DoubleClickjacking: A New Exploit That Defeats Clickjacking Protections
- SISA Weekly Threat Watch -
In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities reported across various platforms. Recent incidents include a new exploit, DoubleClickjacking, which bypasses traditional clickjacking protections and has been demonstrated on platforms like Shopify, Slack and Salesforce; the npm registry being used by a variety of threat actors to deliver malicious payloads, including the Quasar RAT malware; the widely used npm packages @rspack/core and @rspack/cli being published with embedded cryptocurrency mining malware; and a new malware, “OtterCookie”, that uses social engineering tactics to lure victims. In other news, the Ficora and Capsaicin botnets are exploiting vulnerabilities in outdated D-Link routers to launch distributed denial-of-service (DDoS) attacks. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.
1. DoubleClickjacking: A New Exploit That Defeats Clickjacking Protections
DoubleClickjacking is an advanced clickjacking technique exploiting double-click mouse events to trick users into performing sensitive actions, such as authorizing OAuth apps or approving MFA requests, on legitimate websites. This method bypasses traditional protections like X-Frame-Options and iframe restrictions. Cybersecurity researchers have demonstrated its effectiveness on platforms like Shopify, Slack, and Salesforce.
The attack involves users interacting with an attacker-controlled page (e.g., solving a CAPTCHA) on the first click, followed by triggering a sensitive action on a legitimate site through a redirected second click. Challenges for attackers include timing disruptions and dynamic URLs.
Developers can counteract this exploit by randomizing or removing ID attributes, requiring gestures or delays before button activation, and using JavaScript-based protections. Organizations should monitor for abuse and educate users, while browser vendors are encouraged to develop defenses against rapid context-switching and unauthorized overlays.
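One way to implement the "gesture or delay before activation" defence mentioned above, as an added example that is not code from the advisory or from the original research: a sensitive button (an OAuth "Authorize" or MFA "Approve" control) stays disabled until the page has seen a real user gesture and a minimum dwell time has elapsed since the control appeared, so a second click queued on another page cannot land on a freshly shown button. The names SensitiveActionGate, attachGate and minDelayMs are this example's own.

```javascript
// Added example (not from the SISA advisory or the original research): a
// client-side gate for sensitive buttons. The button is disabled until the page
// has observed a genuine gesture (mouse movement or key press) AND a minimum
// dwell time has passed since the control appeared. Names (SensitiveActionGate,
// attachGate, minDelayMs) are this example's own.

class SensitiveActionGate {
  constructor(minDelayMs = 500) {
    this.minDelayMs = minDelayMs;
    this.shownAt = null;   // when the control became visible (ms timestamp)
    this.gestureAt = null; // first genuine gesture after shownAt, or null
  }
  shown(now) { this.shownAt = now; this.gestureAt = null; }
  // Clicks are deliberately NOT counted as gestures; only movement/keys arm the gate.
  gesture(now) {
    if (this.shownAt !== null && this.gestureAt === null && now >= this.shownAt) {
      this.gestureAt = now;
    }
  }
  canActivate(now) {
    if (this.shownAt === null || this.gestureAt === null) return false;
    return now - this.shownAt >= this.minDelayMs;
  }
}

// Browser wiring: keep the button disabled and re-enable it only once the gate
// allows; also veto the click in the capture phase as a last line of defence.
function attachGate(button, gate, win = typeof window !== 'undefined' ? window : null) {
  if (!win) return gate; // no DOM (e.g. running under Node): nothing to wire
  const now = () => win.performance.now(); // same clock as Event.timeStamp
  button.disabled = true;
  gate.shown(now());
  const release = () => { if (gate.canActivate(now())) button.disabled = false; };
  const onGesture = (ev) => { gate.gesture(ev.timeStamp); release(); };
  win.document.addEventListener('mousemove', onGesture, { once: true });
  win.document.addEventListener('keydown', onGesture, { once: true });
  win.setTimeout(release, gate.minDelayMs); // the gesture may arrive before the delay ends
  button.addEventListener('click', (ev) => {
    if (!gate.canActivate(now())) { ev.preventDefault(); ev.stopImmediatePropagation(); }
  }, true);
  return gate;
}
```

In a page, call `attachGate(document.querySelector('#authorize'), new SensitiveActionGate(500))` once the control is rendered; the server-side check that the action was actually intended still has to exist, since any client-side gate can be bypassed by a hostile client.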
2. Malicious npm Package Deploys Quasar RAT on Developer Systems
Cybersecurity researchers have uncovered a malicious npm package, ethereumvulncontracthandler, falsely claiming to detect Ethereum smart contract vulnerabilities. Instead of delivering its promised functionality, the package deploys Quasar RAT, a remote access trojan, onto developer systems, granting attackers full control via a command-and-control (C2) server.
The malware employs obfuscation techniques like Base64 and XOR encoding to evade detection, executing PowerShell commands to deploy the RAT. Once installed, it enables persistence through Windows Registry modifications, catalogs infected machines, exfiltrates sensitive data, and communicates with the C2 server at captchacdn[.]com:7000. The package has been downloaded 66 times, exploiting developers’ trust in niche tools.
Organizations can mitigate this threat by scrutinizing third-party libraries, using dependency scanners, and restricting PowerShell usage. They should also monitor network traffic for suspicious activity, maintain up-to-date threat intelligence, and deploy EDR solutions to detect and block threats in real time.
3. Supply Chain Attack Targets Rspack npm Libraries with Malicious Code
Two widely used npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack. The packages are distributed through npm, the default package manager for the Node.js JavaScript runtime. Malicious versions (1.1.7) embedded cryptocurrency mining malware, transmitted sensitive data to a remote server, and deployed an XMRig miner on Linux systems. The attack, which exploited npm publishing credentials, targeted specific countries like China, Russia, and Belarus. Safe versions (1.1.8) have been released, and the malicious versions were removed.
The malware collected sensitive cloud credentials, IP addresses, and location data. It executed a cryptocurrency miner via a postinstall script in package.json, running automatically during installation. The attack affected organizations such as Amazon, Alibaba, and Microsoft, emphasizing the critical risks in the software supply chain.
Organizations must update to version 1.1.8, audit dependencies, and monitor for mining activity. Maintainers are advised to strengthen access controls, use MFA, and implement code signing, while ecosystem managers should enforce stricter safeguards and detect suspicious publishing patterns.
4. Ficora and Capsaicin Botnets Leverage Outdated D-Link Firmware
The Ficora and Capsaicin botnets are exploiting vulnerabilities in outdated D-Link routers (e.g., DIR-645, DIR-806, GO-RT-AC750) to launch distributed denial-of-service (DDoS) attacks. They target routers with unpatched flaws like CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112, leveraging default credentials and advanced propagation techniques. Ficora, a Mirai variant, targets Japan and the US, while Capsaicin, linked to the Keksec group, focuses on East Asia during short attack bursts.
Ficora uses scripts like multi to exploit D-Link’s firmware and management interface, performing UDP, TCP, and DNS amplification attacks. Capsaicin, a Kaiten variant, employs bins.sh to disable rival botnet payloads, exfiltrate data, and execute DDoS attacks.
Recommendations to mitigate this threat include updating router firmware and replacing unsupported devices. Organizations are urged to strengthen credentials, disable unnecessary remote access, and use network segmentation and firewalls.
5. NK Hackers Use OtterCookie Malware in Sophisticated Social Engineering Attacks
The North Korean hacking group behind the Contagious Interview campaign is deploying a new malware, OtterCookie, to target developers and software professionals. Disguising themselves as recruiters, attackers use social engineering to lure victims into downloading malware through compromised videoconferencing apps, npm packages, or GitHub-hosted libraries. Delivered via a custom loader, OtterCookie fetches and executes malicious JavaScript from JSON data.
OtterCookie performs reconnaissance, exfiltrates clipboard data (e.g., passwords), and gathers system/network information, potentially enabling lateral movement. It operates alongside or replaces the BeaverTail payload, reflecting a modular and adaptive approach.
The malware is distributed through npm packages, Node.js projects, and malicious Qt/Electron applications. These infection pathways exploit the trust of technical users in legitimate platforms.
Recommendations to mitigate this threat include verifying job offers, avoiding untrusted software, and using sandbox environments. Organizations must enhance software supply chain security, deploy EDR solutions, and block identified indicators of compromise.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.