Risky Bulletin: npm Attack Uses AI Prompts to Steal Creds, Crypto-Wallet Keys

Podcast: Risky Bulletin
Host: Risky.biz
Date: August 29, 2025
Read by: Amberly Jackson
Prepared by: Catalyn Campanu

Episode Overview

This episode delivers a comprehensive roundup of global cybersecurity incidents and trends from the past week. Key stories include a novel npm supply chain attack leveraging AI for credential theft, massive ransomware impact on Swedish municipalities, updates on China-linked hacking campaigns, and significant breaches and policy developments across multiple industries and governments.

Detailed Breakdown

AI-Driven npm Attack: Credentials & Crypto Keys Stolen

[00:04 – 01:15]

• Incident: A threat actor hacked the Node Package Manager (npm) account associated with the NX build automation system.
• Method: The attacker published malicious versions of several NX libraries containing hidden AI prompts. These prompts instructed AI-powered coding tools to exfiltrate credentials and crypto wallet keys from developers.
• Impact:
  • Stolen data was sent to public GitHub repositories controlled by the attacker.
  • More than 1,400 users are believed to have had their credentials and keys stolen.
  • GitHub reacted by hiding the repositories and notifying affected users.

Notable quote:
"The code contained hidden prompts that instructed AI coding tools to exfiltrate credentials and crypto wallet keys. The data was uploaded to public GitHub repositories for the attacker to collect." — Amberly Jackson, [00:25]

Chinese Hacking Campaign: Salt Typhoon Expands

[01:15 – 01:47]

• Actors: Attributed to three Chinese companies:
  • Sichuan Juxhen Network Technology
  • Beijing Wanyu Tenshon Information Technology
  • Sichuan Shixing Raishi Network Technology
• Scope: Over 80 countries targeted across telecom, government, transportation, and military sectors.
• Involvement: 13 national cybersecurity agencies jointly linked the attack.

Notable quote:
"The intrusions have targeted telecommunications, government, transportation and military networks in more than 80 countries." — Amberly Jackson, [01:24]

Google Forms Cyber Disruption Unit | US Considers 'Hack Back' Legislation

[01:47 – 02:15]

• Google: Launches a new cyber disruption unit to bolster digital defense capabilities.
• US Policy: Trump administration pushes for more aggressive US offensive cyber ops; proposed legislation would let private sector companies "hack back" against foreign threats.

Ransomware Attack Shuts Down Swedish Local Governments

[02:16 – 02:47]

• Attack: Over 200 Swedish municipalities and regional governments impacted (over 80% of city governments hit).
• Vector: Attack struck Meliodota, a shared IT service provider.
• Ransom: 1.5 Bitcoin (~$160,000).

Notable quote:
"A ransomware attack has disrupted the activity of more than 200 Swedish municipalities and regional governments. More than 80% of local city governments have been impacted." — Amberly Jackson, [02:20]

Other Major Incidents and Developments

Russian Oil Company Hacked: German Suspect Charged

[02:47 – 03:14]

• Suspect: German national accused of hacking Rosneft's German subsidiary after the Ukraine invasion in March 2022.
• Impact: Stole 20TB of data, deleted crucial systems, causing days-long outages and €9.75M in damages.

Spanish EdTech Hacked to Change Exam Grades

[03:14 – 03:35]

• Method: Hacker compromised teacher credentials to access and alter grades on the Sanaka scoring platform.
• Discovery: Teacher noticed unusual activity; police found a notebook of altered grades at the hacker's home.

Taiwanese Data Brokers Detained

[03:35 – 03:55]

• Details: Two men arrested for selling data stolen by the Chinese ransomware group Crazy Hunter from 11 Taiwanese orgs (including major hospitals).

Massive Grocery Delivery Scam in the US

[03:55 – 04:29]

• Charges: Eight men accused of defrauding Instacart and Shipt ($30+ million stolen).
• Method: Used hacked gig worker accounts to place/cancel orders, siphoning advance payments into gift cards/crypto.

Fake ID Marketplace Seized in US & Netherlands

[04:29 – 04:47]

• Operation Verif Tools: Sold forged IDs (driver's licenses, passports) since 2022; earned at least €1.3M.

