Stories about supply chain attacks appear in the news with alarming regularity. In most cases they begin when attackers compromise publicly available packages. This may give the impression that the main danger of public repositories lies in the fact that someone could steal a developer’s credentials and inject malicious code into the software they create. However, in reality, this isn’t the only thing to be wary of when working with repositories hosting open-source projects. Misconfigurations of key components can also be a source of problems.

In particular, GitHub Actions — automation scripts that enable the creation of continuous integration and continuous delivery (CI/CD) pipelines — can pose a risk. Errors and misconfigurations in these scripts are periodically exploited by attackers in real-world attacks. A prime example is the recent Mini Shai-Hulud malware campaign. While it also began with the compromise of a popular project’s maintainer, the malware distributed during this campaign stole secrets specifically by exploiting a flaw in GitHub Actions.

Using a new set of rules for Kaspersky Container Security, our experts from the Global Research and Analysis Team (GReAT) conducted a security analysis of GitHub Actions across ~30,000 popular GitHub repositories. In short, automation pipelines in only 10% of these repositories raised no concerns.

Detailed research results

In total, the rules implemented as part of the latest KCS release were used to scan ~130,000 pipelines. They identified more than 250,000 potential deviations from recommendations for secure CI/CD configuration. Of course, these deviations cannot be considered vulnerabilities in and of themselves, but they do indicate areas where the configuration may require additional review and more careful tuning.

Of these 250,000+ deviations, 59.8% can be classified as low risk, and 39.8% — medium risk. However, in 0.4% of cases, more serious misconfigurations were found, which our technologies classified as high risk. Furthermore, critical flaws found in eight repositories could potentially lead to supply chain compromise. The affected repositories covered a wide range of use cases — including AI integration in enterprise environments, services for developers and automation, and as well as security testing tools. Of course, our experts reported these critical issues to the maintainers of the relevant repositories.

Here are the most common flaws found in the GitHub Actions we reviewed:

• implicitly defined or overly broad access permissions,
• lack of version pinning for used dependances,
• configuration settings applied at the workflow level.

In addition, more dangerous patterns were found: (i) exposure of secrets at the top level, (ii) potentially insecure run conditions, and (iii) insecure handling of external data. Fortunately, however, these were much less common.

How can you stay safe?

Misconfigurations in GitHub Actions can potentially turn development pipelines into tools for attackers, allowing them to compromise the development environment or attack a company’s infrastructure. Issues identified in a timely manner will enable developers to build more secure processes and minimize the risk of supply chain compromise.

Searching for misconfigurations in GitHub Actions.

The set of rules mentioned above, which was used in this study, is now available to Kaspersky Container Security users following the latest update. With this set of rules, our solution can detect misconfigurations in GitHub Actions both by scanning repositories and by being integrated directly into CI/CD pipelines. You can learn more about the KSC solution on its page.

Kaspersky official blog – ​Read More

Lack of alert context makes it difficult for Security Operations Centers (SOC) to distinguish actual threats from false positives. ANY.RUN’s integration with Torq, a no-code/AI SOC automation platform, bridges this gap by delivering conclusive malware & phishing verdicts and actionable intelligence.  

The result for your team is faster incident resolution, reduced alert fatigue, and proactive threat detection. 

ANY.RUN & Torq Integration 

Unlike legacy SOAR approaches that often require custom code and months of implementation, Torq allows SOC and MSSP teams to build response logic visually. The ANY.RUN integration adds a critical layer of malware analysis, phishing detection, and IOC enrichment to these workflows. 

At launch, users have access to 5 ready-to-use templates designed to accelerate time-to-verdict and standardize the investigation process. 

• Threat Intelligence Enrichment with TI Lookup 

• File & URL Analysis with Interactive Sandbox 

Teams can edit the current templates to fit their specific processes, adding actions, changing conditions, or using ANY.RUN as one specific step in a complex, multi-tool automation. 

Available on ANY.RUN Threat Intelligence and Interactive Sandbox plans with API access, the integration helps analysts streamline their workflows, gaining full alert or threat context quickly with an average reduction in MTTR of 21 minutes.  

