Recent cybersecurity developments highlight the increasing sophistication of threat actors, particularly North Korea-linked groups deploying OtterCookie malware via malicious npm packages as part of the Contagious Interview campaign. Additionally, vulnerabilities such as CVE-2021-26829 in OpenPLC ScadaBR are being actively exploited, underscoring the need for vigilance against known exploits.
Key Insights
North Korean Malware Distribution: North Korean threat actors have expanded their Contagious Interview campaign by uploading 197 malicious npm packages designed to distribute an updated version of the OtterCookie malware; the packages have been downloaded over 31,000 times (Security Affairs, 2025-11-30).
Exploited Vulnerabilities: CISA has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, to its Known Exploited Vulnerabilities catalog, indicating active exploitation (The Hacker News, 2025-11-30).
RomCom's Targeting of U.S. Firms: The Russia-aligned RomCom group has targeted U.S. firms involved in Ukraine support, using fake software updates to deploy the Mythic Agent, marking a shift in their operational tactics (CSO Online, 2025-11-28).
Emerging Threats
OtterCookie Malware: The ongoing deployment of OtterCookie malware by North Korean actors poses a significant threat to software developers and organizations using npm packages (Security Affairs, 2025-11-30).
CVE-2021-26829 Exploitation: The active exploitation of the XSS vulnerability in OpenPLC ScadaBR could lead to severe security breaches in industrial control systems (The Hacker News, 2025-11-30).
RomCom's Mythic Agent Delivery: The use of fake software updates to deliver sophisticated payloads like the Mythic Agent signifies a new tactic in cyber operations against U.S. entities (CSO Online, 2025-11-28).
Recommendations
Monitor npm Packages: Organizations should implement strict monitoring and vetting processes for npm packages to mitigate risks from malicious uploads like those seen in the Contagious Interview campaign.
Patch Known Vulnerabilities: Patch CVE-2021-26829 and other known exploited vulnerabilities promptly to prevent exploitation, especially in critical infrastructure.
User Education on Phishing: Strengthening user awareness and training regarding phishing tactics, particularly those involving fake software updates, is essential to safeguard against credential theft.
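The "Monitor npm Packages" recommendation above in code, as an added example that is not from this page or from any of the cited outlets: a vetting check over npm registry metadata that flags install-time lifecycle scripts, freshly created package names, and a thin publication history before a package is allowed into a build. The sample metadata, the evaluation date and the thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Lifecycle hooks npm runs during `npm install`; a package declaring one runs code before its source is read.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample (not a real package): evaluation date and registry metadata
# in the shape of an npm "packument" (name, dist-tags, versions, time, maintainers).
EVALUATION_DATE = datetime(2025, 11, 30, tzinfo=timezone.utc)
SAMPLE_PACKUMENT = {
    "name": "example-lookalike-utils",
    "dist-tags": {"latest": "1.0.1"},
    "versions": {"1.0.0": {"scripts": {}},
                 "1.0.1": {"scripts": {"postinstall": "node setup.js"}}},
    "time": {"created": "2025-11-25T00:00:00.000Z"},
    "maintainers": [{"name": "newuser"}],
}

def vet_package(packument: dict, now: datetime, min_age_days: int = 30,
                min_versions: int = 3) -> list[str]:
    """Return risk findings for one package's registry metadata (thresholds are
    example assumptions, not npm or industry defaults)."""
    findings, name = [], packument.get("name", "<unknown>")
    # 1. Install-time scripts in the version that `npm install <name>` would fetch.
    latest = packument.get("dist-tags", {}).get("latest")
    scripts = packument.get("versions", {}).get(latest, {}).get("scripts", {})
    hooks = [h for h in INSTALL_HOOKS if h in scripts]
    if hooks:
        findings.append(f"{name}@{latest} declares install hooks: {', '.join(hooks)}")
    # 2. Package age: bulk-uploaded malicious names are, by definition, brand new.
    created = packument.get("time", {}).get("created")
    if created is None:
        findings.append(f"{name} has no creation timestamp")
    else:
        age = now - datetime.fromisoformat(created.replace("Z", "+00:00"))
        if age < timedelta(days=min_age_days):
            findings.append(f"{name} was created only {age.days} day(s) ago")
    # 3. Thin publication history and a lone maintainer are weak signals alone,
    #    but together with the above they justify holding the package for review.
    if len(packument.get("versions", {})) < min_versions:
        findings.append(f"{name} has fewer than {min_versions} published versions")
    if len(packument.get("maintainers", [])) <= 1:
        findings.append(f"{name} has a single maintainer")
    return findings

def is_allowed(findings: list[str]) -> bool:
    """Example policy: block on any install hook; otherwise allow at most one weak signal."""
    if any("install hooks" in f for f in findings):
        return False
    return len(findings) <= 1
```

In a real pipeline the packument comes from the registry's per-package endpoint and the check runs against every new dependency in a lockfile diff, with blocked packages routed to manual review rather than silently dropped.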