Cybersecurity News: PhantomRPC flaw, Checkmarx GitHub dark web data, PyPI package infostealer

In today’s cybersecurity news…

PhantomRPC flaw enables privilege escalation

A Kaspersky researcher disclosed an unpatched Windows vulnerability dubbed “PhantomRPC” that allows privilege escalation by exploiting how the OS’s Remote Procedure Call (RPC) mechanism handles connections to inactive services. The flaw lets attackers with limited access spin up rogue RPC servers that impersonate legitimate services and capture high-privilege connections, potentially escalating to SYSTEM-level control, with five exploit paths validated on recent Windows Server versions. Microsoft classified the issue as moderate severity due to the privileges required and isn’t issuing a fix, so monitoring RPC activity and restricting impersonation privileges are key to reducing risk. (Dark Reading)

Checkmarx confirms GitHub data hit dark web

Checkmarx confirmed that data from its GitHub repository has been posted on the dark web following a March 23rd supply chain attack that compromised development tools and workflows. The breach involved tampered GitHub Actions and VS Code extensions distributing credential-stealing malware, with researchers linking subsequent leaks to groups like LAPSUS$ and activity attributed to TeamPCP. Exposed data may include source code and credentials, though customer environments were reportedly unaffected. The company has restricted access to the impacted repository and is continuing its investigation, noting it will notify customers of sensitive data exposure. (The Hacker News)

PyPI package hacked to push infostealer

A widely used PyPI package with more than 1.1 million monthly downloads was compromised in a supply chain attack that pushed a malicious version containing an info-stealer targeting developer credentials and crypto wallets. Researchers at StepSecurity found the attacker exploited a GitHub Actions script injection flaw to steal a workflow token, forge a legitimate release, and distribute the backdoored package and Docker image. The issue has been fixed in version 0.23.4, but affected users should rotate secrets and restore systems, since the malicious release could automatically propagate to environments using unpinned dependencies. (BleepingComputer)
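As an added illustration of the GitHub Actions script-injection class named in the report (this is not the affected project's workflow, which the report does not show; `<commit-sha>` is a placeholder): the first workflow expands an attacker-controlled pull-request field directly inside a `run:` step, so a crafted title becomes shell syntax that executes with the job's token, while the second passes the same value as an environment variable, pins the action to a commit, and scopes the token to read-only.

```yaml
# Added example, not the compromised project's workflow.
# Placeholder: <commit-sha> stands for the full 40-character SHA of the action release.

# --- Vulnerable: untrusted event data is spliced into the script text ----------
name: triage-vulnerable
on: [pull_request_target]        # runs in the base repo with access to its secrets
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo PR title
        # The ${{ }} expression is substituted into the script *before* bash runs,
        # so quotes or command substitution inside the title become part of the
        # command line and run with this job's GITHUB_TOKEN (write scope if the
        # repository still uses permissive default permissions).
        run: echo "New PR: ${{ github.event.pull_request.title }}"

---
# --- Hardened: same behaviour, input handled as data rather than code ----------
name: triage-hardened
on: [pull_request_target]
permissions:
  contents: read                 # least-privilege token; grant more only per job
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<commit-sha>   # immutable pin instead of a movable tag
      - name: Echo PR title
        env:
          # Assigned to the environment by the runner, never parsed by the shell
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "New PR: $PR_TITLE"          # bash sees one opaque string
```

The same split applies to every attacker-controllable event field (PR body, head branch name, commit message, issue title): keep them out of `run:` text and read them from `env:` instead.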

Italy extradites alleged Chinese state hacker to US

Italian authorities extradited Xu Zewei to the U.S., where he faces charges tied to alleged involvement in the state-backed Hafnium (also known as Silk Typhoon) campaign that targeted Microsoft Exchange servers and thousands of global victims. U.S. prosecutors say he participated in intrusions between 2020 and 2021, including attacks on universities and researchers to steal COVID-19-related data, allegedly under direction from Chinese intelligence services. Xu denies the allegations but could face up to 77 years in prison if convicted. China has criticized the extradition. (The Record)

Huge thanks to our sponsor, Guardsquare

Your backend is only as secure as your frontend. Research shows that client-side compromise is now a primary driver of API risk. With sixty-three percent of leaders detecting mobile app tampering or cloning last year, don’t leave your mobile app security to chance. Get multilayered protection for your entire mobile app ecosystem from the outside in. Learn more at Guardsquare.com.

US sanctions target Cambodian scams

The U.S. Treasury’s Office of Foreign Assets Control sanctioned a Cambodian cybercrime network, including Senator Kok An, over large-scale cryptocurrency scams that have defrauded Americans of millions through romance and fake investment schemes. Authorities say the operation runs from scam compounds tied to casinos, where victims send funds to fraudulent platforms, while trafficked workers carry out the scams under coercive conditions. The action was coordinated with the DOJ, FBI, and Secret Service, including domain seizures and criminal charges, intended to disrupt both the financial infrastructure and human trafficking tied to the network. (Infosecurity Magazine)

GlassWorm malware attacks return

Researchers at Socket identified a new wave of the GlassWorm supply chain campaign abusing 73 OpenVSX extensions designed to appear benign before turning malicious through later updates. Six extensions have already been activated, using loader techniques to fetch and execute hidden payloads that can steal developer credentials, crypto wallets, and sensitive environment data. The campaign reflects a shift toward stealthier “sleeper” tactics, with cloned extensions mimicking legitimate tools. Developers should remove affected packages and rotate secrets. (BleepingComputer)

Utilities tech supplier Itron discloses attack

Itron disclosed a cybersecurity breach involving unauthorized access to its IT systems, but said it has since contained and remediated the incident with no ongoing malicious activity detected. The company reported no impact to customer-hosted systems or core operations, which continued without disruption, and expects insurance to cover much of the associated costs. Itron is still investigating the scope of the breach and evaluating any required regulatory disclosures, but does not currently expect a material business impact. (Infosecurity Magazine)

Crypto money launderer given 5-year sentence

California-based Evan Tangeman was sentenced to 70 months in prison for laundering millions in stolen cryptocurrency tied to a cybercriminal group known as the Social Engineering Enterprise, which stole roughly $260 million from victims. Prosecutors say the group used social engineering and physical tactics to target high-value crypto holders, while Tangeman helped convert stolen funds into cash and assets, including luxury homes used in operations. He also attempted to cover up the scheme after arrests, and is one of nine individuals to plead guilty in the case. (The Record)