Threats in the Cybersecurity World: a JavaScript “Worm,” the Kering Data Breach, and the Cyberattack on Jaguar Land Rover

We have gathered the most significant cybersecurity news from the past week.

Software developers are increasingly becoming targets for crypto thieves. According to researchers at Koi Security, the hacker group WhiteCobra targeted users of the VSCode, Cursor, and Windsurf development environments, publishing 24 malicious extensions on the Visual Studio Marketplace and in the Open VSX registry.

One of the notable victims was prominent Ethereum developer Zach Cole. He reported that cybercriminals stole cryptocurrency using a plugin for the AI code editor Cursor. Cole explained that the extension appeared to be a harmless product: it featured a professionally designed logo, detailed description, and garnered 54,000 downloads on OpenVSX — the official Cursor registry.

Koi Security is convinced that WhiteCobra belongs to the same group that, in July, stole digital assets worth $500,000 from a Russian blockchain programmer.

“Cross-compatibility and the lack of proper checks when publishing on these platforms make them an ideal target for attackers seeking to run widespread campaigns,” the Koi Security report states.

The wallet drain begins with the execution of a main file named extension.js, which closely resembles the standard Hello World scaffold that ships with every VSCode extension template. The malware then unpacks a stealer matched to the victim's operating system.

WhiteCobra’s targets are digital asset holders with balances ranging from $10,000 to $500,000. Analysts believe the group can launch a new campaign in less than three hours.

Currently, the attackers are difficult to counter: while malicious plugins are removed from OpenVSX, new ones immediately surface in their place.

Researchers recommend using only well-known projects with good reputations and exercising caution towards new releases that accumulate a large number of downloads and positive reviews in a short time.

The Royal Canadian Mounted Police carried out the largest cryptocurrency seizure in Canadian history, as noted by blockchain investigator ZachXBT.

Law enforcement agencies confiscated digital assets worth more than 56 million Canadian dollars (~$40.5 million) from the TradeOgre platform. The closure of this cryptocurrency exchange platform marks the first incident of its kind in the country.

The investigation began in June 2024 following a tip-off from Europol. It revealed that the platform violated Canadian laws and had not registered with the Financial Transactions and Reports Analysis Centre of Canada as a money service business.

Investigators have grounds to believe that a significant portion of the funds traded through TradeOgre originated from criminal sources. The platform attracted criminals due to its lack of mandatory user identity verification.

According to police statements, transaction data obtained from TradeOgre will be analyzed for potential charges. The investigation is ongoing.

After the attack on the NPM platform aimed at injecting malware into JavaScript packages, the attackers moved to a strategy of deploying a full-fledged “worm.” The incident is escalating: as of the time of writing, over 500 compromised NPM packages are known.

A coordinated campaign dubbed Shai-Hulud kicked off on September 15 with the compromise of the NPM package @ctrl/tinycolor, which is downloaded over 2 million times weekly.

According to analysts from Truesec, the campaign has significantly expanded and now includes packages published in the CrowdStrike namespace.

Experts noted that the compromised versions contain a function that extracts the package's tar archive, modifies the package.json file, embeds a local script, repackages the result, and publishes it again. Upon installation, this script executes automatically, then downloads and runs TruffleHog, a legitimate tool for scanning for secrets and tokens.

Truesec believes that this attack is scaling up and becoming more sophisticated. Although the attackers rely on many old techniques, they have significantly enhanced their approach, turning it into a completely autonomous “worm.” The malware performs the following actions:

A remarkable feature of this attack is its method of propagation. Instead of relying on a single infected object, it spreads automatically across all NPM packages.
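The propagation step described above leaves a visible trace in package.json: an install-time lifecycle hook that runs a script bundled into the package. The following Node.js script is an added example (not code from the article, Truesec, or the affected packages) that audits a package.json object for such hooks and diffs it against a known-clean copy; the package name, version numbers, and file names are constructed sample values.

```javascript
// Added example: flag install-time hooks in a package.json and diff a suspect
// copy against a known-clean one. Sample data below is constructed, not real.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Constructed clean package.json (hypothetical package name).
const cleanPkg = {
  name: "@example/colorlib",
  version: "4.1.0",
  main: "dist/index.js",
  files: ["dist"],
  scripts: { build: "tsc", test: "jest" },
};
// Constructed tampered copy: a bundled script is added and wired to postinstall,
// mirroring the pattern described above (auto-execution on install).
const tamperedPkg = {
  name: "@example/colorlib",
  version: "4.1.1",
  main: "dist/index.js",
  files: ["dist", "bundle.js"],
  scripts: { build: "tsc", test: "jest", postinstall: "node bundle.js" },
};

// Return findings for a single package.json object.
function auditPackageJson(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    findings.push(`lifecycle hook "${hook}" runs: ${cmd}`);
    // A hook that executes a .js file shipped inside the package runs that
    // file on every install of the package.
    const local = cmd.match(/\bnode\s+(\.\/)?([\w./-]+\.js)\b/);
    if (local) findings.push(`hook "${hook}" executes bundled file ${local[2]}`);
  }
  return findings;
}

// Report scripts and files present in the suspect copy but not in the clean one.
function diffPackageJson(clean, suspect) {
  const changes = [];
  const cs = clean.scripts || {}, ss = suspect.scripts || {};
  for (const k of Object.keys(ss)) {
    if (!(k in cs)) changes.push(`script added: ${k}`);
    else if (cs[k] !== ss[k]) changes.push(`script changed: ${k}`);
  }
  const cf = new Set(clean.files || []);
  for (const f of suspect.files || []) if (!cf.has(f)) changes.push(`file added: ${f}`);
  return changes;
}

console.log(auditPackageJson(tamperedPkg), diffPackageJson(cleanPkg, tamperedPkg));
```

A legitimate postinstall hook is not proof of compromise; the diff against a clean prior version is what separates a newly injected hook from one the maintainers have always shipped.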

Jaguar Land Rover (JLR) has been unable to resume production for three consecutive weeks due to a cyberattack. The luxury car manufacturer reported that its assembly lines will remain halted at least until September 24.

The company confirmed that data had been stolen from its network, but currently, it does not attribute the attack to a specific hacker group.

According to BleepingComputer, the cybercriminal group Scattered Lapsus$ Hunters claimed responsibility for the cyberattack, posting screenshots of JLR’s internal systems on their Telegram channel. The post alleges that the hackers also deployed ransomware on the compromised infrastructure.

According to BBC, each week of downtime costs the company at least £50 million (~$68 million). Meanwhile, The Telegraph estimates the losses during this period to be around $100 million. JLR’s suppliers are worried they won’t be able to cope with the unexpected crisis and fear bankruptcy.

On September 12, researchers from the Great Firewall Report reported the largest data leak in the history of the Great Firewall of China.

Approximately 600 GB of internal documents, source code, and internal correspondence from developers involved in the creation and maintenance of China’s national traffic filtering system were leaked online.

According to researchers, the leak includes complete build systems for traffic monitoring platforms, as well as modules responsible for recognizing and slowing down specific tools used to bypass censorship. Much of the stack targets the detection of VPNs banned in China.

Great Firewall Report specialists state that part of the documentation relates to the Tiangou platform — a commercial product intended for use by providers and border gateways. Experts believe that the early iterations of the program were deployed on HP and Dell servers.

Furthermore, leaked documents mention the installation of this software in 26 data centers in Myanmar. The system was reportedly operated by a state telecommunications company and was integrated into key internet traffic exchange points, allowing for both mass blocking and selective filtering.

According to Wired and Amnesty International, the infrastructure was also exported to Pakistan, Ethiopia, Kazakhstan, and other countries, where it is used alongside other lawful traffic interception platforms.

On September 15, the Kering group, owner of several luxury brands, confirmed a data leak affecting customers of its subsidiaries Gucci, Balenciaga, Alexander McQueen, and Yves Saint Laurent.

According to BBC, hackers stole personal information including names, email addresses, phone numbers, home addresses, and the total amount of money spent by customers in stores worldwide.

The attack is believed to be linked to the hacker group ShinyHunters, which claims to have stolen personal data from at least 7 million individuals, though the actual number of victims is likely much higher.

The group is also suspected of being involved in the theft of numerous databases hosted on Salesforce. Several companies, including Allianz Life, Google, Qantas, and Workday, have confirmed data theft as a result of these mass hacks.