PyPI Tokens Revoked After GhostAction Supply Chain Attack
The Python Software Foundation has confirmed that all PyPI publishing tokens stolen in early September's GhostAction supply chain attack have been invalidated, with no evidence that they were used to publish malicious packages. The incident began on September 5, when GitGuardian researchers identified malicious GitHub Actions workflows, including one tied to FastUUID, that attempted to exfiltrate PyPI tokens to a remote server. Although one initial notification to PyPI Security was delayed after being filtered as spam, GitGuardian quickly notified GitHub, npm, and PyPI once the full scope was uncovered. More than 570 affected repositories were flagged, and maintainers were urged to rotate tokens, revert workflow changes, or remove compromised workflows. While PyPI administrators confirmed that no repositories were compromised, they took preemptive action by invalidating all impacted tokens and contacting project owners directly to secure their accounts. GitGuardian’s analysis estimated that GhostAction exfiltrated over 33,000 secrets across multiple ecosystems, spanning PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS, with some companies’ entire SDK portfolios affected simultaneously across Python, Rust, JavaScript, and Go. Attackers modified workflows to send tokens and credentials to external servers, creating the potential for widespread supply chain abuse.
On September 15, PyPI administrator Mike Fiedler urged maintainers to replace long-lived tokens with short-lived Trusted Publishers tokens when using GitHub Actions, which would significantly reduce exposure in future attacks. He also recommended that maintainers review their account security history for any unusual activity. The GhostAction campaign highlights the growing threat of malicious CI/CD workflow tampering and emphasizes the importance of software maintainers adopting short-lived credentials, enforcing stricter repository controls, and monitoring for anomalous pipeline behavior.
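As an added example (not code from the article, PyPI, or GitGuardian), the two workflows below show a long-lived API token stored as a repository secret beside the Trusted Publishers form Fiedler recommends. The project, secret, and environment names are placeholders, and the second workflow assumes the repository and workflow filename have already been registered as a trusted publisher on PyPI.

```yaml
# Weak setting: a long-lived PyPI API token kept as a repository secret.
# Any step that is added to or modified in this workflow can read the
# secret and post it elsewhere, which is the pattern GhostAction abused;
# the token stays valid until someone revokes it.
name: publish-with-token            # placeholder workflow name
on:
  release:
    types: [published]
jobs:
  pypi:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pipx run build          # writes sdist and wheel to dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}   # long-lived, reusable credential
---
# Corrected setting: Trusted Publishers. No PyPI secret is stored in the
# repository. The job requests a short-lived OIDC token from GitHub, and the
# publish action exchanges it for a PyPI token that expires within minutes,
# so a workflow that leaks it gains little the attacker can reuse later.
name: publish-trusted               # placeholder workflow name
on:
  release:
    types: [published]
jobs:
  pypi:
    runs-on: ubuntu-latest
    environment: pypi               # placeholder; must match the environment named in the PyPI trusted publisher entry, if one was set
    permissions:
      id-token: write               # required so the job can mint the OIDC token
      contents: read                # nothing else is needed to publish
    steps:
      - uses: actions/checkout@v4
      - run: pipx run build
      - uses: pypa/gh-action-pypi-publish@release/v1
        # no "password" input: the action uses the OIDC token automatically
```

Pairing the second workflow with a protected environment that requires reviewer approval also means a tampered workflow cannot publish, or obtain a token, without a human seeing the run.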
Microsoft and Cloudflare Disrupt RaccoonO365 Phishing Service
Microsoft’s Digital Crimes Unit (DCU), working in conjunction with Cloudflare, has dismantled a large-scale phishing-as-a-service (PhaaS) operation known as RaccoonO365, internally tracked as Storm-2246. Between September 2 and September 8, 2025, the coordinated effort seized 338 malicious domains, terminated Cloudflare Worker scripts, and suspended related accounts under a court order from the Southern District of New York. RaccoonO365 offered subscription-based kits, charging $355 for 30 days or $999 for 90 days, which enabled cybercriminals to steal Microsoft 365 credentials at scale without requiring advanced skills. Since July 2024, the service has facilitated the theft of over 5,000 accounts across 94 countries, allowing customers to target up to 9,000 email addresses per day. The phishing kits typically spoofed trusted brands, including Microsoft, DocuSign, SharePoint, and Adobe, with campaigns already linked to tax-themed lures, ransomware precursors, and attempts to bypass multi-factor authentication protections. At least 20 U.S. healthcare organizations were among the victims, underlining the potential risks to critical infrastructure and patient safety. Investigators identified Nigerian national Joshua Ogundipe as the individual behind RaccoonO365, along with several associates who marketed the service through an 850-member Telegram channel. The group is believed to have received at least $100,000 in cryptocurrency payments, although Microsoft notes the real number of subscriptions sold could be significantly higher. The service recently expanded its offerings to include an AI-powered feature called AI-MailCheck, designed to scale phishing campaigns and improve success rates. Beyond phishing kits, the group implemented additional measures to evade detection, including the use of Cloudflare Turnstile CAPTCHA and bot-detection scripts that restricted access to human targets while blocking scanners and automated crawlers. 
Microsoft and Cloudflare emphasized that the seizure represents a strategic shift from reactive, single-domain takedowns to broader infrastructure disruption, raising operational costs for criminals and sending a clear deterrence signal. While Ogundipe and his team remain at large, a criminal referral has been sent to international law enforcement. Microsoft has stressed the need for continued vigilance, cross-border legal cooperation, and the adoption of strong security practices, such as multi-factor authentication, to protect against future phishing campaigns.
GOLD SALEM Expands Warlock Ransomware Campaign
Since March 2025, CTU researchers have tracked the Warlock Group, designated as GOLD SALEM and also referred to by Microsoft as Storm-2603. The group has compromised enterprise networks across North America, Europe, and South America, with victims ranging from small commercial firms to government agencies and multinationals. By mid-September, GOLD SALEM had listed 60 victims on its Tor-hosted dedicated leak site, placing it in the mid-range of ransomware operations in terms of volume. Of these, only 19 had their data directly exposed, while 27 were reportedly sold to private buyers, a figure that is likely inflated but consistent with extortion tactics. Until recently, GOLD SALEM avoided targeting Russian and Chinese entities, but on September 8, the group posted a Russian engineering services provider in the energy sector, signaling either a shift in targeting or confirmation that the operators are based outside those jurisdictions. The leak site batches victim listings and assigns countdown timers of 12–14 days to increase ransom pressure. Earlier underground forum posts show GOLD SALEM actively seeking exploits for Veeam, ESXi, and SharePoint, as well as tools to disable endpoint defenses, suggesting either direct operations or preparation for a ransomware-as-a-service model. Technical investigations revealed that GOLD SALEM relies on exploiting Microsoft SharePoint using the ToolShell exploit chain to install ASPX web shells for remote command execution. The group reinforced persistence with a Golang-based WebSocket server downloaded from filebin[.]net, while bypassing endpoint detection through a Bring Your Own Vulnerable Driver (BYOVD) technique that renamed a Baidu Antivirus driver to terminate security processes. Once inside, they conducted credential theft using Mimikatz against LSASS, performed lateral movement with PsExec and Impacket, and deployed large-scale Warlock ransomware through Group Policy Objects. 
In August, GOLD SALEM further demonstrated flexibility by abusing the Velociraptor DFIR tool to establish Visual Studio Code tunnels, blending malicious access with legitimate administrative tooling. Defenders are urged to prioritize rapid patching of internet-facing services, monitor for suspicious web shell activity, driver abuse, and unexpected GPO modifications, and leverage endpoint monitoring solutions. Sophos has released protections identifying GOLD SALEM’s activity as Troj/WebShel-F and Troj/Warlock-B; however, long-term defense depends on proactive attack surface monitoring and swift incident response.
Raven Stealer Expands Its Reach With Stealthy Credential Theft
Raven Stealer is a new information-stealing malware first observed in mid-2025, built in Delphi and C++ with a modular design that facilitates easy customization and deployment. It primarily targets Chromium-based browsers, including Chrome, Edge, and Brave, pulling stored credentials, cookies, payment data, and autofill entries. To obtain this data, it examines browser storage paths and utilizes the AES keys stored in Local State files to decrypt credentials into plain text. The malware is often spread through cracked software bundles and underground forums, making it a threat to both individuals and organizations. Researchers note that Raven Stealer avoids dropping files to disk by embedding resources into its binary and executing them in memory, a technique that helps it evade traditional antivirus tools. Once active, it organizes stolen data into structured folders within the user’s AppData directory, making it easier for attackers to exfiltrate all data in bulk. What sets Raven Stealer apart is its integration with Telegram for command-and-control operations. Each build embeds a bot token and chat ID directly into the payload, letting stolen data flow straight into an attacker-controlled Telegram channel. Exfiltrated data includes login credentials, session cookies that can be used for hijacking, stored credit card details, and even desktop screenshots, all of which are compressed into archives before transmission. To remain hidden, the malware employs encrypted payload injection and reflective process hollowing, launching Chrome in a suspended state and injecting its DLL so that it appears to run under a trusted process. The accessibility of its builder tool, complete with a simple user interface, enables even low-skilled actors to generate new payloads, thereby expanding its reach in cybercriminal circles. 
Defenders are advised to monitor Telegram traffic, review system behavior for unusual browser activity, and prioritize user education to prevent infections from cracked software or phishing lures.