Interactive Sandbox Templates in Torq 

The Interactive Sandbox workflows allow analysts to detonate suspicious objects in real-time environments (Windows, Linux, macOS or Android) to uncover evasive behaviors. There are two types of templates available for sandbox analysis: 

1. Case-Based Workflows 

These are triggered directly from a Torq Case, where observables and attachments are automatically ingested from sources like EDR, SIEM, XDR, or email security tools. 

• Process: The analyst opens a case and launches the workflow. The system automatically retrieves observables or attachments, filtering for supported objects such as URLs or files. Analysts can then select specific objects for detonation. 

• Result: Analysis data is added to the case notes in real-time. This includes a brief context, reputation, threat names or tags, and a structured JSON response. Additionally, a direct link is provided, allowing the analyst to jump into the ANY.RUN session to continue a manual, interactive analysis. 

The list of case-based templates: 

• Enrich Case with URL Analysis in ANY.RUN Sandbox 

• Enrich Case with File Analysis in ANY.RUN Sandbox 

2. Sandbox Analysis Workflows 

These templates are designed to be embedded as a specific step within a larger, custom incident response flow. 

• Process: Unlike case-based templates, these function independently of a specific case. They accept a URL or File as an input parameter and initiate the ANY.RUN Sandbox analysis. 

• Result: The workflow waits for the analysis to complete and returns a structured JSON object containing the final verdict, analysis metadata, a list of IOCs, and a link to the full report. This data can then be passed further down the custom automation chain. 

The list of sandbox analysis templates: 

• Analyze URLs with ANY.RUN Sandbox 

• Analyze Files with ANY.RUN Sandbox 

Threat Intelligence Lookup Templates in Torq 

The Threat Intelligence (TI) Lookup integration focuses on rapid enrichment of “raw” observables found in alerts, such as IPs, domains, hashes, and URLs. 

• Automation at Scale: When a case contains suspicious indicators, the TI Lookup workflow queries ANY.RUN’s vast database of threat data—continuously updated from millions of sandbox sessions. 

• Instant Context: The workflow returns high-fidelity data including the reputation of the indicator, threat names, and specific tags. This allows analysts to immediately understand the nature of a threat and decide whether to block the indicator or escalate the incident. 

• Enrichment Integration: Much like the sandbox workflows, TI Lookup results are delivered directly into the Torq interface as JSON data or case notes, ensuring that the analyst never has to leave their primary workspace to gather intelligence. 

Explore the TI Lookup template. 

How to Integrate ANY.RUN in Torq 

Setting up the integration is straightforward and requires no custom coding: 

1. Navigate to Integrations within Torq and locate ANY.RUN. 

2. Click Add, create a new instance, and enter your API key. 

3. Go to the Templates tab and search for ANY.RUN templates. 

4. Select your previously configured ANY.RUN integration to begin using the workflows. 

By default, these playbooks are configured to be launched manually. This is a deliberate design choice to ensure that only appropriate objects are sent for analysis.  

However, for high-volume environments, these templates can be easily integrated into broader, fully automated playbooks. 

Key SOC & MSSP Benefits of Integrating ANY.RUN in Torq 

ANY.RUN’s deep behavioral visibility with Torq’s hyper-automated orchestration levels up the efficiency of modern security operations, moving beyond simple automation toward maximizing security ROI. 

• Faster incident resolution (MTTR): Automating sandbox analysis and threat intelligence correlation allows you to cut incident resolution time by tens of percent. Analysts get clear verdicts in seconds, enabling them to block threats before they spread. 

• Operational scaling: You can handle a growing volume of alerts with your current staff. By automating routine Tier 1 tasks, your team can focus on complex threats without a proportional increase in headcount. 

• Zero development overhead: Unlike custom integrations that require months of engineering, this no-code setup is ready in minutes. You get a functional automation foundation without the cost of writing or maintaining scripts. 

• Standardized investigation logic: Every alert is checked using the same high-fidelity criteria. This ensures consistent results and reduces the risk of human error, regardless of an analyst’s experience level. 

