A new Shai-Hulud supply chain attack has hit nearly 500 npm packages with a total of 132 million monthly downloads. The latest campaign follows one in September that infected nearly 200 npm packages with more than 2 billion weekly downloads. The new campaign, which targets npm packages (the libraries used to run JavaScript outside of a browser), was reported by Aikido and other security firms.

Aikido noted that a total of 492 packages have been affected by the self-replicating worm, and that more than 25,000 compromised repositories labeled “Sha1-Hulud: The Second Coming” have been created containing sensitive information such as passwords, API keys, cloud tokens, and GitHub or npm credentials.

“The timing is notable, given npm’s recent announcement that it will revoke classic tokens on December 9 after the wave of supply-chain attacks,” Aikido’s Charlie Eriksen said. “With many users still not migrated to trusted publishing, the attacker seized the moment for one more hit before npm’s deadline.”

Shai-Hulud Attack Affects Packages from Zapier, AsyncAPI and Others

Shai-Hulud, named after the giant sandworms from Dune, is a self-replicating npm worm built to spread quickly through compromised developer environments. The latest attack has hit major npm packages from the likes of Zapier, ENS, AsyncAPI, PostHog, Browserbase, and Postman.

“Once it infects a system, it searches for exposed secrets such as API keys and tokens using TruffleHog and publishes anything it finds to a public GitHub repository,” Eriksen said. “It then attempts to push new copies of itself to npm, helping it propagate across the ecosystem, while exfiltrating data back to the attacker.”

If a developer installs one of these malicious packages, the malware runs from an install-time hook, before the installation has even finished, giving it access to the developer’s machine, build systems, or cloud environment, he said. If the stolen secrets include access to code repositories or package registries, attackers can use them to break into additional accounts and publish more malicious packages, spreading the attack even further.
“Because trusted ecosystems were involved and millions of downloads are affected, any team using NPM should immediately check whether they were impacted and rotate any credentials that may have leaked,” Eriksen said.

Shai-Hulud Worm Details

Ashish Kurmi of Step Security noted that the latest evolution of the malware “disguises the entire payload as a helpful Bun installer.” The core payload, bun_environment.js, is 10MB and uses “extreme obfuscation techniques,” Kurmi added. These include “a massive hex-encoded string array containing thousands of entries,” an anti-analysis loop “that performs millions of arithmetic operations,” and the retrieval of every string in the code through an obfuscated function.

The malware delays full execution on developer machines by “forking itself into the background,” Kurmi said. “The user’s terminal returns instantly, giving the illusion of a normal install, while seconds later a completely detached process begins exfiltration.”

“It executes a sophisticated, multi-stage pre-install attack that targets both CI/CD runners and developer workstations with equal effectiveness,” Kurmi said.

Wiz noted that the malware targets AWS, Azure and Google Cloud Platform (GCP) by “bundling official SDKs to operate independently of host tools.”
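One immediate check for the install-time behavior described above, as an added example that is not code from Aikido, StepSecurity, Wiz or npm: a Python scan of an installed node_modules tree that flags any package declaring an install-time lifecycle hook, or shipping a file named bun_environment.js, the payload name reported above. The hook names are npm's documented lifecycle scripts; the package names, hook command and directory layout in the sample tree are constructed for the example.

```python
"""
Added example: scan an installed node_modules tree for packages that declare
an install-time npm lifecycle hook or ship a file named bun_environment.js.
Not code from Aikido, StepSecurity, Wiz or npm. The sample tree built by
build_sample_tree() is constructed; its package names and hook command are
hypothetical.
"""
import json
import os
import tempfile

# npm runs these scripts automatically during `npm install` unless
# --ignore-scripts is set (or `npm config set ignore-scripts true`).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# File name reported as the core payload of this campaign.
PAYLOAD_FILES = {"bun_environment.js"}


def scan_node_modules(root):
    """Return (package name, reason) findings for every package under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: not what we are hunting
        name = manifest.get("name") or os.path.relpath(dirpath, root)
        scripts = manifest.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, f"lifecycle hook {hook}: {scripts[hook]}"))
        for fname in filenames:
            if fname in PAYLOAD_FILES:
                findings.append((name, f"known payload file name: {fname}"))
    return findings


def build_sample_tree(base):
    """Construct a tiny node_modules with one clean and one suspicious package."""
    nm = os.path.join(base, "node_modules")
    clean = os.path.join(nm, "harmless-pkg")          # hypothetical name
    os.makedirs(clean)
    with open(os.path.join(clean, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "harmless-pkg", "version": "1.0.0"}, fh)

    bad = os.path.join(nm, "trojanised-pkg")          # hypothetical name
    os.makedirs(bad)
    with open(os.path.join(bad, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "trojanised-pkg", "version": "9.9.9",
                   # hook command is illustrative, not the real campaign's
                   "scripts": {"preinstall": "node ./install-helper.js"}}, fh)
    with open(os.path.join(bad, "bun_environment.js"), "w", encoding="utf-8") as fh:
        fh.write("// stand-in for the obfuscated payload\n")
    return nm


def demo():
    """Scan the constructed tree and return its findings."""
    return scan_node_modules(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for pkg, reason in demo():
        print(f"{pkg}: {reason}")
```

Point scan_node_modules at a real project's node_modules to audit an existing checkout. Installing with npm ci --ignore-scripts (or npm config set ignore-scripts true) stops these hooks from running at all; packages that genuinely need a native build can then be rebuilt deliberately with npm rebuild. Any hit on a machine that held tokens is a reason to rotate the credentials Eriksen lists, not merely to remove the package.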
Salesforce has issued a new update on the ongoing Salesforce Gainsight security incident, confirming additional details about the unusual activity detected across Gainsight-published applications connected to the CRM platform. The company reiterated that the incident stemmed from the app’s external integration with Salesforce rather than from any vulnerability in the Salesforce core platform.

Salesforce Confirms Expanded Investigation

In its latest advisory, Salesforce stated that the unusual activity affecting Gainsight applications may have enabled unauthorized access to certain customers' Salesforce data through the app-to-Salesforce connection. As a precautionary measure, Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications and removed the apps from its AppExchange.

While initial communication referenced only three affected customers, Salesforce confirmed on November 21 that the list has expanded, and all newly identified impacted customers have been notified directly. Salesforce emphasized that a broader investigation is underway and continues to provide updates on its official Help portal.

Gainsight Products and Connectors Temporarily Impacted

According to Gainsight’s latest communication, several of its products, including Gainsight CS, Community (CC), Northpass (CE), Skilljar (SJ), and Staircase (ST), have been affected by Salesforce’s precautionary disconnection. Although the products remain operational, they are currently unable to read or write data to Salesforce. In addition, several third-party connectors integrated with Gainsight, such as Gong.io, Zendesk, and HubSpot, have been temporarily disabled by their respective vendors out of an abundance of caution. Gainsight urged customers to rotate their S3 keys if they have not done so since November 20, 2025, as part of the secure log retrieval process.

No Indication of Salesforce Platform Vulnerability

Salesforce reiterated that there is no evidence suggesting the issue originated from a flaw within the Salesforce platform itself.
Instead, the activity appears tied to the external OAuth-based connection between Gainsight applications and Salesforce environments. Crucially, Salesforce confirmed that while the OAuth tokens have been revoked, historical audit trails and logs remain intact, enabling full customer-led investigation efforts. The company also strongly encouraged customers to conduct thorough log reviews using Setup Audit Trail, Event Monitoring logs, and API activity records. Salesforce referenced the Salesforce Log Analysis Guide to support customers in assessing potential compromise indicators.

Indicators of Compromise Published

As part of its transparency efforts, Salesforce shared a list of Indicators of Compromise (IOCs) associated with the threat activity. These include several user agents, such as python-requests/2.32.3 and Salesforce-Multi-Org-Fetcher/1.0, and dozens of IP addresses linked to suspicious access attempts. Gainsight echoed Salesforce’s recommendations and is conducting its own forensic review with support from independent investigators. Both organizations confirmed that the Salesforce Gainsight security incident remains under active investigation. Gainsight has published a detailed timeline and continues to coordinate with Salesforce to determine the full impact. Customers seeking assistance have been directed to Salesforce Help and Gainsight Support for further updates.
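As an added example of the log review Salesforce recommends (not Salesforce's or Gainsight's code), the Python below matches the two published user agents, plus a placeholder IP set, against constructed API log rows and counts hits per user so that those users' tokens and connected-app grants can be reviewed first. The CSV column names are an assumption of the example rather than the Event Monitoring schema, and the IP addresses are RFC 5737 documentation-range placeholders standing in for the list in the advisory, which is not reproduced here.

```python
"""
Added example: match published IOCs (user agents; IP placeholder set) against
constructed Salesforce-style API log rows. Not Salesforce's or Gainsight's code.
The CSV layout is assumed for the example; Event Monitoring files are CSV but
their real columns differ by event type.
"""
import csv
import io
import ipaddress
from collections import Counter

# User agents named in the published IOC list.
IOC_USER_AGENTS = {"python-requests/2.32.3", "Salesforce-Multi-Org-Fetcher/1.0"}

# Placeholder for the dozens of published IPs: populate from the advisory.
IOC_IPS = {ipaddress.ip_address(ip) for ip in ("203.0.113.7", "203.0.113.42")}

# Constructed sample log; column names are an assumption of this example.
SAMPLE_LOG = """timestamp,event_type,user_id,client_ip,user_agent
2025-11-19T02:14:05Z,API,005XX0000000AAA,198.51.100.23,Mozilla/5.0 (Windows NT 10.0)
2025-11-19T02:15:11Z,API,005XX0000000BBB,203.0.113.7,python-requests/2.32.3
2025-11-19T02:15:40Z,API,005XX0000000BBB,203.0.113.7,python-requests/2.32.3
2025-11-19T03:01:02Z,RestApi,005XX0000000CCC,192.0.2.10,Salesforce-Multi-Org-Fetcher/1.0
2025-11-19T03:05:00Z,Login,005XX0000000DDD,198.51.100.99,Mozilla/5.0 (Macintosh)
"""


def find_ioc_hits(log_text):
    """Return one dict per log row that matches at least one indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        if row["user_agent"] in IOC_USER_AGENTS:
            reasons.append("user_agent")
        try:
            if ipaddress.ip_address(row["client_ip"]) in IOC_IPS:
                reasons.append("client_ip")
        except ValueError:
            pass  # malformed address: skip the IP test, keep the UA result
        if reasons:
            hits.append({"timestamp": row["timestamp"], "user_id": row["user_id"],
                         "event_type": row["event_type"], "reasons": reasons})
    return hits


def hits_per_user(hits):
    """Count matching rows per user id: the list to drive token and grant review."""
    return Counter(h["user_id"] for h in hits)


if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(hit)
    print(dict(hits_per_user(find_ioc_hits(SAMPLE_LOG))))
```

Exact user-agent matching keeps false positives down, but a generic python-requests string is common in legitimate integrations, so a match on the user agent alone should be confirmed against the connected app and source address before tokens are revoked.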
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Oracle Identity Manager vulnerability to its Known Exploited Vulnerabilities catalog after the SANS Internet Storm Center reported attack attempts on the flaw. CVE-2025-61757 is a 9.8-severity Missing Authentication for Critical Function vulnerability in the Identity Manager product of Oracle Fusion Middleware that was patched as part of Oracle’s October update and detailed in a blog post last week by Searchlight Cyber, which had discovered the vulnerability and reported it to Oracle.

Following the Searchlight post, the SANS Internet Storm Center looked for exploitation attempts against the vulnerability and found evidence going back as far as August 30. “Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” Searchlight Cyber said in its post. Cyble threat intelligence researchers had flagged the vulnerability as important following Oracle’s October update.

Oracle Identity Manager Vulnerability CVE-2025-61757 Explained

CVE-2025-61757 affects the REST WebServices component of Identity Manager in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. The easily exploitable pre-authentication remote code execution (RCE) vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful exploitation can result in takeover of Identity Manager.

The Searchlight researchers began looking for vulnerabilities after an Oracle Cloud breach earlier this year exploited a host that Oracle had failed to patch for CVE-2021-35587. In the source code for the Oracle Identity Governance Suite, the researchers found that the application compiles Groovy script but does not execute it. Taking inspiration from a previous Java capture the flag (CTF) event, they noted that Java annotation processing runs at compile time rather than at run time, so it is free from the constraints of the Java security manager and can call system functions and read files just like regular Java code. “Since Groovy is built on top of Java, we felt we should be able to write a Groovy annotation that executes at compile time, even though the compiled code is not actually run,” they said.
After experimenting with the code, they achieved RCE.

“The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws,” the Searchlight researchers said. “Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters.

“Participating in CTFs, or even staying up to date with research in the CTF space, continues to pay dividends, giving us unique insights into how we can often turn a seemingly unexploitable bug into an exploitable one.”

Oracle EBS Victims Climb Past 100

Meanwhile, the number of victims of the CL0P ransomware group’s exploitation of Oracle E-Business Suite vulnerabilities has now climbed past 100 after the threat group claimed additional victims late last week. Mazda and Cox Enterprises are the latest to confirm being breached, bringing the confirmed total to seven so far. Mazda said it was able to contain the breach without system or data impact, but Cox said the personal data of more than 9,000 people was exposed.
Grafana Labs has issued a warning regarding a maximum-severity security flaw, identified as CVE-2025-41115, affecting its Enterprise product. The vulnerability can allow attackers to impersonate administrators or escalate privileges if certain SCIM (System for Cross-domain Identity Management) settings are enabled.

According to the company, the issue arises only when SCIM provisioning is activated and configured. Specifically, both the enableSCIM feature flag and the user_sync_enabled option must be set to true. Under these conditions, a malicious or compromised SCIM client could create a user with a numeric externalId that directly maps to an internal account, potentially even an administrative account.

SCIM Mapping Flaw (CVE-2025-41115) Enables Impersonation Risks

In SCIM, the externalId attribute functions as a bookkeeping field used by identity providers to track user records. Grafana Labs’ implementation mapped this value directly to the platform’s internal user.uid. Because of this design, a numeric external ID such as “1” could be interpreted as an existing Grafana account. This behavior opens a door for impersonation or privilege escalation, enabling unauthorized users to assume the identity of legitimate internal accounts.

Grafana Labs notes in its documentation that SCIM is intended to simplify automated provisioning and management of users and groups, particularly for organizations relying on SAML authentication. The feature, available in Grafana Enterprise and certain Grafana Cloud plans, remains in Public Preview. As a result, breaking changes may occur, and administrators are encouraged to test the feature thoroughly in non-production environments before deployment.

SAML Alignment Required to Prevent Authentication Mismatches

A major security requirement highlighted by Grafana Labs involves the alignment between the SCIM externalId and the identifier used in SAML authentication. SCIM provisioning relies on a stable identity provider attribute, such as Entra ID’s user.objectid, which becomes the external ID in Grafana. SAML authentication must use the same unique identifier, delivered through a SAML claim, to ensure proper account linkage.
If these identifiers do not match, Grafana may fail to associate authenticated SAML sessions with the intended SCIM-provisioned accounts. This mismatch can allow attackers to generate crafted SAML assertions that result in unauthorized access or impersonation. The company recommends using the assertion_attribute_external_uid setting to guarantee that Grafana reads the precise identity claim required to maintain secure user associations. To reduce risk, Grafana requires organizations to use the same identity provider for both user provisioning and authentication. Additionally, the SAML assertion exchange must include the correct userUID claim to ensure the system can link the session to the appropriate SCIM entry.

Configuration Requirements, Supported Workflows, and Automation Capabilities

Administrators can set up SCIM in Grafana through the user interface, configuration files, or infrastructure-as-code tools such as Terraform. The UI option, available to Grafana Cloud users, applies changes without requiring a restart and allows more controlled access through restricted authentication settings. Grafana’s SCIM configuration includes options for enabling user synchronization (user_sync_enabled), group synchronization (group_sync_enabled), and restricting access for accounts not provisioned through SCIM (reject_non_provisioned_users). Group sync cannot operate alongside Team Sync, though user sync can. Supported identity providers include Entra ID and Okta. SCIM provisioning streamlines user lifecycle tasks by automating account creation, updates, deactivation, and team management, reducing manual administrative work and improving security. Grafana notes that SCIM offers more comprehensive, near real-time automation than alternatives such as Team Sync, LDAP Sync, Role Sync, or Org Mapping.
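The externalId-to-uid mapping described above is easier to reason about in code. The following Python is an added, deliberately simplified model and not Grafana's implementation: a directory with a pre-existing admin whose internal uid is 1, a SCIM create call, and a SAML login resolver, first with the client-supplied externalId used as the internal uid, then with server-generated uids and a separate externalId index so that a SCIM client can never select an existing account. Account names and ids are constructed.

```python
"""
Added example modelling the SCIM externalId mapping flaw. Not Grafana's code:
VulnerableDirectory uses the client-supplied externalId as the internal uid
(the shape of the bug); HardenedDirectory generates uids server-side, keeps
externalId in its own index, and resolves SAML logins only through that index,
so unprovisioned accounts (here, the admin) are unreachable via SCIM.
Account names and ids are constructed for the example.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    uid: str
    login: str
    is_admin: bool = False
    external_id: Optional[str] = None


class VulnerableDirectory:
    """externalId from the SCIM payload is used directly as user.uid."""

    def __init__(self):
        # Pre-existing local admin with the numeric internal id "1".
        self.users: Dict[str, User] = {"1": User("1", "admin", is_admin=True)}

    def scim_create(self, external_id: str, login: str) -> User:
        uid = external_id                   # attacker-controlled value picks the account
        user = self.users.get(uid)
        if user is None:
            user = User(uid, login, external_id=external_id)
            self.users[uid] = user
        else:
            user.external_id = external_id  # binds the SCIM record to an existing account
        return user

    def saml_login(self, external_uid: str) -> Optional[User]:
        # Resolves by internal uid, so an assertion carrying "1" lands on the admin.
        return self.users.get(external_uid)


class HardenedDirectory:
    """Server-generated uids; externalId is an opaque key in a separate index."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.users: Dict[str, User] = {}
        self.by_external_id: Dict[str, User] = {}
        admin = User(f"u{next(self._seq)}", "admin", is_admin=True)
        self.users[admin.uid] = admin       # never provisioned through SCIM

    def scim_create(self, external_id: str, login: str) -> User:
        if external_id in self.by_external_id:
            raise ValueError("externalId already provisioned")
        user = User(f"u{next(self._seq)}", login, external_id=external_id)
        self.users[user.uid] = user
        self.by_external_id[external_id] = user
        return user

    def saml_login(self, external_uid: str) -> Optional[User]:
        # Only SCIM-provisioned accounts are reachable, and only via externalId.
        return self.by_external_id.get(external_uid)
```

In the vulnerable model, creating a SCIM user with externalId 1 returns the admin account and a SAML assertion carrying 1 resolves to it; in the hardened model the same call creates a fresh account and the admin cannot be reached through the SCIM path at all. In Grafana terms this is the property that pinning the SAML identifier with assertion_attribute_external_uid and enabling reject_non_provisioned_users are meant to guarantee.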
Grafana Labs is urging organizations to review their SCIM and SAML identifier mappings immediately, warning that inconsistencies may lead to unauthorized access scenarios tied to CVE-2025-41115. In parallel, cybersecurity intelligence providers such as Cyble continue tracking identity-related risks and misconfigurations across global environments. Security teams looking to strengthen visibility, detect threats earlier, and reduce exposure can explore Cyble’s capabilities and book a free demo to see how Cyble’s AI-driven threat intelligence enhances defense across cloud, endpoints, and identity systems.
Cybersecurity firm CrowdStrike confirmed the termination of a “suspicious insider” who allegedly shared internal information with hackers. The move came after an internal investigation revealed that the individual had leaked images of his computer screen externally, potentially exposing sensitive company dashboards.

The hacker collective known as Scattered Lapsus$ Hunters later posted screenshots on a public Telegram channel, claiming insider access to CrowdStrike systems. The images reportedly included dashboards with links to internal resources, such as employees’ Okta dashboards, which are used to access company applications.

The CrowdStrike Insider Threat Incident

In a statement to The Cyber Express, a CrowdStrike spokesperson clarified the situation: “We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised, and customers remained protected throughout. We have turned the case over to the relevant law enforcement agencies.”

The hackers alleged that they gained access to CrowdStrike through a recent breach at Gainsight, a customer relationship management platform used by Salesforce clients to manage customer data. According to their claims, information stolen in that breach was leveraged to break into the cybersecurity company's internal systems. CrowdStrike, however, rejected these claims as “false.”

Understanding Scattered Lapsus$ Hunters

The Scattered Lapsus$ Hunters collective operates as a “supergroup,” combining the capabilities of multiple cybercriminal organizations. Its members draw expertise from Scattered Spider, LAPSUS$, and ShinyHunters to conduct high-impact campaigns targeting high-value enterprise environments, particularly SaaS platforms, as well as companies in retail, aviation, fashion, and insurance. Scattered Spider, also known under aliases such as UNC3944, 0ktapus, and Octo Tempest, focuses on IT help desks, telecommunications, and large enterprise environments. Its members, often aged 19–22, are known for advanced social engineering tactics including SMS phishing (smishing), phone-based help-desk impersonation, and SIM swapping.
LAPSUS$ first drew attention with a ransomware attack on the Brazilian Ministry of Health in December 2021, which compromised millions of COVID-19 vaccination records. Since then, it has targeted major technology companies. ShinyHunters is a financially motivated group specializing in data theft and extortion rather than ransomware. Active since 2020, it primarily exploits SaaS and cloud platforms via social engineering, including vishing (voice phishing), followed by large-scale data exfiltration. The group has continued operations, introducing a ransomware variant called shinysp1d3r that targets VMware ESXi hosts.

This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on this insider threat incident or any additional information on Scattered Lapsus$ Hunters.

The CrowdStrike insider incident highlights the risk posed by insiders who undermine an organization from within. Groups like Scattered Lapsus$ Hunters take advantage of such insiders to steal information from large organizations. While CrowdStrike confirmed no systems were compromised, the case underscores the importance of proactive threat intelligence and continuous monitoring. Platforms like Cyble, with AI-powered threat detection and autonomous cybersecurity capabilities, demonstrate how organizations can identify exposed assets, track insider activity, and mitigate risks before they escalate. Experience Cyble firsthand: book a free demo to uncover vulnerabilities and detect suspicious insiders.
Indian authorities recovered Rs. 14 lakh (approximately $16,500) along with 52 laptops containing incriminating digital evidence when they arrested Vikas Kumar Nimar, a key cybercrime kingpin and fugitive who had evaded capture for two months while continuing to operate an illegal call center defrauding American citizens.

The arrest by India's Central Bureau of Investigation (CBI) marks the latest disruption in Operation Chakra, a coordinated international crackdown targeting transnational tech support scam networks that have stolen more than $40 million from victims in the United States, United Kingdom, Australia, and European Union countries.

The CBI registered the case against Nimar on September 24, 2024, and conducted extensive searches at multiple locations in September that dismantled four illegal call centers operated by the accused in Pune, Hyderabad, and Visakhapatnam. Nimar, who was instrumental in establishing and operating the illegal call center VC Informetrix Pvt. Ltd at Pune and Visakhapatnam, went into hiding following the initial raids.

Discovery of Fifth Call Center Operation

The CBI obtained an arrest warrant from the Chief Judicial Magistrate Court in Pune and tracked Nimar to his residential premises in Lucknow. Searches conducted during the November 20, 2025, arrest led to the recovery of cash, mobile phones, and incriminating documents pertaining to the crimes.

During the search operations, investigators discovered that Nimar had established another illegal call center in Lucknow, which continued to target US nationals despite his being a fugitive. The CBI immediately dismantled this fifth operation, seizing 52 laptops containing digital evidence used in the cybercrime network's operations. The agency said investigations continue, with efforts to identify additional accomplices and trace stolen funds through cryptocurrency channels.

Pattern of Tech Support Scams

The cybercrime networks dismantled through Operation Chakra employ social engineering tactics to defraud victims.
Criminals contact targets claiming their bank accounts have been compromised, exploiting fear of financial loss to manipulate victims into taking immediate action. Under the guise of providing technical assistance, fraudsters gain remote access to victims' computers and convince them to transfer money into cryptocurrency wallets the fraudsters control. The operations targeted US nationals from 2023 to 2025, with one network alone defrauding American citizens of more than $40 million through these tactics.

The illegal call centers operate under legitimate-sounding company names to establish credibility. Previous raids uncovered operations running as "M/s Digipaks The Future of Digital" in Amritsar, "FirstIdea" in Delhi's Special Economic Zone, and VC Informetrix Pvt. Ltd in Pune and Visakhapatnam.

Operation Chakra represents extensive collaboration between Indian authorities and international law enforcement agencies. The CBI works closely with INTERPOL, the US Federal Bureau of Investigation, the UK's National Crime Agency, Homeland Security Investigations, and private sector partners including Microsoft Corporation. Intelligence sharing from US authorities triggered the earlier investigation that led to raids uncovering the large-scale illegal call center in Amritsar. That operation intercepted 34 individuals engaged in active fraud and seized 85 hard drives, 16 laptops, and 44 mobile phones loaded with incriminating digital evidence.

Operation Chakra-III's September raids last year across Mumbai, Kolkata, Pune, Hyderabad, Ahmedabad, and Visakhapatnam resulted in 26 arrests and the seizure of 57 gold bars, Rs. 60 lakh in cash, 951 electronic devices, and three luxury vehicles. The coordinated strikes targeted call centers where over 170 individuals engaged in various forms of online fraud, primarily targeting US citizens.
Cryptocurrency Laundering Networks

The networks rely heavily on cryptocurrency to launder stolen funds, presenting challenges for traditional financial crime investigations. Virtual asset transactions allow criminals to quickly move funds across borders with perceived anonymity, complicating recovery efforts. One investigation revealed that key suspect Vishnu Rathi's group had scammed a US citizen into transferring nearly half a million dollars into cryptocurrency wallets under the guise of tech support services. The victim, led to believe her bank account was compromised, unknowingly handed control to criminals who manipulated her into making the large transfer.

The CBI coordinates with INTERPOL and foreign law enforcement bodies to follow money trails through virtual asset transactions, working to dismantle associated laundering networks alongside the operational infrastructure. The CBI reiterated its commitment to rapidly identifying and taking action against organized technology-enabled crime networks. The arrested individuals face charges under India's Information Technology Act of 2000 and the BNSS Act of 2023.

Previous Operation Chakra actions included the August arrest of a fugitive kingpin at Delhi's international airport while attempting to flee to Kathmandu, Nepal. Immigration officers intercepted the suspect based on CBI intelligence, preventing escape through a route previously exploited by wanted fugitives. The multi-phase operation demonstrates India's strengthening cybersecurity posture through real-time intelligence sharing with global counterparts, moving beyond domestic law enforcement to tackle cybercriminals exploiting technological vulnerabilities across borders.
Black Friday has evolved into one of the most attractive periods of the year, not just for retailers but for cybercriminals too. As shoppers rush to grab limited-time deals, attackers exploit the surge in online activity through malware campaigns, phishing scams, payment fraud, and impersonation attacks. With threat actors using increasingly advanced methods, understanding the risks is essential for both shoppers and businesses preparing for peak traffic. This cybersecurity survival guide breaks down the most common Black Friday threats and offers practical steps to stay secure in 2025’s high-risk threat landscape.

Why Black Friday Is a Goldmine for Cybercriminals

Black Friday and Cyber Monday trigger massive spikes in online transactions, email promotions, digital ads, and account logins. This high-volume environment creates the perfect disguise for malicious activity. Attackers know users are expecting deal notifications, promo codes, and delivery updates, making them more likely to click without verifying legitimacy. Retailers also face increased pressure to scale infrastructure quickly, often introducing misconfigurations or security gaps that cybercriminals actively look for.

Common Black Friday Cyber Threats

Phishing & Fake Deal Emails: Cybercriminals frequently impersonate major retailers to push “exclusive” deals or false order alerts. These emails often contain malicious links aimed at stealing login credentials or credit card data.
Malware Hidden in Apps and Ads: Fake shopping apps and malicious ads spread rapidly during Black Friday.
Fake Retail Websites: Dozens of cloned websites appear each year, mimicking popular brands with nearly identical designs. These sites exist solely to steal payment information or personal data.
Payment Card Fraud & Credential Stuffing: With billions of login attempts occurring during Black Friday, attackers exploit weak or reused passwords to take over retail accounts, redeem loyalty points, or make fraudulent purchases.
Marketplace Scams: Fraudulent sellers on marketplaces offer unrealistic discounts, harvest information, and often never deliver the product. Some also use sophisticated social engineering tactics to manipulate buyers.
Cybersecurity Tips for Shoppers

Verify Before You Click: Check URLs, sender domains, and website certificates. Avoid clicking on deal links from emails or messages; go to the retailer's site directly instead.
Enable Multi-Factor Authentication (MFA): MFA prevents unauthorized access even if an attacker steals your password.
Avoid Public Wi-Fi: Unsecured networks can expose your transactions. Use mobile data or a VPN.
Use Secure Payment Options: Virtual cards and digital wallets limit your exposure during a breach.
Download Apps Only from Official Stores: Stay away from third-party downloads or promo apps not approved by Google or Apple.

Best Practices for Retailers

Strengthen Threat Detection & Monitoring: Retailers must monitor unusual login behavior, bot traffic, and transaction spikes. Cyble’s Attack Surface and Threat Intelligence solutions help businesses identify fake domains, phishing lures, and malware campaigns targeting their brand.
Secure Payment Infrastructure: Ensure payment systems are PCI-compliant, updated, and protected from card-skimming malware.
Educate Customers: Proactively notify customers about known scams and impersonation risks, especially during high-traffic sales periods.

With malware, phishing, and fraud attempts rising sharply during the shopping season, awareness and proactive defense are essential. By staying vigilant and leveraging trusted cybersecurity tools, both shoppers and businesses can navigate Black Friday securely. See how Cyble protects retailers during high-risk shopping seasons. Book your free 20-minute demo now.
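As an added example of the "verify before you click" advice and the fake-domain monitoring retailers are urged to do (not code from any retailer or from Cyble), the Python below classifies a URL against a short constructed allowlist of official retail domains, catching a brand name hidden in a subdomain, a one-character typosquat, and homoglyph spellings such as rn for m or 0 for o. It approximates the registrable domain as the last two host labels, an assumption that breaks for suffixes like .co.uk; a public-suffix list fixes that in production.

```python
"""
Added example: classify a URL as official, brand-in-subdomain, lookalike or
unrelated against a constructed allowlist of retail domains. Not code from
any retailer or from Cyble. Registrable domain = last two labels (assumption;
wrong for country-code second-level suffixes such as .co.uk).
"""
from urllib.parse import urlsplit

# Constructed allowlist of official domains for the brands being protected.
OFFICIAL = {"amazon.com", "walmart.com", "bestbuy.com", "target.com"}
BRANDS = {d.split(".")[0] for d in OFFICIAL}

# Character substitutions common in lookalike registrations (illustrative set).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label):
    """Fold common homoglyph tricks back to the letters they imitate."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic edit distance; one edit is the usual typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'official', 'brand_in_subdomain', 'lookalike' or 'unrelated'."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    labels = host.lower().strip(".").split(".")
    registrable = ".".join(labels[-2:])
    if registrable in OFFICIAL:
        return "official"
    # e.g. walmart.com.blackfriday-deals.example: the brand is only a subdomain.
    if any(lbl in BRANDS for lbl in labels[:-2]):
        return "brand_in_subdomain"
    sld = normalize(labels[-2]) if len(labels) >= 2 else normalize(host)
    for brand in BRANDS:
        if brand in sld or levenshtein(sld, brand) <= 1:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ("https://www.amazon.com/deals", "http://walmart.com.blackfriday-deals.example/",
              "https://arnazon.com/", "amaz0n.com", "bestbuy-deals.net", "https://example.org/"):
        print(f"{u:50} {classify(u)}")
```

Anything other than "official" deserves a second look before entering a password or card number; for a retailer, the same function run over newly registered domains or certificate-transparency logs is the cheapest early warning of a clone site.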
On the surface, the Superbox media streaming devices for sale at retailers like BestBuy and Walmart may seem like a steal: They offer unlimited access to more than 2,200 pay-per-view and streaming services like Netflix, ESPN and Hulu, all for a one-time fee of around $400. But security experts warn these TV boxes require intrusive software that forces the user’s network to relay Internet traffic for others, traffic that is often tied to cybercrime activity such as advertising fraud and account takeovers.

Superbox media streaming boxes for sale on Walmart.com.

Superbox bills itself as an affordable way for households to stream all of the television and movie content they could possibly want, without the hassle of monthly subscription fees, for a one-time payment of nearly $400. “Tired of confusing cable bills and hidden fees?,” Superbox’s website asks in a recent blog post titled, “Cheap Cable TV for Low Income: Watch TV, No Monthly Bills.” “Real cheap cable TV for low income solutions does exist,” the blog continues. “This guide breaks down the best alternatives to stop overpaying, from free over-the-air options to one-time purchase devices that eliminate monthly bills.”

Superbox claims that watching a stream of movies, TV shows, and sporting events won’t violate U.S. copyright law. “SuperBox is just like any other Android TV box on the market, we can not control what software customers will use,” the company’s website maintains. “And you won’t encounter a law issue unless uploading, downloading, or broadcasting content to a large group.”

A blog post from the Superbox website.

There is nothing illegal about the sale or use of the Superbox itself, which can be used strictly as a way to stream content from providers where users already have a paid subscription. But that is not why people are shelling out $400 for these machines. The only way to watch those 2,200+ channels for free with a Superbox is to install several apps made for the device that enable them to stream this content. Superbox’s homepage includes a prominent message stating the company does “not sell access to or preinstall any apps that bypass paywalls or provide access to unauthorized content.” The company explains that they merely provide the hardware, while customers choose which apps to install.
“We only sell the hardware device,” the notice states. “Customers must use official apps and licensed services; unauthorized use may violate copyright law.” Superbox is technically correct here, except for maybe the part about how customers must use official apps and licensed services: Before the Superbox can stream those thousands of channels, users must configure the device to update itself, and the first step involves ripping out Google’s official Play store and replacing it with something called the “App Store” or “Blue TV Store.” Superbox does this because the device does not use the official Google-certified Android TV system, and its apps will not load otherwise. Only after the Google Play store has been supplanted by this unofficial App Store do the various movie and video streaming apps that are built specifically for the Superbox appear available for download (again, outside of Google’s app ecosystem). Experts say while these Android streaming boxes generally do what they advertise — enabling buyers to stream video content that would normally require a paid subscription — the apps that enable the streaming also ensnare the user’s Internet connection in a distributed residential proxy network that uses the devices to relay traffic from others. Ashley is a senior solutions engineer at Censys, a cyber intelligence company that indexes Internet-connected devices, services and hosts. Ashley requested that only her first name be used in this story. In a recent video interview, Ashley showed off several Superbox models that Censys was studying in the malware lab — including one purchased off the shelf at BestBuy. “I’m sure a lot of people are thinking, ‘Hey, how bad could it be if it’s for sale at the big box stores?'” she said. 
“But the more I looked, things got weirder and weirder.”

Ashley said she found the Superbox devices immediately contacted a server at the Chinese instant messaging service Tencent QQ, as well as a residential proxy service called Grass IO.

GET GRASSED

Also known as getgrass[.]io, Grass says it is “a decentralized network that allows users to earn rewards by sharing their unused Internet bandwidth with AI labs and other companies.”

“Buyers seek unused internet bandwidth to access a more diverse range of IP addresses, which enables them to see certain websites from a retail perspective,” the Grass website explains. “By utilizing your unused internet bandwidth, they can conduct market research, or perform tasks like web scraping to train AI.”

Reached via Twitter/X, Grass founder Andrej Radonjic told KrebsOnSecurity he’d never heard of a Superbox, and that Grass has no affiliation with the device maker.

“It looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass,” Radonjic said. “The point of grass is to be an opt-in network. You download the grass app to monetize your unused bandwidth. There are tons of sketchy SDKs out there that hijack people’s bandwidth to help webscraping companies.”

Radonjic said Grass has implemented “a robust system to identify network abusers,” and that if it discovers anyone trying to misuse or circumvent its terms of service, the company takes steps to stop it and prevent those users from earning points or rewards.

Superbox’s parent company, Super Media Technology Company Ltd., lists its street address as a UPS store in Fountain Valley, Calif. The company did not respond to multiple inquiries.

According to this teardown by behindmlm.com, a blog that covers multi-level marketing (MLM) schemes, Grass’s compensation plan is built around “grass points,” which are earned through the use of the Grass app and through app usage by recruited affiliates.
Affiliates can earn 5,000 grass points for clocking 100 hours of usage of Grass’s app, but they must progress through ten affiliate tiers or ranks before they can redeem their grass points (presumably for some type of cryptocurrency). The 10th or “Titan” tier requires affiliates to accumulate a whopping 50 million grass points, or recruit at least 221 more affiliates.

Radonjic said Grass’s system has changed in recent months, and confirmed the company has a referral program where users can earn Grass Uptime Points by contributing their own bandwidth and/or by inviting other users to participate.

“Users are not required to participate in the referral program to earn Grass Uptime Points or to receive Grass Tokens,” Radonjic said. “Grass is in the process of phasing out the referral program and has introduced an updated Grass Points model.”

A review of the Terms and Conditions page for getgrass[.]io at the Wayback Machine shows Grass’s parent company has changed names at least five times in the course of its two-year existence. Searching the Wayback Machine on getgrass[.]io shows that in June 2023 Grass was owned by a company called Wynd Network. By March 2024, the owner was listed as Lower Tribeca Corp. in the Bahamas. By August 2024, Grass was controlled by Half Space Labs Limited, and in November 2024 the company was owned by Grass OpCo (BVI) Ltd. Currently, the Grass website says its parent is just Grass OpCo Ltd (no BVI in the name).

Radonjic acknowledged that Grass has undergone “a handful of corporate clean-ups over the last couple of years,” but described them as administrative changes that had no operational impact. “These reflect normal early-stage restructuring as the project moved from initial development…into the current structure under the Grass Foundation,” he said.

UNBOXING

Censys’s Ashley said the phone-home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined.
She also discovered the streaming boxes included powerful network analysis and remote access tools, such as Tcpdump and Netcat.

“This thing DNS hijacked my router, did ARP poisoning to the point where things fall off the network so they can assume that IP, and attempted to bypass controls,” she said. “I have root on all of them now, and they actually have a folder called ‘secondstage.’ These devices also have Netcat and Tcpdump on them, and yet they are supposed to be streaming devices.”

A quick online search shows various Superbox models and many similar Android streaming devices for sale at a wide range of top retail destinations, including Amazon, BestBuy, Newegg, and Walmart. Newegg.com, for example, currently lists more than three dozen Superbox models. In all cases, the products are sold by third-party merchants on these platforms, but in many instances the fulfillment comes from the e-commerce platform itself.

“Newegg is pretty bad now with these devices,” Ashley said. “eBay is the funniest, because they have Superbox in Spanish — the SuperCaja — which is very popular.”

Superbox devices for sale via Newegg.com.

Ashley said Amazon recently cracked down on Android streaming devices branded as Superbox, but that those listings can still be found under the more generic title “modem and router combo” (which may be slightly closer to the truth about the device’s behavior).

Superbox doesn’t advertise its products in the conventional sense. Rather, it seems to rely on lesser-known influencers on places like YouTube and TikTok to promote the devices. Meanwhile, Ashley said, Superbox pays those influencers 50 percent of the value of each device they sell.

“It’s weird to me because influencer marketing usually caps compensation at 15 percent, and it means they don’t care about the money,” she said. “This is about building their network.”

A TikTok influencer casually mentions and promotes Superbox while chatting with her followers over a glass of wine.
BADBOX

As plentiful as the Superbox is on e-commerce sites, it is just one brand in an ocean of no-name Android-based TV boxes available to consumers. While these devices generally do provide buyers with “free” streaming content, they also tend to include factory-installed malware or require the installation of third-party apps that engage the user’s Internet address in advertising fraud.

In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud. Google said the BADBOX 2.0 botnet, in addition to compromising multiple types of devices prior to purchase, can also infect devices by requiring the download of malicious apps from unofficial marketplaces.

Some of the unofficial Android devices flagged by Google as part of the Badbox 2.0 botnet are still widely for sale at major e-commerce vendors. Image: Google.

Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites. For example, searching for the “X88Pro 10” and the “T95” Android streaming boxes finds both continue to be peddled by Amazon sellers.

Google’s lawsuit came on the heels of a June 2025 advisory from the Federal Bureau of Investigation (FBI), which warned that cyber criminals were gaining unauthorized access to home networks by either configuring the products with malicious software prior to the user’s purchase, or infecting the device as it downloads required applications that contain backdoors, usually during the set-up process.

“Once these compromised IoT devices are connected to home networks, the infected devices are susceptible to becoming part of the BADBOX 2.0 botnet and residential proxy services known to be used for malicious activity,” the FBI said.

The FBI said BADBOX 2.0 was discovered after the original BADBOX campaign was disrupted in 2024.
The original BADBOX was identified in 2023, and primarily consisted of Android operating system devices that were compromised with backdoor malware prior to purchase.

Riley Kilmer is founder of Spur, a company that tracks residential proxy networks. Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network. Kilmer and others say IPidea is merely a rebrand of 911S5 Proxy, a China-based proxy provider sanctioned last year by the U.S. Department of the Treasury for operating a botnet that helped criminals steal billions of dollars from financial institutions, credit card issuers, and federal lending programs (the U.S. Department of Justice also arrested the alleged owner of 911S5).

How are most IPidea customers using the proxy service? According to the proxy detection service Synthient, six of the top ten destinations for IPidea proxies involved traffic that has been linked to either ad fraud or credential stuffing (account takeover attempts).

Kilmer said companies like Grass are probably being truthful when they say that some of their customers are companies performing web scraping to train artificial intelligence efforts, because a great deal of content scraping which ultimately benefits AI companies is now leveraging these proxy networks to further obfuscate their aggressive data-slurping activity. By routing this unwelcome traffic through residential IP addresses, Kilmer said, content scraping firms can make it far trickier to filter out.

“Web crawling and scraping has always been a thing, but AI made it like a commodity, data that had to be collected,” Kilmer told KrebsOnSecurity.
“Everybody wanted to monetize their own data pots, and how they monetize that is different across the board.”

SOME FRIENDLY ADVICE

Products like Superbox are drawing increased interest from consumers as more popular network television shows and sportscasts migrate to subscription streaming services, and as people begin to realize they’re spending as much or more on streaming services than they previously paid for cable or satellite TV.

These streaming devices from no-name technology vendors are another example of the maxim, “If something is free, you are the product,” meaning the company is making money by selling access to and/or information about its users and their data.

Superbox owners might counter, “Free? I paid $400 for that device!” But remember: Just because you paid a lot for something doesn’t mean you are done paying for it, or that somehow you are the only one who might be worse off from the transaction.

It may be that many Superbox customers don’t care if someone uses their Internet connection to tunnel traffic for ad fraud and account takeovers; for them, it beats paying for multiple streaming services each month. My guess, however, is that quite a few people who buy (or are gifted) these products have little understanding of the bargain they’re making when they plug them into an Internet router.

Superbox performs some serious linguistic gymnastics to claim its products don’t violate copyright laws, and that its customers alone are responsible for understanding and observing any local laws on the matter. However, buyer beware: If you’re a resident of the United States, you should know that using these devices for unauthorized streaming violates the Digital Millennium Copyright Act (DMCA), and can incur legal action, fines, and potential warnings and/or suspension of service by your Internet service provider.
According to the FBI, there are several signs to look for that may indicate a streaming device you own is malicious, including:

- The presence of suspicious marketplaces where apps are downloaded.
- Requiring Google Play Protect settings to be disabled.
- Generic TV streaming devices advertised as unlocked or capable of accessing free content.
- IoT devices advertised from unrecognizable brands.
- Android devices that are not Play Protect certified.
- Unexplained or suspicious Internet traffic.

This explainer from the Electronic Frontier Foundation delves a bit deeper into each of the potential symptoms listed above.
This campaign introduces a new variant that executes malicious code during preinstall, significantly increasing potential exposure in build and runtime environments, researchers said.
A threat actor is leveraging a flaw in the Ray framework to hijack AI infrastructure worldwide and distribute a self-propagating cryptomining and data theft botnet.
The exploitation of CVE-2025-61757 follows a breach of Oracle Cloud earlier this year as well as a recent extortion campaign targeting Oracle E-Business Suite customers.
Donbas Post, which operates in the Russian-controlled parts of Donetsk and Luhansk, said the incident affected its corporate network, web platform and email systems. The company had restricted access to several services to contain the breach and was working to restore operations.
A lack of liability for software vendors is putting Britain’s economic and national security at risk, an influential committee of lawmakers warned on Monday.
More than 70 civil liberties advocacy groups, academics and legal experts are calling for an investigation into a “collapse in enforcement activity” by the United Kingdom’s principal data protection regulator.
A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad. "The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access," AhnLab Security Intelligence Center (ASEC) said in a report published last week. "They then used PowerCat, an open-source
Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that's reminiscent of the Shai-Hulud attack. The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, according to reports from Aikido, HelixGuard, Koi Security, Socket, and Wiz. "The campaign introduces a new variant that executes malicious
This week saw a lot of new cyber trouble. Hackers hit Fortinet and Chrome with new 0-day bugs. They also broke into supply chains and SaaS tools. Many hid inside trusted apps, browser alerts, and software updates. Big firms like Microsoft, Salesforce, and Google had to react fast — stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how fast fake news, AI
New research from CrowdStrike has revealed that DeepSeek's artificial intelligence (AI) reasoning model DeepSeek-R1 produces more security vulnerabilities in response to prompts that contain topics deemed politically sensitive by China. "We found that when DeepSeek-R1 receives prompts containing topics the Chinese Communist Party (CCP) likely considers politically sensitive, the likelihood of it
Cybersecurity researchers have discovered five vulnerabilities in Fluent Bit, an open-source and lightweight telemetry agent, that could be chained to compromise and take over cloud infrastructures. The security defects "allow attackers to bypass authentication, perform path traversal, achieve remote code execution, cause denial-of-service conditions, and manipulate tags," Oligo Security said in
International cybercrime-fighting agencies, co-ordinated by Europol, took down over 1000 servers and seized 20 domains earlier this month as part of Operation Endgame 3.0. Their target? Three major malware platforms: the infostealer known as Rhadamanthys, the VenomRAT remote access trojan, and the Elysium botnet. Read more in my article on the Hot for Security blog.