Risky Bulletin

Risky Bulletin: Damaging worm rips through npm ecosystem

8 min
May 13, 2026
Summary

The Risky Bulletin covers a devastating worm attack on the NPM ecosystem affecting nearly 400 packages including TanStack, alongside major security incidents at RubyGems, Instructure, Foxconn, and Best Western. The episode highlights escalating threats including ransomware with physical violence tactics, zero-day exploits, and emerging AI-powered attack methods.

Insights
  • Supply chain attacks on package repositories are becoming more sophisticated and destructive, with the Shai-Hulud worm now wiping systems when victims try to revoke or rotate the stolen tokens
  • Ransomware groups are escalating tactics beyond financial demands to include threats of physical violence against staff and executives, doubling in prevalence year-over-year
  • Large organisations across diverse sectors (EdTech, manufacturing, hospitality, semiconductors) are being hit, and some, such as Instructure, are paying ransoms, suggesting attackers have refined their negotiation and pressure tactics
  • Zero-day vulnerabilities are being discovered and weaponized faster, with one researcher publicly dropping unpatched Windows bugs minutes after Patch Tuesday, leaving an exposure window until Microsoft ships fixes
  • AI tools are now being leveraged by cybercriminals to discover zero-days and bypass security controls like 2FA, representing a new threat vector for defenders
Trends
  • Supply chain attacks targeting open-source package ecosystems as high-impact vectors
  • Ransomware groups adopting physical violence threats as a coercion tactic alongside financial extortion
  • Increased use of AI and machine learning by threat actors for vulnerability discovery
  • Regulatory pressure on social media platforms regarding child safety and addictive design features
  • Growing sophistication of self-propagating worms with destructive capabilities beyond data theft
  • Insider threats and staff-targeted attacks on security infrastructure (RubyGems, hosting providers)
  • Extended dwell time in breached systems (Best Western: 6+ months; South Korean electronics maker: 1 week)
  • Cross-border state-sponsored cyber espionage campaigns targeting the electronics and technology sectors
  • Public disclosure of zero-days immediately after a patch release, creating vulnerability windows
  • Integration of AI models into security tooling for vulnerability detection and patching
Companies
TanStack
Web development framework packages compromised in NPM supply chain attack affecting nearly 400 packages
Mistral
AI company whose libraries were among the compromised NPM packages in the TanStack attack
UiPath
Business automation giant whose packages were compromised in the NPM supply chain attack
RubyGems
Package repository that disabled new user sign-ups after a cyberattack that targeted its staff and published hundreds of malicious packages aimed at RubyGems developers
Instructure
EdTech company that paid ransom to restore Canvas student management platform after attack impacting 9 universities
Foxconn
Electronics manufacturer whose North American factories were disrupted by Nitrogen Ransomware Group attack
Apple
Company whose confidential projects and chip drawings were allegedly stolen by Nitrogen Ransomware Group from Foxconn
Google
Company whose chip drawings were allegedly stolen in Foxconn attack; also detected AI-powered zero-day discovery by c...
NVIDIA
Company whose orders and chip drawings were allegedly stolen by Nitrogen Ransomware Group from Foxconn
West Pharmaceutical Services
Pharmaceutical packaging manufacturer disrupted by ransomware attack affecting manufacturing and shipping operations
Best Western International
Hotel chain notifying guests of security breach with 6+ months unauthorized access to reservation system
Microsoft
Released this month's Patch Tuesday updates, minutes after which a researcher dropped two unpatched Windows zero-days; blamed by a Russian lawmaker for GitHub access issues in Russia
GitHub
Platform whose accessibility from Russia has deteriorated over the past week; Roskomnadzor denied blocking it, while a lawmaker blamed Microsoft
YouTube
Platform that Roskomnadzor denied banning prior to actually implementing ban in Russia
WhatsApp
Messaging platform that Roskomnadzor denied banning prior to actually implementing ban in Russia
Apple
Rolling out end-to-end encrypted RCS messaging support in iOS 26.5 for cross-platform messaging with Android
OpenAI
Launched Daybreak project deploying frontier AI models including GPT-5.5 cyber-specialized model for vulnerability de...
Amnesty International
Human rights organization whose security team collaborated with Google on the Android intrusion logging feature for forensics
Reporters Without Borders
Press freedom organization whose security team collaborated with Google on the Android intrusion logging feature for malware investigations
IP Time
Home router vendor with unauthenticated remote takeover vulnerabilities in its CWMP/TR-069 management protocol implementation; did not respond to the researchers who reported them
People
Catalin Cimpanu
Prepared the Risky Bulletin episode content
Claire Aird
Read and presented the Risky Bulletin episode
Alexander Gorelkin
Blamed Microsoft for GitHub access deterioration and advocated for bans of Western tech services in Russia
Nightmare Eclipse
Disclosed the Windows zero-days Green Plasma and Yellow Key minutes after Microsoft's Patch Tuesday release
Quotes
"Yawn. This is the Risky Bulletin"
Claire Aird, opening
Full Transcript
RubyGems disables sign-ups after an attack on staff, Instructure paid the ransom, The Gentlemen ransomware operation gets hacked, and another major supply chain attack on NPM. Yawn. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 13th of May, and this podcast episode is brought to you by Knocknoc, which has built and shipped a GreyNoise integration. More details are in this week's sponsor interview.

