
Sysdig Security Briefing: October 2025

Published by: Crystal Morin
Published:
October 6, 2025

Security gone viral

Last month, the NPM ecosystem was ablaze: hundreds of packages were compromised across a series of incidents. By mid-month, every security researcher seemed to be hunting the NPM ecosystem for issues, trying to find the next viral story.

Sept. 8–9: NPM chalk, debug, and duck packages compromised

  • More than 20 NPM packages, with a combined two billion weekly downloads, were published with malicious code.
  • The most popular packages included chalk, debug, and duck.
  • The root cause was a successful spear phishing attack against a maintainer: a fake NPM support email sent the maintainer to an attacker-controlled page to "update" two-factor authentication, which handed the attacker control of the account.
  • The attacker's motive was financial: the injected code ran in the browser, hooked wallet and network APIs, and swapped cryptocurrency addresses in transactions to redirect payments.
  • NPM quickly removed the compromised versions, but users still had to update or pin back to known-good versions and rebuild anything that had already installed the bad ones.
  • Sysdig's response: Customers had same-day access to vulnerable package identification on the Threat Intelligence dashboard and received a threat bulletin on September 12.

Sept. 15: The Shai-Hulud worm

  • Approximately 200 packages were compromised, including @ctrl/tinycolor.
  • The attack was attributed to the same actor believed to have compromised the Nx packages in late August.
  • This time, the attacker used a self-propagating worm: a postinstall script harvested NPM, GitHub, and cloud credentials from the install host, used any NPM tokens it found to republish the payload into other packages the victim maintained, pushed the stolen secrets to public GitHub repositories, and attempted to flip victims' private repositories to public.
  • Sysdig's response: Customers were able to review any impact on the same day via the Threat Intelligence dashboard, received a threat bulletin on Sept. 16, and Sysdig TRT published a blog that included an open source Falco rule.

Sept. 22: Fezbox

  • A malicious package, fezbox, was reported by the Socket Threat Research Team.
  • It is designed to steal usernames and passwords from browser cookies.
  • It hides its second-stage code inside a QR code that it fetches and decodes at runtime, a steganography trick meant to slip past static scanners.
  • Don't assume popular = safe. Even the most trusted packages can be compromised, and obscure ones can be malicious from their first publish.
  • What you can do: Scan your environment for the fezbox package and its dist.fezbox.cjs file, contain and remove it if found, and review and monitor logs for credential exfiltration attempts.

Security lesson for the month

Supply chains are always a prime target for attackers. Audit your dependencies, reduce bloat (anything you don't actually need), pin and verify the versions you install, and continuously monitor for and alert on unusual behavior in builds, CI/CD, and runtime environments.

Sysdig Threat Research Team novel findings

Sept. 9: ZynorRAT

  • A new remote access trojan was discovered and analyzed by the team while it was still in development.
  • Written in Go and of Turkish origin, it provides a custom suite of command-and-control (C2) capabilities for targeting Linux and Windows environments.
  • The developer was actively working to improve detection evasion and appeared to be focused on the Linux build, with the Windows build of ZynorRAT still needing customization.
  • Sysdig's response: Technical blog published with IOCs and multiple detection methods.

Also in the news

  • New Rowhammer-style attacks on DDR5 memory chips: The Phoenix attack (CVE-2025-6202) flips bits in DDR5 DRAM, and researchers used it to steal SSH keys and escalate privileges.
  • Google zero-days actively exploited: Google quickly patched two Android zero-days and a Chrome V8 zero-day that were being exploited in the wild.
  • Cisco patches 14 vulnerabilities: Some were already being actively exploited, which triggered an emergency directive from CISA. CVE-2025-20352, a flaw in the SNMP subsystem of IOS and IOS XE, was said to affect up to two million devices.
  • Operational disruptions: A cyberattack on Collins Aerospace disrupted check-in systems at major European airports. Jaguar Land Rover was forced to halt UK production for the whole of September following an attack on Aug. 31.

Closing thoughts

From the NPM compromises and ZynorRAT to new and actively exploited vulnerabilities, September reinforced one thing: The threat landscape never stops evolving, and neither should we. As we head into October, Cybersecurity Awareness Month, stay focused on detections, intelligence, and tools that work in real time.

Don’t wait for next month’s wrap up! Get the latest news from the Sysdig Threat Research Team.

Register for our webinar on Shai-Hulud here.
