Reading view

Shai-Hulud copycat worm infects yet another npm package

A Shai-Hulud copycat has turned up in yet another npm package just five days after TeamPCP open sourced the worm and announced a supply-chain attack competition on BreachForums. The poisoned package, chalk-tempalte, masquerades as an extension for the popular JavaScript terminal string styling library Chalk. It now contains a clone of Shai-Hulud, which TeamPCP published last week on GitHub after poisoning more than 170 npm packages with the credential-stealing malware as part of the ongoing supply chain attacks targeting open source dev tools. Plus, the same scumbag that uploaded the worm to chalk-tempalte also published three other malicious npm packages - @deadcode09284814/axios-util, axois-utils, and color-style-utils - containing infostealer code, according to Ox security researchers, which detected and reported the malware over the weekend. “The four malwares are inherently different, as the collected data varies between them, including exfiltrated IP addresses, cloud configurations, crypto wallets, environment variables, and even one malware turning the victim’s machine into a DDoS botnet – all from the same npm user,” researcher Moshe Siman Tov Bustan wrote on Sunday. Anyone installing any version of the packages is affected, he added, noting the total number of weekly downloads is 2,678. On Monday, the researchers told The Register that the npm user behind all four new stealer infections ran the supply-chain campaign from a home computer or local server farm. "The use of lhr.life is a clear indicator of a reverse proxy used to expose an internal network to the internet," they wrote in an email, adding that the miscreant(s) seem to be financially motivated as the code targets victims' cryptocurrency wallets and accounts. Plus, the DDoS botnet component "could indicate affiliation with anarchy groups looking to take down infrastructure and services, or intent to sell it as DDoS-as-a-service," they added. If you are running any of the four, immediately uninstall the malicious package and delete any related malicious configuration from IDEs and Claude Code or other coding agents. You should also rotate your keys on any affected machines, and check for GitHub repositories containing the string “A Mini Sha1-Hulud has Appeared,” the application security shop cautions. The Shai-Hulud copycat, like the original worm, steals secrets, credentials, crypto wallets, accounts, and other sensitive data, and sends all of this to a remote command-and-control server: 87e0bbc636999b[.]lhr[.]life. It also uploaded the stolen credentials to a new GitHub repository. The @deadcode09284814/axios-util malware collects and exfiltrates SSH keys, environment variables, and cloud credentials to 80[.]200[.]28[.]28:2222, and the color-style-utils stealer hoovers up IP addresses, IP geo-locations, and crypto wallets and sends them to edcf8b03c84634[.]lhr[.]life. The fourth malicious npm package (axois-utils) calls its payload a “phantom bot.” The code is written in Go, and contains a DDoS botnet that floods websites with HTTP, TCP, UDP and Reset requests. Persistence mechanisms also ensure it remains on the infected machine even after the package has been deleted. All four of these are from the same npm user, and Bustan warns that this influx of infostealers spreading across npm is “just the first phase of an upcoming wave of supply chain attacks coming.”®

  •  

Grafana Labs admits all its codebase are belong to someone who popped its GitHub account

Observability outfit Grafana Labs has revealed that an attacker accessed its GitHub repository and stole its codebase. In social media posts the company blamed the situation on an “unauthorized party” who was somehow able to obtain a token that offered access to its GitHub environment. The company thinks it has identified the source of the credential leak, and therefore “invalidated the compromised credentials and implemented additional security measures to further secure our environment against unauthorized access.” But that didn’t stop the attacker from threatening to release the company’s code unless Grafana paid a ransom. Grafana says it won’t pay. “Based on our operational experience and the published stance of the Federal Bureau of Investigation, which notes that ‘paying a ransom doesn't guarantee you or your organization will get any data back’ and only ‘offers an incentive for others to get involved in this type of illegal activity,’ we have determined the appropriate path forward is to not pay the ransom,” the company wrote. It’s not clear if that stance is entirely principled, because plenty of Grafana’s products are already open source. The company’s posts suggest that the attacker accessed code that is not freely available. The Register has sought clarification about just what the attacker accessed, because if they lifted code that’s mostly already open source there’s little reason for Grafana to pay a ransom! Grafana’s decision not to pay may also be easier than it is for other victims of cybercrime because the company says it “determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations.” The company therefore appears confident that whatever code the attackers downloaded won’t make a material different to its business, or harm customers. The same couldn’t be said for educationware giant Canvas, which last week paid extortionists after they claimed to have stolen data describing over 275 million students and faculty. The Register will update this story if we receive additional information from Grafana Labs. ®

  •  

AI is distorting the Holocaust (Lock and Code S07E10)

This week on the Lock and Code podcast…

In May of last year, a warning about AI came from somewhere unexpected: The Auschwitz-Birkenau State Museum.

