Update: Malicious NPM Packages Spreading NodeCordRAT via Developer Supply Chain
Zscaler ThreatLabz identified three malicious npm packages in November 2025, bitcoin-main-lib, bitcoin-lib-js, and bip40, built to compromise developer systems and steal sensitive data. The actor relied on look-alike naming tied to the legitimate BitcoinJS ecosystem to make the packages appear trustworthy. Two of them were thin wrappers whose install-time script pulled in bip40, the package that carried the actual malware, so a developer never had to choose the payload package deliberately. The three packages reached several thousand downloads before removal, and all were published from a single uploader account, which points to one coordinated operation rather than unrelated copycats. The incident shows how a routine dependency install can become the entry point into developer workstations and build environments.

The final payload, dubbed NodeCordRAT, used Discord as its command channel: after generating a unique host identifier it created a private channel per infected machine. From there an operator could run commands, capture screenshots, and pull files from the system. The theft it prioritized was high-impact: browser-stored credentials, environment (.env) files that often hold API tokens, and MetaMask wallet data that can enable direct financial theft. To outlive the install step, the malware relaunched itself through a process manager; this is session-level persistence that keeps it running after installation finishes, not a reboot-surviving mechanism. Stolen data left through Discord's API, so the exfiltration blended into ordinary HTTPS traffic to a widely allowed service that many environments do not tightly restrict.
Recommendations include enforcing allowlisted dependencies and locked versions, requiring review for any package that triggers install scripts, scanning builds for suspicious post-install behavior, restricting outbound access to consumer messaging platforms from development and CI systems, rotating exposed secrets quickly, and adding monitoring that flags unusual file access in developer profiles and unexpected network activity during package installation.
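The two controls above that can be automated, refusing packages that carry install-time scripts and catching names that imitate a trusted package, are shown in the following added example. It is not code from the Zscaler write-up or from the packages it names; the allowlist, the protected name stems, and every sample manifest are constructed for this example, and the script commands in them are hypothetical.

```python
# Added example (not code from the Zscaler write-up or from the packages it names):
# audit npm package manifests for two signals the campaign relied on, lifecycle
# scripts that run during "npm install" and names that imitate a trusted package.
# The allowlist, the protected name stems and every sample manifest below are
# constructed for this example; the script commands are hypothetical.
import json

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
ALLOWLIST = ("bitcoinjs-lib", "bip39", "ecpair", "tiny-secp256k1")
PROTECTED_STEMS = ("bitcoin", "bip")


def install_scripts(manifest):
    """Return (hook, command) pairs that npm would execute at install time."""
    scripts = manifest.get("scripts") or {}
    return [(hook, scripts[hook]) for hook in INSTALL_HOOKS
            if isinstance(scripts.get(hook), str) and scripts[hook].strip()]


def edit_distance(a, b):
    """Levenshtein distance, for near-miss names such as bip40 vs bip39."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def look_alike_of(name, allowlist=ALLOWLIST, stems=PROTECTED_STEMS, max_distance=2):
    """Explain why a name resembles a trusted package, or return None.

    Heuristics (assumptions of this example): a name within a small edit
    distance of an allowlisted name, or a non-allowlisted name that reuses a
    protected ecosystem stem such as "bitcoin".
    """
    if name in allowlist:
        return None
    dist, trusted = min((edit_distance(name, t), t) for t in allowlist)
    if dist <= max_distance:
        return ("near-miss", trusted)
    for stem in stems:
        if stem in name:
            return ("stem", stem)
    return None


def audit_manifests(manifests, allowlist=ALLOWLIST, stems=PROTECTED_STEMS):
    """Return one finding list per manifest; an empty list means nothing flagged."""
    report = []
    for m in manifests:
        findings = []
        if m["name"] not in allowlist:
            findings.append("not-allowlisted")
        for hook, _cmd in install_scripts(m):
            findings.append(f"install-script:{hook}")
        alike = look_alike_of(m["name"], allowlist, stems)
        if alike:
            findings.append(f"look-alike:{alike[0]}:{alike[1]}")
        report.append({"name": m["name"], "version": m.get("version"), "findings": findings})
    return report


def audit_manifest_texts(texts, **kw):
    """Same audit over raw package.json contents."""
    return audit_manifests([json.loads(t) for t in texts], **kw)


# Constructed sample manifests: the names follow the report, everything else is invented.
SAMPLE_MANIFESTS = [
    {"name": "bitcoinjs-lib", "version": "6.1.0", "scripts": {"test": "mocha"}},
    {"name": "bitcoin-main-lib", "version": "1.0.2", "scripts": {"postinstall": "node install.js"}},
    {"name": "bitcoin-lib-js", "version": "0.1.0", "scripts": {"preinstall": "node setup.js"}},
    {"name": "bip40", "version": "0.0.3", "scripts": {}},
]

if __name__ == "__main__":
    for entry in audit_manifests(SAMPLE_MANIFESTS):
        status = "FLAG" if entry["findings"] else "ok  "
        print(status, entry["name"], entry["version"], " ".join(entry["findings"]))
```

Run it against the package.json files under node_modules after an install performed with scripts disabled (npm install --ignore-scripts, or ignore-scripts=true in .npmrc), so nothing executes until the flagged packages have been reviewed. The stem heuristic is deliberately noisy; in practice it is the trigger for a human review, not a block on its own.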
Update: GoBruteforcer Botnet Escalation Against Exposed Linux Services
GoBruteforcer (GoBrut) is a modular botnet that compromises Linux servers by brute-forcing credentials for internet-exposed services, including FTP, MySQL, PostgreSQL, and phpMyAdmin. First identified in 2023, it has matured into a coordinated infection chain that moves from initial access to deeper control using components for remote access, automated tool delivery, and sustained password attacks. The exposure is large: millions of FTP, MySQL, and PostgreSQL services remain reachable on their default ports across the internet, and researchers estimate that more than 50,000 internet-facing servers remain susceptible to the botnet's credential-based intrusion attempts. Two trends amplify the problem: deployments copied from AI-generated setup examples that reuse predictable account names, and older web-stack bundles that still ship with default credentials that are rarely changed. Campaigns also shift frequently, alternating between wide spraying and more focused targeting, including activity aimed at cryptocurrency and blockchain environments.

The 2025 wave shows clear technical improvement and stronger operational discipline: better persistence, process masking that is harder to spot, and credential lists continuously refreshed from command-and-control infrastructure. The scanning logic keeps probing at scale while skipping address ranges the operators have excluded, and on 64-bit systems it runs many brute-force attempts in parallel. Credential analysis shows that the botnet's password list overlaps with real leaked passwords enough that tens of thousands of database instances may accept credentials already in use in the wild. In at least one investigated incident, operators deployed tooling built to identify and drain blockchain funds, and transaction review confirmed successful theft in some cases.
This aligns with broader cloud intrusion trends, where weak or missing credentials remain a leading initial entry point. Organizations running such services should urgently inventory and restrict any internet-facing FTP and database services, enforce strong authentication and remove default accounts, limit admin interfaces such as phpMyAdmin to trusted networks, segment networks to reduce the blast radius, and monitor for repeated login failures and for new scheduled tasks or unexpected processes that mimic system services.
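The last recommendation, monitoring for repeated login failures, is shown in the following added example, which is not tooling from the GoBruteforcer research. It parses constructed PostgreSQL and vsftpd failure lines, applies a sliding-window threshold per source address, and separates password spraying (many usernames) from brute force against one account. It assumes a PostgreSQL log_line_prefix of '%m [%p] %u@%d %r ' so the client address appears on the failure line; the default-account list is illustrative.

```python
# Added example, not tooling from the GoBruteforcer research: flag credential
# brute-forcing against PostgreSQL and FTP from authentication-failure log lines.
# All log lines below are constructed. The PostgreSQL pattern assumes
# log_line_prefix = '%m [%p] %u@%d %r ' so the client address is on the same
# line as the failure; adjust PG_RE to your prefix. FTP lines follow vsftpd's
# log format. Account names in DEFAULT_ACCOUNTS are an illustrative list.
import re
from collections import defaultdict, deque
from datetime import datetime

PG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\S* \S+ \[\d+\] \S+@\S+ '
    r'(?P<ip>[\d.]+)\(\d+\) FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"')
FTP_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[\d.]+)"')
DEFAULT_ACCOUNTS = {"root", "admin", "postgres", "mysql", "ftp", "test", "user"}


def parse_line(line):
    """Return a failure event for a recognised line, else None."""
    m = PG_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "service": "postgresql", "user": m["user"], "ip": m["ip"]}
    m = FTP_RE.match(line)
    if m:
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        return {"ts": ts, "service": "ftp", "user": m["user"], "ip": m["ip"]}
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60, defaults=DEFAULT_ACCOUNTS):
    """Report sources with at least `threshold` failures inside a sliding window.

    Several usernames from one source is reported as a spray, one username as a
    brute force; default account names among them are listed separately.
    `failures` counts every failure seen from the source, not just the window.
    """
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    window, total, alerts = defaultdict(deque), defaultdict(int), {}
    for ev in events:
        recent = window[ev["ip"]]
        recent.append(ev)
        total[ev["ip"]] += 1
        while (ev["ts"] - recent[0]["ts"]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) < threshold:
            continue
        alert = alerts.setdefault(ev["ip"], {"first": recent[0]["ts"], "users": set(), "services": set()})
        alert["users"].update(e["user"] for e in recent)
        alert["services"].update(e["service"] for e in recent)
        alert["failures"] = total[ev["ip"]]
        alert["last"] = ev["ts"]
    report = []
    for ip, a in alerts.items():
        users = sorted(a["users"])
        report.append({
            "ip": ip, "failures": a["failures"], "users": users,
            "services": sorted(a["services"]),
            "kind": "spray" if len(users) > 1 else "bruteforce",
            "default_accounts": sorted(a["users"] & defaults),
            "first": a["first"].isoformat(), "last": a["last"].isoformat(),
        })
    return report


# Constructed log lines: one fast spray against PostgreSQL, one unrelated failure,
# and one slow FTP attacker spacing attempts three minutes apart.
SAMPLE_LINES = [
    '2025-11-03 10:00:01.101 UTC [4411] postgres@postgres 203.0.113.5(51234) FATAL:  password authentication failed for user "postgres"',
    '2025-11-03 10:00:03.412 UTC [4412] postgres@postgres 203.0.113.5(51236) FATAL:  password authentication failed for user "postgres"',
    '2025-11-03 10:00:05.009 UTC [4413] admin@postgres 203.0.113.5(51240) FATAL:  password authentication failed for user "admin"',
    '2025-11-03 10:00:06.550 UTC [4414] root@postgres 203.0.113.5(51241) FATAL:  password authentication failed for user "root"',
    '2025-11-03 10:00:08.213 UTC [4415] postgres@postgres 203.0.113.5(51245) FATAL:  password authentication failed for user "postgres"',
    '2025-11-03 10:00:09.777 UTC [4416] admin@postgres 203.0.113.5(51247) FATAL:  password authentication failed for user "admin"',
    '2025-11-03 10:00:10.000 UTC [4417] [unknown]@[unknown] 192.0.2.9(33001) LOG:  connection received: host=192.0.2.9 port=33001',
    '2025-11-03 10:00:10.120 UTC [4417] app@inventory 192.0.2.9(33001) FATAL:  password authentication failed for user "app"',
    'Mon Nov  3 10:00:12 2025 [pid 2211] [ftp] FAIL LOGIN: Client "198.51.100.7"',
    'Mon Nov  3 10:03:12 2025 [pid 2214] [ftp] FAIL LOGIN: Client "198.51.100.7"',
    'Mon Nov  3 10:06:12 2025 [pid 2219] [ftp] FAIL LOGIN: Client "198.51.100.7"',
    'Mon Nov  3 10:09:12 2025 [pid 2223] [ftp] FAIL LOGIN: Client "198.51.100.7"',
    'Mon Nov  3 10:12:12 2025 [pid 2230] [ftp] FAIL LOGIN: Client "198.51.100.7"',
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LINES):
        print(alert)
```

With the default 60-second window only the spraying source is reported; the FTP attacker pacing one attempt every three minutes never reaches the threshold. That is the caveat with any short window: pair it with a longer one (detect_bruteforce(lines, window_seconds=900) catches the slow source) or with a per-day count per address, and treat any failure against a default account name as worth a look on its own.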
BlueDelta Impersonates Microsoft OWA, Google, and Sophos VPN to Harvest Credentials
BlueDelta's current playbook centers on stealing login credentials for webmail and remote-access portals, using Microsoft Outlook Web Access, Google sign-in, and Sophos VPN themes to harvest credentials from targeted staff. The operation relies on highly tailored phishing that opens with links designed to look routine, then moves victims through a staged redirection chain that helps evade basic security checks and hides the final destination until the last moment. A key tactic is using a legitimate PDF document as the hook: the victim briefly sees real content before being switched to a fake login page that mimics the targeted service. The infrastructure is intentionally disposable, built on free hosting, tunneling services, and link shorteners, which makes blocking harder and allows rapid rebuilds when defenders respond. The phishing pages also record a tracking signal when they load, which confirms who clicked and helps tune follow-up targeting. After credentials are entered, victims are often redirected to a legitimate document or the real portal to reduce suspicion and delay reporting.

For 2026, the most important takeaway is not any single lure but a repeatable system: localized content, realistic login clones, low-cost internet services, and tight victim tracking that together enable precise follow-up. Recorded Future's assessment that BlueDelta will continue into 2026 is credible because the tooling is easy to refresh and the targeting aligns with long-term intelligence priorities in energy research, policy, and government communications. With stolen credentials, the attackers can access inboxes and VPN accounts, monitor internal discussions, collect sensitive attachments, and use trusted accounts to expand access through internal phishing. Expect continued experimentation with new languages, new document themes, and more convincing "security workflow" prompts designed to trigger fast compliance from busy staff.
Mitigation efforts include enforcing phishing-resistant MFA for OWA and VPN access, tightening conditional access rules, blocking or alerting on unneeded free hosting and tunneling services, improving email filtering for PDF-delivered links tied to login or password prompts, and monitoring for unusual sign-ins, impossible travel, and sudden spikes in failed logins tied to targeted user groups.
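The redirection-chain pattern above, disposable hops ending on a brand-themed login page, can be scored mechanically once the mail gateway or sandbox has followed the link. The following added example does that; it is not a detection from the Recorded Future report. The shortener, tunnel and free-hosting lists are illustrative categories rather than infrastructure attributed to BlueDelta, the brand-to-owner map is an assumption of the example, and all three chains are constructed.

```python
# Added example, not a detection from the Recorded Future report: score a link by
# the redirection chain it resolves through, looking for the pattern described
# above: throwaway hops on shorteners, tunnels or free hosting, a brand name on
# a host the brand does not own, and a final page that asks for credentials.
# The service lists are illustrative categories, not infrastructure attributed
# to BlueDelta; the brand-to-owner map is an assumption; all chains are constructed.
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com"}
TUNNELS = {"ngrok-free.app", "trycloudflare.com"}
FREE_HOSTING = {"pages.dev", "netlify.app", "github.io", "web.app"}
# Brand keyword -> registrable domains that legitimately serve that brand's login.
BRAND_OWNERS = {
    "owa": {"office.com", "office365.com"},
    "outlook": {"office.com", "office365.com", "live.com", "outlook.com"},
    "office": {"office.com", "office365.com", "microsoft.com"},
    "google": {"google.com"},
    "sophos": {"sophos.com"},
}
CREDENTIAL_WORDS = ("login", "logon", "signin", "sign-in", "auth", "password", "verify")
WEIGHTS = {"redirect-hops": 1, "shortener": 1, "tunnel": 2, "free-hosting": 1,
           "brand-impersonation": 3, "credential-prompt": 2}


def host_in(host, domains):
    """True if host is one of domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def host_category(host):
    """Classify a hop as shortener, tunnel or free-hosting, else None."""
    for cat, domains in (("shortener", SHORTENERS), ("tunnel", TUNNELS), ("free-hosting", FREE_HOSTING)):
        if host_in(host, domains):
            return cat
    return None


def score_chain(chain):
    """Score an ordered list of URLs, from the clicked link to the final page."""
    findings = []
    hosts = [urlsplit(u).hostname or "" for u in chain]
    if len(chain) > 2:
        findings.append(f"redirect-hops:{len(chain) - 1}")
    for host in hosts:
        cat = host_category(host)
        if cat:
            findings.append(f"{cat}:{host}")
    final, final_host = urlsplit(chain[-1]), hosts[-1]
    page_text = f"{final_host}{final.path}?{final.query}".lower()
    for brand, owners in BRAND_OWNERS.items():
        # A brand word on a host the brand does not own is the clone signal.
        if brand in page_text and not host_in(final_host, owners):
            findings.append(f"brand-impersonation:{brand}@{final_host}")
            break
    if any(w in f"{final.path}?{final.query}".lower() for w in CREDENTIAL_WORDS):
        findings.append("credential-prompt")
    score = sum(WEIGHTS[f.split(":", 1)[0]] for f in findings)
    verdict = "block" if score >= 5 else "review" if score >= 3 else "allow"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed chains: a staged phish ending on an OWA clone, the real OWA logon
# page, and a harmless shared document on free hosting.
PHISHING_CHAIN = [
    "https://bit.ly/3xAmPl",
    "https://policy-brief-2f1a.trycloudflare.com/Energy_Policy_Brief.pdf",
    "https://owa-mail-secure.pages.dev/owa/auth/logon.aspx?replaceCurrent=1",
]
LEGIT_CHAIN = ["https://outlook.office.com/owa/auth/logon.aspx?url=https%3a%2f%2foutlook.office.com%2fowa%2f"]
DOC_CHAIN = ["https://tinyurl.com/q7doc", "https://team-site.github.io/report.pdf"]

if __name__ == "__main__":
    for chain in (PHISHING_CHAIN, LEGIT_CHAIN, DOC_CHAIN):
        print(score_chain(chain))
```

The real OWA page scores only for its credential path and is allowed, and a shortened link to a PDF on free hosting is allowed as well; it is the combination of disposable hops with a brand clone that pushes the score over the block threshold. The brand check is a substring test and will need a longer keyword list and an exclusion list for your own domains before production use.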
Update: GitLab Security Patches Address High-Risk XSS and Access Control Gaps
GitLab released security patch versions 18.7.1, 18.6.3, and 18.5.5 to fix multiple vulnerabilities affecting self-managed environments; the fixes are already applied on GitLab[.]com. The issues span core areas, including GitLab Flavored Markdown, the Web IDE, Duo Workflows, AI GraphQL endpoints, import features, and runner management. The most serious flaws are stored and reflected cross-site scripting bugs that run attacker-controlled JavaScript in a logged-in user's browser, enabling session theft and unauthorized actions performed as that user. Separate authorization weaknesses could let users with limited privileges read AI model settings outside their allowed scope or change instance-wide AI provider settings. Further issues include a denial-of-service condition triggered by crafted external API responses and a permissions weakness that lets users remove runners from projects they should not control. A lower-severity information disclosure issue may expose connection details through crafted rendered content that bypasses intended protections.

For most organizations the risk is a mix of account compromise, unauthorized configuration changes, data exposure, and service disruption, each of which directly affects developer productivity and the integrity of project workflows. The fixes apply across deployment methods, including omnibus packages, source installs, and Helm-based deployments, so self-managed admins should assume action is required unless their product type is explicitly excluded. GitLab recommends upgrading to the latest patch release in your supported series. Plan for downtime on single-node installs because the upgrade runs database migrations; multi-node environments can follow the documented zero-downtime upgrade procedure.
From a business perspective, the biggest concern is that browser-based attacks can silently abuse trusted user sessions, while access-control gaps can weaken governance over sensitive AI-related settings and shared runners. Recommendations: upgrade immediately to 18.7.1, 18.6.3, or 18.5.5, validate role permissions for AI and runner administration, reduce external exposure to GitLab interfaces where possible, and increase monitoring for unusual activity in Markdown rendering, Web IDE usage, AI settings changes, imports, and runner updates. If you cannot patch quickly, prioritize limiting access to affected features and tightening permissions until the upgrade is complete.
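Applying "upgrade to the latest patch in your supported series" across a fleet is easy to get wrong when some instances sit on a series that received no patch. The following added example, which is not a GitLab tool, encodes that rule: same series moves to its patched release, a series older than every patched one jumps to the newest patched release, and a series newer than any listed is assumed to already carry the fixes (an assumption of the example, not a statement from the advisory). The inventory is constructed.

```python
# Added example, not a GitLab tool: given the patched versions named above, decide
# which release each self-managed instance in an inventory must move to. Versions
# are read as major.minor.patch (an edition suffix such as -ee is ignored). An
# instance whose series is older than every patched series gets the newest patch
# release, since its series receives no fix; a series newer than any listed is
# assumed (by this example) to already contain the fixes. The inventory is constructed.
PATCHED_VERSIONS = ("18.7.1", "18.6.3", "18.5.5")


def parse_version(text):
    """'18.6.3-ee' -> (18, 6, 3)."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split(".")[:3])


def format_version(parts):
    return ".".join(str(p) for p in parts)


def required_upgrade(current, patched=PATCHED_VERSIONS):
    """Return the version to upgrade to, or None if no upgrade is required."""
    cur = parse_version(current)
    targets = sorted((parse_version(p) for p in patched), reverse=True)
    for target in targets:
        if cur[:2] == target[:2]:            # same major.minor series
            return None if cur >= target else format_version(target)
    if cur < targets[-1]:                    # older than every patched series
        return format_version(targets[0])
    return None                              # newer series: assumed fixed


def triage(inventory, patched=PATCHED_VERSIONS):
    """Map each host to the release it needs, or None when already patched."""
    return {host: required_upgrade(version, patched) for host, version in inventory.items()}


# Constructed inventory of self-managed instances and their running versions.
INVENTORY = {
    "git-prod-01": "18.7.0-ee",
    "git-prod-02": "18.6.3-ee",
    "git-ci-01": "18.5.2",
    "git-legacy": "18.2.1",
    "git-edge": "18.8.0",
}

if __name__ == "__main__":
    for host, target in triage(INVENTORY).items():
        print(host, "upgrade to " + target if target else "patched")
```

Feed it the version strings you already collect (the Admin area shows them, and the /api/v4/version endpoint returns one for authenticated users) and you get the per-host target list that the change window needs, including the single-node hosts that will take downtime for migrations.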