Cyware Daily Threat Intelligence, March 28, 2025


Daily Threat Briefing March 28, 2025

Researchers have uncovered a supply chain compromise involving cryptocurrency-related packages on the npm registry. Several long-standing packages, some over nine years old, were found to contain rogue scripts that exfiltrate environment variables and API keys to remote servers. The incident is suspected to have stemmed from compromised maintainer accounts and highlights ongoing risks in third-party package management. Researchers emphasized the need for two-factor authentication and tighter controls over software dependencies.

Splunk has issued security patches across multiple products, addressing a range of vulnerabilities including two high-severity flaws. One vulnerability allows remote code execution via file upload by low-privileged users, while another exposes user tokens that could be leveraged in phishing attacks. Updates cover both Splunk Enterprise and the Secure Gateway App. Although no active exploitation has been reported, users are strongly encouraged to apply the patches without delay.

A now-retired Microsoft Stream domain was hijacked on March 27, 2025, leading to embedded videos across SharePoint sites displaying a fake Amazon page advertising a Thailand casino. The affected domain, microsoftstream[.]com, had been deprecated in favor of SharePoint but remained active for legacy content. Following the hijack, Microsoft shut down the domain to block the spam content and is working to prevent similar issues with embedded media from deprecated services.

Top Malware Reported in the Last 24 Hours

API keys exfiltrated

Researchers found that several cryptocurrency-related packages on the npm registry, some of which have been published for over nine years, were hijacked to steal sensitive data. The compromised versions contain rogue scripts that collect environment variables, including API keys, and send them to a remote server. Per the researchers, the hijacking may have occurred through compromised npm maintainer accounts. The incident underlines the importance of two-factor authentication (2FA) on maintainer accounts and of tighter controls over third-party dependencies, which firms must treat as part of their own attack surface.

SnakeKeylogger evades detection

A malicious campaign was observed using SnakeKeylogger, an info-stealer built to evade detection. The malware installs itself in multiple stages and works stealthily to harvest sensitive data from victims. Victims receive spam emails carrying .img disk-image attachments; when opened, the image presents what looks like a PDF but actually contains an executable. That executable acts as a downloader and loader, contacting a remote server to fetch a disguised, encoded payload that is decoded and decrypted in memory. The second-stage payload is a malicious .NET DLL that is injected into legitimate processes, from which SnakeKeylogger steals a wide range of data, including browser credentials and saved Wi-Fi settings. The campaign is part of a larger Malware-as-a-Service (MaaS) operation whose server frequently rotates the malicious files, keeping static signatures from catching up.

APT36 hits Windows and Android users

APT36 (Transparent Tribe), a Pakistan-based APT group, set up a fake India Post website to target both Windows and Android users. Artifacts in the rogue Android package were created in the Pakistan time zone, and the build was linked to a laptop issued under Pakistan's Prime Minister Youth Laptop Scheme. The bogus site promotes a malicious Android app and, for desktop visitors, serves a rogue PDF containing “ClickFix” instructions that guide Windows users to execute potentially harmful commands themselves. Mobile visitors are offered an APK named “indiapost[.]apk,” which requests numerous permissions in order to extract sensitive data. The app disguises itself with a benign-looking Google Accounts icon, complicating uninstallation, and while it links to legitimate India Post services, its purpose is data theft. It maintains persistence on the device and redirects users to vendor-specific auto-start settings so that it survives reboots. 

J-Magic and Tiny backdoors infect networking devices 

Backdoored Juniper networking devices feature in two recent incidents that highlight weaknesses in network infrastructure. The first, reported in January 2025, described an attack campaign named J-Magic, in which a backdoor derived from the open-source cd00r was placed on Juniper routers. The second, reported on March 11 by Mandiant, involved another backdoor, this one based on the open-source Tiny Shell, again targeting Juniper routers. Both attacks used customized open-source tooling to stay stealthy. Mandiant noted that threats to network devices are increasing, and that the proprietary nature of such hardware complicates forensic investigation. 

Top Vulnerabilities Reported in the Last 24 Hours

Emergency patch for Chrome on Windows issued

Google released an emergency patch for Chrome on Windows to fix a serious vulnerability, CVE-2025-2783, that attackers have been exploiting in the wild, particularly against targets in Russia. The exploit escaped Chrome's sandbox, giving attackers a foothold for further attacks on the host. Mozilla subsequently found a similar, not-yet-exploited flaw in Firefox, CVE-2025-2857, which likewise allowed a sandbox escape, and issued a fix. Other Chromium-based browsers, such as Edge and Opera, may also need updates soon. The Tor Browser, which is built on Firefox, also released an emergency update for Windows to address the same urgent security concerns.

Splunk ships security patches

Splunk announced patches for various vulnerabilities in its products, including two high-severity issues in Splunk Enterprise and the Secure Gateway App. One flaw allows RCE by low-privileged users through a file upload and is fixed in several Splunk Enterprise and Splunk Cloud versions. Another issue exposes user tokens, which attackers could leverage in phishing attempts. Patches for medium- and low-severity defects were also released. Users are advised to update their systems promptly, even though no exploitation has been reported so far.

Top Scams Reported in the Last 24 Hours

Microsoft Stream domain hijacked

On March 27, 2025, the legacy domain for Microsoft Stream was hijacked to show a fake Amazon site promoting a Thailand casino. As a result, every SharePoint site with old embedded videos began displaying the spam content. The videos had been served through the portal at microsoftstream[.]com, which Microsoft had announced it would retire in April 2024 as the service moved to SharePoint, yet the domain remained live for legacy content. After the hijack, SharePoint pages embedding videos from the old domain rendered the spam page instead, and user reports traced the issue to the hijacked domain. Microsoft responded by shutting down the domain to block the spam page and is taking steps to prevent further access.

Pirated 2025 Snow White movie hits Torrent users

Disney's newest Snow White movie has a very low IMDb rating of 1.6/10 and has been described as the company's biggest failure. It is not available on Disney+. Researchers reported that scammers are offering pirated versions of the movie to torrent users in order to spread malware. A blog post on “TeamEsteem” lured users with a fake torrent link whose download included malicious files. Running these files can disable security software, install malware, and establish connections to dark web infrastructure, putting users' data at risk.