Posting publicly on social media, the museum warned about a Facebook account using generative AI to create fake images of people who died in the Holocaust. Despite using AI to generate fake images, the people in said images were sometimes real. They had real names, birthplaces, and stories of deportation that the Auschwitz-Birkenau State Museum itself had shared before. They had real faces captured in real surviving photographs, which were likely abused to generate the false images. 

In other words, someone, or some team of people online, was deepfaking the Holocaust.

As the Auschwitz museum wrote online:

“These are not real photos of the victims. They are digital inventions, often stylized or sanitized, that risk turning remembrance into fictionalized performance. The history of Auschwitz is a well-documented story. Altering its visual record with AI imagery introduces distortion, no matter the intent.”

Months later, the public found out what that intent was: money.

A BBC investigation found an international network of Facebook accounts posting AI-generated images to earn money from those images’ potential virality. It’s a problem sometimes referred to as “AI slop” but it comes with a major incentive. When accounts that make these kinds of images are invited to Facebook’s content monetization program, they can make $1,000 a month for posting anything that gets clicks.

And on Facebook, the BBC found, that means several accounts posting AI-generated images about the Holocaust. As the BBC reported:

“AI spammers have posted fake images purporting to be from inside [Auschwitz], such as a prisoner playing a violin or lovers meeting at the boundaries of fences—attracting tens of thousands of likes and shares.”

The economics of lying are concrete today. People can use AI to make fake images that make people feel good about terrible things or feel scared about untrue things, and they can make money until shut down by the Big Tech platforms themselves, which, in this case, only happened because of the BBC’s investigation. In fact, it’s that type of inaction from social media platforms that compelled the German government and multiple Holocaust memorial institutions to send an open letter earlier this year that asked for better controls and restrictions against this type of content.

As the signatories warned in their letter, the economic appeal for these accounts to distort history is too high a risk to allow. You can read the full letter here.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Clara Mansfeld, a historian working on digital communications at one of the institutions signed onto the open letter—the Foundation of Hamburg Memorials and Learning Centers Commemorating the Victims of Nazi Crimes. In their conversation, Mansfeld discusses digital access to history, the manipulation of factual records through AI-generated imagery, and the threat that society faces when it becomes harder to evaluate the truth.

“What happens when the first thought we have with every historical image is, ‘Is that even real or is that AI?’ I don’t think we have really grasped what that means for us as a society.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

AI is distorting the Holocaust (Lock and Code S07E10)

This week on the Lock and Code podcast…

In May of last year, a warning about AI came from somewhere unexpected: The Auschwitz-Birkenau State Museum.

Posting publicly on social media, the museum warned about a Facebook account using generative AI to create fake images of people who died in the Holocaust. Despite using AI to generate fake images, the people in said images were sometimes real. They had real names, birthplaces, and stories of deportation that the Auschwitz-Birkenau State Museum itself had shared before. They had real faces captured in real surviving photographs, which were likely abused to generate the false images. 

In other words, someone, or some team of people online, was deepfaking the Holocaust.

As the Auschwitz museum wrote online:

“These are not real photos of the victims. They are digital inventions, often stylized or sanitized, that risk turning remembrance into fictionalized performance. The history of Auschwitz is a well-documented story. Altering its visual record with AI imagery introduces distortion, no matter the intent.”

Months later, the public found out what that intent was: money.

A BBC investigation found an international network of Facebook accounts posting AI-generated images to earn money from those images’ potential virality. It’s a problem sometimes referred to as “AI slop” but it comes with a major incentive. When accounts that make these kinds of images are invited to Facebook’s content monetization program, they can make $1,000 a month for posting anything that gets clicks.

And on Facebook, the BBC found, that means several accounts posting AI-generated images about the Holocaust. As the BBC reported:

“AI spammers have posted fake images purporting to be from inside [Auschwitz], such as a prisoner playing a violin or lovers meeting at the boundaries of fences—attracting tens of thousands of likes and shares.”

The economics of lying are concrete today. People can use AI to make fake images that make people feel good about terrible things or feel scared about untrue things, and they can make money until shut down by the Big Tech platforms themselves, which, in this case, only happened because of the BBC’s investigation. In fact, it’s that type of inaction from social media platforms that compelled the German government and multiple Holocaust memorial institutions to send an open letter earlier this year that asked for better controls and restrictions against this type of content.

