Hello and welcome to the Monday, June 9th, 2025 edition of the Sands Internet Storm Centers.

Stormcast, my name is Johannes Ulrich, and this episode brought you by the Sands.edu graduate certificate program in Purple Team Operations is recorded in Jacksonville, Florida.

Well, and in Diaries this weekend, we had an update to pngdump.p.i by DDA.

This update was, well, as so often prompted by some malware that Xavier was looking at a few

days ago. In that particular example, we had a PNG file with some additional data appended to the end.

Now, this data followed the I-end marker in the PNG.

And PNG dump will display a list of all the sections in the PNG, including the I-end marker.

So then it's easy to spot, hey, there's some unexpected data here following that I-end

marker, and that's the data that you can then save into a separate file.

So if this is helpful for people and makes Malware analysis a little bit simpler.

Well, and then we do have yet another significant compromise of the NPM ecosystem. This time it particular targeted some React

native packages for CluStack. CluStack delivers interface components, and a number of them were compromised last week.

This attack happened June 6, June 7th, so just Friday, Saturday, I guess.

It's also difficult there for people to pay attention, and the attack did deliver back door to the systems. Now, the write-up

I'm going by here comes from Aikido. They actually detected a similar compromise back in May,

very similar. Malware deployed back then with all the minor changes being deployed here,

but for the last month, they were fairly,

not very active, but now apparently sort of hit the big jackpot with these NPM packages

that have aggregated about a million downloads a week. What interesting thing here is

that you actually don't see the compromised code easily.

They use, well, white spaces to basically push it off the screen,

and that way, again, sort of escape some cursory detection.

...