Internet Storm Center (ISC) researchers reported a self-propagating SSH worm observed by a DShield honeypot sensor that can compromise exposed Linux systems in roughly four seconds by using credential stuffing/brute force against weak SSH passwords, with a notable focus on Raspberry Pi devices left on default or common credentials (e.g., user pi with passwords such as raspberry and raspberryraspberry993311). The observed attack chain rapidly authenticates, uploads a compact 4.7 KB bash script (via SCP), executes it, and establishes persistence while removing competing malware, enabling worm-like exponential spread across vulnerable internet-connected hosts.
Technical analysis indicates the activity likely originated from an already-compromised Raspberry Pi in Germany (IP 83.135.10.12, Versatel Deutschland), using an SSH client string consistent with Raspbian (SSH-2.0-OpenSSH_8.4p1 Raspbian-5+b1) and a recorded HASSH fingerprint ae8bd7dd09970555aa4c6ed22adbbf56. Post-compromise, the malware connects to IRC-based command-and-control and includes cryptographically signed command verification; it also automates scanning and lateral movement using tools such as Zmap and sshpass, reinforcing how default/weak SSH authentication on IoT and small-form-factor Linux systems remains a high-impact botnet entry point.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
A SafeDep report identified sjs-biginteger as a malicious npm package impersonating the legitimate big.js library. The package was found to add attacker SSH keys to authorized_keys, open SSH access on port 22, and exfiltrate credentials to command-and-control infrastructure for persistent access and data theft.
Internet Storm Center researchers published analysis of a self-propagating Linux SSH worm that uses IRC-based command and control with RSA-signed command verification. They also reported the malware installs tools such as zmap and sshpass to scan roughly 100,000 random IPs and spread using common Raspberry Pi default credentials.
A DShield SSH sensor recorded an attacker logging in with weak or default SSH credentials, uploading a 4.7KB bash script via SCP, establishing persistence, and enrolling the host into a botnet within seconds. The attack traffic was traced to a compromised Raspberry Pi associated with a German ISP.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
safedep.io
Open sourceintel.breakglass.tech
Open sourcecybersecuritynews.com
Open sourceisc.sans.edu
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.