company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Phishing

loading..
loading..
loading..

LA County Hit by Phishing Attack Impacting 23 Employees

Discover how a phishing attack on Los Angeles County Department of Health Services compromised sensitive data, impacting 23 employees.

26-Apr-2024
2 min read

No content available.

Related Articles

loading..

Coinbase

Coinbase's repeat data breach exposes 97k users: Offshore contractors blamed. Id...

Cryptocurrency marketplace Coinbase faces mounting backlash after confirming hackers stole sensitive data, including passports, bank details, and Social Security numbers—from nearly 97,000 users. This breach, the **third major security incident since 2021**, exposes a reckless pattern of outsourcing critical operations to offshore contractors while lobbying against regulatory safeguards. The hackers infiltrated systems by bribing overseas support staff, a tactic reminiscent of **2021 phishing attacks** that compromised 6,000 user accounts. Unlike competitors like Binance, which invested $300 million in AI-driven threat detection this year, Coinbase has prioritized cost-cutting over robust security, critics allege. ### **"A Identity Thief’s Goldmine”** The stolen data—unmasked government IDs, transaction histories, and banking identifiers—creates lifelong risks for victims. - **Hypothetical fallout:** A leaked passport could enable fraudulent loans, home purchases, or even criminal impersonation. - **By the numbers:** 42% of crypto users report identity theft attempts post-breach (2023 CipherTrace Report). _“This isn’t just data—it’s people’s lives,”_ said *Maria Gonzalez*, a Coinbase user whose driver’s license was stolen. _“Coinbase promised security, but they sold us out.”_ ### **Empty Promises While Unanswered Questions** Coinbase [claims](https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists) it will launch a U.S.-based support hub and “strengthen defenses,” but skeptics dismiss this as déjà vu. In 2022, CEO Brian Armstrong pledged a “top-to-bottom security overhaul” that ultimately failed to materialize. - **Critical gaps:** Why did offshore contractors in India and the Philippines have unfettered access to unmasked IDs without real-time monitoring? - **Regulatory defiance:** In 2023, Coinbase spent $3.8 million lobbying against SEC oversight, including rules that mandate breach disclosures within 72 hours. _“This is corporate negligence dressed as innovation,”_ said *Sen. Elizabeth Warren*, who recently accused crypto firms of _“weaponizing secrecy to evade accountability.”_ ### **How Outsourcing Fueled the Data Breach** 1. **Offshore access:** Low-cost contractors in high-risk regions accessed core systems with minimal oversight. 2. **Delayed detection:** Hackers infiltrated systems for months before Coinbase took action. 3. **Ransom gambit:** Hackers demanded $20 million, but experts warn the long-term liability for users could exceed $2 billion. _*John Carter, a former Coinbase security engineer who resigned in 2022*_, revealed: _“Leadership ignored repeated warnings about contractor vulnerabilities. Profit trumped safety.”_ ### **Crypto’s House of Cards** The breach amplifies fears that decentralized finance is a haven for lax security: - **Historical parallels:** Mt. Gox’s 2014 collapse ($460M stolen), FTX’s fraud, and now Coinbase’s systemic failures. - **Investor flight:** “This sets back institutional adoption by years,” said *Rachel Kim*, a blockchain fund manager. _“How can we trust an industry that won’t protect its users?”_

loading..   16-May-2025
loading..   3 min read
loading..

Scattered Spider

M&S cyberattack by Scattered Spider exposes customer data; triggers 15% stock cr...

