Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:01):
Supply chain attacks continue with increasing sophistication.
CISA releases a new eviction strategies tool.
The City of St. Paul has to call in the National Guard to
deal with a cyber emergency, and Ingram Micro is back in the news,
as the SafePay ransomware group threatens to leak 35 terabytes of customer data.
(00:21):
This is cybersecurity today.
I'm your host, Jim Love.
This story came to me via a YouTube channel called Java Brains, because I
don't believe everything I see on YouTube.
Big surprise.
I did a back check and validated the story.
Here's how it goes.
In June or July of 2025, a person described as a highly skilled blockchain
(00:42):
developer had $500,000 in cryptocurrency stolen after he installed a malicious
Solidity language extension in the Cursor IDE, an AI-based code editor
and a VS Code fork.
Cursor AI has over 1 million users, including approximately 360,000 paying customers.
(01:05):
It's widely adopted by developers and has high-profile tech companies
like OpenAI, Shopify, and Perplexity working with it.
Cursor's rapid growth has made it one of the most popular AI-powered
coding tools, one of the leading IDEs in 2025, especially for developers
seeking integrated AI support.
(01:26):
Likewise, the community that he used to download the extension, Open VSX, is
a reputable, well-established registry for VS Code extensions, hosted and
governed by the Eclipse Foundation, a respected not-for-profit
open source organization.
It has links to major companies like Google, Salesforce, Siemens, and Huawei.
(01:47):
They all participate in its governance and development.
Open VSX is used by at least 8 million developers.
The developer, reportedly using a clean system and careful
practices, installed what appeared to be a legitimate extension,
Solidity, from Cursor's built-in extension marketplace, and
(02:07):
Solidity is a popular extension.
It's well known, and it provides language support for writing, editing,
and managing Solidity code, which is the main programming language for
creating smart contracts on Ethereum and EVM-compatible blockchains.
So the Solidity extension he downloaded had 54,000 downloads,
(02:28):
looked professional, had the name of the original developer, and was top
of the list on recommended extensions.
What could possibly go wrong?
A lot, apparently, and that's what this developer found when he
saw $500,000 had disappeared from a crypto wallet he controlled.
(02:48):
What happened?
The extension planted a JavaScript file, extension.js, so every time the IDE
started, it would download and execute a PowerShell script from a remote server.
This script installed legitimate remote access software, ScreenConnect,
(03:09):
but configured it for attacker control, allowing full remote takeover.
Attackers used this access to upload additional malware like
Quasar RAT and PureLogs Stealer and systematically exfiltrated wallet
credentials, passwords, and ultimately the developer's crypto assets.
And how did this happen?
(03:31):
Open VSX, a community-run open extension registry, is popular, but apparently
has looser controls than Microsoft's proprietary store, which apparently
makes it possible for attackers to upload fake, malicious, or cloned extensions.
The extension looked exactly like the real Solidity extension, and
it used a nearly identical publisher name, only with a capital I for a lowercase l.
(03:58):
And then it manipulated the ranking and download statuses to appear legitimate.
It turns out that even well-established communities may not be safe for high-value
or commercial implementations.
They might be too big a risk, although in fairness, I'm
taking part of this on faith.
(04:19):
Microsoft's proprietary products are reportedly more secure, but even Microsoft
is not immune to vulnerabilities.
So take that with a grain of salt, but it is something we need to think about.
And in fairness, the Open VSX community did take action.
The malicious extension was removed, although reportedly the attackers
(04:40):
re-uploaded a new variant the next day.
So despite the quick response, hundreds or thousands of
developers may have been impacted.
The developer followed most traditional recommendations:
beware of new non-functional extensions and uninstall
anything suspicious immediately.
Scrutinize publisher details.
Avoid early adoption. But to that, I think you have to add another point.
(05:05):
If you are relying on high rankings as evidence of authenticity, you
have to understand the ranking algorithm. In this case, Open VSX's
algorithm increases the ranking of extensions that
have been recently updated.
The malicious extension was updated just days before the victim searched,
while the legitimate extension hadn't been updated in weeks. This freshness
(05:30):
boost pushed the fake extension above the authentic one in search results, even
though it had marginally fewer downloads.
Some have pointed out that the developer may have failed in maintaining rigorous
compartmentalization for sensitive work, and some have commented on
the wisdom of leaving half a million dollars in a hot wallet instead of in
(05:52):
cold storage, which is more secure.
You can make up your own mind on that.
Many in the open source community are getting beyond blame and are looking
for solutions to these incredibly sophisticated supply chain attacks.
We've covered one solution earlier this year, and hopefully we'll get some ideas
in our weekend show, but if you have other suggestions or ideas on this, let us know.
(06:16):
And on a similar note, the blog GBHackers is reporting another supply chain issue
this week. A stealthy backdoor called Oyster is spreading through
Trojan versions of common tools like PuTTY and KeePass, and it's
targeting unsuspecting Windows users.
In this case, the attackers use tricks like search engine entries
(06:38):
and even ads, which feature installers for these popular tools.
So when people are downloading from these ads or paid links, attackers are disguising
Oyster as legitimate installers for apps like Firefox, 7-Zip, and
even apparently Microsoft Edge. Once installed, Oyster creates a hidden
connection back to a command server.
(07:00):
It can execute remote commands, exfiltrate files, and download additional
modules to expand its capabilities.
It uses signed binaries, encrypted payloads, and DLL
side-loading to avoid detection.
This type of campaign is especially dangerous because it abuses trust.
Most users assume apps like PuTTY and KeePass are safe, especially
(07:22):
if they've used them before, and the sites they load them from are well
done, look authentic, and many have even captured expired certificates to
further bolster their authenticity.
It's another key reminder that we have to be extremely cautious about
tools that are downloaded from approved or even reliable sources.
But until we get a better solution, we have to regard downloading tools and
(07:46):
extensions with zero trust approaches.
Unless we can prove they're safe, they shouldn't be trusted.
A cyber attack has crippled the city of St. Paul, Minnesota,
prompting officials to call in the National Guard for digital support.
The breach affected multiple municipal systems, including those responsible for
(08:07):
payroll, licensing, and other things like remote work access.
The city confirmed that the hackers gained access to internal IT infrastructure, with
investigators describing the intrusion as deep and widespread.
Officials say they don't yet know the full scope or
whether any personal data was compromised.
(08:28):
The Minnesota National Guard's 177th Cyber Protection Team has been deployed to help
contain and assess the damage. The team specializes in helping state and local
agencies recover from cyber attacks, often working alongside federal agencies.
City officials have not yet said who is behind the breach or what methods
were used, but one source told Ars Technica that the attack may have been
(08:53):
ongoing for months before detection. But St. Paul is only the most recent of
a growing list of municipalities that have been hit by ransomware and other
forms of cyber crime, and municipalities that often have increasingly limited
IT resources to defend themselves.
And in other news, CISA, the US Cybersecurity and Infrastructure
(09:14):
Security Agency, has released a new tool designed to help defenders
kick attackers out for good.
The Eviction Strategies Tool is aimed at helping cybersecurity teams remove
persistent threats from their networks.
It walks responders through steps needed to fully evict an attacker,
even if they've dug in with stolen credentials or backdoor access.
(09:36):
Better than anything, it's free to use.
CISA developed the tool based on years of incident response experience, and one
of the key lessons: timing is everything.
If you clean up one compromised account while leaving another
active, the attackers may notice and retaliate or simply re-enter.
The tool is interactive.
(09:56):
It guides users through questions like what kind of access the attacker has,
whether they've moved laterally, what persistence methods they're using, and
based on your answers, it builds a customized eviction strategy.
It also emphasizes coordinated action, taking down all compromised access at once
to avoid tipping off the threat actor.
(10:18):
The tool is part of a growing set of practical resources from
CISA, including their Decider and incident response playbook.
Even experienced defenders can benefit, but for under-resourced
teams this could be a great asset.
And for those with a lot of experience in this area, CISA
is actively soliciting comments.
(10:39):
You can find a link in the show notes.
Finally, an update on a past story.
IT giant Ingram Micro is back in the news.
The SafePay ransomware gang claims to have stolen 35 terabytes of data
and is threatening to leak it.
It turns out that SafePay may not have encrypted any
systems, just exfiltrated data,
(11:00):
which might explain how Ingram Micro was able to recover so quickly.
They provided journalists with samples showing internal emails,
financial records, HR files, customer data, and proprietary tools.
They also claim to have already sold some of the data. This is a serious threat.
Ingram Micro is one of the world's largest technology distributors
(11:22):
with ties to thousands of resellers, service providers, and vendors.
A breach of this scale could have major downstream implications.
Ingram appears on the group's leak site, so we can assume
that they didn't pay the ransom,
along with, we note, many other companies that are on that site, which supposedly
features only companies who did not pay.
(11:45):
The use of extortion without encryption is part of a growing trend.
It's a reminder that stopping ransomware isn't only about backups.
If attackers can quietly steal data, that can still hold a company hostage.
For defenders, this means investing in outbound traffic monitoring,
anomaly detection, and tighter controls on access to sensitive files.
(12:07):
And if you're a partner or customer of Ingram Micro, it's worth staying alert.
Ingram is a well-known and reputable brand, and we hope they'll be
responding to this shortly.
And that's our show.
You can find show notes at technewsday.com or .ca, and you can use the
Contact Us form there if you wanna share opinions or advice on this
(12:28):
wave of supply chain attacks.
And of course, if you're watching this on YouTube, leave a comment under the video.
I'm your host, Jim Love.
Thanks for listening.