#typosquat attack now also in the #golang ecosystem

"... due to Go’s caching mechanism, developers installing the package using the go CLI continued to download the cached malicious version from the Go Module Mirror, rather than the updated, benign version."

https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence

#devsecops #security #cloud

Go Supply Chain Attack: Malicious Package Exploits Go Module...

Socket researchers uncovered a backdoored typosquat of BoltDB in the Go ecosystem, exploiting Go Module Proxy caching to persist undetected for years.

Socket
Fake Puppeteer Packages Contain Malware

In an ongoing supply chain attack on npm.

Phylum Research | Software Supply Chain Security

Threat actor using lookalike domains that drive through a traffic distribution system (TDS) to illegal gambling and malicious content. This actor runs a TDS using a few different domains, including choto[.]xyz and choto[.]click. The attack chain typically begins when an internet user unknowingly mistypes a website (e.g. dizscord[.]com instead of discord.com). Subsequently, the user is profiled via one or two TDS servers and then conditionally redirected to a fraudulent webpage. Earlier this year, they ran campaigns that leveraged a second stage TDS (victory-leads[.]xyz) that conditionally routed users to different malicious content based on their geo-location (see attached image). We recommend blocking the following TDS domains; doing so will effectively disrupt the attack chains that are conducted by this actor. Currently, only choto[.]click appears to be actively used. We have been tracking this TDS since Spring 2023.

<Lookalike Domains>
donga[.]delivery (imitating donga.com - South Korean newspaper company)
tutorialspoint[.]pics (imitating tutorialspoint.com - video tutorial education service)
icicibank[.]observer (imitating icicibank.com - Indian banking)
netflixg[.]com (imitating netflix.com - video streaming service)
capktalone[.]com (imitating capitalone.com - American banking company)
cbssportas[.]com (imitating cbssports.com - American sports network)
betwah[.]de (imitating betway.com - British gambling company)

<TDS Domains>
choto[.]click
choto[.]xyz
choto[.]store
victory-leads[.]xyz

<Fraud Landing Page Domains>
lotto60[.]com
joya[.]casino
tickets[.]love

#dns #cybersecurity #InfobloxThreatIntel #Infoblox #tds #gambling #scam #lookalike #typosquat #threatintel #cybercrime
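
The same check underlies both the Go post above (a lookalike module path) and the Infoblox lookalike-domain list: an edit-distance comparison of a candidate name against a list of names you trust. The program below is an added example, not code from any of the posts and not Socket's, Phylum's or Infoblox's tooling. It scores domains by their registrable label (assuming single-label TLDs such as .com or .de; .co.uk-style suffixes would need a public-suffix list) and scores go.mod requirements by full module path. The domain inputs are taken from the Infoblox post; the go.mod text is constructed for the example, and github.com/bolt-db/bolt in it is a made-up lookalike of BoltDB's real import path github.com/boltdb/bolt, not the module named in the Socket report. The edit thresholds (2 for labels, 3 for module paths) are heuristic choices for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding pairs a suspicious name with the legitimate name it resembles.
type Finding struct {
	Candidate, Target, Reason string
	Distance                  int
}

// osaDistance is the optimal-string-alignment edit distance (insert, delete, substitute, swap adjacent); "dizscord" and "capktalone" both score 1.
func osaDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			v := d[i-1][j-1] // substitution, free on a match
			if ra[i-1] != rb[j-1] {
				v++
			}
			if d[i-1][j]+1 < v { // deletion
				v = d[i-1][j] + 1
			}
			if d[i][j-1]+1 < v { // insertion
				v = d[i][j-1] + 1
			}
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] && d[i-2][j-2]+1 < v {
				v = d[i-2][j-2] + 1 // adjacent transposition
			}
			d[i][j] = v
		}
	}
	return d[len(ra)][len(rb)]
}

// registrableLabel is the label left of the TLD; assumption: single-label suffixes only (".co.uk" would need a public-suffix list).
func registrableLabel(domain string) string {
	labels := strings.Split(strings.ToLower(domain), ".")
	if len(labels) < 2 {
		return labels[0]
	}
	return labels[len(labels)-2]
}

// ScanDomains flags a label within two edits of a brand label, and the exact brand label under another TLD (both patterns appear in the Infoblox list).
func ScanDomains(candidates, brands []string) []Finding {
	var out []Finding
	for _, c := range candidates {
		for _, b := range brands {
			cl, bl := registrableLabel(c), registrableLabel(b)
			switch dist := osaDistance(cl, bl); {
			case dist == 0 && !strings.EqualFold(c, b):
				out = append(out, Finding{c, b, "brand label under a different TLD", 0})
			case dist > 0 && dist <= 2 && len(bl) >= 6: // short brands are too noisy
				out = append(out, Finding{c, b, "label within 2 edits of brand", dist})
			}
		}
	}
	return out
}

// requireLine matches "require <path> v..." and "<path> v..." lines in a require block; module/replace/exclude lines never match because only "require" may precede the path.
var requireLine = regexp.MustCompile(`(?m)^\s*(?:require\s+)?(\S+/\S+)\s+v\d\S*`)

// ScanModules flags go.mod requirements within three edits of a known module path (room for an inserted "-go" or "-") that are not that path exactly.
func ScanModules(goMod string, known []string) []Finding {
	var out []Finding
	for _, m := range requireLine.FindAllStringSubmatch(goMod, -1) {
		for _, k := range known {
			if d := osaDistance(m[1], k); d > 0 && d <= 3 {
				out = append(out, Finding{m[1], k, "module path within 3 edits of a known module", d})
			}
		}
	}
	return out
}

// Constructed sample go.mod; github.com/bolt-db/bolt is a made-up lookalike of BoltDB's real path github.com/boltdb/bolt.
const sampleGoMod = "module example.com/app\n\nrequire golang.org/x/sys v0.20.0\n\nrequire (\n\tgithub.com/boltdb/bolt v1.3.1\n\tgithub.com/bolt-db/bolt v1.3.1 // indirect\n)\n"

func main() {
	lookalikes := []string{"dizscord.com", "capktalone.com", "cbssportas.com", "betwah.de", "donga.delivery", "joya.casino"} // from the Infoblox post
	brands := []string{"discord.com", "capitalone.com", "cbssports.com", "betway.com", "donga.com"}
	known := []string{"github.com/boltdb/bolt", "golang.org/x/sys"}
	for _, f := range append(ScanDomains(lookalikes, brands), ScanModules(sampleGoMod, known)...) {
		fmt.Printf("%-16s ~ %-22s dist=%d (%s)\n", f.Candidate, f.Target, f.Distance, f.Reason)
	}
}
```

Run it with go run and every lookalike on the Infoblox list except joya.casino is reported against its brand, and the made-up bolt-db path is reported against github.com/boltdb/bolt. In practice the ScanModules half belongs in CI over the committed go.mod with an allow-list of known-good paths: as the Socket quote at the top says, a module version the Go Module Mirror has already cached keeps being served from the proxy even after the upstream repository is cleaned up, so a check that waits for upstream to be fixed catches nothing.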

We've uncovered a large #typosquat campaign targeting #python developers. In the wake of this campaign, #pypi has suspended new user registrations and project creation!

https://blog.phylum.io/typosquatting-campaign-targets-python-developers/

#malware #opensource #CyberSecurity #SoftwareDevelopment #infosec #network #software #hacking

Typosquatting Campaign Targets Python Developers

On 26 March 2024, Phylum’s automated risk detection platform picked up yet another typosquat campaign targeting some attackers’ favorite targets in PyPI. As of writing, this attack still appears to be active and has come in two big waves after about a 20-hour break in between. So far, we’

Phylum

Phylum reports on the active and ongoing typosquatting campaign targeting PyPI. "This automated typosquat attack carried out over a few short hours in a handful of quick bursts, witnessed the publication of over 500 packages and targeted 16 popular PyPI packages." Phylum describes the attack chain where installing the package triggers malware deployment. No IOC provided but Phylum provides a full package list. 🔗 https://blog.phylum.io/typosquatting-campaign-targets-python-developers/

#PyPi #threatintel #Python #typosquat

README has been crafted for the upcoming Domain Assassin release for both the local and lambda versions with terraforms included for it, and tfenv files plus shell scripts to package the lambda to a zip as well as switch between AWS prod and dev for you easily.

I have some more tweaks to do before I am comfortable putting it up on Github but I don't see much deviating from here other than the addition of piping #Crowdstrike IOC over API
#Cybersecurity #InfoSec #AWS #OpenSource #Typosquat

Got the official thumbs up from my bosses internally about the Domain Assassin tool I forked from @cybersheepdog Domain Hunter tool. It's working in dev right now on the multiple domains we have as an AWS lambda and piping tickets to Jira in our sandbox. Next step is working with Ops to add the Crowdstrike IoC integration.

I plan to hopefully open source both the local and terraform versions after sanitizing it end of month. I even have a shell script to switch tfenv files #Infosec #typosquat

We are tracking a large #typosquat campaign targeting the #npm ecosystem. As of this writing, 125 packages have been released in what appears to be an ongoing campaign.

https://blog.phylum.io/large-typosquat-campaign-targeting-react-and-angular/

#javascript #opensource #infosec #react #angular #cybersecurity

Large Typosquat Campaign Targeting React and Angular

Phylum is tracking a large typosquat campaign targeting the npm ecosystem. A user is currently publishing many typosquat packages masquerading as react and angular. As of this writing, 125 packages have been released in what appears to be an ongoing campaign. We are reporting these packages as we encounter them

Phylum

#Typosquat alert: Someone set up a #fake site that mimics Sophos branding on Sopbos[.]com and that site delivers a #malware #coinminer installer called SophosInstaller.exe

If you work on a team with a #domain #reputation service or feature, please mark that domain as #malicious.

Let's all work to render this kind of garbage, and their domain registration, utterly useless. #FAFO

It seems that typosquatted packages were prepared to do some #DataExfiltration on developer systems on Crates.io. The packages were successfully removed by the Crates.io team.

https://blog.phylum.io/rust-malware-staged-on-crates-io/
#Rust #phylum #typosquat #Malware #infosec

Rust Malware Staged on Crates.io

Phylum routinely identifies malware and other software supply chain attacks targeting high-value, critical assets: an organization’s software developers. Most recently, we’ve reported on a flurry of sophisticated attacks targeting JavaScript developers, respawning malware on PyPI, and were the first to identify North Korean state actors publishing malicious packages

Phylum