React2Shell Remote Code Execution in React Server Components (RSC)

Discovered: December 3rd, 2025 (rapid exploitation observed)


Impacted Tech: React Server Components (RSC), Next.js using RSC, and frameworks leveraging React’s server-side streaming semantics – including deployments on Vercel, AWS Lambda, and custom Node.js servers.


Summary:

A newly disclosed vulnerability in React Server Components, known as React2Shell (CVE-2025-55182), allows unauthenticated attackers to break out of the React rendering pipeline and execute arbitrary JavaScript on the server. Major cloud providers, including AWS, report active exploitation by China-nexus threat groups, with attacks observed within hours of public proof-of-concept publication. Because RSC is widely deployed across high-traffic Next.js and React platforms, the vulnerability presents broad, high-impact risk for data exfiltration, account takeover, supply-chain–style compromise, and credential theft.

Technical Details:

An unauthenticated attacker can send a crafted POST request that smuggles a payload React mistakenly treats as a legitimate server-side action. React then evaluates the attacker’s input through a server-execution mechanism that mirrors vm.runInThisContext, so the payload runs with the same privileges as the Node.js runtime. In vulnerable builds, this results in direct remote code execution.


Verify Exposure:
1. Determine whether your application uses React Server Components or Next.js server actions.

2. Test the RSC endpoint with a benign malformed server-action payload – servers that fail to reject the request may be exposed.

3. Review logs for unexpected module resolution errors or failed server-action evaluations.

Interim Mitigation Measures:

  • Update vulnerable React/Next.js applications to the latest patched versions.
  • If immediate patching is not possible, apply temporary WAF or middleware filters to block malformed server-action payloads, and disable RSC/server actions or restrict their exposure behind authentication.


Urgency: Critical. Exploitation is widespread, requires minimal skill, and grants full server execution. Deploy patches or compensating controls immediately.

Additional Resources:

FortiWeb Path Traversal, Authentication Bypass, and Admin-User Creation Exploited in the Wild

Discovered: October 10th, 2025 (first exploitation observed)


Impacted Tech: Fortinet FortiWeb (WAF) Manager / Appliances – versions 8.0.1 and earlier (fixed in 8.0.2)


Summary:

A path-traversal and authentication bypass vulnerability allows unauthenticated attackers to create local administrative accounts through the FortiWeb management interface. Once exploited, an attacker effectively gains full control of the WAF appliance – enabling persistent access, unauthorized configuration changes, and potential lateral movement deeper into the environment. This weakness is already being exploited in the wild, and a public proof-of-concept is circulating.

Technical Details:

The following weaknesses, when chained, allow for complete compromise of the vulnerable FortiWeb appliance:

  1. Path traversal to internal CGI endpoints: By starting with a valid FortiWeb API path, an attacker can traverse to another internal CGI executable (fwbcgi). If the endpoint located at:

/api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi

  2. Authentication bypass via the impersonation handler: Once the attacker reaches fwbcgi, FortiWeb fails to enforce authentication checks on certain code paths that handle user impersonation. This allows an unauthenticated request to invoke administrative actions directly; specifically, the creation of new local admin users with unrestricted permissions. Attackers observed in the wild are using this to drop accounts such as “Testpoint,” “trader1,” and similar operator-style usernames.


Verify Exposure:
1. Check whether the FortiWeb management interface is reachable from the internet.

2. Attempt a “safe” API path traversal test: send a POST request to /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi. An HTTP 200 response indicates exposure and potential exploitability.

Interim Mitigation Measures:

  • Update all FortiWeb appliances to version 8.0.2 or later, which appears to block the known exploit chain. (Fortinet has not yet published a formal advisory or patch note.)
  • If immediate patching is not possible, restrict the management interface so it is not reachable from the internet (allow internal access only or place behind a VPN).
  • Audit all admin accounts on FortiWeb for any new or unexpected local users (e.g., usernames “Testpoint”, “trader1”, “trader” detected in ongoing attacks).
  • Review logs for HTTP POSTs to /cgi-bin/fwbcgi or unusual trusthost settings like 0.0.0.0/0, ::/0 assigned to newly created users.
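The two checks above (traversal requests reaching /cgi-bin/fwbcgi, and newly created admins with wildcard trusthosts) as an added triage script; this is example code, not Fortinet’s or this bulletin’s own tooling. The access-log lines and admin records are constructed, and the log format and account-dictionary shape are assumptions.

```python
"""Added example, not from the advisory: triage helper for the FortiWeb chain.
It normalises request paths from constructed access-log lines to find traversal
attempts that resolve to /cgi-bin/fwbcgi (including the '%3f' variant noted
above), and flags admin accounts with a 0.0.0.0/0 or ::/0 trusthost or an
attacker-style username. Log and account formats are assumptions."""
import posixpath
import re
from urllib.parse import unquote

FWBCGI = "/cgi-bin/fwbcgi"
OPEN_TRUSTHOSTS = {"0.0.0.0/0", "::/0"}
SUSPECT_NAMES = {"testpoint", "trader1", "trader"}  # names seen in the wild

# Constructed sample access-log lines (simplified combined format).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:09:12:01 +0000] "POST /api/v2.0/cmdb/system/admin/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2025:09:12:05 +0000] "POST /api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi HTTP/1.1" 200 512
198.51.100.2 - - [10/Oct/2025:09:13:00 +0000] "GET /api/v2.0/cmdb/system/admin HTTP/1.1" 401 0
198.51.100.9 - - [10/Oct/2025:09:14:00 +0000] "POST /api/v2.0/cmdb/system/admin/ HTTP/1.1" 403 0
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def normalise_path(raw: str) -> str:
    """Drop a literal query string, percent-decode twice (double encoding),
    then collapse '..' segments the way a permissive router would."""
    decoded = unquote(unquote(raw.split("?", 1)[0]))
    return posixpath.normpath("/" + decoded.lstrip("/"))

def find_fwbcgi_requests(log_text: str) -> list:
    """(src, method, status, raw_path) for requests that land on fwbcgi."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and normalise_path(m["path"]) == FWBCGI:
            hits.append((m["src"], m["method"], int(m["status"]), m["path"]))
    return hits

def audit_admins(accounts: list) -> list:
    """accounts: [{'name': str, 'trusthosts': [str, ...]}, ...] -> findings."""
    findings = []
    for acct in accounts:
        reasons = []
        if any(th in OPEN_TRUSTHOSTS for th in acct.get("trusthosts", [])):
            reasons.append("wildcard trusthost")
        if acct["name"].lower() in SUSPECT_NAMES:
            reasons.append("username seen in in-the-wild attacks")
        if reasons:
            findings.append((acct["name"], reasons))
    return findings

if __name__ == "__main__":
    for hit in find_fwbcgi_requests(SAMPLE_LOG):
        print("traversal to fwbcgi:", hit)
    admins = [{"name": "admin", "trusthosts": ["10.0.0.0/8"]},        # constructed
              {"name": "Testpoint", "trusthosts": ["0.0.0.0/0", "::/0"]}]
    for finding in audit_admins(admins):
        print("suspicious admin:", finding)
```

A 200 on one of the flagged requests is the exposure signal the Verify Exposure step describes; a 401/403 on the plain API path is normal traffic.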


Urgency: Critical. Exploitation has been confirmed in the wild, the attack requires no authentication, and compromise of a WAF appliance often leads to broad secondary impact – ranging from data exfiltration to lateral movement inside the network.

Additional Resources:

High-Risk NPM Supply Chain Compromise

Discovered: September 8th, 2025


Impacted Tech: NPM packages – specifically backslash, chalk-template, supports-hyperlinks, has-ansi, simple-swizzle, color-string, error-ex, color-name, is-arrayish, slice-ansi, color-convert, wrap-ansi, ansi-regex, supports-color, strip-ansi, chalk, debug, and ansi-styles


Summary:

On September 8, 2025, Aikido Security detected and disclosed that 18 highly popular npm packages, totaling over 2 billion weekly downloads, were tampered with to inject malicious code immediately after the maintainer’s account was compromised via phishing. The injected code silently intercepts Web3/browser wallet interactions (e.g., MetaMask, Phantom), rewriting transaction destinations so stolen funds are redirected to attacker-controlled accounts. A developer who updated one of these packages could be exposing users to wallet hijacking attacks.


Verify Exposure:
Aikido’s threat intelligence feed detected abnormal package updates and deobfuscated injected payloads within index.js files. Additionally, independent researchers and maintainers – via GitHub issues, npm audit, and community reports – confirmed the presence of malicious code in affected versions such as chalk@5.6.1.

Interim Mitigation Measures:

  • Developers are advised to roll back to known safe versions prior to September 8th, 2025, and run npm audit to detect any flagged versions.
  • Ensure known, malicious versions (like chalk@5.6.1 and debug@4.4.2) are removed from build caches. The npm team has removed some, but not all compromised package versions.
  • Clear or isolate affected environments and rebuild cleanly. The known, affected versions are listed here: https://news.ycombinator.com/item?id=45169657
  • The following command can be used to check whether any compromised packages have been installed (requires ripgrep): rg -u --max-columns=80 _0x112fa8
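An added lockfile check that complements the ripgrep command above; this is example code, not Aikido’s or npm’s tooling. It reports any of the 18 packages present in a package-lock.json (lockfileVersion 2/3 layout, an assumption) and scans .js files for the same _0x112fa8 marker. The lockfile is constructed, and only chalk@5.6.1 and debug@4.4.2 are treated as confirmed because those are the versions this alert names.

```python
"""Added example (not the advisory's own tooling): checks an npm lockfile for
the 18 packages named above and scans .js files for the '_0x112fa8' marker that
the advisory's ripgrep command looks for. The lockfile is constructed. Only
chalk@5.6.1 and debug@4.4.2 are versions the advisory itself names as
malicious; other hits are reported for comparison against the published list."""
import json
import os

AFFECTED = {
    "backslash", "chalk-template", "supports-hyperlinks", "has-ansi",
    "simple-swizzle", "color-string", "error-ex", "color-name", "is-arrayish",
    "slice-ansi", "color-convert", "wrap-ansi", "ansi-regex", "supports-color",
    "strip-ansi", "chalk", "debug", "ansi-styles",
}
KNOWN_BAD = {("chalk", "5.6.1"), ("debug", "4.4.2")}  # named in the advisory
MARKER = "_0x112fa8"  # obfuscated identifier the advisory greps for

# Constructed package-lock.json (lockfileVersion 3 layout, nested copy included).
SAMPLE_LOCK = json.dumps({"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"chalk": "^5.6.0", "debug": "^4.4.0"}},
    "node_modules/chalk": {"version": "5.6.1"},
    "node_modules/debug": {"version": "4.4.1"},
    "node_modules/ansi-styles": {"version": "6.2.1"},
    "node_modules/ms": {"version": "2.1.3"},
    "node_modules/foo/node_modules/chalk": {"version": "4.1.2"},
}})

def check_lockfile(lock_text: str) -> dict:
    """Return {package: [(install_path, version, verdict), ...]} for every
    affected package in the lockfile, including nested copies."""
    report = {}
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry
        name = path.rsplit("node_modules/", 1)[-1]  # last segment of nested paths
        if name not in AFFECTED:
            continue
        version = meta.get("version", "?")
        verdict = ("CONFIRMED malicious" if (name, version) in KNOWN_BAD
                   else "check against published list")
        report.setdefault(name, []).append((path, version, verdict))
    return report

def scan_for_marker(root: str) -> list:
    """Walk 'root' and return .js files containing the obfuscation marker."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".js"):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                if MARKER in fh.read():
                    hits.append(full)
    return hits

if __name__ == "__main__":
    for pkg, entries in check_lockfile(SAMPLE_LOCK).items():
        for path, version, verdict in entries:
            print(f"{pkg}@{version} at {path}: {verdict}")
    print("marker hits:", scan_for_marker("node_modules"))
```

Nested copies matter because a transitive dependency can pin a different (possibly compromised) version than the top-level one.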


Urgency: Currently, no attacker-controlled wallets appear to have received funds; however, this vulnerability enables silent financial theft via compromised wallets. The extremely high install base makes this a high-risk vulnerability.

Additional Resources:
Aikido Blog – NPM Debug & Chalk Packages Compromised

BleepingComputer – npm Supply-Chain Attack

Hacker News – Maintainer Post

Critical SharePoint Zero-Day Under Widespread Attack

Discovered: July 14th, 2025


Impacted Tech: Microsoft SharePoint Servers (on-premises, e.g., MS SharePoint Server 2019 and Subscription Edition; patch for 2016 pending)


Summary:

A critical unauthenticated remote code execution (RCE) vulnerability chain – referred to as “ToolShell” – is being actively exploited in the wild. CVE-2025-49706 and CVE-2025-49704 allow attackers to bypass authentication and execute arbitrary code within the SharePoint web application process. Exploitation impacts not only SharePoint, but potentially connected services such as OneDrive, Outlook, and Teams due to shared credentials.


Verify Exposure:
These vulnerabilities apply to on-premises SharePoint Servers only.

The risk is critical for internet-exposed SharePoint servers – systems directly accessible from outside the network perimeter.

Interim Mitigation Measures:

  • Use or upgrade to supported versions of on-premises MS SharePoint Server (2016, 2019, Subscription Edition).
  • Download and apply the latest security updates (2019 and Subscription Edition). SharePoint 2016 remains unpatched – until a fix is released, it is recommended to take affected systems offline or block external access via network controls.
  • Configure AMSI integration in SharePoint, deploy MS Defender for Endpoint, and rotate SharePoint Server ASP.NET machine keys.


Urgency: This unauthenticated RCE chain is being actively exploited and poses a high risk to externally facing SharePoint servers. Successful compromise may result in complete takeover of SharePoint and extended access to connected Microsoft services.

Additional Resources:
Microsoft Blog – Customer guidance for SharePoint vulnerability CVE-2025-53770

Bleeping Computer – Microsoft SharePoint zero-day exploited in RCE attacks, no patch available

TechCrunch – New zero-day bug in Microsoft SharePoint under widespread attack

Windows Remote Desktop Licensing Service “MadLicense” 0-Click RCE affecting all Windows Servers (2000-2025) [CVE-2024-38077]

Discovered: 8/11/2024


Impacted Tech: All Iterations of Windows Server (2000-2025)


Summary:

CVE-2024-38077, also known as “MadLicense,” is a critical 0-click remote code execution (RCE) vulnerability in the Windows Remote Desktop Licensing Service (RDL). It affects all versions of Windows Server from 2000 to 2025, allowing attackers to gain full control of servers without any user interaction.


Verify Exposure:
This vulnerability is present in Windows Server 2000-2025 on systems that have RDL enabled. All versions are vulnerable. Attackers can exploit a heap overflow in the “CDataCoding::DecodeData” function to execute arbitrary code, bypassing even the latest security mitigations.

Interim Mitigation Measures:

  • Patch Immediately:
    • Microsoft has released a patch as part of the July security update. Apply this patch without delay.
  • Disable RDL:
    • If RDL is not required, disable it to reduce exposure.
  • Enhanced Monitoring:
    • Implement enhanced logging and monitoring to detect any suspicious activity related to RDL services.


Urgency: Given the widespread exposure and the availability of proof-of-concept (PoC) exploit code, immediate action is necessary to protect your systems from potential attacks.

Additional Resources:
Exploitable PoC Released for CVE-2024-38077: 0-Click RCE Threatens All Windows Servers (securityonline.info)

August 12, 2024 Advisory: Windows Remote Desktop Licensing Service RCE [CVE-2024-38077] | Censys

Blog: CVE-2024-38077: A Critical Zero-Click RCE Threat to All Windows Servers (alchemytechgroup.com)

Vulnerability in Check Point Security Gateway (CVE-2024-24919): Path Traversal and Arbitrary File Read

Overview

A critical security update has been released to address a vulnerability (CVE-2024-24919) in Check Point Network Security gateways. This vulnerability potentially allows an attacker to read certain information on Internet-connected gateways with remote access VPN or mobile access enabled. The affected configurations include scenarios with old local accounts using password-only authentication.

Verify Exposure

To determine if your system is at risk, follow these steps:

  1. Check for old local accounts: Navigate to your security gateway’s account management interface to identify any old local accounts.
  2. Authentication Method: Verify the authentication method used by these accounts. If password-only authentication is in place, consider updating it.

Recommendations for Action

A fix has been released and must be installed on Check Point Network Security gateways to remain protected. Customers should follow these steps:

  1. Install the Fix: Apply the fix provided by Check Point to your security gateways to prevent exploitation of this vulnerability.
  2. Enhance Authentication Methods: If you have local accounts that use password-only authentication, add another layer of security, such as certificate-based authentication.
  3. Disable Unused Accounts: If local accounts are not in use, it is recommended to disable them.

Interim Mitigation Measures

Until the fix is applied, customers can take the following interim measures to mitigate potential risks:

  1. Monitor for Unauthorized Access: Enable logging and monitoring for any unauthorized access attempts on your VPN.
  2. Strengthen Account Security: Ensure that all local accounts have strong, complex passwords and consider implementing multi-factor authentication (MFA).

Additional Resources:

For additional information, view the links below:

https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/#/

https://support.checkpoint.com/results/sk/sk182336

Vulnerability in GlobalProtect feature of Palo Alto Networks PAN-OS (CVE-2024-3400): OS Command Injection

Overview

A critical security vulnerability has been identified in specific versions of Palo Alto Networks PAN-OS software, which could allow an unauthenticated attacker to execute arbitrary code with root privileges on affected firewalls. This vulnerability is specifically present in the configurations where both the GlobalProtect gateway and device telemetry are enabled. The affected PAN-OS versions are:

  • PAN-OS 10.2
  • PAN-OS 11.0
  • PAN-OS 11.1

Verify Exposure

To determine if your system is at risk, follow these steps:

  1. GlobalProtect Gateway: Check for active configurations by navigating to Network > GlobalProtect > Gateways in your firewall’s web interface.
  2. Device Telemetry: Verify that device telemetry is enabled by going to Device > Setup > Telemetry in the firewall interface.

Recommendations for Action

Currently, patches for PAN-OS 10.2, 11.0, and 11.1 are under development with an anticipated release date of April 14, 2024.

Interim Mitigation Measures:

  • Threat Prevention: For customers with an active Threat Prevention subscription, it is recommended to block potential attacks related to this vulnerability by enabling Threat ID 95187, which is included in the Applications and Threats content version 8833-8682.
  • Disable Device Telemetry: If enabling the Threat ID is not feasible at this moment, another effective interim measure is to temporarily disable device telemetry until your firewall can be updated to a patched version of PAN-OS.

Customers are urged to apply these recommendations promptly to mitigate any potential risks associated with this vulnerability.

Additional Resources:

For additional information, view the links below

https://security.paloaltonetworks.com/CVE-2024-3400

Vulnerability in Citrix NetScaler ADC and Gateway (CVE-2023-4966): Citrix Bleed

Overview: Multiple vulnerabilities have been discovered in Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) affecting versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300 (End-of-Life)

Summary of Vulnerabilities: These vulnerabilities in NetScaler ADC and NetScaler Gateway result in unauthenticated buffer-related flaws, leading to sensitive information disclosure and denial of service under specific configurations (e.g., VPN virtual servers, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers). They have been classified under CWE-119 and have respective CVSS scores of 9.4 and 8.2.

Recommendations for Action: Cloud Software Group urges immediate action for users of affected versions:

  • Install updated versions addressing these vulnerabilities:
    • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
    • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
    • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
    • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL). Upgrading to supported versions is recommended.

If updating is not possible, follow Mandiant’s guidelines on remediation.
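An added checker that turns the affected/fixed version list above into an inventory test; this is example code, not Cloud Software Group’s tooling. It assumes builds are written in the bulletin’s major.minor-build.sub form and that the branch (standard, FIPS or NDcPP) is known separately, since the version string alone does not carry it; all inventory entries are constructed.

```python
"""Added example, not from the bulletin: classifies a NetScaler ADC / Gateway
build against the affected ranges listed above. Version strings use the
bulletin's 'major.minor-build.sub' form; the branch ('standard', 'FIPS' or
'NDcPP') is passed separately because the string alone does not carry it.
All sample inputs below are constructed."""
import re

# (branch, release) -> first fixed build, as listed in the bulletin.
FIXED_IN = {
    ("standard", "14.1"): "14.1-8.50",
    ("standard", "13.1"): "13.1-49.15",
    ("standard", "13.0"): "13.0-92.19",
    ("FIPS", "13.1"): "13.1-37.164",
    ("FIPS", "12.1"): "12.1-55.300",
    ("NDcPP", "12.1"): "12.1-55.300",
}
# The bulletin notes that 12.1 is End-of-Life regardless of build.
EOL_RELEASES = {"12.1"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_version(text: str) -> tuple:
    """'13.1-49.15' -> (13, 1, 49, 15). Tuples compare numerically, so
    13.1-49.15 > 13.1-9.99 (a plain string comparison gets this wrong)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(version: str, branch: str = "standard") -> dict:
    """Return {'status', 'fixed_in', 'eol'}; status is 'vulnerable', 'fixed'
    or 'not listed' (no affected range for that branch/release above)."""
    v = parse_version(version)
    release = f"{v[0]}.{v[1]}"
    result = {"fixed_in": None, "eol": release in EOL_RELEASES}
    fixed = FIXED_IN.get((branch, release))
    if fixed is None:
        result["status"] = "not listed"
    else:
        result["fixed_in"] = fixed
        result["status"] = "vulnerable" if v < parse_version(fixed) else "fixed"
    return result

def assess_fleet(inventory: list) -> list:
    """inventory: [(hostname, version, branch), ...] -> rows needing action
    (vulnerable builds, plus anything on an EOL release)."""
    rows = []
    for host, version, branch in inventory:
        r = assess(version, branch)
        if r["status"] == "vulnerable" or r["eol"]:
            rows.append((host, version, branch, r["status"], r["fixed_in"]))
    return rows

if __name__ == "__main__":
    fleet = [  # constructed inventory
        ("gw-1", "13.1-49.13", "standard"),  # below 13.1-49.15 -> vulnerable
        ("gw-2", "13.1-49.15", "standard"),  # exactly the fixed build
        ("gw-3", "13.1-37.100", "FIPS"),     # FIPS branch has its own threshold
        ("gw-4", "12.1-55.300", "NDcPP"),    # fixed build, but EOL release
    ]
    for row in assess_fleet(fleet):
        print(row)
```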

Additional Resources: Further information is available in Cloud Software Group’s published blogs:

TEMU Shopping App – Critical Vulnerability and Security Threat Alert

Date: 11/7/2023

Impacted Tech: TEMU App Software

Introduction:

Grizzly Research LLC, a research firm specializing in providing insights on publicly traded companies, has raised serious concerns regarding the shopping app TEMU, labeling it as “covert spyware with alarming implications for U.S. national security.” You can access the complete report here. 

TEMU is a shopping application owned by PDD (Pinduoduo) Holdings Inc, a prominent Chinese online retailer. Notably, TEMU has achieved significant global popularity, with nearly 40.54 million downloads recorded as of September 2023.

Highlights:

A closer examination of TEMU’s application reveals numerous alarming features that have set off immediate warning signals. Grizzly’s experts have identified and outlined 18 software functions that are both “inappropriate and potentially hazardous,” typically associated with intrusive applications. TEMU incorporates all of these functions. Here is a breakdown of these functions:

These functions grant the application overly extensive permissions, enabling it to perform actions such as:

  • Compiling and executing new programs on local devices.
  • Querying, modifying, and transferring files from users’ devices.
  • Accessing precise user locations within an approximate 10-foot radius.
  • Checking for root access.
  • Encrypting and decrypting data.
  • Reading users’ system logs.

Additionally, it is worth noting that Chinese companies are generally required to provide access to their entire databases to Chinese government agencies (source).

Pinduoduo, a well-known Chinese budget shopping app, now under the umbrella of PDD Holdings, faced suspension from the Google Play Store in March 2023 due to the discovery of malware in certain app versions. Reports indicated that PDD had assembled a team of 100 programmers to identify and exploit OEM customizations of the Android operating system. It appears that TEMU and previous (malicious) versions of Pinduoduo share similar underlying codebases.

In line with a Wired report, TEMU is believed to be incurring losses of $30 per order, primarily due to substantial expenditures on advertising and shipping costs. Coupled with manipulative user practices, affinity scams to boost sign-ups, and an aggressive advertising scheme, Grizzly suspects that TEMU may already possess or plan to illicitly trade stolen data from Western country users to sustain a profitable business model.

Sources:

https://www.cyberclick.net/numericalblogen/top-10-most-downloaded-apps-of-2020-so-far

https://time.com/6243738/temu-app-complaints/

https://apnews.com/article/technology-business-china-data-privacy-1d3fcbac4549c6968c07897900c96cc3

https://www.cnn.com/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html

Microsoft Exchange Critical Vulnerability Alert – ZDI-23-1578, ZDI-23-1579, ZDI-23-1580, ZDI-23-1581

ZDI-23-1578

ZDI-23-1579 

ZDI-23-1580

ZDI-23-1581

Discovered: 9/7/2023

Impacted Tech: Microsoft Exchange

Attacker Requirements: Authentication

Highlights:

Trend Micro’s Zero Day Initiative (ZDI) has recently disclosed four zero-day vulnerabilities that can be exploited by attackers to remotely execute arbitrary code or disclose sensitive information on affected installations.

Microsoft has decided to delay the release of fixes for these vulnerabilities, citing that the flaws were not deemed severe enough to warrant immediate servicing.

The first vulnerability, ZDI-23-1578, is a remote code execution (RCE) flaw that allows attackers to deserialize untrusted data. A successful exploitation of this vulnerability would grant an attacker the ability to execute arbitrary code with the highest level of privileges on Windows, known as ‘SYSTEM.’ Fortunately, this vulnerability has been patched in the August 2023 security update.

ZDI-23-1579 can enable an attacker to access sensitive information on Exchange servers due to insufficient URI validation.

Both ZDI-23-1580 and ZDI-23-1581 also stem from improper URI validation, which can potentially lead to unauthorized information disclosure.

Mitigation:

ZDI recommends restricting interaction with Exchange applications as a precautionary measure. Additionally, customers are strongly advised to implement multi-factor authentication to prevent attackers from accessing Exchange accounts, particularly if credentials have been compromised.

References:

https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/