and was primarily used to place scam calls. Russian authorities claim some of the sim farm's customers included scammers from Ukraine. A 16-year-old teenager in occupied Donetsk has been found guilty by a Russian court of selling hacked accounts on a Telegram channel. Authorities say the hacked accounts were later used to place fraudulent calls to Russian citizens through instant messenger platforms. His sentencing is scheduled for next month. Open AI is rotating code signing certificates after two employees were impacted by the TanStack supply chain attack this week. The company detected malicious activity originating from the employee's device that matched the mini Shihalud worm. OpenAI says the intrusion was limited to a small number of repositories and the malware didn't have any access to user data. Hackers have stolen $1.9 million from the Transit Finance cross-chain aggregator and another $2.8 million from the TAC cross-chain platform. The hacks took place on the same day, but it's unclear if the same group was behind both. In both instances, the hackers targeted smart contracts that interacted with the Ton blockchain. French authorities have launched an investigation into an Israeli company named Blackcore over a disinformation campaign. Officials say the company may be linked to an online campaign that smeared three mayoral candidates of the France Unbowed Party The campaign targeted mayoral candidates for the cities of Marseille Toulouse and Roubaix The far party has criticised Israel over its war in Gaza Microsoft has unveiled a new AI model harness that can discover and patch software vulnerabilities. The new M-Harness works by aggregating more than 100 specialised AI agents into one singular platform. 16 of the 130 vulnerabilities patched in this month's Patch Tuesday were discovered with MDash. Cisco has released firmware updates to patch a critical zero-day in Catalyst's SD-WAN devices. The zero-day allows attackers to become an authenticated peer of the target appliance and perform privileged operations. The vulnerability is being exploited in the wild and has been added to CIS's KevList. Cisco linked the recent attacks to another set of zero days exploited in February. The same group, designated as UAT8616 by Cisco Talus, was behind this zero day as well. Hackers began exploiting a vulnerability in Prazen AI servers within three hours of a patch for them becoming available. The attacks targeted a legacy API server that shipped with the main Prazen AI server that was left enabled without any authentication. The quick move to exploitation was likely the result of a simple pock. Threat actors have been prioritising vulnerabilities in AI servers recently, with many solutions coming under attacks as soon as bugs are disclosed. Meantime, hackers are exploiting a vulnerability in a popular WooCommerce plugin to inject malicious code on online shops and steal credit card data. More than 40,000 WooCommerce stores using the FunnelKit builder are affected. Patches have been released this week. The plugin is typically used to design custom checkout experiences on WordPress-based online stores. Packages has rolled out an emergency security update to the Composer PHP package manager to fix a bug that leaked GitHub tokens in public GitHub Actions logs The bug was traced back to GitHub changing the token format with tokens now including hyphen characters GitHub has since paused the rollout of the new format until May 18 PHP developers are advised to install the new Composer update by then to prevent their CICD pipelines from leaking the tokens. CPU maker AMD has advised users to install operating system security updates to mitigate a security flaw in its CPUs. The vulnerability was discovered internally. It allows malicious code running on the CPU to break the memory cache isolation and execute at higher privileges. The bug impacts AMD Zen 2 products. This includes the company's Ryzen and Epic product lines. Cisco will lay off 4,000 employees or around 5% of the company's global workforce. Cisco CEO Chuck Robbins says the company is currently focused on increasing its spend on AI technologies. The company announced the layoffs on the same day it reported record revenue of $15.8 billion. The Debian OS project is mandating that all new Debian packages use reproducible builds. All packages that want to be included in the upcoming Debian 14 release must allow developers to verify that a binary has originated from specific source code. And finally, Microsoft has open-sourced a project designed to help coders prevent server-side request forgery vulnerabilities. The anti-SSRF library is available for .NET and Node.js applications. The library works by automatically validating URLs and network connections generated based on user-supplied inputs. It also comes with an agent to block requests to internal or sensitive IP addresses. And that is all for this podcast edition. Today's show was brought to you by Knock Knock. Find them at knock knock. That's K-N-O-C, K-N-O-C dot I-O. Thanks to your company. you