Update: IndonesianFoods Worm Overwhelms npm With Automated Package Flooding
Researchers have identified a large-scale npm supply-chain campaign built around a self-propagating package set known as IndonesianFoods, which has flooded the registry with more than 100,000 auto-generated packages. The worm publishes new packages every few seconds under randomized Indonesian-themed names, swamping security scanners and crowding the ecosystem with junk entries. The current payload does not compromise developer machines, but the replication logic is exactly what an attacker would need to push a harmful update to every package in the set at once. Investigators have linked the activity to dozens of purpose-built npm accounts, pointing to a coordinated operation that began as early as 2023 and took on its present worm-like behavior in 2025. The flood has overloaded multiple security systems with tens of thousands of automated advisories, showing how bulk publication alone can destabilize the software supply chain.

Although the worm so far amounts to registry pollution, the volume and interconnectedness of its packages give a threat actor the means to introduce harmful updates at scale later. The campaign also shows signs of financial motivation: some packages contain configuration files tied to a blockchain-based rewards program for open-source contributions, which lets the operators inflate their impact scores artificially. Its multi-year automation, widespread account usage, and escalating publication rate fit a broader trend of high-volume, automation-driven attacks on open-source ecosystems, in which attackers rely on scale rather than sophistication to overwhelm registries and hide malicious activity in the noise. Developers and organizations are urged to pin dependencies with a lockfile, validate package integrity against the hashes the lockfile records, and monitor for suspicious publishing patterns (bursts of near-identical packages from a small set of accounts) to avoid ingesting polluted packages. Pinning only protects a project that never pulled one of these packages in the first place; a dependency that already resolves into the cluster will follow it if a later version turns malicious, so auditing existing lockfiles matters as much as pinning new ones.
As the IndonesianFoods campaign continues to expand, the event signals a growing shift in supply-chain threats toward ecosystem-level disruption rather than targeted compromise.
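The "monitor for suspicious publishing patterns" advice above is easy to state and rarely shown. The script below is an added example written for this page, not code from the researchers or from any registry tooling; it works over constructed registry metadata (the package names, accounts, timestamps and dependency lists are invented for illustration and are not real npm packages). It flags accounts whose publishes arrive seconds apart, measures how much of the flagged set depends only on itself, and checks a lockfile's package names against the flagged set, which is the ingestion check a project would actually run.

```python
"""Spot burst publishing and self-referential dependency clusters in npm
registry metadata, then check a lockfile against the flagged set."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _t(offset_s):
    # Helper for constructing timestamps relative to an arbitrary base.
    return datetime(2025, 11, 10, 12, 0, 0) + timedelta(seconds=offset_s)


# Constructed sample metadata (illustrative names and accounts, not real npm
# records). One record per published version, in the shape a registry
# metadata feed would give: name, publishing account, publish time, deps.
SAMPLE_PUBLISHES = [
    {"name": "nasi-xq3k", "maintainer": "flood-acct-01", "time": _t(0), "deps": []},
    {"name": "rendang-7ab2", "maintainer": "flood-acct-01", "time": _t(6), "deps": ["nasi-xq3k"]},
    {"name": "sate-p9m1", "maintainer": "flood-acct-01", "time": _t(11), "deps": ["rendang-7ab2"]},
    {"name": "gudeg-44zz", "maintainer": "flood-acct-02", "time": _t(4), "deps": ["nasi-xq3k"]},
    {"name": "bakso-r2d2", "maintainer": "flood-acct-02", "time": _t(9), "deps": ["gudeg-44zz", "sate-p9m1"]},
    {"name": "soto-k81q", "maintainer": "flood-acct-02", "time": _t(15), "deps": ["bakso-r2d2"]},
    {"name": "acme-logger", "maintainer": "legit-dev", "time": _t(-86400 * 30), "deps": []},
    {"name": "acme-logger", "maintainer": "legit-dev", "time": _t(-86400 * 2), "deps": ["acme-core"]},
]


def burst_publishers(records, min_count=3, max_median_gap_s=60):
    """Return {account: sorted package names} for accounts with at least
    min_count publishes whose median spacing is max_median_gap_s or less.
    A human publishing by hand does not sustain gaps of a few seconds."""
    by_account = defaultdict(list)
    for rec in records:
        by_account[rec["maintainer"]].append(rec)
    flagged = {}
    for account, recs in by_account.items():
        if len(recs) < min_count:
            continue
        times = sorted(rec["time"] for rec in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_gap_s:
            flagged[account] = sorted({rec["name"] for rec in recs})
    return flagged


def dependency_cluster(records, flagged):
    """Count dependency edges leaving flagged packages: (internal, total,
    cross_account). internal == total means the set depends only on itself,
    the interconnected junk cluster described above; cross-account edges
    show the accounts are operated together."""
    flagged_names = {n for names in flagged.values() for n in names}
    owner = {rec["name"]: rec["maintainer"] for rec in records}
    internal = total = cross = 0
    for rec in records:
        if rec["maintainer"] not in flagged:
            continue
        for dep in rec["deps"]:
            total += 1
            if dep in flagged_names:
                internal += 1
                if owner[dep] != rec["maintainer"]:
                    cross += 1
    return internal, total, cross


def lockfile_hits(lockfile_names, flagged):
    """Flagged packages already present in a lockfile, e.g. the keys of
    package-lock.json's "packages" map with the node_modules/ prefix removed."""
    flagged_names = {n for names in flagged.values() for n in names}
    return sorted(set(lockfile_names) & flagged_names)


if __name__ == "__main__":
    flagged = burst_publishers(SAMPLE_PUBLISHES)
    print("burst accounts:", flagged)
    print("dependency edges (internal, total, cross-account):",
          dependency_cluster(SAMPLE_PUBLISHES, flagged))
    print("lockfile hits:", lockfile_hits({"acme-core", "bakso-r2d2"}, flagged))
```

The thresholds are deliberately loose (three publishes, median gap of a minute) so that the rate check catches a new account early; in practice you would feed it the registry's changes feed or the `time` field of package metadata and tune the window to your own false-positive tolerance. Note that the legitimate account with two releases a month apart is never flagged, even though one of its releases added a dependency.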
Kraken Ransomware Benchmarks Victim Systems to Maximize Encryption Speed
Researchers analyzing recent Kraken ransomware activity found the group using an uncommon performance-benchmarking technique to tune how it encrypts victim environments. On each compromised machine Kraken writes a temporary file, encrypts it while measuring throughput, and then chooses full or partial (intermittent) encryption based on the result, maximizing speed while avoiding the resource spikes that could trigger detection. The operation inherits traits from the former HelloKitty ransomware cartel, including similar ransom note structure and messaging, and now targets Windows, Linux, and ESXi systems in big-game hunting campaigns.

Intrusions typically begin with the exploitation of exposed SMB services, followed by credential theft and re-entry over remote desktop connections. The attackers deploy persistence tools such as reverse-tunneling utilities and use SSH-based file access to exfiltrate data before distributing the ransomware payload to every reachable system. Victims listed on the group's leak site span multiple countries, and ransom demands have reached seven figures.

The cross-platform encryptors include modules for databases, network shares, local drives, and virtualized environments. On Windows, Kraken disables filesystem redirection, adjusts token privileges, and runs multi-threaded encryption using RSA and ChaCha20, while terminating backup mechanisms and deleting restore points to cut off recovery options. On Linux and ESXi, the encryptor identifies the underlying platform, terminates running virtual machines to release the locks on their disk files, and performs multi-threaded encryption using the same benchmarking logic as on Windows. Both variants carry anti-analysis controls: control-flow obfuscation, execution delays, exception suppression, and staged cleanup routines that erase logs, shell histories, and the ransomware binary itself.

The group also recently launched an underground forum intended to support anonymous communication within the cybercrime ecosystem, signaling an ambition to expand both its operational infrastructure and its influence. As Kraken continues to mature its tooling and operational cadence, the benchmarking capability stands out as a notable step in ransomware efficiency and stealth.
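The behaviors described above (a temporary file written and removed within a second, backup and restore-point destruction on Windows, VM termination on ESXi, and log or shell-history cleanup) are each noisy in isolation but distinctive in combination. The detector below is an added example written for this page, not the researchers' code and not a published Kraken signature; it runs over constructed host telemetry (the hosts, process names, paths and command lines are invented for illustration) and scores a host by how many of those stages it shows. The command-line patterns are generic indicators of the stage, chosen by the editor, not strings taken from the article or from Kraken samples.

```python
"""Stage-based detector for the benchmark-then-encrypt sequence described
above. Events are (host, seconds, kind, process, detail); kind is
"file_create", "file_delete" or "process" (detail = command line)."""
import re
from collections import defaultdict

# Constructed sample telemetry, not real logs. One Windows file server, one
# ESXi host, and one build box doing ordinary work.
SAMPLE_EVENTS = [
    ("win-fs01", 0.0, "file_create", "kr.exe", r"C:\Users\Public\bench.tmp"),
    ("win-fs01", 0.7, "file_delete", "kr.exe", r"C:\Users\Public\bench.tmp"),
    ("win-fs01", 3.0, "process", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("esx-02", 0.0, "file_create", "encryptor", "/tmp/.bench"),
    ("esx-02", 0.4, "file_delete", "encryptor", "/tmp/.bench"),
    ("esx-02", 2.0, "process", "esxcli", "esxcli vm process kill --type=force --world-id=2100"),
    ("esx-02", 95.0, "process", "sh", "rm -f /var/log/shell.log /root/.ash_history"),
    ("build-01", 0.0, "file_create", "pip", "/tmp/pip-build-7f3a"),
    ("build-01", 4.0, "process", "tar", "tar czf /backup/site.tgz /var/www"),
    ("build-01", 130.0, "file_delete", "pip", "/tmp/pip-build-7f3a"),
]

# Generic indicators for each stage (editor's assumptions, not article IOCs).
STAGE_PATTERNS = {
    "backup_tamper": re.compile(
        r"vssadmin\s+delete\s+shadows|wbadmin\s+delete|bcdedit\s+/set.*recoveryenabled\s+no", re.I),
    "vm_kill": re.compile(r"esxcli\s+vm\s+process\s+kill", re.I),
    "cleanup": re.compile(
        r"rm\s+-f.*(\.bash_history|\.ash_history|/var/log/)|history\s+-c|wevtutil\s+cl", re.I),
}


def benchmark_probes(events, window_s=2.0):
    """Return {host: [paths]} for files a process created and then deleted
    within window_s seconds: the throughput probe, as opposed to a build
    tool's scratch file that lives for minutes."""
    created = {}
    probes = defaultdict(list)
    for host, t, kind, proc, detail in sorted(events, key=lambda e: e[1]):
        key = (host, proc, detail)
        if kind == "file_create":
            created[key] = t
        elif kind == "file_delete" and key in created:
            if t - created.pop(key) <= window_s:
                probes[host].append(detail)
    return dict(probes)


def stage_hits(events):
    """Map each host to the set of command-line stages observed on it."""
    hits = defaultdict(set)
    for host, _, kind, _, detail in events:
        if kind != "process":
            continue
        for stage, pattern in STAGE_PATTERNS.items():
            if pattern.search(detail):
                hits[host].add(stage)
    return hits


def score_hosts(events, min_stages=2):
    """Hosts showing at least min_stages of: benchmark probe, backup
    tampering, VM kill, cleanup. Requiring two stages keeps a lone
    shadow-copy cleanup by an admin from paging anyone."""
    hits = stage_hits(events)
    for host in benchmark_probes(events):
        hits[host].add("benchmark_probe")
    return {host: sorted(stages) for host, stages in hits.items()
            if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The probe window is the key knob: the article's point is that the benchmark is a fast, self-contained write-encrypt-delete cycle, so a short window separates it from legitimate temporary files without needing to know the attacker's filename. Feed the function from your EDR's file and process telemetry rather than from the shell history the malware erases.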
Fake Invoice Lures Used to Deliver XWorm RAT Through Legacy VBS Attack Chain
Cybercriminals are running targeted phishing campaigns that impersonate routine invoice communications to deliver the XWorm remote-access trojan. The emails use professional business language about payment processing and invoice verification but carry several social-engineering red flags: generic greetings, vague job titles, and an attached Visual Basic Script (VBS) file, a legacy format rarely used in modern business environments. When executed, the VBS file starts a multi-stage infection chain: it drops an obfuscated batch script into the temporary directory and relaunches it in a hidden window to mask activity. The batch file then copies itself into the user profile and runs a PowerShell loader that decrypts and decompresses embedded payload data directly in memory, so the final stage never lands on disk as a conventional executable and slips past disk-based defenses. That final stage is XWorm, a commercially sold malware-as-a-service platform that gives attackers full remote control of the system, including credential theft, keylogging, file exfiltration, and the ability to deploy ransomware.

The campaign shows how threat actors are reviving outdated scripting formats such as VBS to get past modern email defenses, while relying on layered obfuscation, in-memory execution, and stealthy persistence to evade endpoint detection. The chain leans heavily on padding, encoded payloads, and self-copying logic to conceal the PowerShell instructions that unpack and run XWorm. Once active, the RAT presents no visible user interface and uses fileless techniques that make it hard to analyze or remove. Researchers note that the combination of generic business workflows, disguised executable attachments, and hidden double-extension filenames (for instance, a file named Invoice.pdf.vbs displays as Invoice.pdf when Windows hides known extensions, which it does by default) increases the likelihood of user execution in busy corporate environments.
Defenders are urged to enforce strict executable attachment filtering, enable file extension visibility, deploy behavioral monitoring capable of detecting script-to-PowerShell loaders, and continue end-user training on invoice-themed phishing lures, which remain a dominant delivery vector for credential-stealing malware and ransomware loaders.
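The "behavioral monitoring capable of detecting script-to-PowerShell loaders" recommendation comes down to two checks: a process ancestry of script host, then cmd.exe, then powershell.exe, and a PowerShell command line that decodes or decompresses something in memory. The example below is written for this page, not code from the researchers; it runs over constructed process-creation events laid out in the shape of Sysmon Event ID 1 fields (pid, parent pid, image, command line), all invented for illustration, and adds the attachment-name check that catches the double-extension lure at the mail gateway. The loader indicators are generic PowerShell tokens chosen by the editor, not strings quoted from the campaign.

```python
"""Detect the VBS -> batch -> in-memory PowerShell loader chain and flag
disguised script attachments. Input shapes are assumed, see lead-in."""
import re

# Constructed process-creation events (not real telemetry). pid/ppid link
# each process to its parent; image is the executable path.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PROCS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\bob\Downloads\Invoice_4471.pdf.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c start /min "" "C:\Users\bob\AppData\Local\Temp\x9.bat"'},
    {"pid": 400, "ppid": 300, "image": PS_IMAGE,
     "cmd": 'powershell.exe -nop -w hidden -c "$b=[Convert]::FromBase64String($env:P);'
            '$s=New-Object IO.Compression.GzipStream([IO.MemoryStream]$b,'
            '[IO.Compression.CompressionMode]::Decompress)"'},
    # Benign: an admin running a maintenance script from a console.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
    {"pid": 600, "ppid": 500, "image": PS_IMAGE, "cmd": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Tokens that mark decode-and-run-in-memory behaviour (editor's assumptions).
LOADER_HINTS = re.compile(
    r"-enc(odedcommand)?\b|FromBase64String|Decompress|Invoke-Expression|\bIEX\b|-w(indowstyle)?\s+hidden",
    re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image names from the given process up to the root, child first."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        proc = by_pid[pid]
        chain.append(_image_name(proc["image"]))
        pid = proc["ppid"]
    return chain


def loader_chains(procs):
    """PowerShell processes spawned (via cmd.exe) under a script host whose
    command line carries in-memory loader tokens."""
    findings = []
    for proc in procs:
        if _image_name(proc["image"]) != "powershell.exe":
            continue
        chain = ancestry(procs, proc["pid"])
        hints = sorted({m.group(0).lower() for m in LOADER_HINTS.finditer(proc["cmd"])})
        if "cmd.exe" in chain[1:] and any(h in chain for h in SCRIPT_HOSTS) and hints:
            findings.append({"pid": proc["pid"],
                             "chain": " -> ".join(reversed(chain)),
                             "hints": hints})
    return findings


def attachment_risk(filename):
    """'double_extension' for document-looking names ending in a script
    extension, 'script_attachment' for any other script file, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) >= 2 and "." + parts[-1] in SCRIPT_EXT:
        if len(parts) == 3 and "." + parts[-2] in DOC_EXT:
            return "double_extension"
        return "script_attachment"
    return None


if __name__ == "__main__":
    for finding in loader_chains(SAMPLE_PROCS):
        print(finding)
    print(attachment_risk("Invoice_4471.pdf.vbs"))
```

The ancestry walk is what makes this a behavioral rule rather than a string match: the benign PowerShell run in the sample also descends from cmd.exe, but it has no script host above it and no decode tokens, so it is ignored. Gateways that already strip .vbs attachments still benefit from the second function, because the document-looking middle extension is the part that persuades a busy user to double-click.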
Top Vulnerabilities of the Week
Top CVEs of the Week – As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.