SK Telecom Hacked: Record Data Breach Fine

[04:47 – 05:13]

• Incident: Hackers breached SK Telecom, stealing SIM card data from 23+ million customers.
• Penalty: $97.2 million (largest-ever data breach fine in South Korea).

EU Cybersecurity Reserve Announced

[05:13 – 05:35]

• Agency: ENISA to manage a new €36M reserve for incident response across member states.

US Lawmakers Probe Wikipedia Manipulation

[05:35 – 05:54]

• Investigation: Reps. James Comer and Nancy Mace request Wikimedia to disclose accounts involved in pro-Kremlin/anti-Israel content campaigns.

Telegram Group Sells Swatting, Intimidation

[05:54 – 06:26]

• Group: "Purgatory" runs fake active shooter hoaxes, sells intimidation (e.g., tire slashing).
• Profits: Claimed over $100K since the swatting spree began on August 21.
• Links: Connected to an online group called "the. Com".

Storm0501: Ransom Attacks on Cloud Infrastructure

[06:26 – 06:46]

• New Tactic: Group now focuses on cloud environments: data theft, deletion, ransom.
• Trend: Shift from traditional ransomware to cloud-focused hybrid attacks.

Suspected Chinese Espionage via Expired Domain

[06:46 – 07:10]

• Target: Users of Suyin (Chinese character input app).
• Victims: Several hundred, mainly East Asian dissidents, journalists, researchers.
• Method: Malware delivered via malicious updates on an expired domain.

FreePBX Zero-Day Exploited

[07:10 – 07:28]

• Action: Attacks began August 21 on exposed FreePBX telephony control panels.
• Response: Patch released the previous day.

Notable Quotes & Memorable Moments

• On the npm AI-Exfiltration Attack:
  "The code contained hidden prompts that instructed AI coding tools to exfiltrate credentials and crypto wallet keys." – Amberly Jackson, [00:25]

• On Salt Typhoon's Scale:
  "The intrusions have targeted telecommunications, government, transportation and military networks in more than 80 countries." — [01:24]

• On Swedish Municipality Ransomware:
  "More than 80% of local city governments have been impacted." — [02:23]

• On the Impact of Cybercrime-as-a-Service:
  "The Telegram group Purgatory is behind a recent series of fake active shooter warnings at US universities. The group sells swatting services as well as intimidation tactics such as tyre slashing and brick throwing." — [05:54]

Timestamps for Important Segments

• AI-Driven npm Attack: [00:04 – 01:15]
• Salt Typhoon / Chinese Campaigns: [01:15 – 01:47]
• Google Disruption Unit & 'Hack Back' Law: [01:47 – 02:15]
• Swedish Ransomware Outage: [02:16 – 02:47]
• Rosneft Hack (Germany): [02:47 – 03:14]
• Spanish Exam Grade Hack: [03:14 – 03:35]
• Taiwan Data Trafficking: [03:35 – 03:55]
• Instacart/Shipt Fraud Ring: [03:55 – 04:29]
• Fake ID Market Bust: [04:29 – 04:47]
• SK Telecom Breach Fine: [04:47 – 05:13]
• EU Cybersecurity Reserve: [05:13 – 05:35]
• Wikipedia Manipulation Probe: [05:35 – 05:54]
• Swatting-as-a-Service (Purgatory): [05:54 – 06:26]
• Cloud Data Ransom (Storm0501): [06:26 – 06:46]
• Suyin Espionage: [06:46 – 07:10]
• FreePBX Zero-Day Exploitation: [07:10 – 07:28]

Summary

This episode paints a vivid picture of an evolving threat landscape: attackers are exploiting every layer of the tech stack, from open-source developer tools using AI, to hybrid cloud environments, and even social platforms for harassment. Governments and corporations are racing to adapt, deploying new units, imposing record fines, and proposing unprecedented policy maneuvers—like legalizing "hack back." Meanwhile, cybercrime-as-a-service and state-linked campaigns continue to proliferate with broad, global impact.

Amberly Jackson’s delivery remains crisp and factual, ensuring listeners are up to date on both technical and policy developments from around the world.