Arch Linux pulls AUR packages that installed Chaos RAT malware

Source: https://www.bleepingcomputer.com/news/security/arch-linux-pulls-aur-packages-that-installed-chaos-rat-malware/

The reported security threat involves the discovery and subsequent removal of malicious packages from the Arch User Repository (AUR) that were found to install the Chaos RAT malware. Chaos RAT is a Remote Access Trojan that enables attackers to gain unauthorized control over infected systems, potentially allowing them to exfiltrate data, execute arbitrary commands, and maintain persistence within the compromised environment. The threat was identified through community monitoring and reported on a trusted cybersecurity news platform, BleepingComputer, with corroboration from discussions on the InfoSecNews subreddit. Although the AUR is a community-driven repository that allows users to share and install packages not officially maintained by Arch Linux, this incident highlights the risk of malware distribution through unofficial channels. The malicious packages were promptly pulled from the AUR to prevent further infections. There is no indication of known exploits in the wild beyond the discovery, and the discussion level remains minimal, suggesting early-stage awareness. However, the potential for widespread impact exists given the popularity of Arch Linux among advanced users and developers who may rely on AUR packages for software installation. The threat underscores the importance of verifying package integrity and source authenticity when using community repositories. The lack of affected version details and patches indicates that mitigation relies primarily on repository hygiene and user vigilance rather than software updates.

Reddit InfoSec News

Detailed information about Arch Linux pulls AUR packages that installed Chaos RAT malware. Get real-time updates, technical details, and mitigation strategies.

Arch Linux pulls AUR packages that installed Chaos RAT malware - Live Threat Intelligence - Threat Radar | OffSeq.com

Arch Linux pulls AUR packages that installed Chaos RAT malware

Reddit Discussion: Arch Linux pulls AUR packages that installed Chaos RAT malware

New CrushFTP zero-day exploited in attacks to hijack servers

Source: https://www.bleepingcomputer.com/news/security/crushftp-zero-day-exploited-in-attacks-to-gain-admin-access-on-servers/

A newly discovered zero-day vulnerability affecting CrushFTP, a widely used file transfer server software, has been reported to be actively exploited in attacks aimed at hijacking servers. CrushFTP is known for its robust file transfer capabilities supporting multiple protocols such as FTP, SFTP, HTTP, and WebDAV, and is commonly used by enterprises for secure file sharing and transfer. The zero-day vulnerability allows attackers to gain administrative access to affected servers, effectively bypassing authentication controls. This unauthorized admin access can enable attackers to fully control the server, manipulate files, deploy malware, exfiltrate sensitive data, or use the compromised server as a pivot point for further attacks within an organization’s network. Although specific technical details such as the exact nature of the vulnerability, affected versions, or exploitation vectors have not been disclosed publicly yet, the critical severity rating and the fact that it is a zero-day indicate that the flaw is both serious and currently unpatched. The lack of a patch or mitigation guidance at this time increases the risk to organizations running CrushFTP servers. The threat is corroborated by a trusted cybersecurity news source, BleepingComputer, and discussed in InfoSec communities, underscoring its credibility and urgency. No known exploits in the wild have been confirmed at the time of reporting, but the active exploitation claim suggests attackers are already leveraging this vulnerability in targeted campaigns.

Detailed information about New CrushFTP zero-day exploited in attacks to hijack servers. Get real-time updates, technical details, and mitigation strategies.

New CrushFTP zero-day exploited in attacks to hijack servers - Live Threat Intelligence - Threat Radar | OffSeq.com

New CrushFTP zero-day exploited in attacks to hijack servers

Reddit Discussion: New CrushFTP zero-day exploited in attacks to hijack servers

A vulnerability, which was classified as problematic, has been found in PHPGurukul Apartment Visitors Management System 1.0. This issue affects some unknown processing of the file /manage-newvisitors.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.

CVE-2025-7815 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the PHPGurukul Apartment Visitors Management System, specifically within the /manage-newvisitors.php file that handles HTTP POST requests. The vulnerability arises from improper sanitization or validation of the 'visname' parameter, which allows an attacker to inject malicious scripts. When exploited, this can lead to the execution of arbitrary JavaScript code in the context of the victim's browser. The attack can be initiated remotely without authentication, though the CVSS vector indicates that some privileges are required (PR:H) and user interaction is necessary (UI:P). The vulnerability is classified as medium severity with a CVSS score of 4.8. While the exploit has been publicly disclosed, there are no known active exploits in the wild at this time. The vulnerability may also affect other parameters, suggesting a broader input validation issue within the application. XSS vulnerabilities typically enable attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites, thereby compromising confidentiality and integrity of user data. Given the nature of the affected system—a visitor management platform used in apartment complexes—successful exploitation could lead to unauthorized access to visitor information or manipulation of visitor records, potentially impacting residents' security and privacy.

CVE Database V5

Detailed information about CVE-2025-7815: Cross Site Scripting in PHPGurukul Apartment Visitors Management System affecting PHPGurukul Apartment Visitors Manage

CVE-2025-7815: Cross Site Scripting in PHPGurukul Apartment Visitors Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7815: Cross Site Scripting in PHPGurukul Apartment Visitors Management System

The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function.  Because there is no check on the URL’s origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVE-2025-6997 is a stored Cross-Site Scripting (XSS) vulnerability affecting the ThemeREX Addons plugin for WordPress, specifically versions up to and including 2.35.1.1. The vulnerability arises from improper input sanitization and output escaping in the plugin's handling of SVG file uploads. The core issue lies in the function trx_addons_get_svg_from_file(), which processes an 'svg' parameter supplied via shortcode or Elementor widget settings without validating the URL's origin, scheme, or the SVG content itself. This parameter is then rendered using trx_addons_show_layout(), allowing an attacker with Contributor-level or higher privileges to supply a remote SVG containing malicious scripts. These scripts are stored and executed whenever any user accesses the affected page, leading to persistent XSS. The vulnerability requires authenticated access with at least Contributor privileges, does not require user interaction for exploitation once the malicious SVG is uploaded, and affects all versions of the plugin up to 2.35.1.1. The CVSS v3.1 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality and integrity but not availability. No known exploits in the wild have been reported yet, and no patches are currently linked, indicating that mitigation may require manual intervention or updates from the vendor. Stored XSS in WordPress plugins is particularly dangerous as it can lead to session hijacking, defacement, or further exploitation of site visitors and administrators.

Detailed information about CVE-2025-6997: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ThemeREX ThemeREX Addon

CVE-2025-6997: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ThemeREX ThemeREX Addons - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6997: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in ThemeREX ThemeREX Addons

Authorities released free decryptor for Phobos and 8base ransomware

Source: https://securityaffairs.com/180108/malware/authorities-released-free-decryptor-for-phobos-and-8base-ransomware.html

Detailed information about Authorities released free decryptor for Phobos and 8base ransomware. Get real-time updates, technical details, and mitigation strateg

Authorities released free decryptor for Phobos and 8base ransomware

Authorities released free decryptor for Phobos and 8base ransomware

Description

Technical Details

Related Threats

Arch Linux pulls AUR packages that installed Chaos RAT malware

New CrushFTP zero-day exploited in attacks to hijack servers

ThreatFox IOCs for 2025-07-18

Anne Arundel Dermatology data breach impacts 1.9 million people

Hackers scanning for TeleMessage Signal clone flaw exposing passwords

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility