- within Antitrust/Competition Law, Insolvency/Bankruptcy/Re-Structuring and About Mondaq topic(s)
Malware Activity
Fake Repositories and Social Engineering Attacks
Recent cybersecurity incidents highlight the growing sophistication of cybercriminals targeting developers and organizations. One attack involved creating fake coding projects on trusted platforms like GitHub, designed to trick developers into running malicious scripts that give hackers remote control over their machines, risking data theft and network breaches. Meanwhile, a Russian-linked group known as UAC-0050 or Mercenary Akula has targeted European financial institutions with convincing fake emails impersonating Ukrainian courts, leading to malware infections that grant remote access. These tactics, blending social engineering and stealthy malware delivery, show the increasing use of deception to infiltrate sensitive systems. Experts advise organizations and developers to be vigilant, adopt strong security practices, and monitor suspicious activity to defend against these complex threats that threaten both individual users and critical institutions. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
BleepingComputer: Fake Next.js Job Interview Tests Backdoor Developer's Devices article
Threat Actor Activity
New Phishing Operation Targeting Freight, Cargo, and Logistics Industries in US, Europe
The Diesel Vortex group, a financially motivated threat actor, has been targeting freight and logistics operators in the U.S. and Europe using phishing attacks across fifty-two (52) domains since September 2025. This campaign resulted in the theft of 1,649 unique credentials from key industry platforms such as DAT Truckstop and Penske Logistics. The group's phishing infrastructure was designed to mimic logistics platforms, capturing sensitive data like credentials, PINs, and two-factor authentication codes. They employed techniques like voice phishing (vishing) and Telegram channel infiltration, using Cyrillic homoglyphs to evade security filters. Researchers from Have I Been Squatted uncovered the operation through an exposed repository containing a phishing project database and Telegram logs. Analysis revealed that Diesel Vortex, likely Armenian speaking with Russian ties, operated a sophisticated criminal enterprise complete with a call center and mail support. The operation involved freight impersonation, mailbox compromise, and double-brokering, where stolen carrier identities were used to divert cargo. The infrastructure supporting Diesel Vortex was dismantled following a coordinated effort by GitLab, Cloudflare, Google Threat Intelligence Group, and others. The operation's ties to Russian companies were established through domain registration data and corporate filings. The campaign highlights the growing threat of cargo theft increasing in the digital logistics sector, with estimated annual losses around $35 billion. The U.S. is responding with legislative measures like the "Combatting Organized Retail Crime Act of 2025" to address cargo theft and related crimes.
Bleeping Computer: Diesel Vortex Article
The Record: Diesel Vortex Article
Vulnerabilities
Configuration-Based Flaws in Anthropic Claude Code Enable RCE and API Key Exfiltration
Researchers from Check Point have disclosed multiple vulnerabilities in Anthropic's Claude Code AI coding assistant that could allow remote code execution (RCE) and theft of sensitive API credentials when developers open untrusted repositories. The issues stem from configuration abuse involving Hooks, Model Context Protocol (MCP) servers, and environment variables, enabling attackers to execute arbitrary shell commands and exfiltrate Anthropic API keys without meaningful user interaction. The flaws include a consent-bypass code injection vulnerability tied to project hooks (fixed in v1.0.87),
allowing automatic command execution during tool initialization in untrusted directories (fixed in v1.0.111), and
, which exposes API keys through manipulated project-load behavior (fixed in v2.0.65). Exploitation could occur simply by opening a malicious repository that redirects API traffic to attacker-controlled infrastructure, enabling credential capture, unauthorized data access, cloud data manipulation, and unexpected API usage costs. Researchers emphasized that AI development environments expand the traditional supply-chain threat model, as configuration files and automation layers now directly influence execution behavior, making the act of opening untrusted projects itself a significant security risk.
The Hacker News: Claude Code Vulnerabilities Article
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
