Lazarus Infects NPM, MassJacker Steals Crypto, CISA Alerts Ivanti – Cybersecurity News [March 10, 2025]

by DuoCircle


This week’s bulletin highlights some serious incidents that could impact individuals and businesses alike. From hackers spreading malware through NPM packages to cryptocurrency-stealing schemes, cybercriminals are finding new ways to trick people and exploit vulnerabilities. You can stay informed, stay cautious, and take action to protect yourself from these threats with our detailed coverage.


Lazarus Group Spreads Malware Through NPM Packages, Infecting Hundreds

This week, researchers discovered six malicious packages on the NPM (Node Package Manager) platform that are designed to extract sensitive data from compromised systems. These packages have been downloaded 330 times and are capable of extracting account credentials, deploying backdoors, and accessing cryptocurrency information. The campaign was identified by the Socket Research Team, which linked it to previous supply chain attacks involving software registries like NPM, GitHub, and PyPI. The attackers use typosquatting, where malicious packages mimic legitimate ones to trick developers into downloading them.

The six identified packages (is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator) were disguised as commonly used JavaScript tools. Once installed, they executed malware designed to steal browser-stored credentials, cookies, and cryptocurrency wallet data, and also delivered additional threats, including the BeaverTail malware and the InvisibleFerret backdoor.


So how can you stay safe against this threat? Your priority should be to verify the authenticity of NPM packages before installing them. Regular security audits and monitoring dependencies are good practices that help prevent exposure to malicious software. Leveraging advanced email security solutions like DuoCircle can further fortify your defenses against supply chain attacks, safeguarding your system from potential threats.
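One way to put the "verify before installing" advice into practice, as an added example that is not code from the bulletin or from Socket: audit a package.json against the six package names reported above and flag typosquat-style lookalikes of popular packages. The allowlist of well-known names and the sample package.json are constructed assumptions.

```javascript
// Added example (not code from the bulletin or from Socket): audit a package.json
// against the six reported package names and flag typosquat-style lookalikes.
const REPORTED_MALICIOUS = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);
// Assumption: a short, constructed allowlist of legitimate, widely used packages.
const KNOWN_GOOD = ["is-buffer", "validator", "react", "react-dom", "lodash", "express"];
// Standard Levenshtein edit distance using a single rolling row.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}
// Precedence: exact blocklist hit, then allowlist hit, then lookalike heuristics.
function classify(name) {
  if (REPORTED_MALICIOUS.has(name)) return { name, verdict: "blocklisted" };
  if (KNOWN_GOOD.includes(name)) return { name, verdict: "known-good" };
  for (const good of KNOWN_GOOD) {
    // "is-buffer-validator" is the real "is-buffer" with a plausible suffix bolted on.
    if (name.startsWith(good + "-") || name.endsWith("-" + good)) {
      return { name, verdict: "suspicious", lookalikeOf: good };
    }
    // One or two character edits away from a popular name, e.g. "lodahs".
    if (levenshtein(name, good) <= 2) return { name, verdict: "suspicious", lookalikeOf: good };
  }
  return { name, verdict: "unknown" };
}
// Returns every dependency that is not positively known good, for manual review.
function auditPackageJson(json) {
  const pkg = JSON.parse(json);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps).map(classify).filter((r) => r.verdict !== "known-good");
}
// Constructed package.json mixing genuine, reported-malicious and misspelled names.
const SAMPLE = JSON.stringify({
  dependencies: { "is-buffer": "^2.0.5", "is-buffer-validator": "1.0.0", lodahs: "4.17.21", react: "^18.2.0" },
  devDependencies: { "auth-validator": "0.1.0" },
});
```

Legitimate packages that share a prefix with a popular one (react-dom, for instance) must be allowlisted, which is why the heuristics only produce a review list rather than a block decision.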


MassJacker Malware Exploits 778,000 Wallets to Steal Cryptocurrency

There’s another newly uncovered cyber threat known as MassJacker that is using clipboard hijacking techniques to steal cryptocurrency from unsuspecting users.

CyberArk researchers found that the operation involves at least 778,531 cryptocurrency wallet addresses, redirecting funds from victims to attackers. At the time of analysis, approximately $95,300 was found in 423 wallets linked to the campaign, but historical transactions suggest much larger sums may have been stolen. Plus, the attackers appear to be funneling funds into a single Solana wallet, which has processed over $300,000 in transactions.

MassJacker operates using clipboard hijacking malware, also known as a clipper, which monitors the clipboard for copied cryptocurrency wallet addresses and silently swaps them with an address controlled by the attackers. As a result, when victims attempt to send cryptocurrency, they unknowingly transfer their funds to the hackers instead. The malware is distributed through pesktop[.]com, and once a user downloads an infected file, a chain of scripts and loaders works together to install MassJacker, ultimately injecting it into a legitimate Windows process (InstallUtil.exe) to avoid detection.


That’s why you should avoid downloading software from untrusted or pirated sources. Keeping your security software up to date and running regular scans will also go a long way toward catching threats like MassJacker.
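The clipper behaviour described above can be spotted from the defender's side by comparing what the user actually copied with what the clipboard later contains. The following is an added example, not code from the bulletin or from CyberArk's analysis; the address patterns are a loose heuristic and the clipboard event stream and addresses are constructed.

```javascript
// Added example (not code from the bulletin or from CyberArk): detect the clipper
// pattern. A clipper overwrites the clipboard after the user copies a wallet address,
// so polled clipboard reads that differ from the user's own copy expose the swap.
// Assumption: loose shape checks are enough to tell an address from ordinary text.
const ADDRESS_PATTERNS = [
  /^0x[0-9a-fA-F]{40}$/,                                     // Ethereum-style
  /^(bc1[0-9a-z]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$/, // Bitcoin bech32 / base58
  /^[1-9A-HJ-NP-Za-km-z]{32,44}$/,                           // Solana base58
];
function looksLikeAddress(text) {
  return ADDRESS_PATTERNS.some((re) => re.test(text.trim()));
}
// events: { kind: "user-copy" | "poll", text }. A poll that returns a different
// address than the one the user last copied is the clipper signature; changes to
// non-address content, or a fresh user copy, are not reported.
function detectSwaps(events) {
  const alerts = [];
  let lastCopied = null;
  for (const ev of events) {
    if (ev.kind === "user-copy") { lastCopied = ev.text; continue; }
    if (lastCopied === null || ev.text === lastCopied) continue;
    if (looksLikeAddress(lastCopied) && looksLikeAddress(ev.text)) {
      alerts.push({ expected: lastCopied, found: ev.text });
    }
  }
  return alerts;
}
// Constructed clipboard timeline: one genuine copy, then one silent overwrite.
const VICTIM_ADDR = "0x" + "a".repeat(40);   // constructed, not a real wallet
const ATTACKER_ADDR = "0x" + "b".repeat(40); // constructed, not a real wallet
const EVENTS = [
  { kind: "user-copy", text: VICTIM_ADDR },
  { kind: "poll", text: VICTIM_ADDR },          // unchanged, nothing to report
  { kind: "poll", text: ATTACKER_ADDR },        // swapped without a user copy
  { kind: "user-copy", text: "meeting notes" },
  { kind: "poll", text: ATTACKER_ADDR },        // last user copy was not an address
];
```

Because a clipper also works on a timer, a polling check can lose the race; the control that does not depend on timing is for the wallet application to display the pasted address and require the user to compare it with the intended recipient before signing.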


CISA Warns of Active Exploits Targeting Critical Ivanti EPM Vulnerabilities

CISA (Cybersecurity and Infrastructure Security Agency) issued a security alert this week for U.S. federal agencies about ongoing cyberattacks that are targeting Ivanti Endpoint Manager appliances.

The attackers are exploiting three critical vulnerabilities, CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161, that allow them to fully compromise affected servers remotely and without authorization. These flaws were first reported back in October 2023 by a researcher at Horizon3.ai and were patched by Ivanti on 13 January 2024. But just a month later, the threat actors released PoC (Proof-of-Concept) exploits to take advantage of the vulnerabilities again.

CISA has added these to its Known Exploited Vulnerabilities catalog and has mandated that FCEB (Federal Civilian Executive Branch) agencies secure their systems by 31 March.

You should take the warning seriously and make sure to apply Ivanti’s latest security updates immediately. On top of that, regularly monitor your systems for suspicious activity and adhere to best practices for vulnerability management.


FTC to Distribute $25.5 Million to Victims of Tech Support Scams

Great news this week is that the FTC (Federal Trade Commission) will distribute over $25.5 million in refunds to consumers who were misled by tech support enterprises Restoro and Reimage.

Refunds start on 13 March, with 736,375 PayPal payments going to people who were tricked into paying for unnecessary computer repair services. If you are eligible for a refund, you will receive an email and must redeem your PayPal payment within 30 days. The refund is a bit late but definitely good news, coming a year after the companies were fined $26 million for violating the FTC Act and the TSR (Telemarketing Sales Rule).

The companies used deceptive online ads and pop-ups that mimicked Windows system warnings, falsely claiming that users’ computers were infected with malware or had critical performance issues. The FTC’s investigation also showed that people were offered a “free scan,” which always identified issues requiring repair—even when none existed.


After paying up to $58 for a “PC Repair Plan,” victims were urged to call Restoro and Reimage telemarketers, who claimed that the software could not fix everything. If you ever encounter something similar, avoid clicking on it. Be cautious when downloading system repair tools, and never let unknown tech support agents access your computer remotely.


Data Breach at Telecom Giant NTT Affects Nearly 18,000 Enterprises

NTT Communications Corporation (NTT) also issued a warning to nearly 18,000 corporate customers that their information was compromised in a cybersecurity incident.

The breach was discovered in early February 2025, when hackers accessed NTT’s Order Information Distribution System, which contained details of 17,891 organizations (no personal consumer data was affected). The attackers made off with registered contract names, customer representative names, contract numbers, email addresses, phone numbers, physical addresses, and service usage information.


NTT discovered the breach on 5 February and blocked the threat actor’s access by the next day. An internal investigation then found that the attackers had moved to another device within NTT’s network. That device was immediately disconnected to prevent further lateral movement, and the organization is now confident that the threat has been fully contained.

Affected customers will not receive individual notifications; instead, the organization has issued a public announcement on its website, which serves as the sole notification of the breach. If your enterprise is an NTT corporate customer, stay alert for social engineering scams and phishing emails, as cybercriminals may use the stolen information to impersonate NTT.
