The Yala protocol has suffered a devastating blow to its ecosystem: on September 14, its Bitcoin-backed stablecoin YU
The post The Yala Protocol Attack: How an Exploit Caused a Stablecoin to Crash appeared first on Penetration Testing Tools.
Google has confirmed that a bogus account was created in its Law Enforcement Request System (LERS), the portal
The post Google Confirms Fake Account in Law Enforcement System After Hacker Group’s Claims appeared first on Penetration Testing Tools.
Experts at Unit 42 have presented an analysis of vulnerabilities associated with the use of large language model–based
The post The Trojan Horse in Your IDE: How AI Assistants Can Be Tricked into Hacking Your Code appeared first on Penetration Testing Tools.
Twenty-two-year-old American Conor Brian Fitzpatrick, better known by his alias Pompompurin, has received a new sentence in the
The post Pompompurin, BreachForums Administrator, Sentenced to Three Years in Prison appeared first on Penetration Testing Tools.
Apple has released supplemental security updates for older iPhone and iPad models, addressing a zero-day vulnerability previously patched
The post Apple Patches a Zero-Day Vulnerability in Older iPhones and iPads appeared first on Penetration Testing Tools.
Cybersecurity leaders know the attack surface has been growing for years, but the latest State of Information Security Report 2025 from IO shows how fast new risks are converging. Drawing on responses from more than 3,000 security professionals in the UK and US, the report points to three areas shaping board-level conversations this year: AI, compliance, and supply chain security. AI: A tool and a target AI is now woven into security operations and business … More →
The post Shadow AI is breaking corporate security from within appeared first on Help Net Security.
Google has altered its approach to Android security updates, breaking with a decade-long tradition of monthly vulnerability disclosures.
The post Google Shifts Android Security Updates to a Risk-Based System appeared first on Penetration Testing Tools.
A dangerous worm dubbed Shai-Hulud has been uncovered in the JavaScript ecosystem, infecting at least 187 packages in
The post The Self-Propagating Shai-Hulud Worm Infects the npm Ecosystem appeared first on Penetration Testing Tools.
A sprawling advertising-fraud operation known as SlopAds hid behind a storefront of hundreds of seemingly innocuous Android apps
The post The SlopAds Operation: A New Level of Ad Fraud appeared first on Penetration Testing Tools.
Acronis researchers have reported a fresh campaign that employs a modified FileFix technique to deliver the StealC data
The post New FileFix Attack: Hiding Malware in Plain Sight appeared first on Penetration Testing Tools.
TIOBE Software has released its September ranking of programming language popularity, with the most notable development being Perl’s
The post The Unexpected Comeback of Perl: A Look at the September TIOBE Index appeared first on Penetration Testing Tools.
威胁组织WhiteCobra通过在Visual Studio应用商店和Open VSX注册表中植入24款恶意扩展程序,针对VSCode、Cursor和Windsurf代码编辑器用户发起攻击。
目前该攻击活动仍在持续——每当平台移除恶意扩展,攻击者就会立即上传新的恶意代码取而代之。
以太坊核心开发者Zak Cole在公开帖子中表示,他在使用一款看似合法的Cursor编辑器扩展程序(contractshark.solidity-lang)后,加密货币钱包遭到清空。 Cole指出,这款扩展程序具备所有“正常产品”的特征:专业设计的图标、详细的功能说明,且在Cursor官方注册表OpenVSX上的下载量达5.4万次。
终端安全服务商Koi的研究人员称,WhiteCobra正是今年7月通过伪造Cursor编辑器扩展程序窃取50万美元加密货币的同一组织。
WhiteCobra攻击详情
VSCode、Cursor和Windsurf均为支持VSIX格式扩展程序的代码编辑器——VSIX是VS Code应用商店和Open VSX平台上扩展程序的默认打包格式。
这种跨平台兼容性,加之上述平台对扩展程序提交缺乏严格的审核机制,使其成为攻击者理想的攻击载体,能够实现大范围影响。
据Koi安全团队分析,WhiteCobra打造的恶意VSIX扩展程序伪装性极强:不仅精心撰写功能描述,还伪造了高额下载量,以此骗取用户信任。
该团队发现,以下扩展程序属于WhiteCobra最新攻击活动的一部分:
Open-VSX平台(适用于Cursor/Windsurf)
1.ChainDevTools.solidity-pro
2.kilocode-ai.kilo-code
3.nomic-fdn.hardhat-solidity
4.oxc-vscode.oxc
5.juan-blanco.solidity
6.kineticsquid.solidity-ethereum-vsc
7.ETHFoundry.solidityethereum
8.JuanFBlanco.solidity-ai-ethereum
9.Ethereum.solidity-ethereum
10.juan-blanco.solidity
11.NomicFdn.hardhat-solidity
12.juan-blanco.vscode-solidity
13.nomic-foundation.hardhat-solidity
14.nomic-fdn.solidity-hardhat
15.Crypto-Extensions.solidity
16.Crypto-Extensions.SnowShsoNo
VS Code应用商店
1.JuanFBlanco.awswhh
2.ETHFoundry.etherfoundrys
3.EllisonBrett.givingblankies
4.MarcusLockwood.wgbk
5.VitalikButerin-EthFoundation.blan-co
6.ShowSnowcrypto.SnowShoNo
7.Crypto-Extensions.SnowShsoNo
8.Rojo.rojo-roblox-vscode
冒充合法项目进行钓鱼下载
恶意代码执行流程与危害
研究人员表示,钱包被盗的攻击流程始于恶意扩展程序的主文件(extension.js)——该文件“与VSCode扩展模板自带的‘Hello World’基础代码几乎完全一致”,极具迷惑性。
但其中隐藏着一段简单的调用代码,会将执行权转移至次级脚本(prompt.js),随后从Cloudflare Pages下载下一阶段的恶意载荷。该载荷具备平台针对性,分别提供适用于Windows、ARM架构macOS和Intel架构macOS的版本:
Windows系统:通过PowerShell脚本执行Python脚本,再由Python脚本运行外壳代码(shellcode),最终植入LummaStealer恶意软件。
LummaStealer是一款信息窃取工具,专门针对加密货币钱包应用、浏览器扩展程序、浏览器中存储的凭据及即时通讯软件数据发起窃取。
macOS系统:恶意载荷为Mach-O格式的恶意二进制文件,本地执行后会加载一个未知家族的恶意软件。
威胁组织运作模式与安全建议
从WhiteCobra的内部操作手册可见,该犯罪组织会设定1万至50万美元的营收目标,提供命令与控制(C2)基础设施搭建指南,并详细规划社会工程学攻击与推广策略。
泄露的WhiteCobra行动手册
这表明该组织运作高度有组织化,且不会因攻击曝光或扩展被下架而退缩。Koi安全团队指出,WhiteCobra仅需不到3小时就能部署新一轮攻击活动。
研究人员表示,当前扩展程序仓库亟需更完善的验证机制,以区分恶意扩展与合法扩展——因为评分、下载量和评论均可能被篡改,用于骗取用户信任。
针对代码编辑器扩展程序的下载,研究人员给出以下建议:
1. 仔细核查是否存在仿冒知名开发者或如相似名称混淆视听的情况;
2. 优先选择知名度高、信任记录良好的项目;
3. 对短期内突然获得大量下载量和正面评价的新项目保持警惕。