• Higher ROI on existing tools: ANY.RUN works as an enrichment layer inside Torq, making your SIEM, EDR, and other security investments more effective by providing them with immediate, actionable context. 

• Reduced analyst burnout: By eliminating manual data entry and constant switching between tools, you allow your team to focus on meaningful security work, which improves overall SOC productivity. 

About ANY.RUN 

Trusted by over 600,000 cybersecurity professionals and 15,000+ organizations worldwide, ANY.RUN helps security teams investigate threats faster and with greater accuracy. 

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, while our Threat Intelligence solutions (TI Lookup and TI Feeds) provide the necessary context to anticipate and stop today’s most advanced attacks. 

The integration of ANY.RUN with Torq adds a specialized layer of malware analysis, phishing detection, and IOC enrichment to your security operations. By utilizing these automated workflows, SOC teams can seamlessly embed ANY.RUN’s deep visibility into their existing triage and incident response flows. 

The post ANY.RUN & Torq Integration: Scale Triage & Respond with Confidence appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

There are dozens of ways to break into someone else’s Telegram account. We’ve frequently covered phishing in Telegram Mini Apps, scams with bots, gifts, and giveaways, and many other tactics. Today, we’re looking at yet another account hijacking method, one that relies on a PowerShell script.

The script, deceptively named “Windows Telemetry Update”, actually serves as a tool for hijacking Telegram sessions. It harvests data from completely defenseless user computers and forwards it to the attackers via a Telegram bot.

An evil script with a stealer inside

Cybercriminals frequently rely on PowerShell scripts to covertly download malware or harvest data. This time, researchers uncovered a script on Pastebin masquerading as a routine Windows update. In reality, it was an infostealer designed to hijack Telegram for Windows session data and allow hackers to take over accounts without a password or verification code.

What’s a PowerShell script anyway? Think of it as a text file packed with commands for a Windows computer. Instead of a human spending time clicking through tasks manually, the computer follows these quick instructions to get everything done automatically in a matter of seconds.

This PowerShell script steals Telegram for Windows session data, letting hackers hijack accounts without a password or verification codes

Right at the top of the script, researchers immediately spotted a Telegram bot token and a chat ID, alongside multiple references to the tdata folder. This specific folder is where Telegram for Windows keeps the authorization keys used to log users in to its servers. If attackers grab this data, they can access the victim’s Telegram account without a password or verification code. Once inside, they maintain access until the victim checks their active sessions in the app and manually terminates the suspicious ones.

How the stealer works

The malware lands on the victim’s computer disguised as a PowerShell script for a Windows telemetry update. As soon as it runs, it gathers basic system information: the username, hostname, and public IP address. It then checks if Telegram Desktop is installed. If it is, the script forces the app to close so it can unlock Telegram files for editing.

From there, the rest is simple: the script zips up the entire contents of the tdata folder into a temporary directory, forwards the archive straight to the attackers, and wipes the file from the computer to erase its tracks.

The good news is that the stealer likely hasn’t compromised any accounts yet, as experts found no evidence of actual data transfers. It appears researchers caught this malicious PowerShell script while it was still in the prototype testing phase.

Another giveaway is its surprisingly suspicious name. Cybercriminals typically use neutral names to hide their bots and apps. In this case, when researchers found it, the bot was running under the burner handle afhbhfsdvfh_bot with a dead-honest description: Telegram attacker. Researchers noted that while the bot had likely undergone functional testing, it hadn’t yet been deployed at scale, which explains the placeholder name.

How to defend against PowerShell scripts

Defending against this nameless stealer requires a layered approach to security. First, it helps to understand how a PowerShell script ends up on your PC in the first place. Usually, they slip in unnoticed through malicious email attachments, software vulnerabilities, infected apps, or social engineering tricks. That’s why we recommend installing a robust security suite on your device and staying highly cautious about the links you click and the files you download.

