Cyware Daily Threat Intelligence, April 23, 2025

Daily Threat Briefing • April 23, 2025
One compromised package, five tainted versions, and private keys silently siphoned away. A supply chain attack hit a widely used JavaScript library for the XRP Ledger. Malicious code was slipped into several recent versions, enabling private key theft via an external domain. The incident is linked to a compromised npm account tied to a Ripple employee.
Docker containers aren’t always what they seem. A new threat named TenoBot is targeting systems running outdated Teneo Web3 node software, deploying malicious containers to hijack environments. Once inside, it enables attackers to conduct multiple actions, all while blending in with legitimate processes to avoid detection.
A hidden flaw could turn Moodle into an unintentional threat vector. A recent audit exposed a TOC-TOU bug in the LMS’s URL validation process, enabling SSRF. By tampering with DNS responses, attackers can redirect requests to internal endpoints. Features like Calendar imports and File Picker are directly impacted, potentially affecting millions of users.
NPM package infected with cryptostealer
xrpl.js, a popular JavaScript library for interacting with the XRP Ledger, was compromised in a supply chain attack. Malicious code introduced in versions 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2 included a function that steals users' private keys and sends them to an external domain. The compromise likely occurred via a hacked npm account belonging to a Ripple employee. Users of affected versions should immediately update to version 4.2.5 or 2.14.3 and consider rotating any potentially compromised keys. The XRP Ledger itself was not affected.
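One way to check a project for the affected releases, as an added example that is not part of the Cyware briefing or of the xrpl.js project: a small Python audit that walks a package-lock.json and flags every xrpl install whose version is in the list above. The version sets come from the advisory; the sample lockfile embedded below is constructed, and the walker covers both the npm lockfile v1 layout (nested "dependencies") and the v2/v3 layout ("packages" keyed by node_modules path), so transitive copies pulled in by another SDK are not missed.

```python
import json
import sys

# Versions named in the advisory as carrying the key-stealing code.
COMPROMISED_XRPL_VERSIONS = {"4.2.1", "4.2.2", "4.2.3", "4.2.4", "2.14.2"}
# Fixed releases named in the advisory.
FIXED_XRPL_VERSIONS = {"4.2.5", "2.14.3"}

# Constructed sample lockfile (npm lockfile v3 layout): one direct xrpl
# dependency on a compromised version and one nested copy on a fixed one.
SAMPLE_LOCKFILE = {
    "name": "example-wallet",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-wallet", "dependencies": {"xrpl": "^4.2.0"}},
        "node_modules/xrpl": {"version": "4.2.3"},
        "node_modules/some-wallet-sdk": {"version": "1.0.0"},
        "node_modules/some-wallet-sdk/node_modules/xrpl": {"version": "2.14.3"},
    },
}


def find_xrpl_installs(lockfile: dict) -> list[tuple[str, str]]:
    """Return (install path, version) for every xrpl entry in a lockfile.

    Lockfile v2/v3 lists every install under "packages" keyed by its
    node_modules path; v1 nests "dependencies" recursively. Both are walked
    so transitive copies of xrpl are reported too.
    """
    found: list[tuple[str, str]] = []

    for path, meta in lockfile.get("packages", {}).items():
        if path.endswith("node_modules/xrpl") and "version" in meta:
            found.append((path, meta["version"]))

    def walk_v1(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "xrpl" and "version" in meta:
                found.append((path, meta["version"]))
            walk_v1(meta.get("dependencies", {}), path + "/")

    if "packages" not in lockfile:
        walk_v1(lockfile.get("dependencies", {}), "")
    return found


def audit_lockfile(lockfile: dict) -> dict[str, list[str]]:
    """Classify each xrpl install as compromised, fixed, or other (unlisted)."""
    report: dict[str, list[str]] = {"compromised": [], "fixed": [], "other": []}
    for path, version in find_xrpl_installs(lockfile):
        entry = f"{path}@{version}"
        if version in COMPROMISED_XRPL_VERSIONS:
            report["compromised"].append(entry)
        elif version in FIXED_XRPL_VERSIONS:
            report["fixed"].append(entry)
        else:
            report["other"].append(entry)
    return report


if __name__ == "__main__":
    # Pass a real package-lock.json path to audit it; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lockfile = json.load(fh)
    else:
        lockfile = SAMPLE_LOCKFILE
    result = audit_lockfile(lockfile)
    for entry in result["compromised"]:
        print(f"COMPROMISED: {entry} -> upgrade and rotate any keys it handled")
    for entry in result["fixed"]:
        print(f"fixed: {entry}")
    for entry in result["other"]:
        print(f"unlisted version (review manually): {entry}")
    sys.exit(1 if result["compromised"] else 0)
```

A non-zero exit on any compromised hit makes the script usable as a CI gate; versions outside both lists are reported separately rather than treated as safe, since the audit only knows what the advisory names.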
Malicious LNK spread as notices
ASEC has identified a malicious LNK file targeting Korean users. Disguised as notices, the malware steals user information, collecting data related to virtual assets, browsers, and email files, and also performs keylogging. When executed, the LNK file downloads an HTA file that contains scripts for data collection and keylogging. The attack is specifically targeting Korean users, as indicated by the use of Korean comments in the scripts and the targeting of Korean web services.
Kimsuky distributes PebbleDash malware
The Kimsuky group is distributing PebbleDash malware, previously associated with the Lazarus group, using spear-phishing tactics. The initial access involves executing JavaScript via LNK files, which then runs PowerShell for persistence and malware installation. The attackers use tools like AsyncRAT alongside PebbleDash for remote control. The modification of termsrv.dll disables RDP authentication, allowing unauthorized access. Users are advised to verify file extensions, check for modified DLLs using hash comparisons, and monitor for suspicious accounts like ‘Root’.
Docker malware abuses Teneo Web3 node
A new Docker malware, dubbed TenoBot, exploits vulnerabilities in Teneo Web3 node software. It deploys malicious containers that compromise system security, allowing attackers to manipulate blockchain transactions and steal sensitive information. TenoBot can execute unauthorized commands, effectively gaining control over affected systems. The malware utilizes known vulnerabilities within the Teneo software, making it particularly dangerous for users running outdated versions. The attack is characterized by its stealthy nature, as it blends in with legitimate Docker operations, complicating detection efforts.
Critical vulnerability in Moodle
A recent security audit uncovered critical vulnerabilities in Moodle (version 4.4.3), the popular learning management system. A Time-of-Check to Time-of-Use (TOC-TOU) flaw in its URL validation process allows attackers to bypass Server-Side Request Forgery (SSRF) protections. By manipulating DNS responses between Moodle checking a user-supplied URL and fetching its content, attackers can redirect requests to internal addresses, including sensitive AWS metadata endpoints. This affects features like Calendar imports and the File Picker, putting millions of Moodle instances at risk.
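To show why the check-then-fetch ordering matters and how to close the window, the following Python is an added example; it is not Moodle's code and not from the audit the briefing cites. DNS is replaced by a constructed resolver that changes its answer between lookups: the naive path validates the name and then lets the HTTP client resolve it again, while the pinned path resolves once, validates that address, and connects to it directly. The hostname and IP addresses are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def is_disallowed_ip(ip: str) -> bool:
    """True for addresses an outbound fetch must never reach: loopback,
    RFC 1918, link-local (where cloud metadata services live), and similar."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


class RebindingResolver:
    """Constructed stand-in for DNS. It hands out the answers in order and
    then keeps repeating the last one, so a name can look public on the
    first lookup and point at an internal address on the next: exactly the
    window between the URL check and the fetch."""

    def __init__(self, answers: list[str]) -> None:
        self._answers = list(answers)
        self.lookups = 0

    def resolve(self, host: str) -> str:
        answer = self._answers[min(self.lookups, len(self._answers) - 1)]
        self.lookups += 1
        return answer


def naive_fetch_target(url: str, resolver: RebindingResolver) -> str:
    """Check-then-use pattern: validate the name once, then let the HTTP
    client resolve it again. Returns the IP the client would connect to."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host")
    if is_disallowed_ip(resolver.resolve(host)):      # time of check
        raise ValueError(f"blocked: {host} resolves to an internal address")
    return resolver.resolve(host)                      # time of use: a second lookup


def pinned_fetch_target(url: str, resolver: RebindingResolver) -> str:
    """Resolve exactly once, validate that answer, and connect to it directly
    (the original hostname goes in the Host header / TLS SNI). With no
    second lookup, a changed DNS answer cannot redirect the request."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("URL has no host")
    ip = resolver.resolve(host)
    if is_disallowed_ip(ip):
        raise ValueError(f"blocked: {host} resolves to an internal address")
    return ip


def demo(url: str = "https://calendar.example.com/feed.ics") -> dict[str, str]:
    """Run both strategies against a resolver that flips to the AWS metadata
    address after the first lookup; the values are what each would connect to."""
    public, internal = "93.184.216.34", "169.254.169.254"   # constructed answers
    return {
        "naive": naive_fetch_target(url, RebindingResolver([public, internal])),
        "pinned": pinned_fetch_target(url, RebindingResolver([public, internal])),
    }


if __name__ == "__main__":
    for strategy, target in demo().items():
        print(f"{strategy:7s} would connect to {target}")
```

In a real client the pinned address is what the socket connects to, with the original hostname supplied as the Host header and as the TLS server name for certificate verification; each redirect hop has to repeat the resolve-and-validate step, and when a name returns several A/AAAA records every answer should pass the check before any is used.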
Bug spotted in Synology’s NFS
A critical vulnerability (CVE-2025-1021) affects Synology's Network File System (NFS) service on DiskStation Manager (DSM). This flaw allows unauthorized remote attackers to access sensitive files on vulnerable devices due to a missing authorization check. The vulnerability impacts several DSM versions and carries a CVSS score of 7.5 (Important). Synology has released patches to fix this issue.