BlockThreat - Week 48, 2025
Upbit | Shai Hulud | MegaETH | Mixpanel | CoinTracker | CoinDCX
Greetings!
Just one major compromise this week, involving Upbit and resulting in the theft of $36.8M. The compromise happened on November 27, the same date the exchange was hacked for $50M in 2019. Lazarus, which was responsible for both incidents, appears to be sending a message exactly six years later.
Shai Hulud returned with a revised and more effective mass compromise campaign. The attack spread across more than 25,000 repositories and hundreds of npm packages. By moving its execution into npm preinstall scripts, which run automatically on every install, it executed inside CI/CD environments such as GitHub Actions, enabling large-scale theft of credentials and secrets. As attackers review the stolen data, we should be prepared for follow-on compromises that may involve major projects.
Speaking of supply chains, the Mixpanel breach leaked user data across several crypto platforms, including CoinTracker, CoinDCX and others. Prepare for the next wave of phishing campaigns, similar to the ones that followed the Ledger and Kroll breaches.
Let’s dive into the news!
News
- Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised. You can find additional details from Wiz, SlowMist, GitGuardian, JFrog and Socket.
Crime
- DPRK Detector - How North Korean is your Twitter feed?
- The DPRK’s Violation and Evasion of UN Sanctions via Cyber and IT Worker Activities by SlowMist.
- Inside the GitHub Infrastructure Powering North Korea’s Contagious Interview npm Attacks by Socket.
- Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ by Krebs on Security.
- The Upbit hacker is laundering funds through Railgun and has passed their “ZK proof of innocence” by dethective.
- Thief Posing as Delivery Driver Ties Up Homeowner, Steals $11M in Crypto.
- Bitcoin Heist: Family Members Waterboarded, Sexually Assaulted as Attackers Steal $1.6 Million.
- Six men, including two minors, were arrested on Saturday in Chalon-sur-Saône, France for planning to kidnap a man and rob him of cryptocurrency.
Policy
- China’s central bank reaffirms crypto ban, flags stablecoin risks following multi-agency meeting.
- Japan Moves to Mandate Reserves for Crypto Exchanges as Hacks Mount.
- Jack Mallers Got Debanked. You Could Be Next.
Phishing
- Against all odds: security awareness campaign at Devconnect by The Red Guild.
Malware
- Malicious PyPI Package Embeds Multi-Layer Encrypted Backdoor to Steal Users’ Cryptocurrency Information by HelixGuard.
- Malicious Chrome Extension Injects Hidden SOL Fees Into Solana Swaps by Kush Pandya (Socket).
Media
- The Immunefi Show Episode 3 - How to Protect Billions on Solana.
- Atrium Academy - Building with a Focus on Security w/ Cyfrin.
- Bankless Summit - The Bot Economy: When AI & MEV Collide with Shea Ketsdever.
- SEC-T 0x11: Simon Gerst - Attacking and defending GitHub Actions.
Research
- Mastering Ethereum 2nd Edition. An updated classic.
- The Security Researcher’s Guide to Mathematics by Bernhard Mueller.
- Blockchain bridge security - Part 3: Arbitrary call execution by Caliber.
- The Fundamentals of Cryptocurrency Transaction Tracing by TRM.
- Shielded Pools with on-chain Retroactive Anonymity Control by Damian Straszak.
- ART: A Graph-based Framework for Investigating Illicit Activity in Monero via Address-Ring-Transaction Structures.
- Securing Smart Contract Languages with a Unified Agentic Framework for Vulnerability Repair in Solidity and Move.
- SmartPoC: Generating Executable and Validated PoCs for Smart Contract Bug Reports.
- Price manipulation schemes of new crypto-tokens in decentralized exchanges.
Tools
- Herd Contract Visualizer allows you to see all the functions and variable relationships in a nice graph view.
- Anchor Constraints Analyzer by Decurity. This tool analyzes security of constraints in Solana programs written with Anchor.
Hacks
MegaETH
Date: November 25, 2025
Attack Vector: Misconfiguration
Impact: Assets Stolen
Chain: Ethereum
References:
https://rekt.news/megaoops
https://x.com/megaeth/status/1994165259171397882
https://x.com/megaeth/status/1993395774164488361
https://x.com/hrkrshnn/status/1993465014712516736
https://x.com/0xblanker/status/1993341901077201085
Exploit:
https://etherscan.io/tx/0x7884fe71f118d2b2570de41e2f3becd127c04bf07471a373a601d95325979967
Upbit
Date: November 27, 2025
Attack Vector: Hot Wallet Compromise
Impact: $36,800,000
Chain: Solana
References:
https://upbit.com/service_center/notice?id=5800&view=share
https://x.com/upbitglobal/status/1993864055459860906
https://x.com/PeckShieldAlert/status/1993891142484808060
https://x.com/SlowMist_Team/status/1993891910906466468
https://x.com/BeosinAlert/status/1993893452883673297
https://x.com/BeosinAlert/status/1994034038755954727
https://x.com/exvulsec/status/1993986914169573616
https://www.theblock.co/post/380764/upbit-says-emergency-audit-of-30m-hack-uncovered-flaw-that-could-expose-private-keys