A sophisticated and ongoing supply-chain attack operating for the past year has been stealing sensitive login credentials from both malicious and benevolent security personnel by infecting them with Trojanized versions of open source software from GitHub and NPM, researchers said.
The campaign, first reported three weeks ago by security firm Checkmarx and again on Friday by Datadog Security Labs, uses multiple avenues to infect the devices of researchers in security and other technical fields. One is through packages that have been available on open source repositories for over a year. They install a professionally developed backdoor that takes pains to conceal its presence. The unknown threat actors behind the campaign have also employed spear phishing that targets thousands of researchers who publish papers on the arXiv platform.
Unusual longevity
The objectives of the threat actors are also multifaceted. One is the collection of SSH private keys, Amazon Web Services access keys, command histories, and other sensitive information from infected devices every 12 hours. When this post went live, dozens of machines remained infected, and an online account on Dropbox contained some 390,000 credentials for WordPress websites taken by the attackers, most likely by stealing them from fellow malicious threat actors. The malware used in the campaign also installs cryptomining software that was present on at least 68 machines as of last month.
The homes of Patrick Mahomes, Travis Kelce and Joe Burrow have all been broken into recently, but it will be tough for anyone to get into Tua Tagovailoa's place.
The Miami Dolphins quarterback said Wednesday he has "personal security" to keep him and his family safe.
Tagovailoa said he made the decision shortly after one of his cars was broken into.
"It's a little too close for my comfort with my family being in the house. So, we got personal security to take care of all that. When we're on the road, we got someone with my wife. We got someone surveying that house," he said.
He then gave a stern warning.
"They are armed, so I hope if you decide to go to my house, you think twice."
Burrow's home was burglarized while he was in Dallas facing the Cowboys Monday. The NFL recently sent out a memo regarding the incidents.
The league cautioned players to be on high alert after homes were hit last month that were believed to be tied to international organized crime.
NFL Network's Tom Pelissero reported last month that the FBI is investigating the crime spree, "which is believed to be tied to a South American crime syndicate."
According to the report, at least one other NFL player had his home burglarized.
In the memo, the league also urged players to take precautions, including installing home security systems. They were also encouraged not to post images of expensive items or live updates of their comings and goings on social media.
The burglaries have happened during players' games.
Fox News' Scott Thompson contributed to this report.
More than 58 million Americans have had packages stolen in the past year, per a recent survey.
Now, one startup is launching a service to insure against porch pirates.
PorchPals founder James Moore explains the surprisingly tricky math needed to solve the problem.
Following the largest day of online shopping ever on Cyber Monday, hundreds of millions of packages have by now reached doorsteps across the US.
But an untold number of those deliveries have also likely found themselves snatched up by someone other than the person to whom they belong.
Now, one startup is launching a service to insure shoppers against these so-called porch pirates.
"We want our service to be used by the consumer when they need us," PorchPals CEO James Moore told Business Insider, "You know, when those Christmas gifts get stolen, that or that Xbox, or that PlayStation, or that pair of Nikes that cost you $300."
The service, which officially goes live on Monday, covers up to three stolen packages a year or a maximum claim of $2,000 for an annual fee of $120. Customers link their payment card to the service and all future e-commerce purchases made with that card are covered, the company says.
As with any insurance product, there is some surprisingly tricky math that goes into putting a tidy number on a messy problem like parcel theft.
Moore told BI that PorchPals used three separate actuarial teams working independently on the problem to reach a comparable risk profile. The teams represented some industry heavy-hitters, including Lockton Re, Pinnacle Actuarial Resources, and PorchPals' underwriters at Lloyd's of London's Newline Syndicate.
Over the past year, more than 58 million Americans are estimated to have had one or more packages stolen, according to a recent survey from tech reviews website Security.org.
Of course, some households experience multiple thefts, and PorchPals estimates the number of stolen packages at around 119 million last year.
In an earlier trial in California, Moore said PorchPals users typically used the service for packages worth between $250 and $280. That figure represents an unfortunate sweet spot in the world of missing parcels: Shipments worth $2,000 or more tend to require a signature at delivery, and refunds for less than $50 can often be processed without too much hassle by retailers who want to keep their customers happy.
Once the value gets above a hundred bucks, police reports and other documentation can start complicating the picture.
The Security.org survey found the median package value that customers reported to law enforcement was $195, while the median value of unreported packages was $50.
Those higher-value losses can lead to a loop of calls to retailers, delivery companies, local police, and back again.
"At some point you've called everybody," Moore said.
Moore said shoppers may not realize how impractical other forms of protection really are in the case of package theft. For instance, homeowner and renters insurance policies typically have higher deductibles than make sense for a $250 claim. Credit card policies can have requirements that packages be reasonably protected against theft, he said.
From a risk perspective, Moore said the nature of package theft makes it different from other property crimes, such as how ZIP code crime rates can affect auto insurance premiums.
"It's not the ZIP codes that you'd think," he said. "In porch theft it's different. The thief is looking for high-dollar items."
Porch pirates may steal from all income levels, but Moore says some of the more expensive packages are snagged from wealthier doorsteps that might otherwise have "this aura of safety," such as gated communities or luxury condos with a concierge desk.
"The number of packages just sitting out there, just left to the open… I mean, it's vast," he said.
A TikTok influencer was arrested after an incident involving the theft of $500 of goods from Target.
Police say they identified Marlena Velez, who has 360,000+ TikTok followers, through a video she posted.
The video showed her at Target, wearing the same outfit as in the security footage, police said.
A TikTok influencer with over 360,000 followers who posts aspirational videos of her life as a stay-at-home mom has been arrested after police accused her of stealing about $500 worth of items from Target.
Authorities said the momfluencer later posted a video of the 'shopping' haul to her followers, which they said helped to identify her.
According to a news release, the Cape Coral Police Department in Florida responded to a report last Wednesday about a theft at a Target store in Cape Coral that occurred on October 30.
Target's loss prevention team said that an unidentified woman entered the store, selected items, and scanned false barcodes with lower prices instead of the items' actual barcodes at a self-checkout register.
Police said the woman stole 16 items, including household goods and clothing, worth $500.32.
The Cape Coral Police Department shared photographs of the woman on social media to help identify her.
According to the press statement, an anonymous tip received in response to the photos provided officers with information on 22-year-old social media influencer Marlena Velez and directed them to her Instagram handle.
It said that officers subsequently found Velez's TikTok account, which included a video showing Velez wearing the same outfit and glasses as the woman in the photos.
Police said the video, which is no longer available on her TikTok account, showed Velez going to Target, selecting items, and loading them into her car before leaving.
Mercedes Phillips, a Cape Coral Police Department spokeswoman, said in a subsequent video that: "Everything was documented, even the outfit that she wore."
Phillips added, "It shows her getting ready with the outfit, and even her glasses, and all of that matches in her TikTok with the attempt-to-identify photo that we put out."
Velez did not immediately respond to a request for comment from Business Insider.
Lee County Sheriff's Office records show that a woman identified as Marlena Valez, with a different spelling but the same birthdate, was booked last Thursday morning.
Records show that she was released later that day on a cash bond of $150.