We’ve gathered the most important cybersecurity news from the past week.
- A new version of cryptocurrency theft software bypasses Apple’s security.
- Hackers accessed thousands of repositories on GitHub.
- Interpol conducted large-scale arrests in the Middle East and North Africa.
- A critical vulnerability was found in the ChromaDB database for AI developers.
New Cryptocurrency Theft Software Bypasses Apple Security
The new infostealer Reaper bypasses macOS protection by using a fake security update message. It targets sensitive browser data and cryptocurrency wallets. The threat was discovered by SentinelOne experts.
Unlike earlier attacks with a previous version of the SHub software, in which the attackers relied on ClickFix tactics, the new campaign uses a special applescript:// link. Clicking it automatically opens the built-in macOS Script Editor and executes the malicious code.
According to SentinelOne, the attackers spread the malware through fake installers for WeChat and Miro. Some fraudulent domains masquerading as Microsoft and QQ services remained active at the time of publication.
Before invoking AppleScript, the malicious sites fingerprint the visitor's device to filter out researchers and systems with Russian localization. The code checks for virtual machines and VPNs, as well as for installed browser extensions belonging to password managers and cryptocurrency wallets. All collected data is sent to the attacker via a Telegram bot.
Once executed, the user sees a fake Apple update notification. The program downloads a shell script and requests the macOS password.
Password request. Source: SentinelOne.
After that, the infostealer targets:
- data from browsers including Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc, and Orion;
- browser extensions for cryptocurrency wallets, including MetaMask and Phantom;
- browser extensions for password managers like 1Password, Bitwarden, and LastPass;
- desktop applications for cryptocurrency wallets, including Exodus, Atomic Wallet, Ledger Live, Electrum, and Trezor Suite;
- iCloud and Telegram account data;
- configuration files related to programming.
Reaper also includes a Filegrabber module that searches the desktop and Documents folder for file types that may contain sensitive information. It collects target files smaller than 2 MB (or up to 6 MB for PNG images), with a total data limit set at 150 MB.
Experts warned that the malware establishes persistence on the system, disguising itself as a Google update.
SentinelOne emphasized that the SHub operators are expanding the stealer's capabilities by adding remote access to compromised devices, which would allow additional payloads to be delivered later.
Hackers Access Thousands of Repositories on GitHub
On May 19, hackers breached 3,800 internal GitHub repositories, gaining access through a malicious extension for the VS Code editor. This was reported by the company's Chief Information Security Officer, Alexis Wales, in a statement.
The incident occurred when an employee installed an infected version of the popular Nx Console plugin (version 18.95.0). The malicious code harvested developer credentials and secrets, including those for AWS, Kubernetes, GitHub, and Docker.
The cybercriminal group TeamPCP claimed responsibility for the breach. The hackers listed the stolen code for sale on the underground forum Breached, demanding at least $50,000. Prior to this incident, the same group was linked to attacks on Mistral AI, UiPath, OpenSearch, and OpenAI employees.
The Nx Console developers explained that one of their own employees had previously fallen victim to an npm package supply chain attack on the TanStack project. Through the GitHub CLI utility, hackers stole his tokens, accessed his work account, and injected malicious code into the extension update.
The infected version of Nx Console was available in the official Visual Studio Marketplace for only 18 minutes (and 36 minutes on the OpenVSX platform). During that time, it was downloaded fewer than 70 times.
GitHub stated that they quickly isolated the compromised device and conducted an emergency rotation of all critical secrets and access keys.
Interpol Conducts Large-Scale Arrests in the Middle East and North Africa
Law enforcement from 13 countries in the Middle East and North Africa arrested 201 suspects during Operation Ramz, aimed at combating cybercrime, according to Interpol.
During the operation, the identities of 382 suspects were established in Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, UAE, Oman, Palestine, Qatar, and Tunisia.
Additionally, law enforcement seized 53 servers used for phishing, malware distribution, and internet fraud. Data analysis from this equipment revealed that 3,867 individuals had fallen victim to the criminals.
To track the hacker infrastructure, Interpol enlisted private cybersecurity companies, including Kaspersky Lab, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI.
Critical Vulnerability Found in ChromaDB Database for AI Developers
A critical vulnerability was discovered in the ChromaDB database, which is widely used for building AI applications. This was reported by experts from HiddenLayer.
ChromaDB is an open-source vector database and backend for data search, actively used in agent-based AI systems and related applications.
According to HiddenLayer, the vulnerability affects the Python version of the API (based on FastAPI) and stems from the order in which the server performs its security checks. When a request arrives, the server first downloads and executes the specified ML model (for example, a malicious model hosted on Hugging Face), and only then authenticates the caller. The server then returns the expected authorization error, but by that point the attacker's code has already run.
Experts noted that about 73% of Chroma nodes run vulnerable versions. Local builds and projects using the Rust frontend are not affected. The ChromaDB team has not responded to the researchers' inquiries, and it remains unclear whether the vulnerability has been fixed in the latest release, 1.5.9.
Until official clarifications and patches are released, experts recommend that users:
- isolate the Python server from public access (restrict access to the API port with a firewall);
- use the Rust frontend as an alternative in internet-facing deployments;
- carefully check third-party ML models for backdoors before running them, especially when remote code execution for models (the trust_remote_code option) is enabled.
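The following is an added example written for this digest, not ChromaDB's or HiddenLayer's code. It models the ordering flaw described in the paragraph above (model code executes before the caller is authenticated) next to a handler that follows the recommendations in the list: authenticate first, keep remote code disabled by default, and only load models from an allowlist. The model hub, the allowlist, the token, and the handler names are hypothetical stand-ins constructed for the example.

```python
"""Added example, not ChromaDB's or HiddenLayer's code: models the
"load model, then authenticate" ordering flaw and the recommended fix.
MODEL_HUB, ALLOWED_MODELS, VALID_TOKEN and the handler names are
hypothetical stand-ins constructed for this example."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

VALID_TOKEN = "s3cr3t-token"            # constructed sample credential
ALLOWED_MODELS = {"all-MiniLM-L6-v2"}    # hypothetical allowlist of vetted models

# Records every time "model code" executed; stands in for arbitrary code
# execution on the server when an untrusted model is loaded.
executed_payloads: List[str] = []


def _benign_model() -> None:
    """A vetted model: loading it has no side effects."""


def _malicious_model() -> None:
    """An attacker-published model whose load-time code runs on the server."""
    executed_payloads.append("attacker code ran")


# Simulated remote model hub: the callable is the model's load-time code.
MODEL_HUB: Dict[str, Callable[[], None]] = {
    "all-MiniLM-L6-v2": _benign_model,
    "evil-org/backdoored-embedder": _malicious_model,
}


@dataclass
class Request:
    token: Optional[str]
    model_name: str


def load_embedding_function(name: str, trust_remote_code: bool) -> None:
    """Stand-in for fetching a model from a hub and running its code."""
    if name not in ALLOWED_MODELS and not trust_remote_code:
        raise PermissionError(f"{name} is not allowlisted and remote code is disabled")
    MODEL_HUB[name]()  # this is the point where untrusted code would execute


def is_authenticated(token: Optional[str]) -> bool:
    return token == VALID_TOKEN


def handle_vulnerable(req: Request) -> int:
    """Flawed ordering: the model (and its code) loads before the auth check,
    so an unauthenticated caller still gets code execution and then a 401."""
    load_embedding_function(req.model_name, trust_remote_code=True)
    if not is_authenticated(req.token):
        return 401
    return 200


def handle_fixed(req: Request) -> int:
    """Authenticate before touching anything request-controlled, and never
    enable remote code for models that are not on the allowlist."""
    if not is_authenticated(req.token):
        return 401
    try:
        load_embedding_function(req.model_name, trust_remote_code=False)
    except PermissionError:
        return 400
    return 200


def demo() -> Dict[str, object]:
    """Runs the same unauthenticated attack against both handlers."""
    attack = Request(token=None, model_name="evil-org/backdoored-embedder")
    executed_payloads.clear()
    vulnerable_status = handle_vulnerable(attack)
    vulnerable_ran_code = bool(executed_payloads)   # True: the 401 came too late

    executed_payloads.clear()
    fixed_status_unauth = handle_fixed(attack)
    fixed_ran_code = bool(executed_payloads)        # False: rejected first

    # Even an authenticated caller cannot pull a non-allowlisted model.
    authed_untrusted = Request(token=VALID_TOKEN, model_name="evil-org/backdoored-embedder")
    authed_trusted = Request(token=VALID_TOKEN, model_name="all-MiniLM-L6-v2")
    return {
        "vulnerable_status": vulnerable_status,
        "vulnerable_ran_code": vulnerable_ran_code,
        "fixed_status_unauth": fixed_status_unauth,
        "fixed_ran_code": fixed_ran_code,
        "fixed_status_authed_untrusted": handle_fixed(authed_untrusted),
        "fixed_status_authed_trusted": handle_fixed(authed_trusted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the vulnerable handler returning 401 to the unauthenticated request after the malicious model's code has already executed, while the fixed handler rejects the same request before any model is touched and, for an authenticated caller, refuses the non-allowlisted model with a 400. The practical lesson is the one from the paragraph above: any request-controlled side effect, including fetching and loading a model, must sit behind the authentication check, and remote model code should be off unless the model has been vetted.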
Europol Shuts Down First VPN Due to Frequent Use by Criminals
Law enforcement has shut down the First VPN service, which was used for extortion and data theft. The international operation was reported by Europol.
According to police, the service was advertised on hacker forums as a privacy-oriented tool that does not log user activity and ignores law enforcement requests. The name First VPN appeared in nearly every major cybercrime case supported by the agency.
The investigation into the service began in December 2021 under the guidance of authorities in France and the Netherlands. At one point, agents infiltrated the VPN infrastructure, collected a user database, and identified connections used by hackers.
As a result of the operation conducted from May 19 to 20, key infrastructure was disrupted. Law enforcement seized 33 servers located in 27 countries, confiscated domains, arrested an administrator, and conducted a search at the home of a suspect in Ukraine.
Also on ForkLog:
- Polymarket confirmed the compromise of a private key.
- MAPO token dropped by 96% after a hack.
- Media: Pentagon formed a group to implement hacker AI models.
- Opinion: AI and quantum technologies threaten existing security systems.
- BTCFi protocol Echo was hacked for $816,000.
- Hackers withdrew $11.5 million from the Verus protocol.
- The THORChain team revealed details of a $10 million hack.
What to Read This Weekend?
In a new article, ForkLog explains how to get acquainted with AI models that do not require internet access for free and what resources to use for beginners.
