Triaging the Week 068

Hello there 👋 

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!


Top 5 News Stories

Malicious Python Packages on PyPI Rack Up 39,000+ Downloads, Targeting Sensitive Data 

Over 39,000 downloads later, malicious Python packages on PyPI—like “disgrasya”—are stealing payment data with carding scripts aimed at WooCommerce users. Developers, vet your libraries—supply chain attacks are hitting hard! 

Key takeaways: 

🦠 Widespread Threat: Three malicious PyPI packages, including “disgrasya” (37,217 downloads), “bitcoinlibdbfix,” and “bitcoinlib-dev,” were downloaded over 39,000 times, sneaking data-stealing code into developer systems. 

💳 Carding Focus: “Disgrasya” hides a fully automated script targeting WooCommerce stores, testing stolen credit cards, while the bitcoinlib fakes pose as fixes to siphon sensitive info. 

🕵️‍♂️ Deceptive Tactics: Attackers joined GitHub discussions to push fake fixes, tricking users into installing malware disguised as legit libraries—removed from PyPI only after exposure. 

🛡️ Call to Action: ReversingLabs and Socket stress rigorous code checks as these packages exploit trust in open-source ecosystems for supply chain attacks. 

The Hacker News 

Hackers Exploit SSRF Bugs in EC2-Hosted Sites to Swipe AWS Credentials 

Hackers are targeting EC2-hosted sites with SSRF bugs, snagging AWS credentials from metadata endpoints in a campaign that peaked March 13-25, 2025. Move to IMDSv2 now. F5 Labs warns that older flaws still pack a punch; it’s time to patch up!

Key takeaways: 

🕵️‍♂️ SSRF Campaign: A targeted attack from March 13-25, 2025, exploited Server-Side Request Forgery (SSRF) flaws in AWS EC2-hosted sites to query internal metadata and steal IAM credentials. 

🔑 Credential Theft: Using IMDSv1 endpoints, attackers extracted sensitive AWS data, risking access to S3 buckets and broader service control—likely the work of a single threat actor, per F5 Labs. 

🛡️ Persistent Risk: 40% of exploited CVEs are over four years old, showing outdated systems remain vulnerable. IMDSv2 adoption is urged to block these attacks.

🔧 Mitigation Call: Update to IMDSv2, harden configs, and replace end-of-life gear to counter this evolving threat to cloud infrastructure. 

F5 Labs 
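The server-side counterpart to the IMDSv2 advice above, as an added example (not from F5 Labs or this newsletter): an outbound-URL guard for any feature that fetches URLs on a user's behalf, refusing anything that is, or resolves to, a link-local or private address, which covers the 169.254.169.254 metadata endpoint and its IPv6 counterpart fd00:ec2::254. The hostnames and addresses used in the checks are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a server-side fetcher should never reach on a user's behalf. The EC2 metadata
# endpoint 169.254.169.254 sits in 169.254.0.0/16; its IPv6 twin fd00:ec2::254 is in fc00::/7.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def ip_is_blocked(ip_text):
    """True if the address (or the IPv4 address it maps to) lies in a blocked range."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped              # ::ffff:169.254.169.254 is really 169.254.169.254
    return any(ip in net for net in BLOCKED_NETWORKS)

def default_resolver(host):
    """Resolve a hostname to every address it points at; each one must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def url_is_safe(url, resolver=default_resolver):
    """Decide whether a server-side fetch of url may proceed.

    Rejects non-HTTP schemes, empty hosts and any host that is, or resolves to, a blocked
    address. Decimal or hex spellings of an IP are not parsed here; they reach the resolver,
    whose answers are then checked like any other.
    """
    try:
        parts = urlsplit(url)
    except ValueError:                   # malformed bracketed IPv6 host, etc.
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return not ip_is_blocked(parts.hostname)   # literal IP address in the URL
    except ValueError:
        pass                             # not an IP literal: treat as a hostname
    try:
        addrs = resolver(parts.hostname)
    except OSError:                      # socket.gaierror is an OSError subclass
        return False
    return bool(addrs) and not any(ip_is_blocked(a) for a in addrs)
```

Checking resolved addresses does not close the DNS-rebinding window between check and connect, so connect to the address you validated rather than re-resolving; on the instance side, requiring IMDSv2 session tokens remains the defense in depth.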

Critical FortiSwitch Flaw Enables Remote Admin Password Takeover by Hackers 

Fortinet’s FortiSwitch has a critical flaw (CVE-2024-48887) that lets hackers remotely change admin passwords. Rated 9.8/10 in severity, it’s a high-risk threat with no known exploits yet. Patch now to versions 7.4.5, 7.2.10, or 7.0.11 to lock it down!  

Key takeaways: 

🚨 Critical Vulnerability: CVE-2024-48887 in FortiSwitch allows unauthenticated attackers to alter admin passwords remotely, scoring a 9.8/10 on CVSS for its low-complexity, no-interaction exploit potential. 

🛠️ Patch Released: Fortinet dropped fixes on April 8, 2025, for versions 7.4.5, 7.2.10, and 7.0.11—users must update fast, though no active exploitation is confirmed yet. 

🔒 Workaround Option: Can’t patch? Disable HTTP/HTTPS admin access and restrict to trusted hosts to block this GUI-based attack vector. 

🌍 Broad Impact: Fortinet also patched other flaws in FortiOS, FortiProxy, and more, signaling a busy day for admins securing networks.

Bleeping Computer 

CISA Flags CrushFTP Flaw as Actively Exploited, Adds to KEV Catalog 

CISA has added a critical CrushFTP flaw (CVE-2025-31161) to its KEV catalog after it was confirmed to have been exploited in the wild since March 30—over 815 servers are still vulnerable! Federal agencies must patch by April 28; orgs, update to v10.8.4 or v11.3.1 now!  

Key takeaways: 

🚨 Active Exploitation: CISA added CVE-2025-31161, an authentication bypass flaw in CrushFTP, to its Known Exploited Vulnerabilities (KEV) catalog due to attacks observed since March 30, 2025, risking full system compromise. 

🔓 Vulnerability Scope: This vulnerability affects CrushFTP v10 (pre-10.8.4) and v11 (pre-11.3.1), allowing unauthenticated attackers to access admin accounts like “crushadmin” via HTTP header flaws—fixed in the latest updates. 

🌍 Global Risk: As of April 6, 815 unpatched instances remain (487 in North America, 250 in Europe), with Huntress noting post-exploit use of tools like MeshCentral and AnyDesk. 

🛡️ Urgent Action: Federal agencies must mitigate by April 28, 2025; all users are urged to patch or enable the DMZ proxy to block this critical threat.

Huntress 

Malicious VSCode Extensions Sneak Cryptominers onto Windows Systems 

Beware developers! Nine fake VSCode extensions on Microsoft’s Marketplace, posing as legit tools, have infected Windows users with XMRig crypto miners. Over 300K installs and counting! 

Key takeaways: 

🕵️‍♂️ Stealthy Imposters: Nine VSCode extensions, uploaded April 4, 2025, mimic popular dev tools but secretly install XMRig to mine Ethereum and Monero on Windows systems. 

📈 Massive Reach: With over 300,000 installs (likely inflated for credibility), these extensions from a single shady publisher evaded Microsoft’s initial review, per ExtensionTotal’s findings. 

🦠 Sneaky Execution: A PowerShell script disables defenses, escalates privileges via DLL hijacking, and runs the miner—then installs the real extension to mask the attack. 

🛡️ Still Active: Although reported to Microsoft, these extensions remain on the Marketplace as of April 7, 2025; devs are urged to verify extension sources and scan their systems.

ExtensionTotal 


Top Tips of the Week

Threat Intelligence

• Follow intelligence-driven practices. Let CTI insights guide security decisions and responses.

Threat Hunting

• Collaborate with law enforcement. Sharing threat intelligence strengthens overall efforts against cybercrime.
• Implement threat intelligence metrics. Track and measure the effectiveness of your threat hunting efforts.
• Automate routine tasks in cyber threat hunting to focus on in-depth analysis. Leverage automation for efficiency in threat hunting processes.
• Develop a threat intelligence roadmap. A well-defined strategy guides efforts in integrating and optimizing processes.

Custom Tooling

• Document custom tools thoroughly. Clear documentation aids in maintenance, troubleshooting, and knowledge transfer.
• Secure your custom tool deployment process. Follow best practices to minimize security risks during tool distribution.

Feature Article

The Eight Principles of Intelligence

How do you know if your cyber threat intelligence is any good? Do you spell check, corroborate evidence, and tailor it to your audience? How do you remember to do all these things and produce consistent quality? Let me introduce you to the principles of intelligence.

The eight principles of intelligence will improve your intelligence work. They help guide you, keep your processes on track, and ensure your end product can withstand scrutiny. This guide explores each and gives you actionable advice on achieving them, from using a threat intelligence platform to structured analytical techniques to having an intelligence fusion function.

Let’s get stuck in and find out how to ensure you deliver a quality intelligence product every time!

Read Now


Learning Resources

Start Testing Your Python Code!

Do you test your code? You should be if you plan on using it long-term or sharing it with others!

PyTest is a powerful testing library for Python, and this step-by-step guide will show you how to integrate it with your VSCode so you can automate your code testing. The guide explores practical test-writing tips, including creating function-specific test files, leveraging naming conventions to organize and filter tests, and much more!

If you’re not testing your code, get started today with PyTest!

Analyze Your Network Traffic Using Zeek

This detailed webinar introduces Zeek (formerly Bro), a powerful network security monitoring tool known for its rich metadata extraction capabilities. Troy Wojewoda explains how Zeek passively analyzes network traffic and logs events with high granularity, making it especially useful for digital forensics, intrusion detection, and network auditing.

The webinar covers Zeek’s logging formats (TSV and JSON), its architecture, deployment considerations (internal vs. perimeter placements), and how Zeek’s connection log (conn.log) serves as the foundational element for all other protocol-specific logs.

If you’re a network defender looking to up your skills or deploy network security monitoring, look no further than Zeek!
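To make the conn.log-as-foundation point concrete, here is an added example (not from the webinar or Zeek itself) that parses Zeek's TSV format from its header directives and joins a protocol log back to its parent connection on the shared uid. The two log excerpts are constructed and trimmed to a handful of fields.

```python
import codecs
# Constructed Zeek TSV excerpts, trimmed to a few fields (real logs carry many more).
CONN_LOG = """#separator \\x09
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring
1744000000.100000\tCAbc1\t10.0.0.5\t51000\t203.0.113.10\t80\ttcp\thttp\t0.25\tSF
1744000001.200000\tCDef2\t10.0.0.7\t51001\t198.51.100.20\t443\ttcp\t-\t-\tS0
"""
HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tmethod\thost\turi\tstatus_code\tuser_agent
#types\ttime\tstring\tstring\tstring\tstring\tcount\tstring
1744000000.150000\tCAbc1\tGET\texample.test\t/login\t200\t(empty)
"""
CASTS = {"count": int, "int": int, "port": int, "time": float, "interval": float, "double": float}

def cast(raw, typ, unset, empty):
    if raw == unset:
        return None                      # "-": field was never set
    if raw == empty:
        return ""                        # "(empty)": set, but empty
    return CASTS.get(typ, str)(raw)      # numeric Zeek types are cast; the rest stay text

def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts keyed by #fields; the header directives drive the parse."""
    sep, markers, fields, types, rows = "\t", {"#unset_field": "-", "#empty_field": "(empty)"}, [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):            # e.g. "#separator \x09" means a tab
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
        elif line.startswith("#"):                     # other directives: key<sep>value(s)
            key, *vals = line.split(sep)
            if key == "#fields":
                fields = vals
            elif key == "#types":
                types = vals
            elif key in markers:
                markers[key] = vals[0]
        elif line.strip():                             # a data row
            unset, empty = markers["#unset_field"], markers["#empty_field"]
            rows.append({n: cast(r, t, unset, empty) for n, t, r in zip(fields, types, line.split(sep))})
    return rows

def join_on_uid(conn_rows, **protocol_logs):
    """Attach protocol-log rows (e.g. http=rows) to their parent conn.log row via the shared uid."""
    joined = {r["uid"]: {"conn": r} for r in conn_rows}
    for path, rows in protocol_logs.items():
        for r in rows:
            joined.setdefault(r["uid"], {}).setdefault(path, []).append(r)
    return joined
```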

NotebookLM: Take Your Research and Learning to the Next Level

Google’s NotebookLM is revolutionizing the way people interact with information. The video outlines how this AI tool allows users to upload diverse sources—from websites and PDFs to YouTube videos and personal journal entries—and receive tailored content like podcast-style summaries, study guides, and FAQ formats.

This awesome AI tool can be your research assistant, highly attentive and context-aware teacher, or even vacation planner. Rather than relying on users to drive the interaction, NotebookLM offers a passive yet rich learning experience with grounded citations and the option to share AI-generated insights dynamically. It represents a leap towards intuitive, deeply personalized learning tools.

Raise Your Threat Hunting Game With Velociraptor

Velociraptor is a powerful, open-source DFIR tool for rapidly triaging and hunting malware in your environment.

Velociraptor’s strength lies in its scalability and forensic precision. This video walkthrough showcases deploying YARA rules and memory forensics across multiple endpoints to identify malware like Cobalt Strike and Qakbot. It covers extracting DLLs, investigating executable memory sections, and hunting for anomalies like .NET assembly injections.

This tool is a game changer for deploying digital forensic capabilities across enterprise networks, and this video will show you how!