vxunderground | Unsorted

Telegram channel vxunderground - vx-underground


The largest collection of malware source, samples, and papers on the internet. Password: infected https://vx-underground.org/


vx-underground

TeamPCP has done ANOTHER supply chain attack.

My Brother in Christ, how many of these fuckin' things are you going to do? YOU'VE DONE 50 FUCKING SUPPLY CHAIN ATTACKS. 50 SUPPLY CHAIN ATTACKS IN EIGHT FUCKING DAYS.

March 19th:
- Trivy

March 20th:
- EmilGroup (28 packages)
- OpenGov (16 packages)
- Teale-io (eslint-config)
- AIRTM (uuid-base32)
- PypeSteam (floating-ui-dom)

March 23rd:
- Checkmarx

March 24th:
- LiteLLM

March 27th:
- Telnyx


vx-underground

Masquerading malware is malicious software that disguises itself as something legitimate to avoid detection and trick users or security systems into trusting it.

For example: this is not a bumble bee. It is a kitty cat. The cat is masquerading as a bumble bee.


vx-underground

> ShinyHunters has leaked BreachForums v5 database

Version FIVE?


vx-underground

Was he a hardcore cyber criminal? Yes
Did he enable crime? Yes
Did he help facilitate crime? Yes
Did he aid and abet criminals? Yes
Did he give a platform to other criminals? Yes

But, did he have good taste in silly kitty cat pictures? Yes, he had very silly kitty cat pictures.


vx-underground

> be olafkswg
> some dude on the internet
> does stuff with cs2 or something idfk
> some other dude arrested for terrorism or something
> court doc releases
> uses same discord picture as olafkswg
> cs2 nerds freak out
> OMG HE WAS A TERRORIST

no lol same pfp tho, bad luck


vx-underground

> "hey smelly i found this on my wordpress site. is this malware?"
> wordpress? what year is it?
> okie dokie
> look inside
> .php file with hardcoded key, verification hash, data to be decrypted
> aes256
> decrypt with shrimple python script
> owl php mailer
> f tier malware


vx-underground

The past couple of months I've personally witnessed a few changes in malware that are so significant that they blatantly stick out.

1. Malware written in more esoteric languages. I've witnessed a shift away from languages like C/C++ to languages that are heavily abstracted, most notably NodeJS with Electron.

2. A MASSIVE shift toward targeting open source solutions. While this isn't new, the past couple of months it's been every single day someone is targeting a supply chain via masquerading or directly targeting the open source provider.

3. AI has assisted with the shift in the malware landscape ... toward higher level languages. I've witnessed a spike in multi-staged malware using a lot of LOLBIN-like methods. Again, this isn't anything new, but I've witnessed such a dramatic spike I believe it is the result of AI making it much easier to create and use high level languages.

4. The introduction of new threat landscapes: Clawdbot (or whatever it's called now). This has resulted in a shift toward macOS malware, which references bullet point 3. Heavy usage of ClickFix with high level multi-staged languages (bash script to JS).

5. AI being used for social engineering. Historically I've seen really crappy malware lures and phishing pages. I suspect AI is helping polish pages and making them look more realistic, possess no typos, use good grammar, etc.


vx-underground

Chat, this does NOT look good on paper


vx-underground

The LiteLLM supply chain attack is big shenanigans. I have to explain the whole thingie though so you can get the full context of the shenanigans. TeamPCP (the people who probably did it) is unironically swinging a big ass fuck off baseball bat, they're swinging for the moon.

tl;dr see picture of cat as summary

I also want to preface this with I DID NOT PERFORM THIS ANALYSIS. I almost never do open-source solutions malware stuff and this is also more in the line of work with DFIR (Digital Forensics and Incident Response). This summary comes from various peers and colleagues of mine who have been discussing TeamPCP the past couple of days.

DFIR nerds I sourced:
- ramimacisabird
- InsiderPhD

Non DFIR nerds I sourced:
- IceSolst
- IntCyberDigest

Yeah, so pretty much this group of nerds named TeamPCP bamboozled an open-source security product called Trivy. TeamPCP sent a pull request on GitHub but did it with "pull_request_target".

Normally a pull request isn't a big deal. Nerds do it all the time. "pull_request_target" though is designed to copy secrets, tokens, etc. pull_request_target is a legit thing. People do it all the time. It should only be performed by people you trust. TeamPCP impersonated a legitimate GitHub contributor.

Trivy was caught slippin'. When TeamPCP did pull_request_target they stole access tokens to a place called Aqua Security.

Aqua Security was like, "lol gosh dang it" and did what you were supposed to do. They rotated access tokens and passwords and stuff. However, Aqua made an oopsie and forgot to rotate the stuff for one of their automation bots.

Once TeamPCP had access they injected malicious code which steals environment variables, SSH keys, cloud credentials, cryptotokens, etc. into three things.
- Trivy
- Trivy GitHub actions
- Trivy Docker stuff

As is tradition, once TeamPCP put malware into Trivy stuff, anyone who did anything with Trivy was given malware. TeamPCP got a metric poop ton of stolen data and began using it to move to NPM projects. The projects they infected next were infected with a malware people named "CanisterWorm".

In extreme summary, CanisterWorm placed stuff in package.json from the infected NPM project. Every new infected NPM project would download malware to the machine that (unsurprisingly) stole your data.

TeamPCP seems to have been inspired by the North Korean government, or ALPHV ransomware group, because instead of stealing data to their server they store it on the blockchain ... making it virtually impossible to take down.

LiteLLM takes place somewhere between Trivy and CanisterWorm. As of this writing the exact way TeamPCP got access to LiteLLM is unknown, however it's heavily speculated it is from Trivy. TeamPCP also stated very bluntly they got access from Trivy but ... they could also be lying. This may come as a surprise, but sometimes criminals lie to cover their tracks.

The LiteLLM infection, though, was a few more degrees amplified than the previous stuff. The LiteLLM infection also attempts lateral movement by automating Kubernetes stuff. The LiteLLM infection also steals a ton more data than previous stuff. Here is the big ass list of stuff it steals:

- SSH keys
- AWS credentials and configurations
- GCP credentials and configurations
- Azure environment variables
- Kubernetes credentials and configurations
- Environment configurations
- Shell History
- Git credentials and configurations
- Docker credentials and configurations
- Database instances
- IaC / CI/CD
- SSL private keys
- Solana keys
- Crypto wallets
- VPN credentials and configurations
- Hashicorp vault (?)
- NPM configurations
- SMTP credentials

TeamPCP is unironically putting in big moves. What makes them unusual is how profoundly aggressive they are. It isn't uncommon for Threat Actors to attempt things like this, but TeamPCP is doing something more akin to "smash and grab" rather than "stay silent and watch".
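A defender-side check for the pull_request_target pattern described in this post, added here as an example (it is not the channel's code and not Trivy's real workflow). Both workflow texts are constructed; the check flags a workflow that uses the pull_request_target trigger and then checks out the pull request's own head commit, which lets code controlled by the PR author run with the base repository's secrets.

```python
import re

# Constructed sample workflows for this example; neither is Trivy's real workflow.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# pull_request_target runs in the base repo's context, so secrets and a write token are available.
TRIGGER_RE = re.compile(r"\bpull_request_target\b")
# Checking out the PR head (sha, ref or head_ref) hands the PR author control of what runs.
UNTRUSTED_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)\s*\}\}")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")


def audit_workflow(text: str) -> list:
    """Return a list of findings for one workflow file's text (empty list = nothing flagged)."""
    findings = []
    if not TRIGGER_RE.search(text):
        return findings  # plain pull_request runs fork PRs without secrets; nothing to flag
    if UNTRUSTED_REF_RE.search(text):
        findings.append("pull_request_target checks out the PR head: PR-controlled code runs "
                        "with the base repo's secrets and write token")
    for name in SECRET_RE.findall(text):
        findings.append(f"secret {name} is exposed to a pull_request_target job")
    return findings
```

Run it over each file under .github/workflows/ in a repository; any non-empty result is a workflow worth reviewing before merging pull requests from forks.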


vx-underground

Chat, I'll tell you one thing right now, this LiteLLM supply-chain attack is one big stinky mess.

No information has been released publicly (yet) on vendors impacted, but the stink I've been sniffing suggests this is very serious shenanigans and DFIR nerds are not happy.


vx-underground

> be me
> crash out over LiteLLM supply chain attack
> get dm
> look inside

You are correct. It was a success. I apologize. I was wrong. You have indeed committed aggravated identity theft at an international level.


vx-underground

Whoa whoa whoa. Everyone CLAM down for a second.

Earlier today someone broke the news that there was a supply chain attack impacting LiteLLM which had over 97 MILLION installs. Initially it was reported the payload was vibe coded which resulted in the payload failing.

HOWEVER, this has been determined to be NOT TRUE. The payload was a SUCCESS. The payload failed in specific edge cases (currently unknown). The Threat Actor(s) managed to exfiltrate data from 500,000 infected machines (approx. 300 GB of data).

I have confirmed this from three different sources. The initial news which is spreading all over social media is incorrect and this is actually a very big bamboozle.

They had one shot, one opportunity, and did indeed seize it (but only failing in specific and unknown edge cases).

It's all over for LLM-dependency nerds. Also, in a bit of irony, LiteLLM is SOC2 certified by Delve.

This is very big shenanigans for a Tuesday.


vx-underground

Yesterday the United States government banned all non-US produced computer networking equipment from the United States over security concerns.

Network stuff currently in use can stay, however moving forward they must be produced in the United States or be given special approval ... or stop selling in the United States.


vx-underground

> download kali linux
> the mostest 1337 hacker tool
> super dangerous
> over 9000 hackinging tools
> can hack anything, even cows
> age verification at os level becomes law
> dont age verify 1337 hacker os
> arrested

Is hacking illegal and for nerds?


vx-underground

Leonid Radvinsky, founder of MyFreeCams and majority owner of OnlyFans, has died of cancer.


vx-underground

Today Handala, a suspected Iranian-based Threat Actor Group, successfully compromised the personal e-mail address of Kash Patel, the current Director of the United States Federal Bureau of Investigation.

The e-mails have a date range from 2010 to 2022. It appears to be primarily photos from Mr. Patel. The dump is 1.06GB.

While this compromise is probably deeply embarrassing to Patel and the FBI, the e-mails are relatively benign. The photos present are:
- Him being goofy
- Photos of his family members
- Updates on family stuff
- Some kind of ice hockey thing
- Traveling stuff

Basically, Kash Patel looks like a regular guy who wants updates on what his family is doing.

From a public-relations perspective, this makes Kash Patel look like a family man and a goofy dork. Unfortunately, some mistakes were made and it resulted in his e-mail being compromised. That is embarrassing.

From a security perspective, to people who are enemies of the United States, this potentially endangers him or his family members who can now be easily identified.


vx-underground

I'm so tired of people on social media complaining about the Strait of Hormuz.

All we need to do is send over a bunch of people and dig a new strait. It's really not that complicated.

Then in the middle of the two straits we open a WalMart or something idk


vx-underground

A lot of people don't know this but I'm actually an expert in military strategy. I have over four "chicken dinners" in a hyper-realistic military strategy "game" called "P.U.B.G.". Additionally, I have a chess ELO rating of 1214.

Many people believe Iran cannot defeat the United States, but they're incorrect. Iran has failed to utilize advanced guerilla warfare the likes of which has not been witnessed since an important war that took place somewhere.

If the Iranian government wants to win they need to use asymmetrical antiheuristic dogfooding guerilla warfare with telemetry.

Here's what they need to do NOW:
1. Make an Etsy account
2. Purchase as many pro-America flags and memorabilia as possible
3. Plaster said purchases all over critical infrastructure

The Etsy items MUST contain things such as, but not limited to, "9/11 NEVER FORGET", "GO WOKE GO BROKE", "TRUMP 2028", "LET'S GO BRANDON", "BACK THE BLUE".

Furthermore, the Iranian government needs to purchase the largest Bluetooth speakers available on the market and begin playing this playlist:
- "Courtesy of the Red, White and Blue" - Toby Keith
- "Try That in a Small Town" - Jason Aldean
- Anything from Kid Rock, Aaron Lewis, or Hank Williams Jr

When the United States military is deployed they physically will be unable to attack. If they attack then they're actually WOKE and HATE FREEDOM. They'll see how unbelievably BASED and AMERICA-PILLED the Iranian government is and drop to their knees. They'll say, "Oh my sweet sweet, Blonde Hair, Blue Eye'd, sweet Baby Jesus."

Hegseth and the Trump administration in totality will begin violently convulsing on the floors.

They will be physically, emotionally, intellectually, sexually, financially, psychologically, hypothetically, and theoretically unable to combat such a BASED enemy.


vx-underground

LeakBase admin "Chucky" was arrested.

For those unfamiliar, LeakBase was this big ass fuck off website which sold, traded, auctioned, and freely distributed stolen data from compromised websites or companies.

LeakBase's audience was primarily Eastern European.

Despite the widespread identity theft, credit card fraud, extortion, initial access brokering, and money laundering that "Chucky" enabled, he was a nice guy.

I used to send silly pictures of kitty cats to him.


vx-underground

Windows Defender is very silly and I am flabbergasted.

I always keep Windows Defender off. As a person who collects malware, writes malware, and pokes malware with a stick, Windows Defender is a big stinky dork who isn't cool and gets in my way.

Earlier today I was doing big brain intellectual stuff that you wouldn't understand (watching police chase videos on YouTube) and suddenly Windows Defender began screaming obnoxiously loud into my headphones that it has detected hundreds of malwares on my machine.

Windows Defender turning itself on is no big deal. I keep my several terabytes of malware segregated (it's in a special folder that is whitelisted, I pray I don't accidentally detonate it). However, Windows Defender was screaming malware was in my C drive.

This is sort of weird ... I write malware, maybe it's flagging one of my proof-of-concepts as malware? Maybe?

I look inside and this fucking piece of shit is flagging my anti-malware project I'm working on as malware. That makes literally zero sense. Nothing in my anti-malware static analysis goofy project is even remotely malicious. What the fuck is this piece of shit yapping about?

In my malware static analysis project I extracted the YARA rules from Windows Defender. I use those same rules for identification.

Windows Defender flagged ITS OWN RULES as malware because of the strings present in THEIR OWN YARA RULES.

You dumb son of a bitch. I HATE YOU. Now I have to spend an extra FOUR MINUTES re-extracting your YARA rules and recompiling them for my project. HOW DARE YOU


vx-underground

And for a bit of nuance, this is MY perspective. This is anecdotal. It's totally possible this is just what I'm seeing and it's possible the shift is much smaller than what I've personally seen.

We would need a larger sample size and study to be performed.


vx-underground

Biggest cyber attack of 2026


vx-underground

Someone also made a video if you're lazy and don't want to read

https://www.youtube.com/watch?v=i9o4aWxAnLk


vx-underground

People asking me for the anime lore on this LiteLLM compromise.

I'll do it tomorrow. It's got some filler episodes, but they're still lowkey important for later references.

The first episode is kind of cool, it slows down, but then toward the end of the anime it gets crazy.

In extreme summary, nerds compromised a thingie, used it to compromise other thingies, used that to compromise other thingies, then did the big thingie with LiteLLM.

It's a big cluster fuck because now you're like, what did they steal? Do they have access to anything else? How long is season 1 of this anime? It's wild stuff.


vx-underground

Big news for Threat Actors

Windows 11 powering the Nuclear Power Plant

Nuclear Copilot


vx-underground

> malware analyst goes on x
> says supply chain attack failed
> everyone calms down
> supply chain was actually a success
> panic intensified by 150%


vx-underground

More information

https://www.theverge.com/news/899172/fcc-foreign-router-ban


vx-underground

> be cow
> cow, but online
> IoT? IoC
> Internet of Cow
> no security
> cows compromised
> cow botnet
> use cows for ddos attacks
> critical infrastructure taken down by cows
> hijack cow sensor
> tell cows to attack at dawn
> open front door
> 1000 cows pooping outside house


vx-underground

Hello,

Thank you to the many people who have given me malware to poke with a stick. Unfortunately right now I am extremely busy with a one year old and my work-work.

Between juggling a big stinky baby, my many malware development and research projects, work-work, malware archive stuff, and people's requests to bonk stuff with a big stick, I am busy and with very limited time.

I will get around to stuff eventually... or I won't, I don't know. Whatever.

Pic unrelated


vx-underground

🚨‼️ BREAKING: Crunchyroll breached through outsourcing partner in India.

A threat actor exfiltrated data from Crunchyroll's ticketing system and also managed to pull 100 GB of personally identifiable customer analytics data.

We've analyzed sample data and it includes IP addresses, email addresses, credit card details, and more.

An employee of their outsourcing partner Telus had executed malware on his system, which gave a threat actor access to Crunchyroll's environment.

The threat actor told us the breach happened on March 12, 2026. Crunchyroll revoked their access after 24 hours.

They also said Crunchyroll is ignoring all messages and still hasn't publicly disclosed the breach.
