
Malicious Ads On Illegal Streaming Sites Infected 1 Million PCs, Microsoft Warns
- Written by Kiara Fabbri (former Tech News Writer)
- Fact-checked by Sarah Frazier (former Content Manager)
Microsoft has shut down multiple GitHub repositories that were being used in a large-scale malvertising campaign affecting nearly one million devices worldwide.
In a Rush? Here are the Quick Facts!
- Cybercriminals used malicious ads on illegal streaming sites to spread malware.
- Malware stole personal data, compromised security, and allowed remote control of devices.
- The campaign, called Storm-0408, used legitimate tools to blend with system operations.
The company discovered the attack in December 2024, when its threat intelligence team noticed malware being downloaded from GitHub onto users’ devices.
According to a Microsoft analysis, cybercriminals planted malicious ads inside videos on illegal streaming websites. These ads redirected unsuspecting users to GitHub, where malware was secretly downloaded onto their systems.
Once installed, the malware deployed additional harmful programs designed to steal personal information, compromise security, and allow attackers to maintain control over infected devices.
Microsoft’s analysis revealed that the campaign was highly organized, using multiple stages to spread malware. The first step involved luring users to GitHub, Discord, or Dropbox, where the malware was hosted.
Once downloaded, the malware collected data about the infected system, including memory size, operating system details, and user information. The attackers then used this data to deploy even more harmful programs, including information-stealing malware like Lumma Stealer and Doenerium.
In some cases, a remote monitoring tool called NetSupport was also installed, allowing attackers to control infected devices remotely. The campaign, tracked by Microsoft under the name Storm-0408, was designed to be difficult to detect. Attackers used legitimate tools like PowerShell and JavaScript to blend in with normal system operations.
They also implemented persistence techniques, such as modifying registry settings and adding startup shortcuts, to ensure that the malware remained on the infected devices even after a restart.
Microsoft worked with GitHub’s security team to remove the malicious repositories, preventing further infections. However, the company warned that similar attacks could happen in the future. It urged users to be cautious when visiting illegal streaming sites and to keep their software and security protections updated.
The blog post also provided technical details for cybersecurity professionals, including ways to detect signs of infection and prevent similar threats.
Microsoft emphasized the need for organizations to stay vigilant against evolving cyber threats, especially those leveraging trusted platforms like GitHub to spread malware.

Over 1,000 Users Downloaded A PyPI Package That Stole Crypto Private Keys
- Written by Kiara Fabbri (former Tech News Writer)
- Fact-checked by Sarah Frazier (former Content Manager)
A malicious Python package named “set-utils” was found stealing Ethereum private keys by hijacking wallet creation functions.
In a Rush? Here are the Quick Facts!
- Attackers exfiltrated stolen keys via the Polygon blockchain to evade detection.
- Over 1,000 downloads occurred before “set-utils” was removed from PyPI.
- Compromised wallets remain vulnerable even after uninstalling the package.
The package, which mimics legitimate Python utilities, was uploaded to the Python Package Index (PyPI) on January 29, 2025, and had been downloaded over 1,000 times before its discovery. Security researchers from Socket uncovered the attack and reported their findings.
Disguised as a simple tool for working with sets in Python, set-utils tricked developers into installing it. However, once in use, it silently stole Ethereum private keys and transmitted them to attackers through the Polygon blockchain.
This method makes the attack difficult to detect since most cybersecurity tools monitor traditional network traffic but do not flag blockchain transactions as suspicious.
The attack specifically targeted blockchain developers, decentralized finance (DeFi) projects, crypto exchanges, Web3 applications, and individuals using Python scripts to manage Ethereum wallets.
The package intercepted wallet creation functions in Python-based libraries, such as eth-account, and extracted private keys in the background. These keys were then encrypted using an attacker-controlled RSA public key and sent to the Polygon network through an RPC endpoint, effectively hiding the data in Ethereum transactions.
Unlike conventional phishing attacks or malware, this method bypasses common cybersecurity defenses. Since Ethereum transactions are permanent, attackers can retrieve stolen keys at any time.
Even if a user uninstalls the package, their wallets remain compromised. Any Ethereum accounts created while set-utils was active should be considered unsafe, and users are urged to transfer their funds to a new, secure wallet immediately.
Another stealth feature of the attack was its ability to modify standard wallet creation functions without the user noticing. The malicious code wrapped around normal Ethereum account generation functions, running in the background while the user continued to work. This ensured that every newly created wallet had its private key stolen.
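As an added example (not code from the Socket report or from the set-utils package), here is a baseline check that catches the kind of function wrapping described above: record the code objects behind the wallet-creation calls at trusted import time, then compare later. The `Account` class with its `create()` is a constructed stand-in for the wallet library (hypothetical, not eth-account), and the exfiltration channel is replaced by a plain list.

```python
import functools


class Account:
    """Constructed stand-in for a wallet library (hypothetical, not eth-account)."""

    @staticmethod
    def create():
        # Constructed sample values standing in for a freshly generated key pair.
        return {"address": "0xCONSTRUCTED", "key": "constructed-private-key"}


def snapshot(obj, names):
    """Record the code object behind each named callable at trusted import time."""
    return {name: getattr(obj, name).__code__ for name in names}


def find_patched(obj, baseline):
    """Return names whose implementation no longer matches the baseline.
    functools.wraps copies __name__, __doc__ and __module__, so those look clean;
    the code object is never copied and the wrapper gains a __wrapped__ attribute."""
    patched = []
    for name, code in baseline.items():
        fn = getattr(obj, name)
        if getattr(fn, "__code__", None) is not code or hasattr(fn, "__wrapped__"):
            patched.append(name)
    return patched


def simulate_wrapping(obj, name, sink):
    """Constructed imitation of the wrapping described in the article: the original
    still runs and returns its normal result while the key is copied into `sink`
    (a plain list standing in for the attacker's exfiltration channel)."""
    original = getattr(obj, name)

    @functools.wraps(original)
    def wrapper(*args, **kwargs):
        result = original(*args, **kwargs)
        sink.append(result["key"])
        return result

    setattr(obj, name, staticmethod(wrapper))


def demo():
    """Clean before the wrap; flagged after it, although the wallet looked normal."""
    baseline = snapshot(Account, ["create"])
    before = find_patched(Account, baseline)
    stolen = []
    simulate_wrapping(Account, "create", stolen)
    wallet = Account.create()
    return before, find_patched(Account, baseline), len(stolen), "key" in wallet
```

Taking the snapshot right after importing the library from a known-good environment and re-running `find_patched` before any key is generated is the check a Python environment hosting wallet code would want.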
Following its discovery, set-utils was removed from PyPI, but the risk remains for anyone who installed it before the takedown. Security experts advise checking Python environments for the package and scanning for any unauthorized wallet access.
The incident highlights the growing threat of supply chain attacks in the open-source ecosystem, where malicious software is disguised as helpful tools, putting developers and their projects at risk.