Researchers at SafeDep discovered a malicious npm package named "microsoftsystem64" that exfiltrates credentials and system information to HuggingFace. The package abuses a known SSRF vulnerability to steal cloud instance metadata, posing a significant supply chain risk.
A Romanian national known as "Dort" has been arrested and charged in both the U.S. and Canada for allegedly operating the "kimwolf" botnet, which was used to launch distributed denial-of-service (DDoS) attacks and other cybercrimes. The botnet infected thousands of devices worldwide.
A large-scale NPM supply chain campaign involving 176 malicious packages targeted internal dependency systems. The packages were designed to evade detection by mimicking legitimate internal modules, aiming to compromise private registries and exfiltrate sensitive data from organizations.
A fake malware website appears as the first result when searching Google for "OpenAI Codex app," posing a security risk to users looking for the legitimate tool.
A malware developer who created malicious NPM packages targeting Claude AI users' secrets accidentally leaked their own GitHub private token in the process. The attack was part of a supply chain campaign, but the developer's sloppiness exposed their identity and credentials. The incident highlights ongoing risks in the open-source ecosystem.
Threat actors exploited a Ghost CMS vulnerability to compromise hundreds of websites and deploy ClickFix attacks, a social engineering technique that tricks users into executing malicious actions. The campaign targeted both site operators and visitors, leveraging the compromised platforms to spread malware or steal sensitive information.
A malware developer attempting to steal secrets from Claude AI users inadvertently leaked their own GitHub private token, exposing their own data and operations.
CrowdStrike disrupted Glassworm, a botnet that targeted developers by poisoning open-source packages. The takedown involved sinkholing domains and seizing servers to cut off stolen credentials and backdoors.
Fake ChatGPT installers hosted on GitHub and SourceForge are distributing a remote access trojan known as Deno RAT. The malware, disguised as legitimate software, allows attackers to remotely control infected systems. Users are advised to verify the authenticity of software sources before downloading.
A developer describes being targeted in a sophisticated malware campaign likely linked to North Korea (DPRK), involving fake job offers and malicious code designed to compromise their system.
A new wave of the Shai-Hulud malware campaign has compromised approximately 600 NPM packages, targeting developers by embedding malicious code into open-source dependencies to steal credentials and sensitive data.
Researchers discovered a new supply chain attack targeting 34 packages across NPM, PyPI, and crates.io, with over 100 malicious versions published. The packages deploy a "TrapDoor" crypto stealer designed to exfiltrate cryptocurrency wallet credentials and sensitive data from infected systems.
The TrapDoor supply chain attack was discovered on PyPI, npm, and crates.io, using malicious packages to steal cryptocurrency from developers. The trojanized libraries exfiltrate wallet credentials and sensitive data, exploiting trust in open-source registries.
Security researchers have identified "TrapDoor," a cross-ecosystem crypto-stealer campaign that targets both Android and iOS users. The malware disguises itself as legitimate apps and uses social engineering to trick victims into granting accessibility permissions, ultimately stealing cryptocurrency wallet credentials and funds across mobile platforms.
Hackers hijacked popular Laravel translation packages (laravel-lang) to inject credential-stealing malware. The compromised packages, hosted on GitHub and Packagist, targeted developers by stealing environment variables, database credentials, and API keys. Users are advised to update to the latest patched versions immediately.
APKPure, a third-party app store, is reportedly distributing a malicious version of the Telegram messaging app that contains malware, posing a security risk to users who download it from that platform instead of official sources.
A threat actor hijacked several popular Laravel language packages on Packagist to deploy credential-stealing malware. The compromised packages, including 'laravel/lang' and others, contained malicious code that exfiltrated environment files and sensitive data. Users who recently installed updates are advised to rotate all secrets and credentials.
A supply chain attack targeting Laravel-Lang packages was discovered, where malicious code was injected to steal credentials from developers. The compromised packages exfiltrated environment variables and sensitive data, highlighting risks in the PHP ecosystem's dependency chain.
Security researchers discovered a malicious postinstall hook embedded in over 700 GitHub repositories, including legitimate Node.js projects. The script exfiltrates sensitive data such as system environment variables and API keys to an external server, posing a significant supply chain risk to developers who clone or install these packages.
FBI Director Kash Patel's Based Apparel site hosted a "ClickFix" attack tricking visitors into installing malware via a fake error prompt. The malicious script has been removed; the site was likely compromised.
CypherLoc is an advanced browser-locking scareware that targets millions of users by freezing their browsers and displaying fake alerts to trick them into paying for unnecessary services or support.
Kash Patel's official merchandise website was compromised by hackers who altered it to trick visitors into downloading malware instead of purchasing items, according to cybersecurity reports.
A hacking group called TeamPC has been conducting a widespread software supply chain attack by poisoning open source code on GitHub with malware, impacting thousands of repositories. The campaign, which has been ongoing for months, involves injecting malicious code into popular open source projects to compromise downstream users at an unprecedented scale.
Valve has removed a free horror game called Sniper: Phantom's Resolution from Steam after players discovered it contained malware designed to steal user data, including browser credentials and cryptocurrency wallet information.
A suspected Russian botmaster known as "Dort" has been arrested in Canada and charged in both the U.S. and Canada for allegedly operating "Kimwolf," a sophisticated malware botnet used to deploy ransomware and steal sensitive data from hundreds of victims worldwide.
A team that was hit by malicious npm packages built Computer Police, a local registry proxy that intercepts npm/PyPI installs to block confirmed-malicious packages before they reach disk. It focuses only on known malware rather than CVEs or heuristics, and works locally, in CI, and in agent sandboxes.
Zimperium researchers uncovered a global Android carrier billing fraud campaign, dubbed "Premium Deception," that uses malicious apps to secretly subscribe users to premium services without their consent. The campaign has impacted victims across multiple countries and mobile carriers, leveraging stealthy techniques to evade detection and siphon charges through carrier billing systems.
GitHub confirmed that attackers breached 3,800 repositories by exploiting a malicious Visual Studio Code extension. The extension was crafted to steal authentication tokens from developers, enabling unauthorized access to their private code repositories. GitHub has revoked compromised tokens and is notifying affected users.
A malware dubbed Fast16, designed to sabotage nuclear weapons simulations by manipulating data to produce false results, has been uncovered. The tool targets high-performance computing clusters used in nuclear research, potentially allowing attackers to cause undetected errors in weapons simulation data.
Interpol's 'Operation Ramz' has resulted in the seizure of 53 servers used for malware distribution and phishing attacks, disrupting cybercriminal infrastructure across multiple countries. The operation targeted platforms hosting malicious content and stealing sensitive data.