
Weekly Cyber Security News Digest 01 – 06 April


Welcome to this week’s edition of the AKAT Weekly Cyber Security News Digest, your source for the latest in cybersecurity. Stay informed and empowered in the ever-evolving world of cybersecurity!

Hackers target Ethereum developers with fake npm packages

Targeting blockchain developers by publishing fake code packages on official package repositories has become a standard tactic for attackers these days, with frequent reports of such attacks happening. The latest example involves two fake packages that were published on the Node Package Manager (npm) repository, which claims to be “the world’s largest software registry.”

These packages were named ethers-provider2 and ethers-providerz, names chosen to lead potential victims into thinking they are somehow associated with the official “ethers” package, a popular (over 1.6 million weekly downloads) library designed to make life easier for developers building apps that interact with the Ethereum blockchain.

If these packages are installed, they pull down additional malicious code and then launch into a loop, periodically searching for the presence of the official ethers package. If they find it, they will attempt to replace one of the files (provider-jsonrpc.js) from the legitimate ethers package with a Trojanized version. The tainted version contains extra code that downloads and runs additional malicious code that provides a reverse shell for the attackers to gain access to the compromised computer.

Attempts to clean up by simply removing the fake packages may not be successful: once the official ethers package has been tampered with, the Trojanized file can reinfect the system, and the attackers retain access to the compromised computer through the patched code.

Once again, users of npm are reminded to carefully check the packages they intend to install to ensure they are downloading the official versions instead of fakes.
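One defensive check a team could add after reading the above, as an added example that is not code from the digest or from the ethers project: baseline the hashes of an installed package right after a clean install and re-verify them later, which catches the swapped-in provider-jsonrpc.js regardless of which fake package put it there, plus a crude name screen for lookalike dependencies. The package layout, file contents and the lib/providers path are constructed for the demo.

```python
# Added example (not from the digest): a post-install integrity check for an
# installed npm package, of the kind that would catch the Trojanized
# provider-jsonrpc.js described above. Paths and file contents are constructed.
import hashlib
import os
import tempfile

def snapshot(pkg_dir):
    """Map each file under pkg_dir (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, pkg_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def verify(pkg_dir, baseline):
    """Compare against the baseline taken right after a clean install:
    'modified' lists files whose digest changed or that disappeared,
    'added' lists files the package did not ship with."""
    current = snapshot(pkg_dir)
    modified = sorted(p for p in baseline if current.get(p) != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "added": added}

def lookalike_deps(dependencies, trusted):
    """Crude pre-install screen: flag names that merely extend a trusted
    package's name, e.g. 'ethers-provider2' riding on 'ethers'."""
    return [(dep, good) for dep in dependencies for good in trusted
            if dep != good and dep.startswith(good + "-")]

def demo():
    """Constructed scenario: baseline a stub 'ethers' package, then tamper
    with provider-jsonrpc.js (assumed path) and confirm verify() catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "node_modules", "ethers")
        target = os.path.join(pkg, "lib", "providers", "provider-jsonrpc.js")
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as fh:
            fh.write("module.exports = { JsonRpcProvider: class {} };\n")
        baseline = snapshot(pkg)
        with open(target, "a") as fh:  # stands in for the swapped-in file
            fh.write("// extra code appended by the fake package\n")
        return verify(pkg, baseline)
```

In practice the baseline would be stored outside node_modules (for example in CI artifacts) so that a reinfection after package removal is still visible on the next verify run.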

Solar system bugs can be used to attack power grids

Dozens of vulnerabilities in products from three leading makers of solar inverters could be exploited to control devices or execute code remotely on the vendor’s cloud platform.

Researchers at cybersecurity firm Forescout found 46 vulnerabilities in solar power systems from Sungrow, Growatt, and SMA. The researchers noted that the impacted products are used in the energy sector worldwide.

In the case of the SMA product, Forescout discovered a vulnerability that allows an attacker to upload a malicious file that will enable arbitrary code execution on the cloud platform server. In Growatt products, they discovered 30 vulnerabilities that can be exploited for cross-site scripting (XSS) attacks, to obtain potentially valuable information, take over devices, and cause physical damage to the system. The researchers found over a dozen flaws in Sungrow products, including insecure direct object reference (IDOR) issues, which can lead to sensitive information disclosure, as well as vulnerabilities allowing denial of service (DoS) attacks and remote code execution (RCE).

“We can hypothesize that an attacker that gained control of a large fleet of Sungrow, Growatt, and SMA inverters using the newly discovered vulnerabilities could control enough power to cause instability to [power grids],” Forescout warned. In addition, the vulnerabilities could allow an attacker to obtain the personal information of these products’ users, exploit compromised devices to hijack other devices on the same network, and cause financial impact to grid operators through energy price manipulation and ransomware attacks.

The impacted vendors have been notified. SMA and Sungrow patched all the vulnerabilities, while the majority of Growatt’s vulnerabilities remain unpatched.

Check Point confirms breach

A hacker has claimed to have stolen a trove of “highly sensitive” data from Check Point and is offering it for sale, along with network access to the Israeli cybersecurity company.

A cybercrime forum member using the handle CoreInjection said the allegedly stolen data contained internal network maps and architectural diagrams, user credentials (including hashed and plaintext passwords), employee contact information, and proprietary source code.

Screenshots provided by CoreInjection appear to show the hacker inside a Check Point admin Infinity (security management) portal, supposedly granting themselves the ability to change users’ two-factor authentication settings.

CoreInjection published their claims on Sunday, March 30, 2025, placing a “firm and non-negotiable” price of 5 Bitcoin ($434,570) on the data.

In response to the alleged hack, Check Point said the claim relates to an “old, known and very pinpointed event” that affected a limited number of organizations and did not touch any core systems. “This was handled months ago and didn’t include the description detailed on the dark forum message,” the company said in a statement. “These organizations were updated and handled at that time, and this is not more than the regular recycling of old information.”

If, as Check Point claims, this is related to an old event, it is unclear why it was not disclosed at the time of the event.

Threat actors probing for Palo Alto Networks GlobalProtect portals

Researchers have observed a significant surge in scanning activity targeting Palo Alto Networks GlobalProtect login portals, with 23,800 unique IP addresses behind the scans.

“This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation,” threat intelligence firm GreyNoise said.

The activity began on March 17, 2025, peaking at 20,000 unique IP addresses per day, and continuing until March 26. Of those IPs, 23,800 are classified as “suspicious,” while 154 were validated by GreyNoise as “malicious.” Most of the scanning attempts originate from the U.S. and Canada, with most targeted systems based in the U.S., though other countries are targeted too.

“Over the past 18 to 24 months, we’ve observed a consistent pattern of deliberate targeting of older vulnerabilities or well-worn attack and reconnaissance attempts against specific technologies,” explained Bob Rudis, VP of Data Science at GreyNoise. “These patterns often coincide with new vulnerabilities emerging 2 to 4 weeks later.”

GreyNoise believes that the activity could be part of an effort to test network defenses before attempting targeted exploitation.

New ransomware group claims attack on U.S. telco

A new ransomware group called Arkana Security claims to have compromised U.S. telecommunications provider WideOpenWest (WOW!).

Arkana Security claims to be performing penetration testing, hacking networks by exploiting vulnerabilities in corporate systems. The ransomware group also steals data and uses it as leverage to persuade victims into paying a “fee” for their “pen-testing” services.

However, the group’s real motivation becomes clear when looking at its Tor-based leak site where it lists victims and threatens to sell or make public stolen data if the group’s ransom demands are not met. Arkana also appears to engage in doxxing, publishing sensitive personal information on the breached organization’s leadership on the leak site.

This week, Arkana posted its first victim, WOW!, to its leak site. WOW! is a U.S. cable, broadband, phone, and internet services provider that serves nearly two million business, residential, and wholesale customers in 19 markets, mainly in Michigan, Alabama, Tennessee, South Carolina, Georgia, and Florida.

Arkana claims to have gained access to critical internal systems within WOW!’s environment, which enabled the group to allegedly steal two databases containing information such as usernames, account IDs, passwords, security information, names, emails, permissions, and Firebase integration details.

WOW! has yet to make a statement on Arkana’s claims.

Mozilla patches critical Firefox sandbox escape bug

Mozilla has warned Firefox users to update their browser to patch a critical security vulnerability that could let attackers escape the web browser’s sandbox on Windows systems.

The flaw, which is tracked as CVE-2025-2857, is described as an “incorrect handle [that] could lead to sandbox escapes”. It is fixed in Firefox 136.0.4 and Firefox ESR versions 115.21.1 and 128.8.1.

Mozilla didn’t share technical details about the flaw but said it is similar to the Chrome zero-day (CVE-2025-2783) that was exploited in attacks targeting Russian government agencies and journalists, and which was patched by Google earlier this week.

“Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process could cause the parent process to return an unintentionally powerful handle, leading to a sandbox escape,” Mozilla said in its advisory about the bug. “This only affects Firefox on Windows. Other operating systems are unaffected.”

Splunk patches high-severity flaws in multiple products

Splunk recently issued patches for dozens of vulnerabilities across its products, including two high-severity bugs in Splunk Enterprise and Secure Gateway App.

CVE-2025-20229 (CVSS score of 8.0) is a remote code execution (RCE) vulnerability caused by a missing authorization check. The flaw could be exploited by low-privileged users by uploading a file to the ‘$SPLUNK_HOME/var/run/splunk/apptemp’ directory. The issue has been addressed with the release of Splunk Enterprise versions 9.4.0, 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208.

Patches were also issued for a high-severity information disclosure issue (CVE-2025-20231 — CVSS score: 7.1) impacting Splunk Enterprise and the Splunk Secure Gateway app on Splunk Cloud Platform. The vulnerability is also exploitable by low-privileged users. “The Splunk Secure Gateway exposes user session and authorization tokens in clear text in the splunk_secure_gateway.log file when it calls the /services/ssg/secrets REST endpoint,” Splunk explained. An attacker could exploit this vulnerability as part of a phishing attack that tricks the victim into “initiating a request within their browser.” Patches were included in Splunk Enterprise versions 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and in Secure Gateway versions 3.8.38 and 3.7.23.

Splunk addressed medium-severity vulnerabilities in Splunk Enterprise that could lead to maintenance mode modifications, safeguard bypass, information disclosure, and manipulation of other user data.

Patient data stolen in breach of healthcare SaaS company Oracle Health

A breach of healthcare software-as-a-service (SaaS) company Oracle Health by an unknown actor has impacted multiple U.S. hospitals and healthcare institutions.

Oracle Health, formerly known as Cerner, said it became aware of a breach of Cerner legacy data on February 20, 2025. Oracle said the threat actor used compromised customer credentials to breach the servers sometime after January 22, 2025, and copied data to a remote server. According to BleepingComputer, this data included information from patients’ health records.

Oracle hasn’t yet publicly disclosed the breach, and it is not known whether the attacker deployed ransomware in addition to stealing the data. The threat actor behind this breach uses the online moniker “Andrew” and has not been linked with any known threat groups. The attacker is demanding millions of dollars in ransom and says the stolen data will otherwise be published and sold.

Microsoft uses AI to find flaws in open-source bootloaders

Microsoft has uncovered 20 previously unknown vulnerabilities in several open-source bootloaders.

Using its AI-powered Security Copilot, Microsoft researchers discovered flaws in GRUB2 (GRand Unified Bootloader), which is the default boot loader for most Linux distributions, and U-Boot and Barebox, which are commonly used in embedded and IoT devices.

GRUB2 contained 11 vulnerabilities, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Meanwhile, nine buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were uncovered in U-Boot and Barebox.

“While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker,” explained Microsoft.

GRUB2, U-Boot, and Barebox released updates for the vulnerabilities in February 2025.

Critical bug found in Canon printer drivers

Drivers associated with several Canon production printers, office multifunction printers, and laser printers are affected by a critical out-of-bounds vulnerability.

The flaw, tracked as CVE-2025-1268 (CVSS score: 9.4), impacts the EMF recode processing of Generic Plus PCL6, UFR II, LIPS4, LIPSXL, and PS printer drivers, specifically versions 3.12 and earlier.

The vulnerability can allow an attacker to prevent printing or potentially execute arbitrary code “when the print is processed by a malicious application,” according to Canon.

Users are advised to check Canon websites for patched versions of the vulnerable printer drivers.

Cisco urges admins to patch critical CSLU flaw

Cisco is warning admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability that is being used in attacks.

The vulnerability, tracked as CVE-2024-20439 (CVSS score: 9.8), exposes a built-in backdoor admin account. The flaw, which was patched in September 2024, is described as “an undocumented static user credential for an administrative account” that lets unauthenticated attackers log into unpatched systems remotely with admin privileges over the CSLU app’s API.

Just two weeks after Cisco patched the vulnerability, technical details, including the decoded hardcoded static password, were made public. Now, Cisco is warning that it has observed “attempted exploitation of this vulnerability in the wild.” The company said it “continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.”

On Monday (March 31), the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-20439 to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. federal agencies to secure their systems against active exploitation by April 21.

Royal Mail investigating data leak claims

Royal Mail has launched an investigation after a threat actor leaked 144 GB of data allegedly stolen from the company’s systems.

“We are aware of an incident which is alleged to have affected Spectos, a supplier of Royal Mail. We are working with the company to investigate the issue and establish what impact there may be regarding their data,” a spokesperson for the UK postal service said. “We can confirm there has been no impact on Royal Mail operations and services continue to function as normal.”

Spectos confirmed that its systems were breached on March 29 and that unauthorized actors gained access to customer data. Spectos has also launched an investigation into the incident.

A threat actor using the handle GHNA on BreachForums released 16,549 files allegedly containing Royal Mail customers’ personally identifiable information and other confidential documents.

According to Hudson Rock researchers, GHNA gained access to Royal Mail systems using the credentials of a Spectos employee compromised in a 2021 info stealer malware incident.