ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories
Canadian authorities arrested three men for operating an SMS blaster device that mimicked a cellular tower to send phishing texts, marking the first such case in the country.

Canadian authorities have arrested three men for operating an SMS blaster device that masquerades as a cellular tower to send phishing texts to nearby phones. These tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. "An SMS blaster works by mimicking a legitimate cellular tower. When nearby phones connect to it, users receive fraudulent text messages that appear to come from trusted organizations," authorities said. "These messages often prompt recipients to click on links that lead to fake websites designed to capture personal information, including banking credentials and passwords." The three men face 44 charges in connection with the crime. Tens of thousands of devices connected to the blaster over several months, the official said. This is the first time an SMS blaster has been spotted in the country.
In a software supply chain attack, a malicious npm package impersonating TanStack has been discovered shipping versions that exfiltrate environment variables from developers' machines during install. The package, named tanstack, is designed to "silently steal environment variable files, including .env, .env.local, and .env.production, from developers' machines at install time, exfiltrating them to an attacker-controlled endpoint," Socket said. The malicious package is maintained by a user named "sh20raj." Versions 2.0.4 through 2.0.7 are confirmed malicious. Update: In a post shared on X, Shaswat Raj (@SH20RAJ), the developer behind the package, apologized for his actions and claimed he demanded $10,000 from Tanner Linsley, creator of TanStack, as he "thought it was acceptable to ask for a bounty" for returning the name. The developer also stated the malicious code was part of "random testing" for jailbreaking Google Antigravity.
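A quick way to check whether a project pulled in one of the confirmed-malicious versions is to scan its package-lock.json. The following is an added example, not code from Socket or the TanStack project; the only page-derived facts are the package name tanstack and versions 2.0.4 through 2.0.7, and the sample lockfile is constructed.

```javascript
// Added example: scan an npm package-lock.json for the confirmed-malicious
// "tanstack" versions (2.0.4 through 2.0.7). Sample data is constructed;
// pass a real lockfile path as the first argument to scan a project.

// Confirmed-malicious name/version pairs from the Socket report.
const MALICIOUS = { tanstack: ["2.0.4", "2.0.5", "2.0.6", "2.0.7"] };

// Flatten a lockfile into [{ name, version, path }] for both lockfileVersion 1
// (nested "dependencies" tree) and lockfileVersion 2/3 ("packages" map keyed
// by the install path, e.g. "node_modules/@scope/pkg").
function listPackages(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry, not a dependency
      const marker = "node_modules/";
      const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
      out.push({ name, version: meta.version, path });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`); // nested (deduplicated) deps
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Every installed package whose exact name@version is on the bad list.
function findMalicious(lock, badList = MALICIOUS) {
  return listPackages(lock).filter(
    (p) => badList[p.name] && badList[p.name].includes(p.version)
  );
}

// Constructed v3 lockfile: the legitimate scoped package alongside the typosquat.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/react-query": { version: "5.0.0" },
    "node_modules/tanstack": { version: "2.0.5" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const hits = findMalicious(lock);
  for (const h of hits) console.log(`MALICIOUS ${h.name}@${h.version} at ${h.path}`);
  if (file) process.exitCode = hits.length ? 1 : 0;
}
```

Rotate any secrets held in .env files on a machine where a hit is found, since the package exfiltrates them at install time.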
LayerX has found that multiple networks of browser extensions collect user data and resell it for profit. Unlike malicious extensions that conceal their behavior behind some harmless functionality, the 80 identified extensions explicitly state in their privacy policies that they collect and sell the data of users who install them. "A network of 24 media extensions that are installed on 800,000 users and collect viewing data and demographic information on major streaming platforms such as Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and others," LayerX said. "12 separate ad blockers with a combined install base of over 5.5 million users openly selling user data. Nearly 50 other extensions, with over 100,000 users in aggregate, that collected and resold users' browsing data."
Huntress has revealed that unknown threat actors used stolen VPN credentials to pivot into a Windows workstation belonging to an unspecified organization via Impacket's smbexec.py, and dropped a SYSTEM-level backdoor using the Komari agent, a Go-based remote-control, monitoring, and management tool. The development marks the first publicly documented case of the tool being abused in a real-world intrusion. It also illustrates how threat actors are increasingly turning to publicly available, legitimate tools to conduct attacks. "Komari is not a telemetry tool that happens to be abusable - it is a bidirectional control channel by design. The agent opens a persistent WebSocket to its server and accepts three server-to-agent event types out of the box: exec (arbitrary command execution via PowerShell / sh), terminal (interactive PTY reverse shell in the operator's browser), and ping (ICMP / TCP / HTTP probing)," Huntress said. "All three are enabled by default." Whereas other abused tools such as Velociraptor and SimpleHelp typically serve as a means to an end, Komari gives an operator arbitrary command execution, an interactive PTY reverse shell, and network probing by default, over a TLS-fronted WebSocket.
Researchers have detailed two new phishing kits named Saiga 2FA and Phoenix System that have been linked to email and SMS phishing attacks. According to Barracuda, Saiga 2FA goes beyond traditional adversary-in-the-middle (AitM) features by integrating tools like FM Scanner for extracting and analyzing mailbox content. "Saiga 2FA is an example of how phishing kits are evolving into application-level platforms," the company said. "Unlike traditional phishing kits, Saiga integrates infrastructure, automation, and post-compromise capabilities into a unified system, supporting advanced and highly targeted campaigns." Phoenix System, on the other hand, has been tied to over 2,500 phishing domains since January 2025, while relying on IP-based filtering and geofencing for precision targeting. It is assessed to be the successor to the now-defunct Mouse System. "The campaigns are delivered via SMS, potentially leveraging fake Base Transceiver Station..."