Cyber Threats of the Week: New Attacks on the JavaScript Ecosystem and a Gucci Data Breach

We have gathered the most significant cybersecurity news from the past week.

Software developers are increasingly attracting crypto thieves. According to cybersecurity researchers from Koi Security, the hacking group WhiteCobra has targeted users of the code development environments VSCode, Cursor, and Windsurf. They have uploaded 24 malicious extensions to the Visual Studio Marketplace and the Open VSX registry.

One of the victims of these "wallet drainers" was Ethereum's lead developer, Zak Cole.

He reported that cybercriminals stole cryptocurrency through a plugin for the AI code editor Cursor. Cole explained that the extension bore all the hallmarks of a benign product: a professionally designed logo, detailed descriptions, and 54,000 downloads on OpenVSX, the official Cursor registry.

Koi Security believes that WhiteCobra is linked to the same group that stole digital assets worth $500,000 from a Russian blockchain programmer in July, as reported earlier.

"Cross-compatibility and the lack of proper vetting during publication on these platforms make them ideal for malicious actors looking to conduct widespread campaigns," the Koi Security report states.

The wallet-draining process begins with the execution of the extension's main file, extension.js, which closely resembles the standard Hello World template that ships with every new VSCode extension. The malware then unpacks a stealer tailored to the victim's operating system.

WhiteCobra is targeting digital asset holders with amounts ranging from $10,000 to $500,000. Analysts believe this group can launch a new campaign in less than three hours.

Currently, it is challenging to stop the attackers: while malicious plugins are removed from OpenVSX, new ones appear almost immediately in their place.

Researchers recommend using only well-known projects with good reputations and being cautious with new releases that accumulate a large number of downloads and positive reviews in a short time.

The Royal Canadian Mounted Police (RCMP) conducted the largest cryptocurrency seizure in Canadian history. This was noted by the on-chain detective ZachXBT.

Law enforcement seized over 56 million Canadian dollars (~$40.5 million) in digital assets from the trading platform TradeOgre. The closure of the cryptocurrency exchange platform marked Canada’s first such case.

The investigation, which began in June 2024 based on a tip from Europol, revealed that the platform was violating Canadian laws and had not registered with the Financial Transactions and Reports Analysis Centre as a money exchange service provider.

Investigators have reason to believe that most of the funds being processed on TradeOgre came from criminal sources. The platform attracted criminals due to the lack of mandatory user identity verification.

According to the police statement, transaction data obtained from TradeOgre will be analyzed to facilitate potential charges. The investigation is ongoing.

After the earlier attack on the NPM registry that injected malware into JavaScript packages, the attackers moved to a strategy built around a full-blown "worm." The incident is still escalating, with more than 500 compromised NPM packages reported at the time of writing.

The coordinated campaign Shai-Hulud commenced on September 15 with the compromise of the NPM package @ctrl/tinycolor, which is downloaded more than 2 million times weekly.

According to analysts at Truesec, the campaign has significantly expanded since then and now includes packages published under CrowdStrike’s namespace.

Experts explain that the compromised versions contain a function that extracts a package's tar archive, modifies its package.json, injects a local script, rebuilds the archive, and republishes it. On installation, the injected script runs automatically, downloading and executing TruffleHog, a legitimate tool for scanning for secrets and finding tokens.

Truesec believes that the attack is scaling up significantly and becoming more sophisticated. While the attackers are using many old tactics, they have significantly improved their approach, turning it into a fully autonomous "worm." Malware actions include:

A notable feature of this attack is the way it spreads: instead of relying on a single infected package, it propagates automatically from package to package across NPM.

For the third consecutive week, Jaguar Land Rover (JLR) has been unable to resume production due to a cyber attack. The luxury car manufacturer announced that its production lines will remain halted at least until September 24.

The company confirmed that cybercriminals stole information from its network, but it has not yet attributed the attack to any specific hacker group.

According to BleepingComputer, the cybercriminal group Scattered Lapsus$ Hunters claimed responsibility for the cyber attack, posting screenshots of JLR’s internal system on their Telegram channel. The message asserts that the hackers also deployed ransomware within the compromised company infrastructure.

According to estimates from BBC, each week of downtime costs the company at least £50 million (~$68 million). Meanwhile, The Telegraph estimates the losses for the same period at approximately $100 million. JLR’s suppliers are worried they may not cope with the unexpected crisis and fear bankruptcy.

On September 12, researchers from the Great Firewall Report announced the largest data leak in the history of the "Great Chinese Firewall."

Approximately 600 GB of internal documents, source code, and internal communications used to develop and maintain the Chinese national traffic filtering system were leaked online.

The researchers stated that the leak includes complete build systems for traffic monitoring platforms as well as modules responsible for identifying and slowing down certain circumvention tools. A significant portion of the stack is aimed at detecting VPNs that are banned in China.

According to the Great Firewall Report specialists, part of the documentation refers to the Tiangou platform—a commercial product intended for use by providers and border gateways. Experts believe that early iterations of the program were deployed on HP and Dell servers.

Additionally, the leaked documents mention the installation of this software in 26 data centers in Myanmar. The system was reportedly managed by the state telecommunications company and integrated into major internet traffic exchange points, enabling both mass blocking and selective filtering.

According to Wired and Amnesty International, the infrastructure has also been exported to Pakistan, Ethiopia, Kazakhstan, and other countries, where it is used alongside other lawful traffic interception platforms.

On September 15, Kering, the owner of numerous luxury brands, confirmed a data breach affecting customers of its subsidiaries, including Gucci, Balenciaga, Alexander McQueen, and Yves Saint Laurent.

According to BBC, the hackers stole personal data, including names, email addresses, phone numbers, home addresses, and the total amount spent by customers in stores worldwide.

The attack is believed to be linked to the hacker group ShinyHunters, which claims to have stolen personal data from at least 7 million individuals; however, the actual number of affected persons is likely much higher.

The group is also suspected of involvement in the theft of numerous databases hosted on Salesforce. Several companies, including Allianz Life, Google, Qantas, and Workday, have confirmed the data theft resulting from these large-scale breaches.