As the signatories warned in their letter, the economic appeal for these accounts to distort history is too high a risk to allow. You can read the full letter here.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Clara Mansfeld, a historian working on digital communications at one of the institutions signed onto the open letter—the Foundation of Hamburg Memorials and Learning Centers Commemorating the Victims of Nazi Crimes. In their conversation, Mansfeld discusses digital access to history, the manipulation of factual records through AI-generated imagery, and the threat that society faces when it becomes harder to evaluate the truth.

“What happens when the first thought we have with every historical image is, ‘Is that even real or is that AI?’ I don’t think we have really grasped what that means for us as a society.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

  •  

Canvas hack: is it ever a good idea to pay a ransom, and what happens to the data?

Businesses are advised against paying – but many are prepared to deal to protect users’ privacy

After a week of outages, hundreds of millions of students’ data stolen, delayed assignment due dates and school login pages being defaced by hackers, the US tech firm Instructure – which operates the education platform Canvas, used by education providers worldwide – announced it had “reached an agreement with the unauthorised actor” behind the ransomware attack.

Experts read the careful language as a sign that a ransom has been paid. The company has not confirmed this.

Continue reading...

© Photograph: Boonchai Wedmakawand/Getty Images

© Photograph: Boonchai Wedmakawand/Getty Images

© Photograph: Boonchai Wedmakawand/Getty Images

  •  

Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data

FEATURE When Instructure “reached an agreement” with data theft and extortion crew ShinyHunters this week, the education tech giant assured Canvas users after attackers claimed to have stolen data tied to 275 million students, teachers, and staff that their private chats and email addresses would not turn up on a dark-web marketplace, and that they would not be extorted over the incident. “We received digital confirmation of data destruction (shred logs),” Instructure assured the nearly 9,000 affected universities and K-12 schools. “We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” Not a single responder that The Register spoke with believes this is true. “Do I believe they deleted the data? No. They're criminals and scumbags,” Recorded Future threat intelligence analyst Allan Liska, aka the Ransomware Sommelier, told us. “But, this is part of what Max Smeets calls ‘The Ransomware Trust Paradox,’” he added. “Ransomware groups have to, minimally, not post data they claimed to have deleted or no one will pay them in the future, but this is done knowing that the data is likely not deleted.” Halcyon Ransomware Research Center SVP Cynthia Kaiser, who previously spent two decades at the FBI, said she doesn’t think that anyone who studies ransomware groups’ operations believes the gang actually destroyed the stolen files. “‘We destroyed the data’ is a standard line from extortion groups once a payment is made or negotiations conclude, but time after time it has proven untrue,” Kaiser told The Register. “ShinyHunters in particular has a documented history of recycling, reselling, and re-leveraging stolen data across campaigns – data they claimed was contained from earlier intrusions has resurfaced on criminal forums months and years later.” Kaiser also doesn’t think this is the last threat that the schools will face from the Canvas breach. “Halcyon expects targeted phishing waves against staff, students, and parents over the next six to 12 months using leaked names, email addresses, and Canvas chat context to make the lures convincing,” she said. To be clear: Instructure execs never directly said the company paid the ransom, and we don’t know the exact amount of money the criminals demanded from the digital learning biz. We do know, however, that “reached an agreement” is corporate-speak for the victim paid up. Alliance Risk CEO David Vainer estimates the figure sits somewhere between $5 million and $30 million. Meanwhile, this latest extortion attack illustrates the impossible choice facing organizations entrusted with protecting people’s data when digital thieves breach their networks and steal sensitive information. “The FBI says don’t pay,” Doug Thompson, chief education architect at cybersecurity firm Tanium, told The Register. “But the operational reality at 3 a.m. during finals week or enrollment season can push institutions toward a very different calculation. Until that incentive structure changes, education is likely to remain unusually vulnerable to extortion pressure.” To pay, or not to pay? The US federal government, law enforcement agencies, and private-sector threat intelligence analysts all advise victims not to pay a ransom. “Paying ransoms rewards and incentivizes the criminals, funding their search for new victims, and I’ve long advocated before for a ban on ransomware payments,” Emsisoft threat analyst Luke Connolly told us. “But in the absence of regulation applying to all organizations, the stark reality is that Instructure faced a crisis, and they negotiated to try to minimize risk and harm.” No company wants to pay a ransom to its attackers, and most say they won’t – at least in principle – because they don’t want to fund criminal operations and incentivize the crooks. There’s also no guarantee that paying will guarantee the return of their data or prevent additional extortion attempts. CrowdStrike surveyed 1,100 global security leaders last summer, and of the 78 percent who said they experienced a ransomware attack in the past year, 83 percent of those that paid ransoms were attacked again. Plus 93 percent lost data regardless of payment. While data suggests that fewer organizations are paying criminals’ ransom demands - Chainalysis found the percentage of paying