Cyware Daily Threat Intelligence, May 22, 2025

Daily Threat Briefing • May 22, 2025
Two years of silence, 6,200 downloads later - the malware is finally found. A malicious campaign targeting JavaScript developers slipped past detection by disguising harmful npm packages as plugins for frameworks like React, Vue.js, Vite, and Quill Editor. The attacker combined typosquatting with a blend of legitimate and malicious modules to build trust and exploit developer habits.
Fake AI tools are the new phishing lures and they’re convincing. Cybercriminals cloned Kling AI’s brand through Facebook ads and spoofed websites to trick users into downloading malware. Victims who interacted with fake image-generation tools unknowingly installed PureHVNC RAT.
A single flaw in Samlify could let attackers waltz into admin panels. The bug lets adversaries inject unsigned assertions into signed SAML responses. The result? Easy privilege escalation via forged credentials. The issue has been patched in Samlify v2.10.0.
Malicious npm packages target JavaScript frameworks
Socket identified malicious npm packages targeting JavaScript frameworks such as React, Vue.js, Vite, and Quill Editor, which remained undetected for over two years, accumulating over 6,200 downloads. The threat actor, using the alias "xuxingfeng," published both malicious and legitimate packages to build trust and evade detection. Attackers used typosquatting and mimicry to trick developers into installing malicious packages by mimicking legitimate plugin names like vite-plugin-react-extend and quill-image-downloader.
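The look-alike names described above are cheap to catch before `npm install` runs. The following is an added example, not code from Socket or from the report: a small pre-install audit that compares every dependency in a package.json against a team-maintained allowlist and flags names that are a few edits away, that embed a vetted name with extra segments bolted on, or that share most of their hyphenated segments with a vetted name. The allowlist entries and the sample package.json are constructed for the demo; the two look-alike names in it are the ones the report cites.

```python
import json

# Constructed allowlist of package names the team has already vetted (hypothetical;
# in practice this comes from a lockfile review or an internal registry mirror).
KNOWN_GOOD = ["@vitejs/plugin-react", "quill-image-uploader", "react-dom", "vue-router"]

# Constructed package.json mixing vetted names with look-alikes; two of the look-alike
# names are the ones the Socket report cites, the rest are made up for the demo.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "@vitejs/plugin-react": "^4.0.0",
        "vite-plugin-react-extend": "^1.0.0",
        "quill-image-downloader": "^1.0.0",
        "vue-routr": "^4.0.0",
        "lodash": "^4.17.21",
    },
})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bare(name: str) -> str:
    """Drop an npm scope so '@vitejs/plugin-react' compares as 'plugin-react'."""
    return name.split("/")[-1]


def segments(name: str) -> list[str]:
    return bare(name).split("-")


def classify(name: str, allowlist: list[str]) -> str:
    if name in allowlist:
        return "allowlisted"
    cand = bare(name)
    # 1. one or two edits away from a vetted name (vue-routr vs vue-router)
    for good in allowlist:
        if levenshtein(cand, bare(good)) <= 2:
            return f"typo of {good}"
    # 2. a vetted name embedded whole, with extra segments added around it
    cand_segs = segments(name)
    for good in allowlist:
        g = segments(good)
        if len(cand_segs) > len(g) and any(
            cand_segs[i:i + len(g)] == g for i in range(len(cand_segs) - len(g) + 1)
        ):
            return f"extends name of {good}"
    # 3. most segments shared with a multi-segment vetted name, one swapped out
    for good in allowlist:
        g = segments(good)
        shared = len(set(cand_segs) & set(g))
        if len(g) >= 2 and shared / len(g) >= 2 / 3:
            return f"shares name segments with {good}"
    return "not in allowlist"


def audit_dependencies(package_json: str, allowlist=KNOWN_GOOD) -> dict[str, str]:
    """Return a verdict per dependency; anything but 'allowlisted' deserves a look."""
    manifest = json.loads(package_json)
    deps = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    return {name: classify(name, allowlist) for name in deps}


if __name__ == "__main__":
    for name, verdict in audit_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"{name:28} {verdict}")
```

The verdicts are heuristics, not proof of malice: "not in allowlist" simply means a human has not yet vetted the package, while the three look-alike verdicts are the ones worth blocking in CI until someone checks the publisher and the package contents.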
Fake Cloudflare verification page spreads malware via WordPress sites
A fake Cloudflare verification page is used to trick users into executing malicious commands, leading to malware infection. The malware spreads through WordPress themes and plugins, embedding malicious code in theme files like header.php. Obfuscated PowerShell commands are used to download and execute further payloads, evading antivirus detection. The final payload includes a ZIP file with an executable that bypasses Windows Defender and executes malicious actions.
Malicious extensions in Chrome Web Store
A campaign has been discovered involving over 100 malicious Chrome extensions that impersonate legitimate tools like VPNs and YouTube to steal browser cookies and execute remote scripts. These extensions, promoted through fake domains, request risky permissions to hijack accounts and modify network traffic. Despite Google's removal of many extensions, some remain accessible, posing significant threats to users. The malicious extensions can retrieve and send cookies to remote servers, enabling attackers to breach corporate networks and access sensitive information.
Fake Kling AI Facebook ads deliver RAT
Cybercriminals impersonated Kling AI, a popular AI media generation platform, through fake Facebook ads and websites to distribute malware. The malicious campaign uses filename masquerading, where files appear as media files but are actually executables. The malware employs .NET Native AOT compilation to complicate analysis and evade traditional detection methods. The infection chain begins with social media malvertising, directing users to spoofed Kling AI websites. The fake websites prompt users to upload images or generate media, delivering disguised executables in zip archives. The second-stage payload, PureHVNC RAT, includes extensive stealing capabilities targeting browser extensions and cryptocurrency wallets. Vietnamese threat actors are suspected due to references in the code and other indicators like language and phone numbers.
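The filename masquerading in this chain is detectable without running anything: a file that claims to be an image should start with that image format's magic bytes, and a name ending in a media extension followed by an executable extension is a disguise by construction. The following is an added example, not code from the researchers who reported this campaign: it opens a zip archive in memory, reads the first bytes of each entry, and compares them with what the name claims. The archive contents are constructed for the demo; the entry names are made up and do not come from the campaign.

```python
import io
import zipfile

# Magic bytes for the media types a fake "generated image" download would claim to be.
MEDIA_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def classify_entry(filename: str, head: bytes) -> str:
    """Compare what a file name claims with what its first bytes say."""
    base = filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    is_pe = head.startswith(b"MZ")  # DOS/PE header used by Windows executables
    if ext in MEDIA_MAGIC:
        if any(head.startswith(magic) for magic in MEDIA_MAGIC[ext]):
            return "ok"
        return "media name, PE content" if is_pe else "media name, magic mismatch"
    # photo.jpg.exe: a media-looking name with the real extension at the end
    if len(parts) > 2 and "." + parts[-2] in MEDIA_MAGIC and ext in EXECUTABLE_EXT:
        return "double extension hides executable"
    if ext in EXECUTABLE_EXT or is_pe:
        return "executable"
    return "ok"


def inspect_archive(data: bytes) -> dict[str, str]:
    """Map every file in the archive to a verdict, reading only its first 8 bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings[info.filename] = classify_entry(info.filename, head)
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive: one genuine-looking JPEG header, two disguised PE stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("preview.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 28)
        zf.writestr("generated_image.jpg.exe", b"MZ\x90\x00" + b"\x00" * 28)
        zf.writestr("output.png", b"MZ\x90\x00" + b"\x00" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in inspect_archive(build_sample_archive()).items():
        print(f"{name:28} {verdict}")
```

A mail gateway or download scanner can apply the same check to any archive before it reaches a user; because it only reads headers, it costs nothing even on large files and does not depend on recognising a specific malware family.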
Critical auth bypass bug in Samlify
A critical vulnerability (CVE-2025-47949) in the Samlify authentication library allows attackers to impersonate admin users by injecting unsigned malicious assertions into signed SAML responses. The flaw involves a Signature Wrapping issue where Samlify fails to verify all parts of the XML document, enabling privilege escalation without user interaction. Exploitation requires access to a valid signed XML blob, making it relatively simple for attackers to bypass SSO and gain unauthorized admin access. Users are advised to upgrade to Samlify version 2.10.0 to mitigate the risk.
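The structural half of the defence against signature wrapping is to consume only an assertion that the signature actually covers, and to refuse documents that carry more than one. The following is an added example, not Samlify's code and not a description of its fix: it parses a SAML Response with the standard library, locates the single Signature, resolves its Reference URI to the element it signs, and accepts the Assertion only if it sits inside that signed subtree. The XML samples are constructed, the SignatureValue is a placeholder, and the function deliberately does not do cryptographic verification; it is the check you run in addition to an XML-DSig library, not instead of it.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def validate_signed_assertion(response_xml: str) -> tuple[bool, str]:
    """Return (True, assertion_id) if exactly one Assertion exists and the one
    Signature in the document envelops it; otherwise (False, reason)."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        return False, f"expected exactly one Assertion, found {len(assertions)}"
    assertion = assertions[0]
    signatures = root.findall(".//ds:Signature", NS)
    if len(signatures) != 1:
        return False, f"expected exactly one Signature, found {len(signatures)}"
    signature = signatures[0]
    ref = signature.find("ds:SignedInfo/ds:Reference", NS)
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#") or len(uri) < 2:
        return False, f"unsupported Reference URI {uri!r}"
    signed_id = uri[1:]
    # The ID must resolve to exactly one element; duplicates are as bad as none.
    signed = [el for el in root.iter() if el.get("ID") == signed_id]
    if len(signed) != 1:
        return False, f"ID {signed_id!r} must identify exactly one element, found {len(signed)}"
    signed_subtree = list(signed[0].iter())
    if assertion not in signed_subtree:
        return False, "Assertion lies outside the signed subtree"
    if signature not in signed_subtree:
        return False, "Signature is not enveloped by the element it signs"
    return True, assertion.get("ID", "")


# Constructed response: one Assertion carrying an enveloped signature over itself.
GOOD = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature>
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same document with a second, unsigned Assertion added: must be rejected.
EXTRA_ASSERTION = GOOD.replace(
    '<saml:Assertion ID="_a1">',
    '<saml:Assertion ID="_a2"><saml:Subject><saml:NameID>admin</saml:NameID>'
    '</saml:Subject></saml:Assertion>\n  <saml:Assertion ID="_a1">',
)

# Reference pointing at an ID that no element carries: must be rejected.
DANGLING_REF = GOOD.replace('URI="#_a1"', 'URI="#_missing"')


if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("extra", EXTRA_ASSERTION), ("dangling", DANGLING_REF)]:
        print(label, validate_signed_assertion(doc))
```

Run this on the parsed document before handing the assertion to the cryptographic verifier, and make sure the verifier and this check resolve the Reference URI to the same element; the wrapping class of bugs comes from those two steps disagreeing about which node was signed.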
Chrome fixes eight vulnerabilities
Google released Chrome version 137.0.7151.40/.41, addressing eight security vulnerabilities. The most critical is CVE-2025-5063, a high-severity use-after-free flaw in the Compositing component. Other vulnerabilities include CVE-2025-5064 in Background Fetch, CVE-2025-5065 in the FileSystemAccess API, CVE-2025-5066 in the Messages component, and CVE-2025-5067 in the Tab Strip UI. Users are encouraged to update Chrome to the latest version for security enhancements.