BleepingComputer reports that threat actors have been exploiting the trending "Invisible Challenge" on TikTok to distribute the WASP Stealer malware, which could enable the theft of Discord accounts, cryptocurrency wallets, and computer files, as well as browser-stored passwords and credit cards.
The challenge involves using TikTok's "Invisible Body" filter to mask nude bodies with a blurry background. Videos made by now-suspended TikTok users @learncyber and @kodibtc promoted a software app for removing the filter and linked to a Discord server that pointed to a GitHub repository with the malware, a report from Checkmarx revealed. The trending status received by the malicious repository indicates the attack's success.
"It seems this attack is ongoing, and whenever the security team at Python deletes his packages, he quickly improvises and creates a new identity or simply uses a different name. These attacks demonstrate again that cyber attackers have started to focus their attention on the open-source package ecosystem. We believe this trend will only accelerate in 2023," said Checkmarx.