• Be careful what you download. Always double-check the websites you use to download files. Stick to trusted, official sources — and remember that Telegram and Discord channels, and sketchy, fly-by-night websites definitely don’t fit that description.
• Watch out for email links and attachments. Keep in mind that email remains a favorite delivery method for cybercriminals. They might drop a PowerShell script directly into your inbox as an attachment or bait you into clicking a link that triggers an automatic download.
• Keep your apps and OS updated. Software vulnerabilities pop up unexpectedly, but patches are usually released very quickly. We recommend installing updates as soon as they become available. To make life easier, just turn on automatic updates wherever possible.

Make sure to install Kaspersky Premium on every device where you run Telegram. Our security solution will block malware, malicious attachments, spam, phishing attempts, and sketchy websites. Kaspersky Premium subscription additionally includes a password manager. It’ll generate and securely store strong and unique passwords, stop you from entering your credentials on fake sites, and come in handy for tightening your Telegram security, which we’ll cover next.

How to secure your Telegram account

To protect your Telegram account from these types of hijacking schemes, make sure to:

• Regularly monitor your Telegram activity. Ultimately, hackers steal accounts to blast out spam and run scams. It’s a good idea to periodically check your chat history to ensure no new conversations or messages have appeared that you didn’t send yourself.
• Immediately terminate unrecognized sessions. If you suspect you’ve fallen victim to this infostealer or any other cyberattack, terminate all other Telegram sessions as soon as possible by going to Settings → Devices → Terminate all other sessions.

If your Telegram account has already been hijacked, you have a strict 24-hour window to kick the attackers out by terminating their sessions. We broke down exactly why this rule exists — and mapped out every possible way to reclaim your account — in our detailed guide: What to do if your Telegram account is hacked.

In the meantime, beefing up your account security is a must. First, set up a cloud password by heading to Settings → Privacy and Security → Two-Step Verification. Just any password won’t cut it — you need something unique and unhackable. We recommend reading our post on the subject: Creating an unforgettable password.

Better yet, make the switch to passkeys — a passwordless technology that offers top-tier protection against leaks and phishing. To set up that login method, go to Settings → Privacy and Security → Passkeys. The easiest way to manage your passkeys is with Kaspersky Password Manager. Our cross-platform app ensures you can seamlessly log in to Telegram using your saved passkeys whether you are on Windows, Android, iOS, or macOS.

To learn more about how cybercriminals can breach your Telegram account and how to lock it down, check out our other posts:

• Phishing in Telegram Mini Apps: what’s Habib’s papakha got to do with it?
• Telegram scams with bots, gifts, and crypto
• WhatsApp and Telegram account hijacking: How to protect yourself against scams
• You’ve been sent a “gift” — a Telegram Premium subscription
• What to do if your Telegram account is hacked

Kaspersky official blog – ​Read More

In early June, cybersecurity researchers discovered that a compromised version of the Israel-based Hola Browser for Windows (version 1.251.91.0) was secretly downloading a Monero crypto miner to users’ devices. Shortly after the discovery, Hola confirmed that it had fallen victim to a supply chain attack. In this article, we break down how the attack went down, how the crypto miner works, and what it means for affected users.

What is Hola Browser, and how was the malware discovered?

The Israeli company Hola is best known for its VPN service, which users primarily rely on to bypass geo-restrictions and access region-locked content. In addition to the VPN, the company develops Hola Browser — a Chromium-based browser that comes with built-in VPN and proxy features.

Researchers first spotted signs of trouble during a standard compliance check for the AppEsteem Windows Certified Application program. As part of this certification process, independent cybersecurity firms audit software to ensure it only contains the components it claims to have and is free of unwanted or malicious features. Even after a certificate is granted, apps are regularly re-evaluated to ensure they continue to meet AppEsteem’s strict guidelines.

It was during one of these routine follow-up checks that experts noticed an unauthorized file bundling itself with version 1.251.91.0 of Hola Browser for Windows. Once installed, the file saved itself to the hard drive at C:Program FilesHolame{.}exe. The file immediately raised red flags for researchers due to a laundry list of suspicious characteristics: it wasn’t on the list of approved application files, lacked a timestamp, and had no digital signature. On top of that, its code was heavily obfuscated, and it possessed the ability to inject itself directly into system memory.

