Category Archives: Virus & Malware

Checkmarx Jenkins AST Plugin Compromised (14th May 2026)

Preface: Jenkins’ popularity and its rich plugin ecosystem are the main reasons for integrating event monitoring tools with it. While there isn’t a single “API plugin,” Jenkins has a powerful built-in remote access API (supporting XML, JSON, and Python), which many external monitoring tools use to retrieve data.

Background: With its unparalleled flexibility, vast plugin ecosystem, and vendor neutrality, Jenkins remains the preferred tool for cloud applications, especially in DevOps environments. Despite the emergence of many newer cloud-native tools, Jenkins remains the preferred solution for complex, hybrid, or highly customized CI/CD pipelines.

The TanStack incident and the Checkmarx Jenkins AST plugin intrusion incident were actually part of a well-planned coordinated supply chain attack campaign by the same threat group, TeamPCP.

Security researchers from Wiz, Snyk, and Socket have dubbed this large-scale, multi-targeted attack campaign (expected to launch in May 2026) the “Mini Shai-Hulud” worm attack. While the two incidents targeted different environments and used different initial entry points, they both originated from the same threat group, malware family, infrastructure, and ultimate target.

Incident details: The previous version of the Checkmarx Jenkins AST plugin (specifically version 2026.5.09) was compromised as part of an ongoing supply chain attack by the threat actor group TeamPCP, following their earlier compromise of Checkmarx infrastructure in March 2026.

The attack appears to be another TeamPCP incident because the attackers used the same techniques—gaining unauthorized access to Checkmarx’s GitHub repositories—to inject credential-stealing “Dune-themed” malware, similar to the previous KICS and GitHub Actions attacks.

Official announcement: Please refer to the link for details. – https://checkmarx.com/blog/ongoing-security-updates/

Shai-Hulud operates as a multi-vector, self-propagating worm. It routinely changes its entry points to compromise environments. Stay vigilant! (14th May 2026)

Preface: The TanStack incident was a highly sophisticated software supply-chain compromise that occurred on May 11, 2026. An attacker successfully hijacked TanStack’s legitimate GitHub Actions release pipeline to publish 84 malicious versions across 42 @tanstack/* npm packages, including widely used tools like @tanstack/react-router.

Background: Both @tanstack/react-router and @tanstack/react-query are client-side frontend libraries, while Kubernetes (K8s) is a backend orchestration platform. In normal circumstances, frontend applications running inside K8s-managed containers are containerized web assets (static files or server-side rendered apps) packaged with a lightweight web server such as Nginx or Apache. @tanstack/react-router and @tanstack/react-query are nonetheless highly relevant to building robust frontend applications that run inside K8s-managed containers: they handle frontend routing and data fetching, while Kubernetes manages the infrastructure, pods, and scaling of the APIs they consume. TanStack Query handles caching and server-state synchronization, which reduces unnecessary API calls to backend services running on K8s. You can call @tanstack/react-router and @tanstack/react-query part of a suite: they are core components of the TanStack suite, a collection of high-quality, open-source libraries designed for modern web development.

Incident details: A supply chain attack, dubbed “Mini Shai-Hulud”, is affecting well-known projects including TanStack, Mistral AI, UiPath, and OpenSearch.

Official announcement: Please refer to the link for details – https://digital.nhs.uk/cyber-alerts/2026/cc-4781
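Both posts above come down to the same defensive question: is a known-compromised version of a component present in my environment? The Jenkins post notes that monitoring tools pull data through Jenkins' built-in remote API, and GET /pluginManager/api/json?depth=1 returns every installed plugin with its shortName and version; the TanStack post concerns npm packages, whose installed versions are recorded in package-lock.json. The following script is an added example, not code from either post or project: it parses both inventories and reports matches against a block list. The Checkmarx plugin's shortName is an assumption, the @tanstack/* versions are placeholders (the posts do not list the 84 affected versions; take the real list from the vendor advisory), and both inventories are constructed here rather than fetched.

```python
"""Check a Jenkins plugin inventory and an npm lockfile against a block list
of known-compromised versions (added example; constructed data)."""
import json
from typing import Dict, List, Set, Tuple

# {package name: versions to block} -- constructed list.
# The Jenkins plugin id is an assumption; the @tanstack/* versions are placeholders.
BLOCKLIST: Dict[str, Set[str]] = {
    "checkmarx-ast-scanner": {"2026.5.09"},
    "@tanstack/react-router": {"0.0.0-placeholder"},
    "@tanstack/react-query": {"0.0.0-placeholder"},
}


def jenkins_plugins(api_json: str) -> List[Tuple[str, str]]:
    """(shortName, version) for each plugin in a /pluginManager/api/json?depth=1 response."""
    doc = json.loads(api_json)
    return [(p["shortName"], p["version"]) for p in doc.get("plugins", [])]


def npm_lock_packages(lock_json: str) -> List[Tuple[str, str]]:
    """(name, version) for every package recorded in a package-lock.json."""
    doc = json.loads(lock_json)
    found: List[Tuple[str, str]] = []
    if "packages" in doc:                       # lockfileVersion 2 or 3
        for path, meta in doc["packages"].items():
            if not path:                        # "" is the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = path.rsplit("node_modules/", 1)[-1]
            found.append((name, meta.get("version", "")))
    else:                                       # lockfileVersion 1: nested "dependencies"
        def walk(deps: Dict) -> None:
            for name, meta in deps.items():
                found.append((name, meta.get("version", "")))
                walk(meta.get("dependencies", {}))
        walk(doc.get("dependencies", {}))
    return found


def flag_blocked(inventory: List[Tuple[str, str]],
                 blocklist: Dict[str, Set[str]] = BLOCKLIST) -> List[Tuple[str, str]]:
    """Return the (name, version) pairs that appear in the block list."""
    return [(n, v) for n, v in inventory if v in blocklist.get(n, set())]


# Constructed sample inventories (not real API output or a real lockfile).
JENKINS_SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.2.2", "active": True},
    {"shortName": "checkmarx-ast-scanner", "version": "2026.5.09", "active": True},
]})
LOCK_SAMPLE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@tanstack/react-router": {"version": "0.0.0-placeholder"},
    "node_modules/@tanstack/react-query": {"version": "5.0.0"},
    "node_modules/react": {"version": "18.3.1"},
}})

if __name__ == "__main__":
    print("Jenkins:", flag_blocked(jenkins_plugins(JENKINS_SAMPLE)))
    print("npm:", flag_blocked(npm_lock_packages(LOCK_SAMPLE)))
```

In a real run the Jenkins JSON comes from an authenticated GET against the controller and the lockfile from each repository; exact version matching is deliberate here, since a compromised release is a specific published version rather than a range.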

About CVE-2023-29345 and CVE-2023-33143: Microsoft released a security update for the Chromium project (6th June 2023)

Preface: Windows has traditionally run on machines powered by x86 / x64 processors. Windows 11 adds the capability to run unmodified x64 Windows apps on Arm devices! This capability to run x86 & x64 apps on Arm devices gives end users confidence that the majority of their existing apps & tools will run well even on new Arm-powered devices. For the best results, Arm-native Windows apps should theoretically be used, so developers are following the trend and building or porting Arm-native Windows apps.

Background: Codenamed “Anaheim”, on December 6, 2018, Microsoft announced its intent to base Edge on the Chromium source code, using the same browser engine as Google Chrome but with enhancements developed by Microsoft. The new Microsoft Edge (Chromium) is built on the same underlying technology as Google Chrome. During the Ignite 2021 conference, Microsoft revealed plans to align the codebase of the Edge browser on all supported platforms.


Vulnerability details:
CVE-2023-29345 Microsoft Edge Remote Code Execution – A vulnerability was found in Microsoft Edge (Web Browser) (version unknown).
CVE-2023-33143 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
For details, please refer to the link – https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security

What is the value of the Trusted Execution Environment (TEE)? (20th JAN 2023)

Preface: Reports say a newly found malware lets cybercriminals remotely manipulate your Android device.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

Technical details: According to headline news, a new Android malware named ‘Hook’ is being sold by cybercriminals, who boast that it can remotely take over mobile devices in real time using VNC (virtual network computing), BleepingComputer reported.

For details, please refer to URL – https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/

Speculation: If this reported malware achieves its goals, do you think it relies on a vulnerability such as CVE-2023-21420?

Solution: To avoid Android malware, you should only install apps from the Google Play Store.

Here’s wishing you a Happy Chinese New Year 2023.

Ring 3 evasion techniques continue to improve. Since this is the entry point, Layer 7 deep packet inspection is the basis of the defensive technique. (6th Dec 2021)

Preface: In fact, despite the Excel icon, an XLL file is a Dynamic Link Library, a binary executable file.

Background: The number of data breaches as of September 30, 2021 has exceeded the total number of incidents in 2020 by 17% (1,291 breaches in 2021 and 1,108 breaches in 2020).

The fundamental objective of MS Office products is to increase office automation efficiency. Before these products existed, typewriters, carbon copies and copy machines were fully utilized. When viruses appeared in the early 90s, cyber attacks evolved from mere disruption to suspending office operations. Fundamentally, the role of automation software is operations. Perhaps there is nothing perfect in our world. From one point of view, a cyber criminal exploiting a product design weakness is misuse; from another, design weaknesses can be grouped with misconfiguration. When cyber criminals abuse either of these two, the software becomes a weapon. Some domain experts separate I.T. and O.T., but MS Office has also become one of the operational components in their backend operations. What if MS Office suddenly became a cyber attack tool? What could it do?

If the difference between I.T. and O.T. is safety and a longer product life cycle: apart from safety, software product life cycles are shorter than they were ten years ago, yet under industrial automation the hardware is driven by software drivers. So it is clear that O.T. product life cycles are longer than those of traditional I.T., and therefore product end-of-life and end-of-support require focus in this area. Otherwise, when a similar incident occurs, the benefit goes to the cyber attacker.

Security Focus: Mshta.exe is a signed Microsoft application that runs Microsoft HTML Applications (HTA) files. These are HTML files that execute JavaScript or VBScript outside of the browser, with the full permission of the executing user.

Furthermore, HTA files run automatically if a user double-clicks on them; because of this, HTA files are excellent for phishing, malvertising, or watering-hole attacks, where the user clicks on the file and infects themselves. In fact, lack of security awareness is the potential weakness. If you are interested in the HTA attack scenario, please refer to the attached diagram.

But who wants to know a simple way to set up a compensating control in your office or industrial area?
If the system infrastructure is integrated with the internet, a clean DNS service, a SIEM, and defenses including a managed security service and local defense (antivirus) will be the defense baseline.
Be my guest; see whether you have time to think this topic over.
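The SIEM in that baseline only helps if it has a rule to match. As an added example (not from the original post), here is a small detection for the mshta.exe behaviour described above, run over process-creation events: an HTA double-clicked out of a user-writable folder, an HTA fetched from a URL, or mshta spawned by an Office application. The event layout follows the common Sysmon-style fields (Image, CommandLine, ParentImage); the log lines and the folder list are constructed for the demonstration.

```python
"""Flag suspicious mshta.exe launches in process-creation events
(added example; constructed log lines)."""
import re
from typing import Dict, List, Tuple

# User-writable locations where a phished .hta typically lands (assumption).
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData|Desktop)\\", re.IGNORECASE)
# Office parents: an HTA spawned from a document is rarely legitimate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL = re.compile(r"https?://", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=Value | Key=Value' lines into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify_mshta(event: Dict[str, str]) -> List[str]:
    """Reasons an mshta.exe event is suspicious; empty list means not flagged."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if URL.search(cmd):
        reasons.append("remote HTA or script URL on the command line")
    if USER_WRITABLE.search(cmd) and ".hta" in cmd.lower():
        reasons.append("HTA launched from a user-writable folder")
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office process {parent}")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every flagged event."""
    hits = []
    for line in lines:
        reasons = classify_mshta(parse_event(line))
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed events: two phishing-style launches, one unrelated process,
# and one vendor installer that legitimately uses an HTA (should not fire).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\mshta.exe | CommandLine=mshta.exe C:\Users\alice\Downloads\invoice.hta | ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\mshta.exe | CommandLine=mshta.exe http://example.invalid/a.hta | ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Windows\System32\notepad.exe | CommandLine=notepad.exe notes.txt | ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\mshta.exe | CommandLine=mshta.exe C:\Program Files\Vendor\setup.hta | ParentImage=C:\Program Files\Vendor\installer.exe",
]

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_EVENTS):
        print("ALERT:", "; ".join(reasons))
        print("   ", line)
```

The fourth event is the false-positive check: an HTA under Program Files launched by an installer matches none of the three conditions, which is what keeps the rule usable in an environment that still has legitimate HTA-based tooling.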

Stay alert: Recently, an unknown trojan attack in the Linux environment, a malicious ELF file with UPX compression (11th Oct, 2021)

Preface: Antivirus software isn’t entirely useless on Linux. If you are running a Linux-based file server or mail server, you will probably need antivirus help.

Background: The ELF file extension, an acronym for Executable and Linkable Format, is a common standard used for executables, object code, core dumps and shared libraries. It was chosen as the standard binary file format for Unix and Unix-based systems.

Observation and synopsis: A cyber criminal will send you an email to lure you into downloading an ELF binary file for the following reason: an ELF file can also be an executable meant to be used with a Nintendo Wii or a Wii emulator, containing a video game or other Wii application. ELF files may contain official Wii applications or homebrew applications. For the above reasons, you may click to download the ELF binary file.

Perhaps you have not installed antivirus software on the Linux platform. But you can use a simple Linux command to check whether the ELF binary file is packed with UPX compression. If it is, it may be a malicious file.

Hints: Suspicious ELF binary with UPX compression
In the UPX source code there is a function, int PackW32Pe::canUnpack(), which is run first as a test when you do upx -d (unpack executable). The file magic or strings can detect whether UPX compression is embedded in an ELF binary file. It shows which offsets are to be tested to detect whether a file was packed with UPX.
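As an added example (not the post's own command, and not UPX's code), the check below does what the hint describes without antivirus and without executing the file: it confirms the ELF header, then reports every offset at which a UPX marker appears. UPX leaves two recognisable traces in a packed ELF: the 4-byte magic "UPX!" (in the loader info block that follows the program headers and again in the trailing PackHeader that upx -d searches for from the end of the file) and the copyright string "$Info: This file is packed with the UPX executable packer". The sample bytes are constructed headers with filler, not a real binary.

```python
"""Triage an ELF file for UPX markers (added example; constructed sample bytes)."""
import struct
import sys
from typing import List, Optional, Tuple

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"
UPX_INFO = b"$Info: This file is packed with the UPX executable packer"


def elf_header_summary(data: bytes) -> Optional[dict]:
    """Class, type and program-header table extent, or None if not ELF."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]        # 1/2 = 32/64-bit; 1/2 = little/big endian
    end = "<" if ei_data == 1 else ">"
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if ei_class == 2:                           # Elf64_Ehdr field offsets
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:                                       # Elf32_Ehdr field offsets
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    return {"bits": 64 if ei_class == 2 else 32, "e_type": e_type,
            "phdr_end": e_phoff + e_phentsize * e_phnum}


def find_upx_markers(data: bytes) -> List[Tuple[int, str]]:
    """Every offset at which a UPX marker occurs, with a label for each."""
    hits: List[Tuple[int, str]] = []
    for marker, label in ((UPX_MAGIC, "UPX! magic"), (UPX_INFO, "UPX info string")):
        start = 0
        while (pos := data.find(marker, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Header read plus marker scan, combined into one verdict."""
    hdr = elf_header_summary(data)
    if hdr is None:
        return {"is_elf": False, "upx_markers": [], "verdict": "not an ELF file"}
    markers = find_upx_markers(data)
    verdict = ("UPX markers present, likely packed" if markers
               else "no UPX markers (markers can be stripped, so not proof of absence)")
    return {"is_elf": True, "bits": hdr["bits"], "phdr_end": hdr["phdr_end"],
            "upx_markers": markers, "verdict": verdict}


def make_sample_elf(packed: bool) -> bytes:
    """Constructed 64-bit little-endian ELF header, two empty phdrs and filler."""
    hdr = bytearray(64)
    hdr[:4] = ELF_MAGIC
    hdr[4], hdr[5], hdr[6] = 2, 1, 1                # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HH", hdr, 16, 2, 0x3E)       # ET_EXEC, EM_X86_64
    struct.pack_into("<Q", hdr, 32, 64)             # e_phoff: right after the header
    struct.pack_into("<HHH", hdr, 52, 64, 56, 2)    # e_ehsize, e_phentsize, e_phnum
    phdrs = bytes(2 * 56)
    body = bytearray(1024)
    if packed:
        body[4:8] = UPX_MAGIC                       # loader-info magic after the phdrs
        body[300:300 + len(UPX_INFO)] = UPX_INFO    # copyright string inside the stub
        body[-32:-28] = UPX_MAGIC                   # PackHeader magic near end of file
    return bytes(hdr) + phdrs + bytes(body)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else make_sample_elf(packed=True)
    print(triage(data))
```

Run it with a path to inspect a real file; with no argument it triages the constructed sample. A hit is a reason to look closer rather than a verdict by itself, since a packer is also used by legitimate software and the markers can be removed from a packed file.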

Reference: For more information, see Virustotal – https://www.virustotal.com/gui/file/efbd281cebd62c70e6f5f1910051584da244e56e2a3228673e216f83bdddf0aa/detection

About GriftHorse Malware (30th Sep 2021)

Preface: A large portion of smartphones do not have antivirus software installed. Even where it is installed, the antivirus vendor is in a race with the cyber criminals. Nowadays, vendors establish malware sinkholes to find zero-day vulnerabilities and existing cyber attacks. If cyber criminals rely on software design limitations to hide on the phone, the sinkhole may not easily identify the malicious activity. Therefore a certain amount of personal data will go to an unknown destination.

Ref: Sinkholes are most often used to seize control of botnets by interrupting the DNS names of the botnet that is used by the malware.

Background: Headline news (BleepingComputer) reports today that there is a malware nicknamed GriftHorse. It infiltrated Android and caused hundreds of millions of smartphones to become victims. According to the BleepingComputer article, a mobile security firm (Zimperium) observed the malware (GriftHorse) exploiting the software flexibility of Apache Cordova and hunting over 10 million victims globally.

Details: The Trojans are developed using the mobile application development framework Apache Cordova, Zimperium said. They uncovered more than 130 GriftHorse apps being distributed through both Google Play and third-party application stores, across all categories. Some of them have basic functionality, and some of them do nothing. Before you read the details of the article, you can quickly look at the attached picture to understand that there are many ways to exploit Apache Cordova features to sniff data on the endpoint.

Ref: Cordova wraps your HTML/JavaScript app into a native container which can access the device functions of several platforms. Apache Cordova is an open source framework that enables web developers to use their HTML, CSS, and JavaScript content to create a native application for a variety of mobile platforms.

Reference article, please refer to the link:

Bleepingcomputer – https://www.bleepingcomputer.com/news/security/new-android-malware-steals-millions-after-infecting-10m-phones/

Zimperium – https://blog.zimperium.com/grifthorse-android-trojan-steals-millions-from-over-10-million-victims-globally/

Stealth attack of UEFI bootkit (29th Sep 2021)

Preface: Digital spyware and monitoring technology allows its user to covertly monitor a target’s communications or collect personal data emitted from their devices.

Background: FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc, which markets the spyware through law enforcement channels. On August 6, 2014, FinFisher source code, pricing, support history, and other related data were retrieved from the Gamma International internal network and made available on the Internet.

Synopsis: A UEFI bootkit that was loading FinSpy was found; all machines infected with the UEFI bootkit had their Windows Boot Manager replaced.

Impact:
– Bypasses kernel protections (NX and PatchGuard)
– Bypasses local authentication
– Elevated process privileges

Technical details: Kaspersky found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one, Kaspersky said.

Ref: FinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and recording audio.

For more detailed information on the findings of this research, please visit the Kaspersky website – https://securelist.com/finspy-unseen-findings/104322/#iocs
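Two posts on this page hinge on the same file format: the XLL post above notes that an Excel add-in is really a DLL despite its icon, and this post describes a boot manager image (bootmgfw.efi) being swapped for a malicious one. The following PE header reader is an added example (not Kaspersky's, Microsoft's or the post's own code) that serves both: it confirms that an .xll carries the IMAGE_FILE_DLL characteristic, and it checks that a file claiming to be the boot manager is an EFI application with an Authenticode certificate table (data directory entry 4), the structure a Secure Boot signature lives in. The sample images are constructed header-only files with no code; a real check would also verify the signature itself with proper tooling and compare the hash against a known-good copy.

```python
"""Minimal PE header reader for two triage checks (added example; constructed samples)."""
import struct
from typing import List, Optional

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table


def parse_pe(data: bytes) -> Optional[dict]:
    """Selected COFF/optional header fields, or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symtab, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:                      # NumberOfRvaAndSizes, DataDirectory
        dd_count_off, dd_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        dd_count_off, dd_off = 108, 112
    else:
        return None
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset in PE32/PE32+
    (n_dirs,) = struct.unpack_from("<I", data, opt + dd_count_off)
    cert_off = cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        entry = opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_off, cert_size = struct.unpack_from("<II", data, entry)   # file offset, size
    return {"machine": machine, "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "subsystem": subsystem, "cert_offset": cert_off, "cert_size": cert_size}


def xll_is_really_dll(data: bytes) -> bool:
    """XLL post: despite the Excel icon, the file is a PE with the DLL flag set."""
    hdr = parse_pe(data)
    return bool(hdr and hdr["is_dll"])


def boot_manager_check(data: bytes) -> List[str]:
    """Findings for a file that claims to be bootmgfw.efi (empty list = nothing odd)."""
    hdr = parse_pe(data)
    if hdr is None:
        return ["not a PE image"]
    findings = []
    if hdr["subsystem"] != IMAGE_SUBSYSTEM_EFI_APPLICATION:
        findings.append(f"unexpected subsystem {hdr['subsystem']}")
    if hdr["cert_size"] == 0:
        findings.append("no Authenticode certificate table")
    elif hdr["cert_offset"] + hdr["cert_size"] > len(data):
        findings.append("certificate table points outside the file")
    return findings


def make_sample_pe(*, is_dll: bool, subsystem: int, cert_size: int) -> bytes:
    """Constructed PE32+ header-only image (no sections, no code) for the demo."""
    characteristics = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = bytearray(240)                         # PE32+ optional header, 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108, 16)
    headers_len = e_lfanew + 4 + 20 + len(opt)
    if cert_size:                                # certificate blob placed after the headers
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         headers_len, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt) + b"\0" * cert_size


if __name__ == "__main__":
    print("xll is dll:", xll_is_really_dll(make_sample_pe(is_dll=True, subsystem=2, cert_size=0)))
    print("bootmgr findings:", boot_manager_check(make_sample_pe(is_dll=False, subsystem=10, cert_size=0)))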

Another flaw prompted an urgent U.S. government warning and guidance (Azure Cosmos DB) – 29th Aug 2021

Preface: Data scientists are big data wranglers, gathering and analyzing large sets of structured and unstructured data. Jupyter Notebooks allow data scientists to create and share their documents, from code to full-blown reports, which helps them streamline their work.

Background: Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and Azure Cosmos DB accounts, making them easy for data scientists to use. The Jupyter Notebook is an open-source web application that allows you to create and share documents that contain live code, equations, visualizations and narrative text. Uses include data cleaning and transformation, numerical simulation, statistical modeling, data visualization, machine learning, and much more.

Speculation related to this matter: A trojan malware campaign found in November last year (2020) is targeting businesses and higher education in what appears to be an effort to steal usernames, passwords and other private information, as well as to create a persistent backdoor onto compromised systems.

Vulnerability details: A misconfiguration vulnerability in Microsoft’s Azure Cosmos DB may have exposed customer data. In the first step, the attacker gains access to the customer’s Cosmos DB primary key, for example by exploiting the vulnerability in the Jupyter Notebook (virtual machine) to obtain the key.

Ref: Primary keys are long-lived and allow full READ/WRITE/DELETE access to customer data.

Workaround: Navigate to your Azure Cosmos DB account in the Azure portal and regenerate the secondary key. Please refer to the URL for details – https://docs.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key#primary-keys

CISA announcement – https://us-cert.cisa.gov/ncas/current-activity/2021/08/27/microsoft-azure-cosmos-db-guidance

Are there other ways to avoid ransomware infection? (6th Jul, 2021)

Preface: A ransomware attack paralyzed the networks of at least 200 U.S. companies, said headline news. President Biden announced an investigation into the international ransomware attack on 3rd Jul, 2021.

Background analysis: Cyber criminals are turning to fileless attacks to bypass firewalls. These attacks embed malicious code in scripts or load it into memory without writing to disk.

  • Malware tricks you into installing software that allows scammers to access your files and track your actions.
  • Ransomware is a form of malware whose goal is to lock the user out of their files or their device.

However, whether it is malware or ransomware, they all rely on working with C&C servers. Cybercriminals use C&C servers to host ransomware. If the computer cannot access the infected server and/or malicious website, ransomware infections will be reduced.

How does DNS sinkholing reduce the infection hit rate? In fact, the firewall cannot see the originator of the DNS query. When the client tries to connect to a malicious domain, the existing solution is likely to wait for the download and let the anti-virus and malware protection mechanisms isolate the malicious file.

Sinkholing can be done at different levels. Both ISPs and Domain Registrars are known to use sinkholes to help protect their clients by diverting requests to malicious or unwanted domain names onto controlled IP addresses.
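To make the mechanism concrete, here is an added example (not code from the original post) of the core of a DNS sinkhole: the resolver answers a query for a known-bad name with a controlled address instead of the real one, and records which client asked, which is exactly the originator visibility the post says a perimeter firewall lacks. The exchange is shown from both sides in wire format using only the standard library; the blocked names, client addresses and sinkhole address are constructed for the demonstration.

```python
"""DNS sinkhole core: forge answers for blocked names and log the asking client
(added example; constructed names and addresses)."""
import socket
import struct
from typing import Dict, List, Optional, Tuple

SINKHOLE_IP = "10.255.255.1"                                         # constructed
BLOCKED_DOMAINS = {"c2.example.invalid", "payload.example.invalid"}  # constructed
QTYPE_A = 1


def encode_name(name: str) -> bytes:
    """'a.b.c' -> DNS label form: len, label, ..., 0."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\0"


def decode_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Read a label sequence at off (question names carry no compression pointers)."""
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode())
        off += n
    return ".".join(labels), off


def build_query(qid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Client side: standard query, recursion desired, one IN question."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def sinkhole_response(query: bytes, client: str, log: List[Dict]) -> Optional[bytes]:
    """Resolver side: forged answer for a blocked name; None means forward upstream."""
    qid, _flags, qdcount = struct.unpack_from(">HHH", query, 0)
    if qdcount != 1:
        return None
    name, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack_from(">HH", query, off)
    if name.lower() not in BLOCKED_DOMAINS:
        return None
    # The sinkhole sees the originating client: record who asked for what.
    log.append({"client": client, "qname": name, "qtype": qtype})
    question = query[12:off + 4]
    if qtype != QTYPE_A:
        # QR|AA|RD|RA with RCODE 3 (NXDOMAIN): nothing else exists for this name.
        return struct.pack(">HHHHHH", qid, 0x8583, 1, 0, 0, 0) + question
    # One A record: pointer to the question name (0xC00C), IN, TTL 60, 4-byte address.
    answer = struct.pack(">HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return struct.pack(">HHHHHH", qid, 0x8580, 1, 1, 0, 0) + question + answer


def response_rcode(resp: bytes) -> int:
    """RCODE from the flags word of a response."""
    return struct.unpack_from(">H", resp, 2)[0] & 0xF


def answer_address(resp: bytes) -> Optional[str]:
    """Address in the first A record of a response built above, or None."""
    _qid, _flags, _qd, ancount = struct.unpack_from(">HHHH", resp, 0)
    if ancount == 0:
        return None
    _name, off = decode_name(resp, 12)
    off += 4                                     # skip qtype and qclass
    rdlen = struct.unpack_from(">H", resp, off + 10)[0]
    return socket.inet_ntoa(resp[off + 12:off + 12 + rdlen])


if __name__ == "__main__":
    seen: List[Dict] = []
    reply = sinkhole_response(build_query(0x1234, "c2.example.invalid"), "192.168.1.20", seen)
    print("client sent to:", answer_address(reply), "| log:", seen)
```

In a deployment this logic sits behind a UDP socket on port 53: a None return means the query goes to the upstream resolver as normal, and the log entries are what the SIEM ingests to find the infected host, which is the piece the post notes a firewall alone cannot supply.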

Question: If the solution is mature and well-defined, why does the service provider not implement it? Is it a cost factor?