A ruthless [cyberattack](https://www.secureblink.com/cyber-security-news/marks-and-spencer-hit-by-major-cyberattack-click-and-collect-services-disrupted) has ignited chaos at British retail titan Marks & Spencer (M&S), as the 140-year-old institution faces its most crippling crisis in decades. The Scattered Spider syndicate—a global hacking collective linked to audacious strikes on Caesars Entertainment and MGM Resorts—has infiltrated M&S’s defenses, plundering vast troves of customer data and triggering a 15% stock market freefall that has left investors reeling. For over three weeks, the retailer’s £1.4 billion online empire has been paralyzed, its reputation hanging by a thread, while executives wage a desperate battle to stem the bleeding. ### **How the Attack Unfolded** The nightmare began on **April 25**, when M&S abruptly halted all online orders without explanation, leaving millions of customers in the dark. Behind the scenes, cyber mercenaries linked to Scattered Spider — a shadowy syndicate of English-speaking hackers — infiltrated M&S’s systems in what insiders describe as a “surgical strike” targeting personal customer data. While M&S claims payment details and passwords were *not* compromised (as card data is outsourced to third parties), hackers accessed **names, addresses, contact information, and purchase histories** — a goldmine for identity theft and phishing schemes. The breach forced M&S to freeze its £1.4 billion e-commerce platform for over 21 days, triggering a **15% stock plunge** and wiping hundreds of millions off its market value. _“This wasn’t just a hack — it was a *financial hemorrhage*,”_ declared a City of London analyst. _“M&S’s reputation is bleeding out.”_ ### **Scattered Spider’s Global Reign of Terror** The attack has been pinned on **Scattered Spider**, a cybercrime cabal also known as **Octo Tempest** and **Muddled Libra**, whose members operate from the UK, U.S., and beyond. The group gained global notoriety in 2023 for crippling Las Vegas titans **Caesars Entertainment** and **MGM Resorts**, extracting a staggering **$15 million ransom** from Caesars in a single stroke. Sources reveal Scattered Spider’s UK wing is allegedly led by **Tyler Buchanan**, a 23-year-old tech savant from Dundee, Scotland, who operated under the alias *“Tylerb”* on encrypted platforms. Buchanan was reportedly arrested in Spain last summer and extradited to California in **April 2025** to face charges — though his alleged associates continue their rampage. Meanwhile, U.S. operations are spearheaded by **Noah Urban**, aka *“King Bob”*, a hacker linked to high-profile ransomware schemes. The group’s signature blend of **social engineering, phishing, and ransomware** has made them one of the most feared entities in cybercrime. ### **Inside the Fallout: Panic, Profits, and a Retail Giant Under Siege** As M&S races to restore systems with help from cybersecurity firm **DarkTrace**, law enforcement, and the UK’s National Cyber Security Centre (NCSC), questions mount over how hackers bypassed defenses at a company serving **30 million loyal customers**. **Key Revelations:** - **Customer Trust Erodes:** Despite M&S’s assurances, experts warn stolen personal data could fuel *targeted scams*. “Imagine getting a fake ‘M&S voucher’ email — that’s just the start,” said cybersecurity expert Dr. Elena Voss. - **Physical Stores Survive, But Stock Market Carnage Continues:** While M&S’s 1,000 UK stores remain open, investors are fleeing. Shares have cratered to a 12-month low, with analysts predicting long-term brand damage. - **The 2025 Extradition Twist:** Tyler Buchanan’s reported extradition timeline raises eyebrows. Legal experts question how a 2025 date aligns with his 2023 arrest — suggesting either a typo or a prolonged legal saga. ### **We Will Not Be Broken** In a fiery statement, M&S CEO Stuart Machin vowed: _“We are working tirelessly to protect our customers and emerge stronger. This attack will *not* define us.”_ The retailer has launched a 24/7 helpline for affected shoppers and pledged free credit monitoring. Yet critics accuse M&S of downplaying risks. _“Calling this ‘sophisticated’ is corporate jargon for *‘we were outsmarted*,’”_ snapped retail analyst Priya Kapoor. The M&S debacle underscores a chilling reality: no company, however venerable, is safe from Scattered Spider’s evolving tactics. With ties to Russia’s ALPHV/BlackCat ransomware group, the gang epitomizes the borderless, mercenary nature of modern cyberwarfare.

loading..   14-May-2025
loading..   4 min read
loading..

NPM

RAT

Researchers uncover a sophisticated npm supply chain attack targeting the deprec...