victims in 2025 dropped to an all-time low of 28 percent, despite attacks hitting record highs - when faced with extortion or a ransomware infection, the "to pay or not to pay" debate becomes much more complicated. “Most organizations still say publicly that they won't pay, and many genuinely don't, but when the alternative is mass downstream harm to students, parents, and thousands of customer institutions, the calculus shifts,” Kaiser said. “Pay-or-leak groups like ShinyHunters specifically engineer that calculus by creating intense financial and reputational pressure, and when demands go unmet, they escalate to direct harassment of victim companies, employees, and clients.” ShinyHunters did just that. The crew initially compromised Instructure in late April, and after the initial pay-or-leak deadline passed on May 6, ShinyHunters switched tactics to school-by-school extortion. They injected a ransom message into about 330 Canvas school login portals, causing Instructure to take the platform offline for a day - during final exams and Advanced Placement testing for many. Other ransomware scum have gone to horrifying extremes, posting pictures and addresses of preschool children in an effort to get a payday, leaking cancer patients’ nude photos and threatening them with swatting attacks. Mandiant Consulting CTO Charles Carmakal previously told The Register that ransomware infections have morphed into "psychological attacks” with crooks SIM swapping executives’ kids to pressure their parents into paying. Calculating risk In addition to responding to criminals directly harassing their students, patients, customers and employees, victim organizations also have to take into account potential lawsuits if the crooks dump individuals’ personal or health data, and the reputational hit from seeing all of this protected information published online. The decision about what to do in a ransomware attack revolves around risk reduction, Liska said. “Not paying a ransom means an increased risk of data exposure, which in this case could cause serious harm,” he told us. “While there is no good decision in most ransomware negotiations, the idea is to protect as many people as possible and that may mean that paying is the least bad option.” While he didn’t respond to or investigate the Instructure case, “protecting children's data is absolutely a critical factor in these types of decisions, especially when the attacks originate from one of the groups associated with The Com,” Liska added. The Com, a loosely knit group of primarily English speakers who are also involved in several interconnected networks of hackers, SIM swappers, and extortionists such as ShinyHunters and Scattered Lapsus$ Hunters, has been known to blackmail kids and teens into carrying out shootings, stabbings, and other real-life criminal acts. “These groups are known to coerce victims using threats of physical harm, including bricking and swatting," he said. "Not paying may have increased the risk of serious harm to the children whose data was exposed.” A representative of ShinyHunters contacted The Register to "deny any and all association, affiliation, and/or linkage with 'The Com' including 'Scattered Lapsus Hunters'" The rep said "There is no actual concrete evidence to support that we are associated, affiliated, or linked to the aforementioned. These are baseless allegations and industry propaganda surrounding 'The Com.'" The Shiny one admitted that some of their crew's tactics are similar to those the other gangs use but suggested it's lazy to assume a link. "If China or North Korea used vishing to infiltrate organizations networks would they also immediately become associated with “The Com?'" the representative asked. Ed sector 'more likely to pay' Instructure’s intrusion follows several other high-profile attacks against education-sector software providers. In December 2024, PowerSchool suffered a breach, affecting tens of millions of students. The company reportedly paid about $2.85 million in bitcoin in exchange for a video supposedly showing the attackers destroying the data. But about five months later, in May 2025, the ed-tech provider’s school district customers received individual extortion threats from either the same ransomware crew that hit PowerSchool or someone connected to the crooks. Earlier this year, ShinyHunters claimed it stole data from K-12 software provider Infinite Campus as part of a broader wave of Salesforce-related intrusions. “Education keeps emerging as one of the sectors where organizations are still more likely to pay under pressure,” Thompson said. In addition to students’ – especially minors’ – data containing highly sensitive personal details, and therefore presenting an attractive target for attackers, this is also driven in part by market pressure and economics. It’s costly and inconvenient for schools to switch learning management systems, and they are typically locked into multi-year contracts with these software vendors, according to Thompson. “The other issue is concentration,” he said. “A relatively small number of vendors hold data for enormous portions of the education system. PowerSchool, Infinite Campus, Canvas, Blackboard; those four hold records on something close to every American student, and hackers know it. Three of the four have been breached at a multi-million-record scale in the last 18 months.” Thompson said he expects to see additional attacks against major education platforms to follow. “The economics are good. Instructure paid. PowerSchool paid last year. Every other ed-tech vendor's board just had a conversation about what their number would be,” he told us. “The pattern is established.” According to Connolly, the universities and K-12 schools affected by the Canvas hack shouldn’t consider their data safe, regardless of Instructure’s assurances or the crooks' promises to delete it. “There will be future attacks, without a doubt.” ® Correction: The estimate of $5 million to $30 million comes from Alliance Risk CEO David Vainer.

