
Cyware Daily Threat Intelligence, October 30, 2025


A new software supply chain campaign named PhantomRaven has been identified, involving 126 malicious npm packages. These packages, which have been downloaded over 86,000 times, are designed to steal developer credentials and CI/CD secrets.

Researchers have discovered a sophisticated malware loader that deploys two separate backdoors, TorNet and PureHVNC. The loader uses a rare API hashing technique with MurmurHash2 to hide its activities from static analysis.

A vulnerability has been discovered in a WordPress plugin, affecting over 100,000 sites. The flaw allows low-privileged users like subscribers to access sensitive server files. This includes the wp-config.php file, which contains the website's database credentials.

Top Malware Reported in the Last 24 Hours

PhantomRaven attack targets npm packages 

A new campaign named PhantomRaven has emerged, involving 126 malicious npm packages that have collectively garnered over 86,000 downloads. These packages are designed to stealthily steal sensitive information, including npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide. Utilizing advanced evasion techniques, such as Remote Dynamic Dependencies (RDD), the attackers have managed to bypass traditional security measures, allowing malicious code to execute without detection. By exploiting AI-generated package names, they mislead developers into installing these harmful packages, further compromising security. The attack exemplifies the growing sophistication of software supply chain threats, emphasizing the need for greater vigilance in the open-source ecosystem. 
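The briefing notes that PhantomRaven relied on Remote Dynamic Dependencies to slip past registry-focused checks. The page does not describe the mechanism in detail; the added example below (not part of the original briefing and not PhantomRaven's code) assumes it means dependency specifiers that resolve outside the npm registry, such as plain HTTP tarball URLs or git remotes, and shows a defender-side audit of a package.json and a package-lock.json for such entries. The manifest, lockfile, hostnames and package names are constructed for the example.

```python
import json
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample package.json (not a real PhantomRaven package).
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {
    "lodash": "^4.17.21",
    "left-pad-helper": "http://packages.example.invalid/left-pad-helper-1.0.0.tgz",
    "internal-lib": "git+https://git.example.invalid/internal-lib.git#v2",
    "shared-config": "file:../shared-config"
  },
  "devDependencies": {
    "jest": "~29.0.0",
    "build-scripts": "github:example-org/build-scripts"
  }
}
"""

# Constructed sample lockfile (lockfileVersion 3 layout) for the same project.
SAMPLE_PACKAGE_LOCK = """
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app"},
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
    },
    "node_modules/left-pad-helper": {
      "version": "1.0.0",
      "resolved": "http://packages.example.invalid/left-pad-helper-1.0.0.tgz"
    }
  }
}
"""

DEPENDENCY_FIELDS = ("dependencies", "devDependencies",
                     "optionalDependencies", "peerDependencies")


def classify_spec(spec: str) -> str:
    """Classify an npm dependency specifier by where npm will fetch it from."""
    s = spec.strip()
    if s.startswith(("http://", "https://")):
        return "remote-url"          # tarball fetched from an arbitrary server
    if s.startswith(("git+", "git://", "github:", "gitlab:", "bitbucket:", "gist:")):
        return "git"                 # cloned from a git host, bypassing the registry
    if s.startswith("file:"):
        return "local"               # path on disk, no network fetch
    # Semver ranges, dist-tags and "npm:" aliases all resolve through the registry.
    return "registry"


def find_non_registry_dependencies(manifest_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (field, name, spec, kind) for every dependency not served by the registry."""
    manifest = json.loads(manifest_text)
    findings = []
    for field in DEPENDENCY_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            kind = classify_spec(str(spec))
            if kind in ("remote-url", "git"):
                findings.append((field, name, str(spec), kind))
    return findings


def find_untrusted_resolved(lock_text: str,
                            allowed_hosts: Tuple[str, ...] = ("registry.npmjs.org",)) -> List[Tuple[str, str]]:
    """Return (package path, resolved URL) for lockfile entries fetched over plain HTTP
    or from a host outside the allow-list. Private registries belong in allowed_hosts."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        resolved = entry.get("resolved")
        if not resolved:
            continue
        url = urlparse(resolved)
        if url.scheme != "https" or url.hostname not in allowed_hosts:
            findings.append((path, resolved))
    return findings


if __name__ == "__main__":
    for finding in find_non_registry_dependencies(SAMPLE_PACKAGE_JSON):
        print("manifest:", finding)
    for finding in find_untrusted_resolved(SAMPLE_PACKAGE_LOCK):
        print("lockfile:", finding)
```

Running both checks in CI before `npm install` turns a remote dependency into a review item rather than a silent fetch; the lockfile pass is the more reliable of the two, because it sees the URL npm actually resolved, including transitive dependencies the manifest never names.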

PolarEdge botnet compromises 25,000 IoT devices

Researchers uncovered the PolarEdge botnet, which has compromised over 25,000 IoT devices and established 140 C2 servers. This sophisticated botnet exploits vulnerable edge devices and uses a novel RPX relay system to obscure attack sources, making detection difficult. Since its initial detection in May, the botnet has shown a sustained upward trend in infections, particularly in Southeast Asia and North America, with South Korea being the most affected. The malware employs a client-server architecture that facilitates remote command execution and proxy services, allowing attackers to maintain control and evade traditional security measures. 

Stealthy dual malware loader discovered 

Researchers from IIJ discovered a sophisticated malware loader capable of simultaneously deploying two malware families, TorNet and PureHVNC. The loader disguises itself as a legitimate program within a ZIP file, using hidden files and DLL sideloading to execute malicious components. Persistence is achieved by copying itself to the %LOCALAPPDATA% directory and creating a registry Run key for automatic execution. For API hashing the loader employs MurmurHash2, a technique rarely seen in malware loaders, which offers faster computation and greater resistance to static analysis. TorNet operates as a downloader using the TOR network for secure communication, while PureHVNC functions as a RAT with capabilities like keystroke logging and system control.
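API hashing defeats static analysis because the import names never appear in the binary, only their hashes. The usual analyst response is to precompute the same hash over a list of candidate API names and map the constants found in the sample back to names. The example below is added here and is not IIJ's tooling or the loader's code: it implements the 32-bit MurmurHash2 (Austin Appleby's reference algorithm) and a lookup table over a handful of Windows API names. The seed value, the ASCII encoding of the names, and the "observed" hash list are assumptions for illustration; the real loader's seed and encoding are not stated in the briefing and would be taken from the sample.

```python
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2 as in the reference implementation (little-endian input)."""
    m = 0x5BD1E995
    r = 24
    length = len(data)
    h = (seed ^ length) & MASK32
    i = 0
    # Mix four bytes at a time.
    while length - i >= 4:
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * m) & MASK32
        k ^= k >> r
        k = (k * m) & MASK32
        h = (h * m) & MASK32
        h ^= k
        i += 4
    # Handle the last 1-3 bytes (the reference switch falls through).
    rem = length - i
    if rem == 3:
        h ^= data[i + 2] << 16
    if rem >= 2:
        h ^= data[i + 1] << 8
    if rem >= 1:
        h ^= data[i]
        h = (h * m) & MASK32
    # Final avalanche.
    h ^= h >> 13
    h = (h * m) & MASK32
    h ^= h >> 15
    return h


# Constructed candidate list; a real table would cover the export names of the
# DLLs the sample loads (kernel32, ntdll, user32, ...).
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "RegSetValueExA", "WriteProcessMemory", "Sleep",
]

ASSUMED_SEED = 0  # assumption: seed is not given on the page


def build_hash_table(names: Iterable[str], seed: int = ASSUMED_SEED) -> Dict[int, str]:
    """Map MurmurHash2(name) -> name so observed constants can be resolved."""
    return {murmurhash2(name.encode("ascii"), seed): name for name in names}


def resolve_hashes(observed: Iterable[int], table: Dict[int, str]) -> List[Optional[str]]:
    """Resolve each observed hash to an API name, or None when not in the table."""
    return [table.get(h & MASK32) for h in observed]


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    # Constructed stand-in for constants pulled out of a sample's resolver loop.
    observed = [murmurhash2(b"VirtualAlloc"), murmurhash2(b"CreateThread"), 0xDEADBEEF]
    for h, name in zip(observed, resolve_hashes(observed, table)):
        print(f"0x{h:08x} -> {name or 'unresolved'}")
```

Two details matter when applying this to a real sample: the seed is often a constant sitting next to the hashing loop, and loaders sometimes hash the lowercase or UTF-16 form of the name, so the table should be built in whichever form the disassembly shows being hashed.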

Top Vulnerabilities Reported in the Last 24 Hours

Google rolls out Chrome 142

Google has released Chrome version 142, addressing 20 security vulnerabilities, including critical flaws in the V8 JavaScript engine that could lead to remote code execution. This update, which affects Windows, Mac, and Linux, includes five high-severity vulnerabilities in the V8 engine, with researchers awarded over $120,000 in bug bounties for their responsible disclosures. Notable issues include type confusion and race conditions that could allow attackers to execute arbitrary code through crafted JavaScript. Additionally, vulnerabilities were identified in Chrome’s media, extensions, and user interface components.

WordPress plugin vulnerability exposes private data

A vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, used by over 100,000 sites, allows subscribers to access sensitive files on the server, including the wp-config.php file, which contains critical database credentials. Identified as CVE-2025-11705, the flaw arises from inadequate capability checks in the GOTMLS_ajax_scan() function, enabling low-privileged users to read arbitrary files. Although the vulnerability is not deemed critical since authentication is necessary for exploitation, many sites with user subscriptions are at risk.
