
Google Patches Chrome Zero-Day Vulnerability Used In Espionage Campaign

  • Written by Andrea Miliani, Former Tech News Expert
  • Fact-Checked by Sarah Frazier, Former Content Manager

A new vulnerability in Google Chrome has been spotted by the cybersecurity firm Kaspersky. Google has confirmed the threat and issued an update that includes a security fix. According to experts, the attackers targeted Russian journalists and educators for espionage purposes.

In a rush? Here are the quick facts:

  • A new Chrome zero-day vulnerability, CVE-2025-2783, was found and patched after Kaspersky reported targeted attacks.
  • Russian journalists and educators were targeted using phishing links tied to a fake conference invite.
  • Windows users are encouraged to update the Chrome browser to the 134.0.6998.177/.178 version.

“We immediately reported to Google; the company promptly released a patch to fix it,” states the announcement. “It’s too early to talk about technical details, but the essence of the vulnerability comes down to an error in logic at the intersection of Chrome and the Windows operating system that allows bypassing the browser’s sandbox protection.”

Kaspersky explained that Russian users at educational institutions and in the media received a fake invitation to the Primakov Readings international economic and political science forum containing personalized phishing links. The URLs redirected users to the legitimate Primakov Readings website, but the attackers could change the behavior of the links to launch a new attack at any time.

Google thanked Kaspersky’s team for the quick notice and assured that the threat has been managed. “We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” wrote Google. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

Windows users are encouraged to update the Chrome browser to the 134.0.6998.177/.178 version to avoid similar attacks.

A few days ago, Microsoft warned users about StilachiRAT malware used on Google Chrome extensions to access cryptocurrency wallets.


Stealthy Npm Malware Backdoors Popular Ethereum Library

  • Written by Kiara Fabbri, Former Tech News Writer
  • Fact-Checked by Sarah Frazier, Former Content Manager

Security researchers at ReversingLabs have discovered a sophisticated malware campaign targeting the npm package repository.

In a rush? Here are the quick facts:

  • Malicious npm packages ethers-provider2 and ethers-providerz create a backdoor in infected systems.
  • The malware uses multi-stage attacks, modifying ethers to embed a hidden reverse shell.
  • Attackers maintain persistence by creating loader.js, ensuring infection even after package removal.

The malicious packages, ethers-provider2 and ethers-providerz, secretly modify a widely used npm package, ethers, to create a backdoor on infected systems. The malware differs from typical npm malware in that it relies on a complex multi-stage attack to function.

These packages present themselves as real tools by duplicating the SSH2 package, which has received more than 350 million downloads, as noted by the researchers. Once installed, the malware downloads additional malicious code that modifies ethers to embed a concealed reverse shell, giving the attackers remote access.

ReversingLabs detected the threat using its Spectra platform. The infection process begins when ethers-provider2 is installed. The downloaded script executes a second-stage malware file which self-deletes following its execution to prevent detection.

The malware checks for the presence of ethers until it detects the package, then swaps provider-jsonrpc.js with a fake version that contains hidden malicious code.

The attack doesn’t stop there. The malware creates another file named loader.js that keeps the infection active after the removal of ethers-provider2.

The attackers establish a reverse shell connection during the third phase of their attack, which enables them to execute commands remotely through compromised SSH clients. ReversingLabs described this approach as evidence of advanced threat actor capabilities that require additional investigation.

The researchers identified ethers-providerz as a probable test version because its code contained multiple errors, although it followed the same pattern as the first malicious package.

The security experts discovered that ethers-provider2 remained accessible on npm at the time of reporting, even though ethers-providerz had been eliminated.

Security experts advise developers to check their systems for signs of infection and to use only trusted npm packages.