BlockThreat - Week 48, 2025
Upbit | Shai Hulud | MegaETH | Mixpanel | CoinTracker | CoinDCX
Greetings!
Just one major compromise this week involving Upbit, resulting in the theft of $36.8M. The compromise happened on November 27, which was the same date the exchange was hacked for $50M in 2019. Lazarus, which was responsible for both incidents, appears to be sending a message exactly six years later.
Shai Hulud returned with a revised and more effective mass-compromise campaign. The attack spread across more than 25,000 repositories and hundreds of npm packages. By moving its execution into preinstall scripts, which run automatically during `npm install`, it penetrated CI/CD environments such as GitHub Actions, enabling large-scale theft of credentials and secrets. As attackers review the stolen data we should be prepared for follow-on compromises that may involve major projects.
Speaking of supply chains, the Mixpanel breach resulted in user data leaks across several crypto platforms including CoinTracker, CoinDCX and others. Prepare for the next wave of phishing campaigns similar to the ones that followed the Ledger and Kroll breaches.
Let’s dive into the news!
News
Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised. You can find additional details from Wiz, SlowMist, GitGuardian, JFrog and Socket.
Crime
DPRK Detector - How North Korean is your Twitter feed?
The DPRK’s Violation and Evasion of UN Sanctions via Cyber and IT Worker Activities by SlowMist.
Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks by Socket.
Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ by Krebs on Security.
The Upbit hacker is laundering funds through Railgun and has passed their “ZK proof of innocence” by dethective.
Thief Posing as Delivery Driver Ties Up Homeowner, Steals $11M in Crypto.
Bitcoin Heist: Family Members Waterboarded, Sexually Assaulted as Attackers Steal $1.6 Million.
Policy
China’s central bank reaffirms crypto ban, flags stablecoin risks following multi-agency meeting.
Japan Moves to Mandate Reserves for Crypto Exchanges as Hacks Mount.
Phishing
Against all odds: security awareness campaign at Devconnect by The Red Guild.
Malware
Malicious PyPI Package Embeds Multi-Layer Encrypted Backdoor to Steal Users’ Cryptocurrency Information by HelixGuard.
Malicious Chrome Extension Injects Hidden SOL Fees Into Solana Swaps by Kush Pandya (Socket).
Media
The Immunefi Show Episode 3 - How to Protect Billions on Solana.
Atrium Academy - Building with a Focus on Security w/ Cyfrin.
Bankless Summit - The Bot Economy: When AI & MEV Collide with Shea Ketsdever.
SEC-T 0x11: Simon Gerst - Attacking and defending GitHub Actions.
Research
Mastering Ethereum 2nd Edition. An updated classic.
The Security Researcher’s Guide to Mathematics by Bernhard Mueller.
Blockchain bridge security - Part 3: Arbitrary call execution by Caliber.
The Fundamentals of Cryptocurrency Transaction Tracing by TRM.
Shielded Pools with on-chain Retroactive Anonymity Control by Damian Straszak.
SmartPoC: Generating Executable and Validated PoCs for Smart Contract Bug Reports.
Price manipulation schemes of new crypto-tokens in decentralized exchanges.
Tools
Herd Contract Visualizer allows you to see all the functions and variable relationships in a nice graph view.
Anchor Constraints Analyzer by Decurity. This tool analyzes security of constraints in Solana programs written with Anchor.
Enjoy reading BlockThreat? Consider sponsoring the next edition or becoming a paid subscriber to unlock the premium section with detailed information on hacks, vulnerabilities, indicators, special reports, and searchable newsletter archives.