Cybersecurity Under Siege: From JavaScript Attacks to Data Breaches of Gucci Customers

We have compiled the most significant cybersecurity headlines from the past week.

Software developers are increasingly attracting cryptocurrency thieves. According to cybersecurity researchers from Koi Security, the hacking group WhiteCobra has targeted users of the coding environments VSCode, Cursor, and Windsurf. They uploaded 24 malicious extensions to the Visual Studio Marketplace and the Open VSX registry.

One of the victims of this devastation was key Ethereum developer Zach Cole.

He reported that cybercriminals stole cryptocurrency via an AI code editor plugin for Cursor. Cole explained that the extension appeared to be harmless, featuring a professionally designed logo, a detailed description, and 54,000 downloads on OpenVSX—the official registry for Cursor.

Koi Security believes that WhiteCobra is related to the same group that, in July, stole $500,000 worth of digital assets from a Russian blockchain developer.

“The cross-platform compatibility and lack of adequate verification during publication on these platforms make them ideal for attackers looking to run large-scale campaigns,” the Koi Security report states.

The wallet drain begins when the extension's main file, extension.js, is executed; the file closely resembles the standard Hello World scaffold that ships with every VSCode extension template. It then unpacks stealer software matched to the victim's operating system.

WhiteCobra focuses on holders of digital assets valued between $10,000 and $500,000. Analysts believe that the group can launch a new campaign in less than three hours.

Currently, it is challenging to stop the attackers: while the malicious plugins are removed from OpenVSX, new ones appear almost immediately.

Researchers advise sticking to well-known projects with solid reputations and treating new releases that garner a substantial number of downloads and positive reviews in a short time cautiously.

The Royal Canadian Mounted Police conducted the largest cryptocurrency seizure in the country’s history. This was noted by on-chain detective ZachXBT.

Law enforcement seized over 56 million Canadian dollars (about $40.5 million) in digital assets from the TradeOgre platform. The closure of the cryptocurrency exchange platform marks the first case of its kind in Canadian history.

The investigation, which began in June 2024 on a tip from Europol, revealed that the platform violated Canadian law and failed to register with the Financial Transactions and Reports Analysis Centre as a money services business.

Investigators have reason to believe that a significant portion of the funds traded on TradeOgre originated from criminal sources. The platform attracted cybercriminals due to the lack of mandatory user identification.

According to police, transaction data obtained from TradeOgre will be analyzed to support charges. The investigation is ongoing.

After an attack on the NPM platform to inject malware into JavaScript packages, the attackers have shifted to a strategy of deploying a full "worm." The incident is escalating, with over 500 compromised NPM packages identified at the time of writing.

The coordinated campaign, dubbed Shai-Hulud, began on September 15 with the compromise of the NPM package @ctrl/tinycolor, which is downloaded over 2 million times weekly.

According to analysts from Truesec, the campaign has significantly expanded, including packages published in the CrowdStrike namespace.

Experts note that the compromised packages contain a function that extracts the tar.gz package, modifies the package.json file, injects a local script, rebuilds the archive, and republishes it. Upon installation, a script runs automatically, downloading and executing TruffleHog—a legitimate tool for scanning secrets and searching for tokens.

Truesec believes the attack is scaling up and becoming more sophisticated. While the attackers are using many old techniques, they have significantly enhanced their approach, transforming it into a fully autonomous "worm." The malware performs the following actions:

A defining characteristic of this attack is the way it spreads. Rather than relying on a single infected package, it automatically propagates to every NPM package the compromised maintainer can publish.

For the third consecutive week, Jaguar Land Rover (JLR) has been unable to resume production due to a cyberattack. The luxury car manufacturer announced that its production lines would remain halted at least until September 24.

The company confirmed that cybercriminals stole information from its network but have not attributed the attack to a specific hacking group.

According to BleepingComputer, the cybercriminal group Scattered Lapsus$ Hunters has claimed responsibility for the attack, releasing screenshots of JLR’s internal system on a Telegram channel. The post alleges that the hackers also deployed ransomware on the compromised company infrastructure.

BBC estimates that each week of downtime costs the company a minimum of £50 million (~$68 million). In contrast, The Telegraph estimates that the losses for the same period are about $100 million. JLR suppliers are concerned that they will not be able to cope with the unexpected crisis and fear bankruptcy.

On September 12, researchers from the Great Firewall Report team reported the largest data leak in the history of the "Great Chinese Firewall."

Approximately 600 GB of internal documents, source code, and internal correspondence regarding the development and maintenance of China's national traffic filtering system were leaked online.

According to researchers, the leak contains complete platform build systems for tracking traffic, as well as modules responsible for recognizing and throttling specific circumvention tools. A significant portion of the stack is aimed at detecting VPNs banned in China.

The Great Firewall Report specialists assert that some of the documentation pertains to the Tiangou platform—a commercial product intended for use by providers and border gateways. Experts believe that early iterations of the program were deployed on HP and Dell servers.

Furthermore, the leaked documents mention the installation of this software in 26 data centers in Myanmar. The system was allegedly managed by the state telecommunications company and integrated into major internet traffic exchange points, allowing for both mass blocking and selective filtering.

According to Wired and Amnesty International, the infrastructure was also exported to Pakistan, Ethiopia, Kazakhstan, and other countries, where it is used alongside other lawful traffic interception platforms.

On September 15, Kering, owner of multiple luxury brands, confirmed a data leak affecting customers of its subsidiaries Gucci, Balenciaga, Alexander McQueen, and Yves Saint Laurent.

According to the BBC, the hackers stole personal information, including names, email addresses, phone numbers, home addresses, and the total amounts customers had spent in stores worldwide.

The attack is alleged to have been carried out by the hacker group ShinyHunters, which claims to have stolen personal data from at least 7 million individuals; however, the actual number of victims is likely significantly higher.

The group is also suspected of involvement in the theft of several databases hosted on Salesforce. Multiple companies, including Allianz Life, Google, Qantas, and Workday, have confirmed data theft resulting from these massive breaches.