Supply Chain Persistence and Shai-Hulud
The commonality of supply chain-focused malware has seen remarkable growth in the past 24 months, with Shai-Hulud, aptly named after the giant sandworms in Frank Herbert’s Dune, taking much of the spotlight. First detected in September 2025, Shai-Hulud is a self-propagating worm that targets the npm JavaScript package registry. Now in its third iteration, Shai-Hulud…
The “MongoBleed” Crisis
Across the board, Casmer Labs has recorded the relative re-emerge of the “bleed” class of vulnerabilities, a category of memory safety errors made infamous by Heartbleed. At a high level, MongoBleed occurs because the MongoDB server trusts a client’s assertion of data size during the network message compression process. By claiming a payload is large…
Prompt Injection and Agentic Browsers
AI-powered agentic browsers and web-based chat assistants are currently susceptible to prompt injection. Attackers are embedding instructions into pages, documents, images, or even crafted URLs, causing the agents to ingest attacker-controlled text and act on it as if the user had given them those instructions. Prompt-Based Attacks: How They Work Let’s look at a relatively…
Malware Injection Via Steganography
The Shift Towards Browser=Based Exploitation In 2025, Casmer Labs has observed a marked increase in “trust-based” attacks, where threat actors exploit the inherent trust users place in official browser marketplaces. The GhostPoster campaign, recently identified by researchers at Koi Security, exemplifies this trend. Rather than exploiting a software vulnerability, the attackers utilized functional lures—VPNs, ad…
Critical React & Next.js Vulnerability Enables Full Server Takeovers
A newly disclosed flaw in React Server Components (RSC) and the frameworks built upon them—most notably Next.js—has exposed a massive attack surface across the modern web. Tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), this vulnerability allows attackers to execute arbitrary code on vulnerable servers without authentication. While the immediate threat is Remote Code Execution (RCE),…
The (Crypto-Stealing) Man in the Browser
A few weeks ago on November 19, Casmer Labs published a blog post exploring malicious browser extensions. In the article, we covered how malicious browser extensions manage to get listed in marketplaces as well as a few examples of specific pieces of malicious software. Before reading further, check out the article so you understand how…
Analyzing the November 18 Cloudflare Outage
On November 18, 2025, the world experienced a massive disruption as Cloudflare, a foundational infrastructure provider serving nearly 20% of the web’s traffic, suffered a global control plane failure for approximately 6 hours. Casmer Labs has compiled an analysis of the incident, including the root cause, its effects within the Cloudflare architecture, and how it…
The Man In The Browser
The browser extension ecosystem, while convenient and useful, is also a significant and rapidly evolving threat vector in the modern IT landscape. Even in official marketplaces, malicious browser extensions can execute phishing, keylogging, spying, generalized data theft, and session hijacking attacks. How it Works Let’s briefly discuss how a malicious browser extension can even make…
Large-Scale Malware Download Campaigns Utilizing WhatsApp
A massive campaign targeting Brazilian financial institutions has been identified, with over 62000 infection attempts blocked within the first 10 days since discovery. Attributed to the “Water Saci” threat actor, the “Maverick” banking trojan is designed to capture credentials through a combination of remote access, keylogging, and phishing overlay injection. Unlike most pieces of malware,…
Attackers Weaponizing Internal OAuth Apps to Persist Past Password Resets
Adversaries are exploiting Microsoft’s OAuth model to maintain persistent access — even after users change passwords or enable MFA. First reported late in October by ProofPoint, attackers are utilizing malicious internal OAuth applications within a victim’s tenant to maintain access to systems, including email and files, without detection. Unlike external third-party apps, these in-tenant applications appear…
Casmer Labs 