New self-replicating malware infects npm packages.

Summary

By the CyberWire staff

New self-replicating malware infects npm packages.

A new supply chain attack campaign has compromised more than 180 npm packages with a self-replicating malware, SecurityWeek reports. Researchers at JFrog, Orca Security, Wiz, Palo Alto Networks, Arctic Wolf, and others are tracking the campaign. One of the infected packages, @ctrl/tinycolor, has more than two million weekly downloads, while others, including ngx-bootstrap and ng2-file-upload, receive hundreds of thousands of downloads per week.

Orca explains, "A function called NpmModule[.]updatePackage was inserted into the affected packages to perform several actions: download a package tarball, modify package.json, inject a local script (bundle.js), repack the archive, and republish it. This means any other packages or apps that use the newly published packages automatically get infected too." The researchers add that the apparent goal of the campaign is to "find secrets on developer machines, such as GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY, using TruffleHog’s credential scanner, and publishing the collected secrets to a public GitHub repository called 'Shai-Hulud.'"

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

Microsoft seizes websites used by RaccoonO365 phishing kit.

Microsoft’s Digital Crimes Unit (DCU) obtained a court order from the Southern District of New York to seize 338 websites used by the popular phishing kit RaccoonO365. The phishing kit was widely used for stealing Microsoft 365 credentials.

Microsoft also accuses a Nigerian national named "Joshua Ogundipe" of developing and maintaining the kit, and has referred the individual to law enforcement. Microsoft stated, "Ogundipe and his associates each have specialized roles within the cybercriminal organization, and together they develop, and sell the service, while providing customer support to help other cybercriminals steal information from Microsoft users. To mask their criminal enterprise and evade detection, they registered Internet domains using fictitious names and physical addresses that are purportedly located in multiple cities and countries. Based on Microsoft’s analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code."

Are You Future Ready? Secure Your Machine Future With Confidence.

CyberArk is the leader behind the world’s most comprehensive machine identity security solution. With capabilities that span secrets, certificate management and workload identities, we enable customers to secure more machine identity use cases with the right level of privilege control. Find out exactly how we’re helping modern organizations secure their machine future.

BreachForums founder resentenced to three years in prison.

BreachForums founder Conor Brian Fitzpatrick has been resentenced to three years in prison after a court ruled that his previous sentencing of time served (17 days) was too lenient. Fitzpatrick, who lives in New York, had pleaded guilty to one count of access device conspiracy, one count of access device solicitation, and one count of possession of child sexual abuse material.

Notes.

Today's issue includes events affecting , and Nigeria the United States.

Attacks, Threats, and Vulnerabilities

UK telco Colt’s cyberattack recovery seeps into November (The Register) Pentesters confirm key system is safe but core products remain unavailable

SlopAds’ Highly Obfuscated Android Malware Scheme Makes a Mess of the Internet Before Satori Cleanup (HUMAN Security) Fraudsters are being forced to get increasingly sophisticated to get fraud schemes off the ground. The Satori Threat Intelligence and Research Team’s most

Trends

Executives Adopt AI at Nearly Twice the Rate of Other Workers, Study Finds (Bospar) New Data from Bospar Reveals C-Suite Decision-Makers Lead AI Adoption vs. 49% for Other Workers [San...

Legislation, Policy, and Regulation

House lawmakers move to extend two key cyber programs, for now (The Register) The measure from the House Appropriations Committee would extend the life of the 2015 Cybersecurity Information Sharing Act (CISA 2015) and the State and Local Cybersecurity Grant Program — both of which are slated to expire September 30 — until November 21.

Senators, FBI Director Patel clash over cyber division personnel, arrests (CyberScoop) FBI cyber division cuts under President Donald Trump will reduce personnel there by half, a top Democratic senator warned Tuesday, while FBI Director Kash Patel countered that arrests and convictions have risen under the Trump administration.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

DMV Rising '25 (Washington, DC, USA, Sep 18, 2025) Join us on September 18, 2025 to celebrate the remarkable accomplishments of the DMV's cybersecurity community, connect with the brilliant minds shaping the future of the field, and experience firsthand why the DMV region is the beating heart of cyber innovation. Register now to secure your spot.

HackAICon 2025 (Lisbon, Portugal, Sep 25, 2025) The first conference dedicated to combining AI and Ethical Hacking. We're bringing together OffSec pros, hackers, and leading researchers to find practical ways of using AI to secure the internet. Learn about the latest AI Hacking cosmic trends and connect with fellow professionals in engaging conversations. We banned sales pitches from the event - just knowledge sharing, leadership and technical insights.

Open Source Security Summit 2025 (Virtual, Sep 25, 2025) The sixth annual Open Source Security Summit brings together business leaders, industry visionaries, and technology users to chart a path forward and highlight the future of open source security solutions at this free virtual event. Register now to explore advancements in open source security and how using open source tools can build trust with customers and consumers.

Don’t miss Jen Easterly, former CISA Director, headlining HIP Conf 25 (Charleston, SC, USA, Oct 7 - 9, 2025) Jen Easterly, former CISA Director, keynotes HIP Conf 2025. A globally recognized cybersecurity leader, Easterly brings unmatched insight into hybrid identity security and resilience. Register now for this must-attend event.

Uniting Women in Cyber 2025 (Crystal City, Virginia, USA, Oct 9, 2025) UWIC is the premier event for cybersecurity leaders, professionals, and aspiring practitioners. Connect with a vibrant community focused on emerging global trends, technological advancements, and workforce development. Attend UWIC 2025 to learn, share ideas, and expand your professional network!

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 09.17.25

Top stories.

New self-replicating malware infects npm packages.

Microsoft seizes websites used by RaccoonO365 phishing kit.

BreachForums founder resentenced to three years in prison.

Notes.

Attacks, Threats, and Vulnerabilities

Trends

Legislation, Policy, and Regulation

Events