---
title: "Lazarus Infects NPM, MassJacker Steals Crypto, CISA Alerts Ivanti, Cybersecurity News [March 10, 2025] | DuoCircle"
description: "This week’s bulletin highlights some serious incidents that could impact individuals and businesses alike."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-12-of-2025/"
---

Quick Answer

Week ending March 10, 2025 covered: six malicious npm packages tied to the Lazarus group (is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, auth-validator) with 330 downloads, deploying BeaverTail malware and the InvisibleFerret backdoor through typosquatting; the MassJacker clipboard-hijacker tied to 778,531 wallet addresses and roughly $300,000 funneled into a single Solana wallet, distributed via pesktop\[.\]com and injected into InstallUtil.exe; a CISA security alert on active exploitation of three critical Ivanti Endpoint Manager flaws (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) with FCEB agencies required to patch by March 31; the FTC distributing $25.5 million in PayPal refunds to 736,375 victims of the Restoro and Reimage tech-support scams (which used fake $58 'PC Repair Plans' triggered by Windows-style pop-ups); and an NTT Communications breach in early February 2025 exposing data on 17,891 corporate customers (contract names, representative names, contract numbers, emails, phone numbers, addresses, service usage).


![cybersecurity news](https://media.mailhop.org/duocircle/images/2025/03/spf-permerror-3428.jpg) 

This week’s bulletin highlights some serious incidents that could impact individuals and businesses alike. From hackers spreading malware through [NPM packages](https://thehackernews.com/2025/01/russian-speaking-attackers-target.html) to cryptocurrency-stealing schemes, cybercriminals are finding new ways to trick people and exploit vulnerabilities. You can stay informed, stay cautious, and **take action to protect yourself** from these threats with our detailed coverage.

## Lazarus Group Spreads Malware Through NPM Packages, Infecting Hundreds

This week, researchers discovered six malicious packages on the **NPM (Node Package Manager)** platform that are intended to extract sensitive data from compromised systems. These packages have been downloaded 330 times and are capable of extracting account credentials, deploying backdoors, and accessing cryptocurrency information. The campaign was [identified by the Socket Research Team](https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages), which linked it to previous [supply chain attacks](https://www.darkreading.com/ics-ot-security/concerns-supply-chain-attacks-us-seaports-grow) involving software registries like NPM, GitHub, and PyPI. _The attackers use typosquatting, where malicious packages mimic legitimate ones to trick developers into downloading them_.

The six identified packages (is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator) were disguised as **commonly used JavaScript tools**. Once installed, the packages executed malware designed to [steal browser-stored credentials](https://www.infosecurity-magazine.com/news/qilin-steal-credentials-google/), cookies, and [cryptocurrency wallet data](https://www.infosecurity-magazine.com/news/scammers-drain-500m-crypto-wallets/). They also delivered further threats, including the [BeaverTail malware](https://cybersecuritynews.com/north-korean-hackers-acquire-remote-jobs/) and the InvisibleFerret backdoor.

[![cryptocurrency wallet](https://media.mailhop.org/duocircle/images/2025/03/SMTP-email-7845.jpg)](https://media.mailhop.org/duocircle/images/2025/03/SMTP-email-7845.jpg)

_So how can you stay safe against this threat? Your priority should be to verify the authenticity of NPM packages before installing them_. **Regular security audits and dependency monitoring** are good practices that help prevent exposure to malicious software. Leveraging advanced [email security](/content/email-security-services) solutions like [DuoCircle](/) can further fortify your defenses against supply chain attacks, safeguarding your system from potential threats.
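One way to run the dependency audit described above is to check a project's lockfile for the six package names listed in this bulletin, including copies pulled in transitively or installed under an alias. This is an added example, not code from Socket or from this article; the function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: flag the six package names from this bulletin in an npm
// lockfile. Function names are hypothetical; sample data is constructed.
const FLAGGED = new Set([
  "is-buffer-validator", "yoojae-validator", "event-handle-package",
  "array-empty-validator", "react-event-dependency", "auth-validator",
]);

// lockfileVersion 2/3: keys of "packages" are install paths such as
// "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/" segment.
function nameFromInstallPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// lockfileVersion 1: "dependencies" is a tree keyed by package name, with
// nested "dependencies" for packages that were not hoisted to the top.
function walkV1(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (FLAGGED.has(name)) {
      hits.push({ name, version: meta.version || null, via: here.join(" > ") });
    }
    walkV1(meta.dependencies, here, hits);
  }
}

function findFlaggedPackages(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // npm records an explicit "name" when the folder name differs from
      // the real package name (an alias), so prefer it over the path.
      const name = meta.name || nameFromInstallPath(path);
      if (name && FLAGGED.has(name)) {
        hits.push({ name, version: meta.version || null, via: path });
      }
    }
  } else {
    walkV1(lock.dependencies, [], hits);
  }
  return hits;
}

// Constructed samples. "is-buffer" (no suffix) must not be flagged.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/is-buffer": { version: "1.0.0" },
    "node_modules/some-lib/node_modules/auth-validator": { version: "1.0.0" },
    "node_modules/helpers": { name: "yoojae-validator", version: "1.0.0" },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": {
      version: "1.0.0",
      dependencies: { "react-event-dependency": { version: "1.0.0" } },
    },
    "is-buffer": { version: "1.0.0" },
  },
};

// CLI use: node scan-lock.js path/to/package-lock.json
if (typeof require !== "undefined" && typeof module !== "undefined" &&
    require.main === module && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const hits = findFlaggedPackages(lock);
  for (const h of hits) console.log(`${h.name}@${h.version} via ${h.via}`);
  process.exitCode = hits.length ? 1 : 0;
}
```

The match is on exact names only, so it confirms exposure to these six packages and does not detect other typosquats.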

## MassJacker Malware Exploits 778,000 Wallets to Steal Cryptocurrency

There’s another newly uncovered cyber threat known as [MassJacker](https://www.techradar.com/pro/security/massjacker-malware-targets-those-looking-for-pirated-software) that is using clipboard hijacking techniques to steal cryptocurrency from unsuspecting users.

[CyberArk researchers found](https://www.cyberark.com/resources/threat-research-blog/captain-massjacker-sparrow-uncovering-the-malwares-buried-treasure) that the operation involves at least [778,531 cryptocurrency wallet](https://www.secureblink.com/cyber-security-news/300-k-cryptojacking-attack-750-k-wallets-hacked-in-mass-jacker-breach) addresses, redirecting funds from victims to attackers. At the time of analysis, approximately $95,300 was found in **423 wallets linked** to the campaign, but historical transactions suggest much larger sums may have been stolen. Plus, the attackers appear to be funneling funds into a single Solana wallet, which has processed over $300,000 in transactions.

_MassJacker operates using clipboard hijacking malware, also known as clippers, which monitors your clipboard for copied cryptocurrency wallet addresses and silently swaps them with an address controlled by the attackers_. As a result, when victims attempt to send cryptocurrency, they unknowingly transfer their funds to the hackers instead. The malware is distributed through pesktop\[.\]com, and once a user downloads an infected file, a chain of scripts and loaders works together to install MassJacker, ultimately injecting it into a **legitimate Windows process** (InstallUtil.exe) to avoid detection.

That’s why you should avoid downloading software from untrusted or pirated sources. **Regularly updating your security software** and running regular scans will also go a long way toward catching threats like MassJacker.

## CISA Warns of Active Exploits Targeting Critical Ivanti EPM Vulnerabilities

[CISA (Cybersecurity and Infrastructure Security Agency)](https://www.cisa.gov/news-events/alerts/2025/03/10/cisa-adds-five-known-exploited-vulnerabilities-catalog) issued a security alert this week for U.S. federal agencies about ongoing cyberattacks that are targeting Ivanti Endpoint Manager appliances.

_The attackers are exploiting three critical vulnerabilities (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) that allow them to fully compromise affected servers remotely and without authorization_. These flaws were first reported back in October 2023 by a researcher at Horizon3.ai and were patched by Ivanti **on 13 January 2024**. But just a month later, the [threat actors](/phishing-protection/threat-actors-exploit-google-calendar-for-phishing-and-spoofing/) released [PoC (Proof-of-Concept)](https://www.techtarget.com/searchcio/definition/proof-of-concept-POC) exploits to take advantage of the vulnerabilities again.

**CISA has added** these to [its Known Exploited Vulnerabilities catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) and has mandated that [FCEB (Federal Civilian Executive Branch)](https://www.scworld.com/resource/strengthening-americas-backbone-the-center-for-federal-civilian-executive-branch-fceb-resiliences-role-in-national-security) agencies secure their systems by 31 March.

You should take the warning seriously and make sure to apply Ivanti’s latest security updates immediately. On top of that, **regularly monitor your systems** for suspicious activity and adhere to best practices for vulnerability management.

## FTC to Distribute $25.5 Million to Victims of Tech Support Scams

Great news this week is that the [FTC (Federal Trade Commission) will distribute over $25.5 million](https://www.ftc.gov/news-events/news/press-releases/2025/03/ftc-sends-more-255-million-consumers-impacted-tech-support-firms-scam) in refunds to consumers who were misled by tech support enterprises **Restoro and Reimage**.

Starting 13 March, the agency will send 736,375 PayPal payments to people who were tricked into paying for unnecessary computer repair services. If you are eligible for a refund, you will receive an email and must redeem your PayPal payment within 30 days. The refund is a bit late but definitely good news, as it comes a year after the organizations were fined $26 million for violating the **FTC Act** and the [TSR (Telemarketing Sales Rule)](https://www.ftc.gov/legal-library/browse/rules/telemarketing-sales-rule).

The companies used deceptive **online ads and pop-ups** that [mimicked Windows system warnings](https://hackread.com/linux-malware-perfctl-hit-millions-mimick-system-files/), falsely claiming that users’ computers were infected with malware or had critical performance issues. The FTC’s investigation also showed that people were offered a “free scan,” which always identified issues requiring repair, even when none existed.

[![computer malicious activity](https://media.mailhop.org/duocircle/images/2025/03/hosted-email-server-3652.jpg)](https://media.mailhop.org/duocircle/images/2025/03/hosted-email-server-3652.jpg)

After paying up to $58 for a “PC Repair Plan,” consumers were urged to call [Restoro and Reimage telemarketers](https://www.ftc.gov/system/files/ftc%5Fgov/pdf/1-ComplaintagainstRestoro.pdf), who claimed that the software could not fix everything. If you ever encounter something similar, avoid clicking on it. Be cautious when **downloading system repair tools**, and never let unknown tech support agents access your computer remotely.

## Data Breach at Telecom Giant NTT Affects Nearly 18,000 Enterprises

[NTT (NTT Communications Corporation)](https://en.wikipedia.org/wiki/NTT%5FCommunications) also issued a warning to **nearly 18,000 corporate customers** that their information was compromised in a cybersecurity incident.

The [data breach](https://securityintelligence.com/news/national-public-data-breach-publishes-private-data-billions-us-citizens/) was discovered in early February 2025 when the hackers breached NTT’s **Order Information Distribution System**, which contained details of 17,891 organizations; no personal (consumer) customer data was affected. They made away with registered contract names, customer representative names, contract numbers, emails, phone numbers, physical addresses, and service usage information.

[![Hacker Breaches](https://media.mailhop.org/duocircle/images/2025/03/dkim-record-check-6543.jpg)](https://media.mailhop.org/duocircle/images/2025/03/dkim-record-check-6543.jpg)

_NTT discovered the breach on 5 February and blocked threat actor access by the next day_. But once the organization conducted an internal investigation, it found that the attackers had moved to another device within NTT’s network. That device was immediately disconnected to **prevent further lateral movement**, and the organization is now confident that the threat has been fully contained.

You will not get individual notifications, but [the organization has issued a public announcement](https://www.ntt.com/about-us/press-releases/news/article/2025/0305%5F2.html) on its website, which **serves as the sole notification** of the breach. If your enterprise is an NTT corporate customer, stay aware of [social engineering](https://www.securityweek.com/how-agentic-ai-will-be-weaponized-for-social-engineering-attacks/) scams and phishing emails, as cybercriminals may use stolen information to impersonate NTT.


Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