In today's top story, the NPM packages of the popular TanStack web development framework were compromised to deliver a self-propagating worm and credential stealers. TanStack NPM packages were modified on Monday in a supply chain attack that quickly spread across the NPM ecosystem. Almost 400 packages were compromised, including libraries from AI company Mistral and business automation giant UiPath. The incident is the latest chapter in the Shai-Hulud worm infestation that's plagued the developer ecosystem since November. The worm has become more destructive and now wipes systems when their owners try to revoke or rotate stolen tokens.

In other news, the RubyGems package repository has disabled new user sign-ups after a cyberattack targeted its staff. Hundreds of malicious packages were published on Monday, containing malicious code aimed at RubyGems developers. The code tried to execute cross-site scripting attacks and steal data. The RubyGems security team is investigating and will share more details soon.

EdTech company Instructure has paid the hackers who took down its Canvas student management platform. The company emailed schools and colleges about the payment, and the platform was restored over the weekend. Almost 9 universities, schools and school districts were impacted by the hack and couldn't access the platform during end-of-year exams. It's unknown how much Instructure paid.

A ransomware attack disrupted the activity of Foxconn's North American factories earlier this month. The company confirmed the incident after workers leaked some of its internal messages on social media last week. The Nitrogen Ransomware Group claimed responsibility for the attack in a blog post on Tuesday. The group claims it stole 8 terabytes of data, including confidential projects and chip drawings for Apple, Google and NVIDIA orders.

A ransomware attack has also disrupted the operations of a major manufacturer of pharmaceutical drug packaging. The incident took place last week and impacted West Pharmaceutical Services. The attack impacted West's global business operations. Manufacturing, shipping and receiving operations have been restored at some locations, per an SEC filing.

Best Western International is notifying guests who stayed at its hotels of a security breach. The hotel chain says a hacker had access to its reservation system for over six months, between October and April this year. The company operates several hotel brands, such as Best Western, Shore Hotels and World Hotels.

The EU is expected to propose a block-wide social media ban for children as early as this summer. The new regulations will ban children under the age of 15 from creating new accounts on social media platforms. The EU is also considering banning social media platforms from using certain addictive design features, such as infinite scrolling and autoplay.

Russia's internet watchdog has denied blocking access to GitHub after access to the site deteriorated over the past week. Alexander Gorelkin, a Russian lawmaker behind the bans of Western tech services in Russia, blamed the issue on Microsoft. Roskomnadzor also denied it would ban YouTube and WhatsApp prior to banning them.

Google says a cybercrime group used AI tools to discover a zero-day in a popular open-source web-based system administration tool. The zero-day in the unnamed utility would have allowed the group to bypass 2FA during logins, if they had valid credentials. Google's security team says it detected the zero-day before it was used in widespread attacks.

An increasing number of ransomware and data extortion groups are now using threats of physical violence to intimidate victims into paying up. Threats of violence doubled last year and are more prevalent in the US. Threats are being sent to staff, executives and even ransomware negotiators. Most threats are being sent through violence-as-a-service operations.

The database and internal comms of The Gentlemen ransomware operation have been hacked and put up for sale on an underground hacking forum. The data was being offered for just $10,000 before the forum's admins took it down. The data is believed to have been stolen from the ransomware's web hosting provider, a shady service known as 4VPS.

Iranian state-sponsored hackers breached an unnamed major South Korean electronics maker. The intrusion took place in February and lasted for a week. It was part of a sprawling cyber espionage campaign that breached at least eight other organizations across the globe. Symantec didn't name the company, but linked the attacks to a group known as Seedworm or MuddyWater.

A security researcher dropped two Windows zero-days minutes after Microsoft released this month's Patch Tuesday. The two zero-days include a privilege escalation bug named Green Plasma and a BitLocker bypass bug named Yellow Key. The same researcher, going by the nickname of Nightmare Eclipse, also dropped the Blue Hammer and Red Sun zero-days last month.

Attackers can take over IP Time home routers via the protocol used by ISPs to manage the devices. The attack doesn't require authentication and targets the CWMP protocol, also known as TR-069. The vendor did not respond to the security researchers who reported the vulnerabilities.

Google is rolling out a new security feature to Android smartphones to aid malware investigations. The new intrusion logging feature allows Android to create privacy-preserving forensics logs that don't expose users' sensitive data. The feature was designed in conjunction with the security teams at Amnesty International and Reporters Without Borders. It's rolling out to all devices running the Android 16 December update and newer.

Support for end-to-end encrypted RCS messaging rolled out to Apple devices on Monday in iOS 26.5. E2EE RCS has been supported on Android for several years. The feature will allow Android and iPhone users to exchange encrypted messages between each other. RCS was designed as a replacement for SMS.

And finally, OpenAI has launched Daybreak, a project to deploy frontier AI models in popular software projects to detect and patch vulnerabilities. Daybreak will use multiple OpenAI models, including the company's new GPT-5.5 cyber-specialized model.

And that is all for this podcast edition. Today's show was brought to you by Knocknoc. Find them at knocknoc.io. That's K-N-O-C, K-N-O-C dot I-O. Thanks for your company.