A contractor improperly accessed customer information affecting approximately 30 users.
The activity, tracked between January 28 and February 2, indicates deliberate infrastructure mapping rather than opportunistic crawling.
With valid login details, threat actors can take over accounts, gain internal access or use the data for additional follow-on fraud.
Researchers estimate that approximately 3,500 exposed React Native Metro servers are currently accessible online.
The threat actor compromised of infrastructure associated with Notepad++ to deliver a previously undocumented backdoor, dubbed Chrysalis.
The campaign, dubbed Operation Neusploit, was observed just three days after Microsoft revealed the flaw.
Masquerading as legitimate cryptocurrency trading automation tools, the packages, known as u201cskills,u201d deliver data-stealing malware.
