Node Package Manager has over 40 Packages Compromised

Cyber security researchers have identified a large-scale supply chain attack targeting the Node Package Manager (NPM) registry which has compromised more than 40 packages belonging to multiple maintainers. The attack uses a malicious function called “NpmModule.updatePackage” which retrieves a package’s tarball, modifies its package.json file, injects a JavaScript file named bundle.js, repackages it and republishes it. Once the trojanised package has been published, any downstream packages depending on it may also become infected without their maintainers’ knowledge.
Once a developer installs such a compromised package, the injected script executes on their machine. It uses TruffleHog (a legitimate credential-scanning tool) to search for secrets such as GitHub tokens, npm tokens, and AWS credentials. These are then exfiltrated to a server controlled by the attackers. In addition, when the attacker obtains enough credentials (e.g. a GitHub PAT), they create GitHub Actions workflows in the repository to persistently exfiltrate data, ensuring the compromise lasts beyond just the local system.
The campaign has worm-like propagation. Once an npm maintainer account (such as the identified ‘techsupportrxnt’) is compromised, new, malicious versions of any package maintained by that account can be published in the maintainer’s name, thereby spreading the malware further into the npm ecosystem. The attack goes beyond npm: private repositories belonging to compromised users are allegedly duplicated (with a “-migration” suffix) to try to extract source code or secrets that might be stored there.
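The trojanisation pattern described above (a rewritten package.json that runs an injected bundle.js when the package is installed) can be checked for in an already-installed dependency tree. The script below is an added example written for this bulletin, not code from the bulletin or from any vendor it cites. It assumes the injected script is wired in through an npm lifecycle hook such as preinstall, install or postinstall (the bulletin says the script runs on install but does not name the hook) and that the dropped file keeps the name bundle.js; the package names in the sample tree are constructed. It goes slightly beyond the specific case by also surfacing any install-time hook for review, since that is where a supply-chain implant of this kind has to live.

```python
"""Audit an installed node_modules tree for a package.json rewritten so that an
injected bundle.js runs at install time.

Added example, not code from the bulletin or from any vendor it cites. The
lifecycle-hook wiring and the file name bundle.js are assumptions; the sample
package names are constructed."""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Hooks that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
BUNDLE_RE = re.compile(r"\bbundle\.js\b")


def inspect_package(pkg_dir: Path) -> Optional[Dict]:
    """Return a finding for one package directory, or None if nothing stands out."""
    try:
        data = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    name = data.get("name", pkg_dir.name)
    scripts = data.get("scripts") or {}
    hooks = {h: c for h, c in scripts.items() if h in INSTALL_HOOKS and isinstance(c, str)}
    bundle_hooks = {h: c for h, c in hooks.items() if BUNDLE_RE.search(c)}
    if bundle_hooks:
        severity, detail = "high", f"install hook runs bundle.js: {bundle_hooks}"
    elif (pkg_dir / "bundle.js").is_file():
        # Plenty of legitimate packages ship a bundle.js, so on its own the
        # file name is only a prompt to look closer.
        severity, detail = "review", "bundle.js present at package root"
    elif hooks:
        severity, detail = "review", f"install-time hooks present: {hooks}"
    else:
        return None
    return {"package": name, "version": data.get("version"), "severity": severity, "detail": detail}


def scan_node_modules(root: Path) -> List[Dict]:
    """Walk node_modules, including scoped @org/pkg directories and nested trees."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            finding = inspect_package(Path(dirpath))
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree(base: Path) -> Path:
    """Write a small constructed node_modules tree; the names are made up for this example."""
    root = base / "node_modules"
    manifests = {
        "left-padding-demo": {"name": "left-padding-demo", "version": "1.0.0"},
        "native-build-demo": {"name": "native-build-demo", "version": "2.1.0",
                              "scripts": {"postinstall": "node-gyp rebuild"}},
        "@demo/trojanised": {"name": "@demo/trojanised", "version": "3.4.6",
                             "scripts": {"postinstall": "node bundle.js"}},
    }
    for rel, manifest in manifests.items():
        pkg = root / rel
        pkg.mkdir(parents=True, exist_ok=True)
        (pkg / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # The dropped file itself; contents are a harmless placeholder.
    (root / "@demo" / "trojanised" / "bundle.js").write_text("// placeholder\n", encoding="utf-8")
    return root


def demo_findings() -> Dict[str, Dict]:
    """Build the sample tree in a temp dir and return findings keyed by package name."""
    with tempfile.TemporaryDirectory() as tmp:
        return {f["package"]: f for f in scan_node_modules(build_sample_tree(Path(tmp)))}


if __name__ == "__main__":
    for pkg, finding in sorted(demo_findings().items()):
        print(f"[{finding['severity']}] {pkg}@{finding['version']}: {finding['detail']}")
```

Run it against a real checkout by calling scan_node_modules(Path("node_modules")); the "review" findings will include legitimate native builds such as node-gyp, which is why the severity split matters when triaging a large tree.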
The campaign has been dubbed “Shai-Hulud”, taking its name from the equally dangerous sandworms of Dune. The campaign has also used the “Crowdstrike Publisher” npm account to publish malicious packages. In total, over 500 npm packages have been impacted by the Shai-Hulud campaign, highlighting how far this attack was able to reach.
This incident underlines how dangerous supply-chain attacks are becoming in open-source ecosystems. Because of the high interdependency of packages and the widespread trust placed in maintainers’ credentials, even a single compromised account can lead to a cascading effect.
References:
Self-Replicating Worm Hits 180+ npm Packages to Steal Credentials in Latest Supply Chain Attack
Self-Replicating ‘Shai-hulud’ Worm Targets NPM Packages
Shai-Hulud npm Supply Chain Attack | ReversingLabs

Signed, Sealed, Compromised: Manticore’s New Playbook

Nimbus Manticore Threat Level: Very High
Impact: Espionage, data theft, possible lateral network compromise, long-term persistence
Sectors at Risk: Defence Manufacturing, Telecommunications, Aviation & Aerospace
Geographic Focus: Western Europe (Denmark, Sweden, Portugal), Middle East
Sources: Check Point Research
Nimbus Manticore, long linked to Iranian state interests, has surfaced again with a fresh campaign that signals clear evolution. This isn’t the group recycling old tradecraft. What we’re seeing is a more professional, modular approach to espionage operations, with custom malware tailored for Western European targets.
Check Point Research traces the latest activity to mid-2025, with Denmark, Sweden and Portugal singled out. The shift westwards is notable: for years, Manticore was more focused on the Middle East. The choice of lures is just as deliberate. Instead of blanket spam, the group is sending spear-phishing messages built around European themes – career portals, aerospace recruitment pitches, or sector-specific policy discussions. The aim is simple: appear credible enough to slip past basic awareness training.
The entry point often looks familiar: a document or link that quietly drops a loader, which then decrypts and launches implants. Behind the lure sits a more sophisticated front end than we usually see – Check Point highlights career-themed portals built on modern frameworks, giving the fake login sites a polish that helps sell the story. Victims hand over an email address, credentials, and in some cases even MFA tokens.
From there the chain deepens. Attackers abuse legitimate executables to side-load malicious DLLs, gaining a foothold while blending into normal processes. Persistence is kept simple and effective: scheduled tasks, registry edits, and even hijacking Windows Defender components to run code under a trusted name.

Two implants stand out in this round. MiniJunk is the successor to the older Minibike backdoor. It’s padded with junk code and compiler tricks, signed with stolen or fraudulent certificates, and designed to frustrate analysis while still providing reliable remote access. MiniBrowse, on the other hand, is lightweight and direct – a credential stealer that lifts browser-stored passwords from Chrome and Edge, giving attackers immediate access to corporate and cloud accounts.
Technically, this is a step up from the group’s past efforts. The implants are bulked out, obfuscated, and signed to slip past traditional detection. Infrastructure is hidden behind services like Azure App Services and Cloudflare, with a rotation of career-themed domains adding to the disguise.
For the organisations on the receiving end – defence manufacturers, telecoms, energy and aerospace – the risk is obvious. This isn’t just about one compromised inbox. Once inside, Manticore can persist, move laterally, and exfiltrate sensitive data quietly. The use of signed binaries and hijacked executables muddies the waters further, leaving defenders with blind spots in systems that should look clean.
Defence against this level of campaign requires more than ticking the basics. Hardware-based MFA (FIDO2, tokens) helps blunt phishing. Proactive hunting for DLL sideloading and suspicious library loads is critical. So is checking the provenance of signed code, monitoring browser credential access, and flagging unusual outbound traffic – particularly HTTPS sessions to new domains fronted by Cloudflare or Azure.
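One of the hunts recommended above, for DLL sideloading and suspicious library loads, can be run over Sysmon “Image loaded” (Event ID 7) telemetry. The script below is an added example written for this bulletin, not Check Point’s detection logic. The field names follow the Sysmon event 7 schema (Image, ImageLoaded, Signed, Signature, SignatureStatus), where the signature fields describe the loaded DLL rather than the process; the events are constructed, and the list of system DLL names is an illustrative starting set, not a complete one.

```python
"""Hunt for DLL sideloading in Sysmon 'Image loaded' (Event ID 7) records.

Added example, not Check Point's detection logic. Field names follow the
Sysmon event 7 schema; the events are constructed and SYSTEM_DLL_NAMES is an
illustrative starting set."""
from typing import Dict, List, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
USER_WRITABLE_MARKERS = ("c:\\users\\", "c:\\programdata\\", "\\temp\\", "\\appdata\\")
# DLLs that live in System32 and should normally be resolved from there.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
                    "userenv.dll", "profapi.dll"}


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_system_dir(path: str) -> bool:
    return any(norm(path).startswith(d + "\\") for d in SYSTEM_DIRS)


def is_user_writable(path: str) -> bool:
    return any(marker in norm(path) for marker in USER_WRITABLE_MARKERS)


def evaluate(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, reason) pairs for one event; empty when nothing stands out."""
    image_dir = norm(ev.get("Image", "")).rsplit("\\", 1)[0]
    dll = norm(ev.get("ImageLoaded", ""))
    dll_dir, dll_name = dll.rsplit("\\", 1) if "\\" in dll else ("", dll)
    # In event 7 the signature fields describe the loaded DLL, not the process.
    dll_signed_ok = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"
    findings = []
    # Rule 1: a well-known system DLL name resolved from outside the system directories.
    if dll_name in SYSTEM_DLL_NAMES and not in_system_dir(dll):
        findings.append(("high", f"{dll_name} resolved from {dll_dir} instead of a system directory"))
    # Rule 2: an unsigned DLL loaded from a user-writable location; the classic
    # dropped exe+dll pair (same directory) is treated as high, the rest as review.
    if not dll_signed_ok and is_user_writable(dll):
        if dll_dir == image_dir:
            findings.append(("high", f"unsigned {dll_name} loaded from the process's own user-writable directory"))
        else:
            findings.append(("review", f"unsigned {dll_name} loaded from user-writable path {dll_dir}"))
    return findings


def hunt(events: List[Dict[str, str]]) -> List[Dict]:
    results = []
    for idx, ev in enumerate(events):
        for severity, reason in evaluate(ev):
            results.append({"event": idx, "process": ev.get("Image"), "dll": ev.get("ImageLoaded"),
                            "severity": severity, "reason": reason})
    return results


# Constructed sample events in Sysmon event 7 shape.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\vendor-updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\SomeApp\app.exe", "ImageLoaded": r"C:\Program Files\SomeApp\helper.dll",
     "Signed": "true", "Signature": "SomeApp Ltd", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\TrustedVendor\vendortool.exe", "ImageLoaded": r"C:\ProgramData\cache\helper32.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] event {hit['event']}: {hit['process']} -> {hit['dll']}: {hit['reason']}")
```

The second sample trips both rules: a system DLL name resolved from a Temp folder, sitting beside the executable that loaded it. The fourth only reaches “review”, which is where checking the provenance of the signed process, as the bulletin recommends, picks up.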
The bottom line is clear: Nimbus Manticore has grown more capable. The sloppy phishing kits are gone. In their place is a well-structured, persistent intrusion set designed to blend in and buy time. For European telecoms, energy and defence operators, the challenge isn’t whether Manticore will come knocking – it’s whether their presence will be spotted before the implants make themselves at home.
References:
Nimbus Manticore Deploys New Malware Targeting Europe – Check Point Research

Scattered Spider Resurfaces from “Retirement”

The cyber crime group known as Scattered Spider has re-emerged with fresh attacks aimed at the financial sector, undermining its earlier claims of having “gone dark”. According to threat intelligence firm ReliaQuest, there has been an increase in lookalike domains relating to financial services, with at least one intrusion into a United States banking firm attributed to the group.
Their methodology employed the use of social engineering, targeting an executive’s account and resetting the password through Azure Active Directory’s self-service password reset feature. From there, they gained access to IT- and security-related documents, moved laterally via Citrix and VPN access, compromised VMware ESXi infrastructure, dumped credentials, and attempted to infiltrate further into the company systems.
In order to escalate their privileges, Scattered Spider reportedly used a password reset on a Veeam service account, granting themselves Global Administrator privileges within Azure, after which they relocated the virtual machines to avoid detection. Evidence of data exfiltration was also observed, with attempts seen from cloud services including Amazon Web Services and Snowflake.
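The sequence described in the two paragraphs above (a self-service password reset on an executive account, a reset of a service account, then a Global Administrator grant) is one that directory audit logs can be correlated for. The script below is an added example written for this bulletin, not ReliaQuest’s detection logic. The record shape follows the Microsoft Graph directoryAudit resource (activityDisplayName, activityDateTime, initiatedBy, targetResources, modifiedProperties) as the author understands it; the events, the watchlist of executive and service accounts, and the six-hour window are all constructed for the example.

```python
"""Correlate Entra ID (Azure AD) directory audit events: a password reset on a
watchlisted account followed shortly by a privileged role grant.

Added example, not ReliaQuest's detection logic. Record shape follows the
Microsoft Graph directoryAudit resource as the author understands it; events,
watchlist and window are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed watchlist: accounts whose password reset should always be reviewed.
WATCHLIST = {"cfo@example.com": "executive", "svc-backup@example.com": "service account"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
WINDOW = timedelta(hours=6)  # a role grant this soon after a reset is treated as linked


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def initiator(ev: Dict) -> str:
    user = ev.get("initiatedBy", {}).get("user") or {}
    return user.get("userPrincipalName", "").lower()


def targets(ev: Dict) -> List[str]:
    return [t["userPrincipalName"].lower() for t in ev.get("targetResources", [])
            if t.get("userPrincipalName")]


def granted_role(ev: Dict) -> str:
    """Role name from modifiedProperties; Graph wraps newValue in JSON quotes."""
    for t in ev.get("targetResources", []):
        for prop in t.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                return str(prop.get("newValue", "")).strip('"')
    return ""


def correlate(events: List[Dict]) -> List[Dict]:
    alerts = []
    recent_resets: Dict[str, datetime] = {}  # account -> time of its latest password reset
    for ev in sorted(events, key=lambda e: parse_ts(e["activityDateTime"])):
        when = parse_ts(ev["activityDateTime"])
        activity = ev.get("activityDisplayName", "")
        if activity.lower().startswith("reset"):
            # Covers both "Reset password (self-service)" and admin-driven resets.
            for acct in targets(ev):
                recent_resets[acct] = when
                if acct in WATCHLIST:
                    alerts.append({"severity": "review", "time": when.isoformat(), "account": acct,
                                   "reason": f"{activity} on {WATCHLIST[acct]} by {initiator(ev)}"})
        elif activity == "Add member to role" and granted_role(ev) in PRIVILEGED_ROLES:
            role = granted_role(ev)
            for acct in targets(ev):
                # Linked if either the new role holder or the person granting it
                # had a password reset inside the window.
                linked = sorted({a for a in (acct, initiator(ev))
                                 if a in recent_resets and when - recent_resets[a] <= WINDOW})
                reason = f"{role} granted to {acct} by {initiator(ev)}"
                if linked:
                    reason += f"; password reset within {WINDOW} on {', '.join(linked)}"
                alerts.append({"severity": "high" if linked else "review", "time": when.isoformat(),
                               "account": acct, "reason": reason})
    return alerts


# Constructed sample events in directoryAudit shape.
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-09-01T08:00:00Z", "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com"}},
     "targetResources": [{"userPrincipalName": "cfo@example.com", "modifiedProperties": []}]},
    {"activityDateTime": "2025-09-01T09:10:00Z", "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-backup@example.com", "modifiedProperties": []}]},
    {"activityDateTime": "2025-09-01T09:25:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-backup@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "oldValue": None, "newValue": "\"Global Administrator\""}]}]},
    {"activityDateTime": "2025-09-03T10:00:00Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"userPrincipalName": "newadmin@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "oldValue": None, "newValue": "\"Global Administrator\""}]}]},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['time']} {alert['account']}: {alert['reason']}")
```

Every privileged role grant is surfaced for review regardless; the correlation only raises the severity when a reset on the grantee or the grantor precedes it, which is the shape of the escalation described above.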
The recent activity calls into question Scattered Spider’s earlier statement that they, alongside other groups such as LAPSUS$, were ceasing their operations. Rather than a genuine retirement, it is believed that these groups were simply taking an operational hiatus for any of a number of reasons, including refining their Tactics, Techniques & Procedures, avoiding law enforcement attention or even rebranding. It is rare for threat actor groups to truly retire from operating; more often these groups rebrand or evolve.
This investigation from ReliaQuest also highlights activity from ShinyHunters, who are believed to be leveraging members of Scattered Spider and the broader network known as “The Com” in voice phishing (vishing) attacks. A number of these attacks have been observed incorporating AI platforms including Bland AI to generate dynamic, adaptive phone calls so as to trick victims more convincingly. The compromised data from these attacks is then used to steal data from systems like Salesforce and to impersonate single sign-on (SSO) login pages.
References:
ShinyHunters Targets Salesforce Amid Clues of Scattered Spider Collaboration
Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims
Get Norm’s threat bulletin direct to your inbox
Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.