Malicious Chrome extensions can spoof password managers in new attack - Related to spoof, managers, key, helps, 1,000

Ethereum private key stealer on PyPI downloaded over 1,000 times

A malicious Python Package Index (PyPI) package named "set-utils" has been stealing Ethereum private keys through intercepted wallet creation functions and exfiltrating them via the Polygon blockchain.

The package disguises itself as a utility for Python, mimicking the popular "python-utils," which has over 712 million downloads, and "utils," which counts over [website] million installs.

Researchers from the developer cybersecurity platform Socket discovered the malicious package and reported that set-utils had been downloaded over a thousand times since its submission on PyPI on January 29, 2025.

The open- the attacks primarily target blockchain developers utilizing 'eth-account' for wallet creation and management, Python-based DeFi projects, Web3 apps with Ethereum support, and personal wallets using Python automation.

As the malicious package is targeting cryptocurrency projects, even though there were only a thousand downloads, it could impact a far larger number of people who used the applications to generate wallets.

The malicious set-utils package embeds the attacker's RSA public key to be used for encrypting stolen data and an Ethereum sender account controlled by the attacker.

The package hooks into standard Ethereum wallet creation functions like 'from_key()' and 'from_mnewmonic()' to intercept private keys as they are generated on the compromised machine.

It then encrypts the stolen private key and embeds it in the data field of an Ethereum transaction before it's sent to the attacker's account via the Polygon RPC endpoint "rpc-amoy.polygon.technology/."

Compared to traditional network exfiltration methods, embedding stolen data in Ethereum transactions is far stealthier and more challenging to distinguish from legitimate activity.

Firewalls and antivirus tools typically monitor HTTP requests but not blockchain transactions, so this method is unlikely to raise any flags or get blocked.

Also, Polygon transactions have very low processing fees, no rate limiting applies to small transactions, and offer free public RPC endpoints, so the threat actors do not need to set up their own infrastructure.

Once the exfiltration process is done, the attacker can retrieve the stolen data at any time, as the stolen information is permanently stored on the blockchain.

The set-utils package was removed from PyPI following its discovery. However, customers and software developers who incorporated it into their projects should uninstall it immediately and assume that any Ethereum wallets created are compromised.

If the noted wallets contain funds, it is recommended to move them to another wallet as soon as possible, as they are at risk of getting stolen at any moment.

Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in......

The China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics......

Targeted attacks on Twilio and Cloudflare employees are tied to a massive phishing campaign that resulted in 9,931 accounts at over 130 organizations ......

Malicious Chrome extensions can spoof password managers in new attack

A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information.

The attack was devised by SquareX Labs, which warns of its practicality and feasibility on the latest version of Chrome. The researchers have responsibly disclosed the attack to Google.

The attack begins with the submission of the malicious polymorphic extension on Chrome's Web Store.

SquareX uses an AI marketing tool as an example, which offers the promised functionality, tricking victims into installing and pinning the extension on their browser.

To get a list of other installed extension, the malicious extension abuses the the 'chrome.management' API, which it was given access to during installation.

If the malicious extension doesn't have this permission, SquareX says there's a second, stealthier way to achieve the same, involving resource injection onto web pages the victim visits.

The malicious script attempts to load a specific file or URL unique to targetted extensions, and if it loads, it can be concluded that the extension is installed.

The list of installed extensions is sent back to an attacker-controlled server, and if a targeted one is found, the attackers command the malicious extension to morph into the targeted one.

In SquareX's demonstration, the attackers impersonate the 1Password password manager extension by first disabling the legitimate one using the 'chrome.management' API, or if the permissions aren't available, user interface manipulation tactics to hide it from the user.

Simultaneously, the malicious extension switches its icon to mimic that of 1Password, changes its name accordingly, and displays a fake login popup that matches the appearance of the real one.

To force the user into entering their credentials, when attempting to log in to a site, a fake "Session Expired" prompt is served, making the victim think they were logged out.

This will prompt the user to log back into 1Password through a phishing form that sends inputted credentials back to the attackers.

Fake prompt (left) and phishing popup (right).

Once the sensitive information is sent to the attackers, the malicious extension reverts to its original appearance, and the real extension is re-enabled, so everything appears normal again.

A demonstration of this attack can be seen below, where the malicious extension impersonates 1Password.

SquareX recommends that Google implement specific defenses against this attack, such as blocking abrupt extension icons and HTML changes on installed extensions or at least notifying clients when this happens.

However, at the time of writing, there are no measures to prevent this kind of deceptive impersonation.

SquareX researchers also noted that Google wrongfully classifies the 'chrome.management' API as "medium risk," and it is extensively accessed by popular extensions such as page stylers, ad blockers, and password managers.

BleepingComputer has contacted Google to request a comment on the topic, and we will improvement this post as soon as we hear back.

Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Hap......

Starting mid-March 2025, Microsoft will start prompting clients of its Microsoft 365 apps for Windows to back up their files to OneDrive.

Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.

After a recent dip, ransomware attacks a......

Open-source tool 'Rayhunter' helps users detect Stingray attacks

The Electronic Frontier Foundation (EFF) has released a free, open-source tool named Rayhunter that is designed to detect cell-site simulators (CSS), also known as IMSI catchers or Stingrays.

Stingray devices mimic legitimate cell towers to trick phones into connecting, allowing them to capture sensitive data, accurately geolocate customers, and potentially intercept communications.

With the release of the Rayhunter, EFF seeks to give customers the power to detect these instances, allowing them to protect themselves and also help draw a clearer picture of the exact deployment scale of Stingrays.

Rayhunter is an open-source tool designed to detect Stingrays by capturing control traffic (signaling data) between the mobile hotspot and the cell tower it is connected to, but without monitoring user activity.

"Rayhunter works by intercepting, storing, and analyzing the control traffic (but not user traffic, such as web requests) between the mobile hotspot Rayhunter runs on and the cell tower to which it's connected," reads EFF's announcement.

"Rayhunter analyzes the traffic in real-time and looks for suspicious events, which could include unusual requests like the base station (cell tower) trying to downgrade your connection to 2G which is vulnerable to further attacks, or the base station requesting your IMSI under suspicious circumstances."

Compared to other Stingray detection methods that require rooted Android phones and expensive software-defined radios, Rayhunter runs on a $20 Orbic RC400L mobile hotspot device (portable 4G LTE router).

EFF chose this hardware for its testing of Rayhunter due to its affordability, widespread availability (Amazon, eBay), and portability, but notes that their software may work well on other Linux/Qualcomm devices too.

When Rayhunter detects suspicious network traffic, Orbic's default green/blue screen turns red, informing clients of a potential Stingray attack.

The individuals may then access and download the PCAP logs kept on the device to get more information about the incident or use them to support forensic investigations.

For more instructions on how to install and use Rayhunter, check out EFF's GitHub repository.

The EFF includes a legal disclaimer noting that the software is likely not illegal to use in the United States. However, before attempting to use this project, it is advisable to check with a lawyer to determine if it's legal to use in your country.

BleepingComputer has not tested Rayhunter and cannot guarantee its safety or effectiveness, so use it at your own risk.

Wenn Angreifer erfolgreich an einer Schwachstelle in Kibana ansetzen, können sie Systeme mit Schadcode verseuchen. Attacken sind aber nicht in jedem F......

The [website] Federal Bureau of Investigation (FBI) formally linked the record-breaking $[website] billion Bybit hack to North Korean threat actors, as the compa......

Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud serv......