Top 5 Cybersecurity Events of the Week: Exploits, Malware, and Security Updates

Today’s Top 5 Highlights: a critical vulnerability in IOS XE has been patched, malware has been embedded in a popular npm package, a new wave of data theft malware has emerged, the Outlaw botnet is ramping up its activities, and Google has released an Android security update with essential fixes.

Cisco has patched a critical vulnerability in IOS XE

Cisco has released a patch addressing the critical vulnerability CVE-2025-20188 (CVSS: 10.0) in IOS XE as used on wireless LAN controllers. The vulnerability stems from a hardcoded JSON Web Token (JWT), which lets a remote attacker execute arbitrary commands with root privileges. Devices are exposed only when the Out-of-Band AP Image Download feature is enabled, and it is disabled by default. Cisco strongly advises administrators to review their device configurations and apply the update promptly.

Malicious code detected in the rand-user-agent npm package

Aikido researchers have reported that malicious code was injected into the widely used npm package rand-user-agent, which generates random user-agent strings and is downloaded over 45,000 times a week. The attackers used an outdated automation token that was not protected by two-factor authentication to publish compromised versions of the package (2.0.83, 2.0.84, and 1.0.110) containing a Remote Access Trojan (RAT). The malware created a hidden directory in the user’s home folder and established a persistent connection to a command-and-control server, relaying system information and awaiting further instructions. The compromise was discovered on May 5, 2025, after which the malicious versions were removed from npm. Users are urged to scan affected systems thoroughly for signs of compromise, because updating the package to a clean version does not remove an already installed RAT.

New data theft malware variants released by attackers

The Golden Chickens group has released new malware tools: TerraStealerV2 and TerraLogger. The former steals data from browsers, cryptocurrency wallets, and browser extensions and exfiltrates it via Telegram. It spreads through malicious attachments and uses built-in Windows tools to evade defenses. TerraLogger is a standalone keylogger that stores keystrokes locally, which suggests it is still in a testing phase. Despite active development, TerraStealerV2 currently cannot handle the new data encryption that Chrome introduced in 2024.

Users are recommended to restrict the execution of unknown files, particularly email attachments and documents from unverified sources, keep browsers and security systems updated, and employ protection that monitors application behavior rather than relying solely on signatures.

The Outlaw botnet intensifies attacks on corporate systems

Kaspersky Lab analysts have noted a surge in activity from the Outlaw botnet targeting corporate networks. Attackers are using modified Perl scripts and cryptocurrency mining tools, injecting them into vulnerable servers via open ports and outdated software versions. The attacks aim to gain unauthorized access, steal data, and leverage victim resources for mining purposes. Experts recommend that system administrators update their software and enhance security measures to prevent such attacks.

Google releases May security update for Android with critical fixes

Google has published the May security bulletin for Android, which contains fixes for 50 vulnerabilities, some of which are already being actively exploited. The update comes in two patch levels, 2025-05-01 and 2025-05-05, and covers various system components including the kernel and drivers. Particular attention is given to vulnerabilities that allow remote code execution without user interaction. Installing the updates as soon as possible is strongly recommended.