Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, December 23, 2025


That helpful library you just downloaded might be spying on your most private conversations. A malicious npm package named lotusbail has been caught masquerading as a WhatsApp Web API tool, tricking over 56,000 developers into installing it.

Silence doesn't always mean safety; sometimes, it just means the enemy is regrouping. The Iranian APT group Infy has reemerged after a five-year hiatus with a dangerous new toolkit. It is using updated malware hidden in Excel documents to target victims across Europe, India, and the Middle East.

The very tool designed to automate your business could be the key to destroying it. A critical vulnerability has been discovered in the popular n8n workflow automation platform. With over 100,000 instances potentially exposed worldwide, the flaw allows attackers to execute arbitrary code.

Top Malware Reported in the Last 24 Hours

Malicious npm package steals WhatsApp data

A malicious npm package named lotusbail, masquerading as a WhatsApp Web API library, has been found to contain sophisticated malware. With over 56,000 downloads, the package delivers the WhatsApp functionality it advertises, which helps it avoid suspicion. It captures authentication tokens, session keys, complete message histories, contact lists, and media files, while also establishing persistent backdoor access to victims' WhatsApp accounts. The malware intercepts all communications by wrapping the legitimate WebSocket client and duplicating its traffic for exfiltration, and it employs custom RSA encryption to conceal the stolen data. It also embeds a hardcoded pairing code that links the threat actor's device to the victim's account, ensuring ongoing access even after the package is uninstalled. With 27 anti-debugging traps, the malware is designed to resist analysis.

Iranian APT Infy resurfaces with malware

Iranian APT group Infy, also known as Prince of Persia, has reemerged with new malware activity after nearly five years of silence. This group, one of the oldest APT actors, has been active since 2004 and is recognized for its stealthy operations. Recent investigations reveal that Infy has updated its malware strains, Foudre and Tonnerre, which are now being used to target victims in regions including Iran, Iraq, Turkey, India, Canada, and Europe. The group employs sophisticated techniques such as phishing emails, domain generation algorithms, and RSA signature verification to enhance its command-and-control infrastructure. Notably, Infy has shifted its attack methods, embedding executables within Microsoft Excel documents and utilizing Telegram for communication.

New MacSync malware evades Gatekeeper checks

A new variant of the MacSync information stealer targets macOS systems, delivered as a digitally signed, notarized Swift application. This sophisticated distribution method allows it to evade macOS Gatekeeper checks, which typically protect against unauthorized software. The malware's installer, named zk-call-messenger-installer-3.9.2-lts.dmg, had a valid digital signature associated with Developer Team ID GNJLS3UYZ4, although this certificate has since been revoked. The malware employs various evasion techniques, such as inflating the disk image size by including decoy PDFs and conducting internet connectivity checks to avoid detection in sandboxed environments. MacSync can steal sensitive information, including iCloud keychain credentials and cryptocurrency wallet data.

Top Vulnerabilities Reported in the Last 24 Hours

Critical n8n bug identified

A critical vulnerability, tracked as CVE-2025-68613, has been discovered in the n8n workflow automation platform, posing a significant security risk with a CVSS score of 9.9. This flaw allows for arbitrary code execution under certain conditions and affects all versions from 0.211.0 to below 1.120.4, with patches available in versions 1.120.4, 1.121.1, and 1.122.0. Approximately 103,476 instances are potentially vulnerable, predominantly located in the U.S., Germany, France, Brazil, and Singapore. If exploited, this vulnerability could lead to full compromise of the affected instances, enabling unauthorized access to sensitive data and manipulation of workflows.
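To turn the version ranges above into a check an operator can run against an inventory of n8n instances, here is an added example in Python; it is not code from Cyware or the n8n project, and it assumes that each listed patch release is the first safe release of its minor line (so 1.121.0 is treated as unpatched).

```python
"""Triage helper for CVE-2025-68613 in n8n (added example, not Cyware's or n8n's
code). Facts from the briefing: affected >= 0.211.0 and < 1.120.4; fixed in
1.120.4, 1.121.1, 1.122.0. Assumes each fix is the first safe release of its minor."""
from typing import Dict, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (0, 211, 0)
# First safe release per minor line, taken from the briefing's patch list.
FIXED_RELEASES = [(1, 120, 4), (1, 121, 1), (1, 122, 0)]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' or '-pre'/'+build' suffix is dropped."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised n8n version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_vulnerable(text: str) -> bool:
    """True when the installed n8n version still lacks the fix."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return False  # predates the affected range
    if v < FIXED_RELEASES[0]:
        return True  # the briefing's '0.211.0 to below 1.120.4'
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            return v < fixed  # same minor line, before its patch release
    return False  # later minor lines already include the fix


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'vulnerable' | 'patched' | 'unknown' for host -> reported version."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"a.example": "1.119.2", "b.example": "1.121.0", "c.example": "v1.122.0"}
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```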

Linksys router vulnerability allows remote access

A critical zero-day vulnerability, identified as CVE-2025-52692, has been discovered in the Linksys E9450-SG router, enabling attackers within the local network to bypass authentication and gain full control of the device. The flaw arises from logic errors in the router's URL parsing that allow access to restricted endpoints without valid credentials. By manipulating the URL, an attacker can activate the router's hidden Telnet server and obtain a root command line to execute commands with elevated privileges. The vulnerability is not exploitable over the internet by default, since an attacker must first be able to reach the router's administrative web interface from the local network; it still poses a significant risk to home networks. The issue has been verified in firmware version 1.2.00.052, the only version released for this model.
