Front Page: NCSC-FI

Information security now!

This week we highlight the “Be vigilant on the web! Recognise and prevent digital scams” public event to be held at Oodi on 2 December. We also discuss digital skimming attacks targeting online shop payment pages and report on devices exposed to the BadBox 2.0 malware, some of which have ended up for sale in well-known US retail chains. In addition, we introduce the new Shai Hulud worm, which spreads in developer environments and steals access credentials. We also draw attention to recent Microsoft 365 account breaches, and in this week’s malware review, we take a closer look at PromptLock.

Be vigilant on the web! Recognise and prevent digital scams – public event at Oodi on 2 December

What kinds of scams carried out by criminals might we encounter online and on social media? How have the techniques used by fraudsters changed and developed over the past year, and what can we expect in 2026? How are online scams being tackled, and what can each of us do to protect ourselves?

These themes will be discussed at the “Be vigilant on the web! Recognise and prevent digital scams” public event organised by the NCSC-FI at Traficom, the police, the Digital and Population Data Services Agency, and Aalto University. The event will take place in Maijansali, at the Helsinki Central Library Oodi, on 2 December from 11:30 to 13:00.

The event is open to everyone and will also be streamed on Yle Areena. Helsinki Central Library Oodi is located at Töölönlahdenkatu 4.

The event will begin at 11:30 with a discussion on cybersecurity in literature, featuring authors Helena Immonen and Christian Rönnbacka, interviewed by Marianne Lindroth from Aalto University.

At 12:00, the programme continues with insights into fraudsters and fraud, where Merja Mähkä and Sonja Nylander share their experiences. The discussion will be moderated by Kimmo Rousku from the Digital and Population Data Services Agency. 

To conclude the event, from 12:30 to 13:00, authorities will present up-to-date tips for a safe Christmas season, with experts from the NCSC-FI at Traficom, the police, Aalto University, and the Digital and Population Data Services Agency.

Online, not everything may be what it seems. nytvalppaana.fi

Online shop payment pages targeted by attacks – how digital skimming works

In digital skimming, malicious code is inserted into an online shop to secretly collect customers’ payment information without their knowledge. The attack is often enabled through a script injected into the site or through a compromised e-commerce plug-in. Once present on the site, the malicious code activates when the customer moves to the payment page and transmits the payment details directly to the criminals.

The widespread use of plug-ins on e-commerce platforms and inadequate update processes can allow criminals to inject harmful code. What makes this phenomenon difficult to detect is that customers usually notice nothing unusual during the payment process. An online purchase may appear to have been completed normally even though payment information has been stolen in the background.

Owners of online shops should use tools that monitor website files and detect changes, such as modified or newly added files. It is also worth watching for other signs, such as payment details being directed to an unknown domain or unusual HTTP requests. In addition, both the e-commerce platform and its plug-ins should be kept up to date.

Read more about ways to prevent digital skimming in this week’s Information Security Now! article:

The invisible thief in your online shop – Digital skimming can have significant financial impacts (in Finnish)

Devices exposing users to BadBox 2.0 malware also sold in well-known US retail chains

Android smart devices pre-infected with malware have been detected on the consumer market. The issue particularly concerns Android-based televisions, TV boxes and other end-user devices commonly used in home networks. To enable malware installation, a backdoor has been embedded into these devices during the production phase – and it cannot be removed. The most significant malware of this type this year has been BadBox 2.0.

BadBox 2.0 is a threat that begins even before the user switches on the device. It is a malware campaign in which malicious code is pre-installed on Android devices—such as Android TV boxes, tablets or smart devices—sold via various online shops and distribution channels.

These malware-containing products have now also reached well-known US retailers such as Walmart and Best Buy. These chains sell various Android TV devices that are not Google-certified and offer “free” streaming services. However, such devices bypass the security measures of official Android TV products and can enable the device to become part of a botnet.

The NCSC-FI recommends that consumers carefully examine any device before purchasing and favour reputable retailers and manufacturers operating in the EU market. Telecommunications operators also actively contact subscription holders if harmful traffic is detected on their network connection. If a device sounds too good or too cheap to be true, it may carry risks — including malware.

New Shai Hulud worm spreads in developer environments and steals access credentials

This week, widespread reports have emerged about a new piece of malware spreading in the npm ecosystem. The worm spreads rapidly in developer environments when a user installs an infected npm library. The malicious code executes automatically during package installation, without any action required from the user.

Once established, the worm searches for secrets — such as API keys, GitHub and npm credentials, and cloud service access tokens — using techniques similar to the TruffleHog tool. Any information it finds is published to a randomly named public GitHub repository. After doing so, the worm attempts to spread further.

Targets are not selected based on individual characteristics; exposure occurs if a project uses infected dependencies. Infections have been found in packages published by, among others, Zapier, ENS Domains, PostHog, and Postman, and new cases are being identified continuously.

To detect and prevent infections, organisations should review their entire development infrastructure for suspicious indicators. In particular, they should scan for known compromised packages. Any infected packages should be removed immediately, and automatic package updates should be temporarily disabled. 

If an infection is suspected, administrators should rotate all access credentials. We recommend enabling multi-factor authentication on all developer and automation accounts and using short-lived, scope-limited access tokens.
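One way to do the package scan described above, as an added example that is not NCSC-FI's or npm's own tooling: the Node.js script reads an npm lockfile (lockfileVersion 2 or 3), matches each installed package@version, nested copies included, against a list of known-compromised versions, and also lists packages flagged with hasInstallScript, since install-time scripts are where this kind of worm gets to run. The compromised list and the sample lockfile are constructed placeholders; take the real list from current advisories.

```javascript
// Placeholder list: take the real compromised package@version pairs from the
// advisories you follow; these names are constructed for the example.
const COMPROMISED = new Set(["example-widget@2.4.1", "@example-org/example-cli@7.0.3"]);

// "node_modules/@scope/pkg" or "node_modules/a/node_modules/b" -> "@scope/pkg" / "b".
// The root project itself is keyed "" and has no node_modules prefix.
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Walk every installed package (nested duplicates included) and report
// known-compromised versions plus packages that npm marks as having
// preinstall/install/postinstall scripts, i.e. code that runs on `npm install`.
function scanLockfile(lock, compromised = COMPROMISED) {
  if (!lock.packages) throw new Error("expected lockfileVersion 2 or 3 (packages map)");
  const hits = [], installScripts = [];
  for (const [p, entry] of Object.entries(lock.packages)) {
    const name = packageName(p);
    if (!name) continue;
    const id = `${name}@${entry.version}`;
    if (compromised.has(id)) hits.push(id);
    if (entry.hasInstallScript) installScripts.push(id);
  }
  return { hits: hits.sort(), installScripts: installScripts.sort() };
}

// Constructed sample lockfile with a scoped package and a nested duplicate.
const SAMPLE_LOCK = {
  name: "shop-frontend", lockfileVersion: 3,
  packages: {
    "": { name: "shop-frontend", version: "1.0.0" },
    "node_modules/example-widget": { version: "2.4.1", hasInstallScript: true },
    "node_modules/@example-org/example-cli": { version: "7.0.2" },
    "node_modules/left-pad-ish": { version: "1.3.0" },
    "node_modules/left-pad-ish/node_modules/example-widget": { version: "2.3.9" },
    "node_modules/native-thing": { version: "0.9.0", hasInstallScript: true },
  },
};
console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

Replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) to scan a real project; the installScripts list is the set to review by hand, since most entries there will be legitimate native-build packages. While an incident is ongoing, `npm config set ignore-scripts true` stops lifecycle scripts from running at install time, at the cost of breaking packages that genuinely need them.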

The NCSC-FI welcomes any observations related to this phenomenon. 

Alert on Microsoft 365 account breaches withdrawn

Microsoft 365 accounts belonging to Finnish organisations continue to be compromised as a result of phishing. Due to a significant increase in cases, the NCSC-FI issued a severe alert on the matter on 9 September 2025. 

Phishing messages can be extremely difficult to recognise, and organisations must therefore protect themselves against account breaches by enabling security features in their M365 environments at the organisational level.

The number of M365 account breach reports submitted to the NCSC-FI has now stabilised, and the alert is being withdrawn. However, the threat of M365 account breaches remains. In August 2025, 71 cases were reported, in September 117, in October 125, and in November around 70. The NCSC-FI has published guidance on improving security in M365 environments.

Weekly malware review: PromptLock

PromptLock represents a new type of ransomware that uses generative artificial intelligence and has the potential to significantly change cybercriminal methods. The malware uses a locally run language model to generate malicious Lua scripts in real time and autonomously selects which files it searches for, copies or encrypts. The scripts produced by PromptLock run on multiple platforms — including Windows, Linux and macOS — increasing its versatility and potential for spread.

PromptLock is based on predefined text prompts, which determine the task to be carried out, such as data exfiltration or encryption. Technically, PromptLock uses the SPECK 128 encryption algorithm and is written in Golang. Early variants have already been detected in the VirusTotal service, indicating active development.

For now, PromptLock remains at the conceptual stage and has not been observed in active use. However, malware enabled by artificial intelligence — including tools like PromptLock — is being actively developed. The use of AI automates the production of malicious code and reduces the need for highly skilled criminal groups.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 21–27 November 2025). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cybersecurity professionals to ordinary people.