Interestingly, researchers noted that the file didn’t show up in every single installation. Because the infection wasn’t widespread across all users, experts suspected early on that a specific stage in the Hola Browser distribution pipeline had been compromised. Hola later confirmed this theory, admitting it had fallen victim to a supply chain attack.

As for the suspicious me{.}exe file itself, closer analysis revealed that it was a stealthy crypto miner configured to mine Monero. We’ll now dive into the technical details of how it works.

How did attackers use Hola Browser to mine Monero?

Crypto miners are programs that harness a computer’s processing power to mine cryptocurrency. While some users install this software intentionally to generate a bit of income, miners that run on a machine without the owner’s knowledge are typically classified as unwanted.

Running a hidden miner can noticeably slow down the device, spike the user’s electricity bill, and shorten the hardware’s lifespan. That being said, it’s worth noting that a crypto miner infection will not actually steal the owner’s cryptocurrency; the damage is strictly limited to the hijackers leeching your computer’s hardware resources to line their own pockets.

As we mentioned above, the malicious download bundled with Hola Browser sneaked a Monero crypto miner onto victims’ devices. Launched in 2014 and built on the CryptoNote protocol, Monero currently trades at around US$330 per coin.

Compared to heavyweights like Bitcoin or Ethereum, Monero is a bit exotic and lesser-known to the general public. This niche status shows in its relatively modest price growth and smaller market capitalization — which is roughly 200 times lower than Bitcoin’s. However, Monero has one defining feature: privacy. While Bitcoin and Ethereum operate on fully transparent, public blockchains, where anyone can trace transactions, Monero is a “privacy coin”. It uses advanced cryptographic mechanisms to mask the sender, receiver, and transaction amounts. This extreme anonymity is exactly why hackers love hidden Monero miners — it makes it difficult for law enforcement and cybersecurity professionals to follow the money trail.

Additionally, Monero’s underlying algorithm is explicitly designed to mine efficiently using standard computer processors (CPUs). This stands in stark contrast to many other popular cryptocurrencies, which require specialized ASIC hardware or high-end graphics cards (GPUs) to be profitable.

But let’s look closer at how this played out with Hola Browser. When researchers dissected the malicious me{.}exe code, they found it was automatically adding its own files to the Microsoft Defender exclusion list. By allowlisting itself, the malware successfully blinded Windows’ built-in antivirus, allowing the crypto miner to run in the background completely unhindered.

Once inside, the program made a copy of itself under the name HolaMonitorService{.}exe, and set up a persistent Windows background service called hola_monitor_svc. This maneuver allowed the malware to entrench itself in the system, automatically launching every time the computer restarted. To avoid raising any red flags with sudden massive performance drops, the miner was programmed to stay dormant, kicking into gear only when the computer was idle.

How to protect your device from crypto miners and malware

To their credit, Hola’s development team responded swiftly to the initial reports of the suspicious file. They confirmed the supply chain breach, but stated that the incident only impacted 0.1% of their user base. The company has since tightened up security around its update distribution pipeline to guarantee that users only receive approved, certified, and digitally-signed software components moving forward.

In light of this incident, we highly recommend that all Hola Browser users update to the latest version immediately — especially those running the application on Windows.

More broadly, this situation is a textbook reminder of why it’s so critical to keep all your software up to date and run a robust cybersecurity solution on all your gadgets. For instance, Kaspersky Premium provides real-time alerts about suspicious software behavior and blocks threats instantly. As an added bonus, a Kaspersky Premium subscription includes a secure and reliable VPN.

Don’t forget that malicious crypto miners don’t just target PCs; they also go after smartphones, often disguising themselves as anything from popular mobile games to official government service apps. Check out our previous posts to learn more:

• Android Trojan posing as government services and Starlink apps
• What happens if you download a cracked program?
• Miner inconvenience: how cybercriminals blackmail YouTubers into promoting malware
• Mario Forever, malware too: a free game with a miner and Trojans inside

Kaspersky official blog – ​Read More