On May 5, 2025, security firm Aikido [detected](https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise) unauthorized malicious versions of the **`rand-user-agent`** npm package, a once-popular library (45k weekly downloads) used to generate randomized user-agent strings for web scraping and testing. Threat actors exploited its semi-abandoned status to inject a **Remote Access Trojan (RAT)** via versions `1.0.110`, `2.0.83`, and `2.0.84`, bypassing GitHub's source code repository and targeting npm artifacts directly. ### **Technical Anatomy of the Attack** #### **1. Malicious Code Injection** - **File**: Obfuscated payload hidden in `dist/index.js`, visible only via horizontal scrolling on npm’s UI. - **Obfuscation Layers**: - **String Shuffling**: A custom `pHg` function rearranged characters to evade static analysis. - **Multi-Stage Execution**: Decrypted malicious payloads via nested functions (`zlJ`, `fqw`). - **Dynamic Imports**: Used `global["r"] = require` to bypass dependency checks. #### **2. Payload Execution** - **Persistence Mechanism**: - Created `~/.node_modules` in the user’s home directory. - Modified `module.paths` to prioritize this directory, enabling sideloading of malicious dependencies (`axios`, `socket.io-client`). - **C2 Infrastructure**: - **Socket.IO Server**: `http://85.239.62[.]36:3306` (command delivery). - **File Exfiltration**: `http://85.239.62[.]36:27017/u/f` (HTTP POST). - **Data Harvesting**: Transmitted system fingerprints: ```plaintext Hostname: [Victim Hostname] Username: [Current User] OS Type: [Windows/Linux/macOS] UUID: [Generated via crypto.randomBytes] ``` #### **3. RAT Capabilities** | **Command** | **Function** | |--------------------|-----------------------------------------------------------------------------| | `cd <path>` | Change working directory. | | `ss_dir` | Reset directory to the script’s original path. | | `ss_fcd:<path>` | Force-change directory (bypass permissions). | | `ss_upf:f,d` | Upload file `f` to destination `d` (e.g., `ss_upf:passwords.txt,/exfil`). | | `ss_upd:d,dest` | Upload all files in directory `d` to `dest`. | | `ss_stop` | Halt ongoing file transfers. | | **Any shell cmd** | Execute arbitrary commands via `child_process.exec()`. | - **Windows-Specific Hijacking**: Prepended `%LOCALAPPDATA%\Programs\Python\Python3127` to `PATH`, enabling execution of malicious binaries masquerading as Python tools. ### **Attack Vector: How the Package Was Compromised** - **Compromised npm Token**: Attackers used an **outdated automation token** from a maintainer, lacking 2FA, to publish malicious versions directly to npm. - **Version Spoofing**: Incremented version numbers (`2.0.82` → `2.0.83/2.0.84`) to mimic legitimacy. - **GitHub Decoupling**: Malicious code existed **only in npm artifacts**; GitHub repo remained untouched, delaying detection. ### **Indicators of Compromise (IoCs)** - **Malicious Versions**: `1.0.110`, `2.0.83`, `2.0.84`. - **Network Activity**: - `85.239.62.36:3306` (TCP, C2 socket). - `85.239.62.36:27017/u/f` (HTTP POST, file uploads). - **File System Artifacts**: - `~/.node_modules` (hidden directory). - `node_modules/rand-user-agent/dist/index.js` (obfuscated payload). - **Processes**: Unusual `child_process.exec()` activity or Python3127-related paths in `PATH`. ### **Mitigation & Remediation: Immediate Actions** #### **1. For Affected Systems** - **Step 1**: Identify installed versions: ```bash npm list rand-user-agent ``` If versions `1.0.110`, `2.0.83`, or `2.0.84` are present: - **Step 2**: Uninstall the package: ```bash npm uninstall rand-user-agent ``` - **Step 3**: Audit system for: - Files under `~/.node_modules`. - Unauthorized connections to `85.239.62.36`. - Unusual processes spawned from `node` or `python`. #### **2. Long-Term Security Enhancements** - **Enforce 2FA for npm**: ```bash npm profile enable-2fa auth-and-writes ``` - **Scope Automation Tokens**: Limit tokens to specific packages/IP ranges. - **Adopt Forked Alternatives**: Switch to actively maintained forks like `random-user-agent-generator`. ### **Developer Statement: Lessons from the Breach** In a comment, the maintainers clarified: > *“The attacker exploited an outdated token without 2FA. We’ve since invalidated all legacy tokens, enforced 2FA, and will implement automated npm-GitHub version parity checks.”*

loading..   12-May-2025
loading..   3 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958