  •  

Foxconn confirms cyberattack after ransomware crew claims it stole confidential Apple, Nvidia files

Foxconn, a critical supplier for major hardware companies like Apple and Nvidia, on Tuesday confirmed a cyberattack affecting its North American operations after the Nitrogen ransomware gang listed the electronics manufacturer on its data leak site. “Some of Foxconn's factories in North America suffered a cyberattack,” a Foxconn spokesperson told The Register. “The cybersecurity team immediately activated the response mechanism and implemented multiple operational measures to ensure the continuity of production and delivery. The affected factories are currently resuming normal production.” Nitrogen ransomware criminals on Monday claimed to have breached the Taiwan-based company and stolen 8 TB of data comprising more than 11 million files. The miscreants say the leaks include confidential instructions, internal project documentation, and technical drawings related to projects at Intel, Apple, Google, Dell, and Nvidia, among others. Foxconn declined to confirm that these - or any - customers’ information was hoovered up in the digital intrusion. Nitrogen, which has been around since 2023, is believed to be one of the various ransomware offshoots that borrowed code from the leaked Conti 2 builder. And, in what may be very bad news for its latest victim, even paying the ransom demand may not guarantee recovery of encrypted files. In February, Coveware researchers warned that a programming error prevents the gang's decryptor from recovering victims' files, so paying up is futile. The finding specifically concerns the group's malware that targets VMware ESXi. This isn’t the first time Foxconn has been targeted by ransomware gangs. In 2024, LockBit claimed to have infected Foxsemicon Integrated Technology, a semiconductor equipment manufacturer within the Foxconn Technology Group. The same criminal crew also hit a Foxconn subsidiary in Mexico in 2022. ®

  •  

Cache-poisoning caper turns TanStack npm packages toxic

An attacker has published 84 malicious versions of official TanStack npm packages, with the impact including credential theft, self-propagation, and complete disk wipe of an infected host. The attack is part of a wave of attacks across npm and PyPI, continuing the Mini Shai-Hulud campaign. Supply chain security company Socket reports that other compromised packages include the OpenSearch client, Mistral AI, UiPath, and Guardrails AI. Malicious npm packages for TanStack, an open source application stack, were published between 19:20 and 19:26 UTC on May 11. The attack was detected and reported within 30 minutes by StepSecurity, triggering incident response and npm deprecation. GitHub published a security advisory at 21:30 UTC, including a list of affected packages. TanStack founder Tanner Linsley published a postmortem describing how the attacker used a malicious commit on a fork to create a pull request on the TanStack repository, causing scripts to auto-run and build the malware. This poisoned the GitHub Actions cache in what Linsley said is a variant of a known GitHub Action vulnerability discovered in 2024. The malware then extracted the npm OpenID Connect (OIDC) token, used for trusted npm publishing, from runner memory using the same code used to compromise tj-actions in an attack last year. No TanStack maintainers were compromised. StepSecurity has a detailed analysis of the attack, noting that the payload "reads files from over 100 hardcoded paths" including those that may contain cloud credentials, SSH (secure shell) keys, developer tool configuration files, crypto wallets, VPN configurations, messaging credentials, and shell history. Shell history may contain tokens and passwords pasted into the terminal. Security researcher Nicholas Carlini warned the payload "installs a dead-man's switch… as a system user service." The service checks whether a stolen GitHub token has been revoked and, if it has, runs a command to wipe the local disk completely. Socket's write-up includes recommended actions such as rotating all secrets on any affected system. GitHub's advisory suggests "any developer or CI environment that ran npm install, pnpm install, or yarn install against an affected version on 2026-05-11 should be considered compromised." The Mistral AI has also been reported on GitHub, and at the time of writing, the Mistral AI project is quarantined on PyPI. This attack is still evolving and will likely have a far-reaching impact. It confirms again that running everyday commands like npm install is unsafe, that for all their efforts major package repositories including npm and PyPI are still not secured, and that software development is now best done in isolated, ephemeral environments. ®

  •  
❌