Tag: infostealer
All items tagged infostealer.
- PostCSS npm typosquats deliver a Nuitka-compiled Python RAT with Chrome DPAPI credential theft
- Unit 42: malicious skills on the OpenClaw "ClawHub" agent marketplace deliver macOS infostealers and weaponise AI agents for financial fraud
- macOS ClickFix evolves: `hdiutil attach -nobrowse` mounts the malicious DMG invisibly before dropping AMOS [SINGLE-SOURCE]
- Research: ClickFix matured into a productised malware-as-a-service supply chain
- Threat actor: DPRK Sapphire Sleet escalates npm supply-chain attacks with the Mastra compromise
- UPDATE: Mastra npm scope compromise attributed to North Korea, with the access vector our deep dive could not name
- Microsoft details a USB-LNK worm with Tor hidden-service C2 driving a cryptocurrency clipboard hijacker
- China arrests 67 members of the Silver Fox (Winos/ValleyRAT) cybercrime network
- 15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys on "Apply"
- Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain
- Huntress: Potemkin loader delivers RMMProject RAT and bypasses Chromium App-Bound Encryption
- Zimperium: Rokarolla Android banking trojan targets 217 apps with full device takeover
- DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets
- Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave
- "Atomic Arch" supply-chain attack hijacks 400+ AUR packages to drop a credential stealer and eBPF rootkit
- NCSC-CH Week 23: coordinated surge in job-seeker targeting — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery
- Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain
- Check Point: a TDS-gated ecosystem impersonates security tools (Ghidra, dnSpy, ILSpy) to deliver SessionGate, RemusStealer and a clipboard hijacker [SINGLE-SOURCE]
- UPDATE: Shai-Hulud/Miasma supply-chain worm jumps to PyPI as "Hades" — 37 malicious wheels across 19 packages
- Microsoft Threat Intelligence: AI-brand impersonation drives Lumma Stealer and Vidar delivery via signed binaries
- FIFA World Cup 2026 pre-event threat cluster: Android banking trojans in pirated streaming apps, plus a 13,000-domain fraud layer, ahead of the 11 June kick-off
- IronWorm + Miasma AI coding-agent injection: two supply-chain worms target cloud credentials and developer toolchains simultaneously
- Miasma / TeamPCP supply-chain worm: from npm credential theft to AI coding-agent config injection across the week
- Technology / software supply chain — four concurrent worm/supply-chain threats in one week
- TA4922 — China-nexus cybercrime cluster expands from Japan into Germany, UK and Italy with native-language lures and Atlas RAT
- SANS ISC: WeTransfer-delivered JavaScript stages a steganographic image loader ("Evil MSI background") on Cloudflare Workers and R2 [SINGLE-SOURCE]
- IronWorm: Rust-built npm worm ships an eBPF kernel rootkit, Tor C2 and a cloud/AI-credential sweep
- UPDATE: Miasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectors
- Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT
- Unit 42 Operation FlutterBridge: notarized macOS backdoor hides its logic in a remote WebView and exfiltrates documents through an "AI summarise" feature
- DesckVB RAT malspam launders through Google DoubleClick and blinds AMSI/ETW, with German-language lures aimed at DACH [SINGLE-SOURCE]
- SANS ISC: SVG phishing wave abuses a non-standard MIME type to slip past WAF/email pattern-matching [SINGLE-SOURCE]
- UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
- "Miasma" worm backdoors 32 Red Hat Cloud Services npm packages via OIDC trusted-publishing abuse
- LLMShare malvertising campaign: attackers embed fake outage pages in ChatGPT share links and serve infostealer downloads via Google Ads
- FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel
- WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS
- Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO-poisoning lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners under signed Microsoft binary
- "TrapDoor" cross-ecosystem supply-chain campaign validates stolen tokens before exfil and poisons AI-assistant config files
- ACR Stealer distributed through counterfeit Claude AI download pages promoted by malicious search ads [SINGLE-SOURCE]
- UPDATE: TeamPCP / Mini Shai-Hulud — framework open-sourced, Microsoft PyPI SDK trojanised with a wiper stage, forged Sigstore badges
- CVE-2026-35616 — Fortinet FortiClient EMS pre-auth bypass, exploited to push EKZ Infostealer down the management channel
- Mini Shai-Hulud / TrapDoor — the supply-chain worm goes cross-ecosystem, open-source and destructive
- AI tooling as lure, attack surface and force-multiplier — the cross-day pattern no single daily framed whole
- Finance — Iberian retail-banking pressure from Grandoreiro plus a parallel Android MaaS
- Mini Shai-Hulud / TeamPCP — @antv npm wave and confirmed Maven Central poisoning; Cargo still un-hit
- actions-cool/issues-helper GitHub Action compromised — 53 tags moved to imposter commit reading Runner.Worker /proc/PID/mem; linked to Mini Shai-Hulud
- Nx Console VS Code extension (2.2 M installs) compromised via stolen publisher credentials — 11-minute window 2026-05-18 12:36–12:47 UTC
- UPDATE: TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services
- TeamPCP / Mini Shai-Hulud supply-chain worm — CI/CD credential theft running all week; GitHub itself among claimed victims
- TeamPCP / Mini Shai-Hulud / Megalodon — the open-sourced supply-chain worm became commodity infrastructure this week
- `node-ipc` npm package backdoored via expired-domain account takeover — 90+ credential categories exfiltrated, three malicious versions, ~3-minute window to detection
- Unit 42: Gremlin Stealer evolved with .NET-resource XOR obfuscation, real-time crypto-clipper, and WebSocket browser-process session-hijack module [SINGLE-SOURCE]
- UPDATE: Mini Shai-Hulud — TeamPCP worm hits TanStack, UiPath, Mistral AI, OpenSearch (160+ package versions)
- DAEMON Tools Lite supply-chain compromise — China-nexus QUIC RAT delivered via signed installers; ~12 selective government / scientific / manufacturing targets
- JDownloader official site compromised — Windows and Linux installers swapped for ~48 hours
- JDownloader official site compromised — Windows and Linux installers swapped for a Python RAT for ~48 hours
- Sophos: "Beagle" backdoor distributed via fake Claude AI site using DonutLoader + DLL sideloading on a signed G DATA AV updater
- ClickFix campaign expands to macOS — Macsync, Shub Stealer and AMOS delivered via Base64 Terminal commands that bypass Gatekeeper
- Hunt for trojanised JDownloader installers and unsigned Python child processes
- Detect ClickFix-style Terminal-paste social engineering on macOS endpoints