Cyware Daily Threat Intelligence, December 12, 2025

The tools developers rely on are being turned against them. A new campaign has been uncovered involving 19 malicious extensions on the VSCode Marketplace, masquerading as innocent themes. Active since February, these extensions hide a Rust-based trojan inside a fake image file, automatically executing malicious code the moment the IDE is launched.
Your cloud storage might be the command center for a global espionage operation. A sophisticated Windows backdoor named NANOREMOTE is using the Google Drive API to hide its command-and-control traffic in plain sight. Linked to Chinese threat actors targeting government and telecom sectors, the malware uses a loader disguised as legitimate Bitdefender software.
Hundreds of code repositories are wide open to attack, and there is no official fix yet. Hackers are actively exploiting an unpatched zero-day vulnerability in Gogs, a self-hosted Git service, to gain remote code execution on over 700 servers.
Top Malware Reported in the Last 24 Hours
Malicious VSCode extensions hide trojan
A campaign targeting developers has been uncovered, involving 19 malicious extensions on the VSCode Marketplace that have been active since February. These extensions concealed malware within a dependency folder, utilizing a fake .PNG file to hide two harmful binaries: a living-off-the-land binary (LoLBin) named cmstp.exe and a Rust-based trojan. The attackers modified popular npm packages, such as 'path-is-absolute,' to execute malicious code automatically when the VSCode IDE was launched. All extensions were published with the version number 1.0.0 and included names like Malkolm Theme and PandaExpress Theme.
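The technique described above, binaries stored under an image file name inside a dependency folder, is easy to spot on disk because a real PNG begins with a fixed byte signature. The following defender-side script is an added example, not code from the Cyware digest or from any extension or vendor; it walks a directory such as a VS Code extensions folder, reads the first bytes of every file with an image extension, and reports those whose header does not match the claimed format (a Windows PE header stored as `.png` is named explicitly). The `node_modules/some-dep` layout and the file contents are constructed fixtures.

```python
"""Flag image-named files whose bytes are not an image.

Added defender-side example (not from the Cyware digest, VS Code, or any
vendor tool). Walks a directory and reports files with an image extension
whose magic bytes do not match the claimed format.
"""
import tempfile
from pathlib import Path

# Leading bytes each image format must start with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Executable formats worth naming explicitly in a finding.
EXECUTABLE_MAGIC = {
    b"MZ": "PE executable (Windows)",
    b"\x7fELF": "ELF executable",
}


def classify_header(head: bytes) -> str:
    """Describe what a non-image header most likely is."""
    for magic, name in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown non-image data"


def scan_for_masquerading_images(root) -> list[tuple[str, str]]:
    """Return (relative path, description) for each image-named file with wrong magic."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        expected = IMAGE_MAGIC.get(path.suffix.lower())
        if expected is None:
            continue
        with path.open("rb") as fh:
            head = fh.read(16)
        if not head.startswith(expected):
            findings.append((path.relative_to(root).as_posix(), classify_header(head)))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed fixture imitating an extension's dependency folder."""
    root = tempfile.mkdtemp(prefix="ext-scan-")
    dep = Path(root) / "node_modules" / "some-dep"   # hypothetical package name
    dep.mkdir(parents=True)
    # Genuine PNG header followed by filler bytes.
    (dep / "logo.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 64)
    # Constructed decoy: a PE ("MZ") header inside a file named like an image.
    (dep / "icon.png").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (dep / "index.js").write_text("module.exports = () => true;\n")
    return root


if __name__ == "__main__":
    for rel, desc in scan_for_masquerading_images(build_sample_tree()):
        print(f"{rel}: {desc}")
```

Point the scanner at the real extensions directory (for example `~/.vscode/extensions`) to run it outside the fixture; any hit deserves a look at the extension's activation code, since a binary that is never referenced has no reason to be shipped.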
NANOREMOTE malware exploits Google Drive API
NANOREMOTE is a sophisticated Windows backdoor that uses the Google Drive API for command-and-control operations, enabling stealthy data theft and payload management. It shares similarities with another malware family, FINALDRAFT, which is linked to the REF7707 threat cluster and believed to be associated with Chinese cyber actors targeting sectors including government and telecommunications in Southeast Asia and South America. The malware employs a loader called WMLOADER, which disguises itself as a legitimate Bitdefender component to decrypt and execute its payload. NANOREMOTE can perform reconnaissance, execute commands, and transfer files to and from Google Drive, all while communicating over encrypted HTTP. Its architecture includes 22 command handlers covering a range of operations, and its use of encryption keys identical to FINALDRAFT's points to a shared development environment.
Top Vulnerabilities Reported in the Last 24 Hours
Notepad++ patches bug
Notepad++ version 8.8.9 addresses a significant security vulnerability in its WinGUp update tool, which allowed attackers to deliver malicious updates. Reports emerged from users indicating that the updater retrieved harmful executables instead of legitimate files, leading to unauthorized access and data exfiltration. Several organizations experienced incidents linked to Notepad++, where compromised processes facilitated initial access for threat actors. The issues stemmed from potential hijacking of update URLs, enabling attackers to redirect downloads to malicious locations. In response, the Notepad++ team implemented measures to verify the signature and certificate of downloaded installers.
Hackers exploit Gogs zero-day vulnerability
An unpatched zero-day vulnerability in Gogs, a self-hosted Git service, has been exploited by hackers to gain remote code execution on over 700 servers. The vulnerability, identified as CVE-2025-8110, arises from a path traversal weakness in the PutContents API that lets attackers use symbolic links to overwrite files outside the intended repository. This allows them to manipulate Git configuration files, for example by setting sshCommand, so that arbitrary commands run on the compromised system. Although a patch is in development, a second wave of attacks was observed shortly after the first.
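Because the reported attack ends with a rewritten Git config, a server-side audit of every repository's `config` file is a practical detection step while the patch is pending. The script below is an added example, not code from the Cyware digest or from the Gogs project; it walks a repository root (bare repositories as a self-hosted service stores them, or working trees with a `.git` folder), parses each `config` with a minimal parser, and reports settings whose value Git executes as a command. `core.sshCommand` is the key named in the report; the other keys in `COMMAND_KEYS` are assumed here from Git's documented behaviour. It also flags a `config` file that is itself a symbolic link, since the reported technique relies on symlinks. The two bare repositories it builds are constructed fixtures.

```python
"""Audit Git repositories for command-executing config settings.

Added defender-side example (not from the Cyware digest or the Gogs project).
Reports config keys whose value Git runs as a command, and config files that
are symbolic links.
"""
import tempfile
from pathlib import Path

# Settings Git executes as a command. core.sshCommand is the key named in the
# Gogs report; the others are assumed here from Git's documented behaviour.
COMMAND_KEYS = {"core.sshcommand", "core.fsmonitor", "core.hookspath", "core.gitproxy"}


def parse_git_config(text: str) -> list[tuple[str, str]]:
    """Minimal Git config parser: returns (section.key, value) with keys lowercased.

    Comments are stripped at the first '#' or ';', so a quoted value containing
    those characters would be truncated; good enough for an audit pass.
    """
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # '[core]' -> 'core'; '[remote "origin"]' -> 'remote.origin'
            name, _, sub = line[1:-1].strip().partition(" ")
            section = name.lower() + ("." + sub.strip().strip('"') if sub else "")
            continue
        key, _, value = line.partition("=")
        entries.append((f"{section}.{key.strip().lower()}", value.strip()))
    return entries


def audit_repositories(root) -> list[tuple[str, str, str]]:
    """Return (repo, finding, detail) for each suspicious observation under root."""
    root = Path(root)
    findings = []
    for config in sorted(root.rglob("config")):
        repo = config.parent
        if not (repo / "HEAD").exists():   # not a Git directory, skip
            continue
        rel = repo.relative_to(root).as_posix()
        if config.is_symlink():
            findings.append((rel, "config-is-symlink", str(config.resolve())))
        if not config.is_file():
            continue
        for key, value in parse_git_config(config.read_text(errors="replace")):
            if key in COMMAND_KEYS:
                findings.append((rel, key, value))
    return findings


def build_sample_repos() -> str:
    """Constructed fixture: two bare repos, one with an injected sshCommand."""
    root = tempfile.mkdtemp(prefix="git-audit-")
    base = "[core]\n\trepositoryformatversion = 0\n\tbare = true\n"
    tail = '[remote "origin"]\n\turl = https://example.invalid/x.git\n'
    # The injected value is a harmless placeholder, not a real payload.
    injected = "\tsshCommand = echo placeholder\n"
    for name, extra in (("clean.git", ""), ("tampered.git", injected)):
        repo = Path(root) / name
        repo.mkdir()
        (repo / "HEAD").write_text("ref: refs/heads/main\n")
        (repo / "config").write_text(base + extra + tail)
    return root


if __name__ == "__main__":
    for repo, finding, detail in audit_repositories(build_sample_repos()):
        print(f"{repo}: {finding} = {detail}")
```

On a real server, run it against the service's repository root as the service account and compare results against the small set of repositories that legitimately need such settings (usually none on a bare-repo host); any `core.sshcommand` hit there is an incident, not a misconfiguration.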