Application security, Third-party code, Critical Infrastructure Security, Supply chain

EmEditor supply chain compromise facilitates infostealer deployment

Source PC website developer. Real software development code. JavaScript code in text editor. Computer interface. Abstract technology background. Java Software engineer concept.

SecurityWeek reports that widely used Windows text and code editing software EmEditor has been compromised in a supply chain intrusion that enabled information-stealing malware deployment.

Threat actors behind the campaign have modified the URL behind the "Download Now" button on the EmEditor homepage to redirect to a nefarious .msi file with the same name and size as the original installer but with a certificate from a different firm, according to an advisory from Emurasoft, the developer of EmEditor.

Additional findings from Chinese cybersecurity firm Qianxin revealed that the .msi file features a script that obtained not only system data but also VPN configurations, Windows and other apps' credentials, and browser-stored information.

Information gathering activities are then followed by the delivery of the infostealer under the guise of the Google Drive Caching extension, which moves to pilfer browser cookies, bookmarks, and history, as well as other system details, while conducting clipboard hijacking, keystroke logging, and Facebook ad account exfiltration.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds