#malware

Apple
from Mail Online
3 hours ago

Apple issues warning to iPhone users over stealthy attack: Act NOW

Apple has released critical iOS updates to protect against the DarkSword cyberattack method targeting vulnerable devices.
#cybersecurity
Information security
from SecurityWeek
10 hours ago

In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware

New Android malware targets banking users, Italy fines Intesa Sanpaolo for data breach, Apple updates Mac security against ClickFix attacks.
Information security
from The Hacker News
1 day ago

Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners

Operation REF1695 uses fake installers to deploy RATs and cryptocurrency miners, monetizing infections through CPA fraud since November 2023.
Information security
from The Hacker News
5 hours ago

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

TA416 has intensified cyberattacks on European government and diplomatic organizations since mid-2025, utilizing advanced malware delivery techniques.
Information security
from SecurityWeek
10 hours ago

TrueConf Zero-Day Exploited in Asian Government Attacks

Chinese hackers exploited a zero-day vulnerability in TrueConf software to attack government entities in Asia, allowing execution of malicious code.
Information security
from The Hacker News
14 hours ago

New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images

A new version of SparkCat malware targets cryptocurrency users on mobile platforms, concealing itself in benign apps and evolving its technical capabilities.
Information security
from Theregister
1 day ago

Fake Claude Code source downloads actually delivered malware

Leaked Claude Code source code led to malware downloads, including credential-stealing Vidar and proxy tool GhostSocks, via a malicious GitHub repository.
#npm
Node JS
from InfoQ
1 day ago

Axios npm Package Compromised in Supply Chain Attack

A significant supply chain attack on Axios introduced a Remote Access Trojan via hijacked maintainer accounts, affecting numerous developer environments.
Node JS
from BleepingComputer
3 days ago

Hackers compromise Axios npm package to drop cross-platform malware

Hackers compromised the Axios npm account to distribute remote access trojans across multiple operating systems.
Node JS
from Theregister
3 days ago

Top npm package backdoored to drop dirty RAT on dev machines

A widely used npm library, axios, was compromised to deliver malware through a maintainer's hijacked account.
#phishing
Information security
from Techzine Global
4 days ago

Major phishing campaign on GitHub using fake security alerts

A large-scale phishing campaign targets developers on GitHub, exploiting Discussions to spread fake security alerts about Visual Studio Code and distribute malware.
Information security
from The Hacker News
1 week ago

Hackers Use Fake Resumes to Steal Enterprise Credentials and Deploy Crypto Miner

A phishing campaign targets French-speaking corporations with fake resumes, deploying malware for credential theft and cryptocurrency mining.
Information security
from The Hacker News
2 days ago

CERT-UA Impersonation Campaign Spread AGEWHEEZE Malware to 1 Million Emails

A phishing campaign impersonating CERT-UA distributed malware called AGEWHEEZE targeting various organizations in Ukraine.
Information security
from The Hacker News
2 days ago

Casbaneiro Phishing Targets Latin America and Europe Using Dynamic PDF Lures

A phishing campaign targets Spanish-speaking users in Latin America and Europe, delivering banking trojans via malware called Horabot.
Information security
from The Hacker News
1 week ago

AitM Phishing Targets TikTok Business Accounts Using Cloudflare Turnstile Evasion

Threat actors are using AitM phishing to compromise TikTok for Business accounts, targeting business accounts for malvertising and malware distribution.
#north-korea
Information security
from DevOps.com
2 days ago

North Korean Hackers Suspected in Supply Chain Attack on Popular Axios Project - DevOps.com

North Korean hackers hijacked the npm account of an axios maintainer, publishing malicious versions that installed a remote access trojan.
Node JS
from The Hacker News
1 week ago

North Korean Hackers Abuse VS Code Auto-Run Tasks to Deploy StoatWaffle Malware

North Korean threat actors use StoatWaffle malware via malicious VS Code projects to steal data and execute commands on infected systems.
#whatsapp
from Theregister
3 days ago
Information security

Don't open that WhatsApp message, Microsoft warns

WhatsApp messages are being exploited to deliver malicious files that allow attackers to control victims' machines and access their data.
Privacy professionals
from SecurityWeek
2 days ago

FBI Warns of Data Security Risks From China-Made Mobile Apps

Foreign-developed mobile applications pose significant data security risks, particularly those from China, according to an FBI alert.
#axios
Information security
from Techzine Global
2 days ago

North Korea behind social engineering attack on Axios project

Attackers compromised the Axios maintainer's account through social engineering, publishing malicious versions that installed a Remote Access Trojan on victims' systems.
Node JS
from SecurityWeek
2 days ago

Axios NPM Package Breached in North Korean Supply Chain Attack

Malicious Axios NPM library versions were distributed in a supply chain attack by North Korean hackers, affecting millions of users.
Node JS
from Axios
3 days ago

North Korean hackers implicated in major supply chain attack

A compromised maintainer account for the Axios npm package led to the publication of malicious software versions targeting various operating systems.
Information security
from SiliconANGLE
3 days ago

Hackers compromise popular Axios Javascript library with hidden malware - SiliconANGLE

Axios HTTP client library was hacked to distribute malware via a compromised npm account, affecting multiple operating systems.
Node JS
from Techzine Global
3 days ago

Axios npm package compromised, posing a new supply chain threat

Malicious versions of axios were published on npm, installing a Remote Access Trojan on multiple operating systems.
Node JS
from The Hacker News
3 days ago

Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios experienced a supply chain attack due to malicious dependencies in two npm package versions.
#supply-chain-attack
Information security
from InfoQ
3 days ago

PyPI Supply Chain Attack Compromises LiteLLM, Enabling the Exfiltration of Sensitive Information

A supply chain attack on LiteLLM led to over 40,000 downloads of a compromised package that harvested sensitive information.
Information security
from The Hacker News
2 weeks ago

Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers

Speagle malware hijacks Cobra DocGuard infrastructure to harvest and exfiltrate sensitive data while masking communications as legitimate server traffic.
Information security
from Techzine Global
2 weeks ago

GlassWorm malware surfaces in development environments

GlassWorm operation compromised over 400 software components across GitHub, npm, and development marketplaces using supply-chain attacks and blockchain-based command-and-control infrastructure.
#litellm
Information security
from TechCrunch
4 days ago

Popular AI gateway startup LiteLLM ditches controversial startup Delve | TechCrunch

LiteLLM is terminating its relationship with Delve for security certifications after a malware incident and will seek a new compliance auditor.
Silicon Valley
from TechCrunch
1 week ago

Delve did the security compliance on LiteLLM, an AI project hit by malware | TechCrunch

Malware was discovered in the popular open source project LiteLLM, compromising user credentials and causing significant security concerns.
Information security
from InfoWorld
1 week ago

PyPI warns developers after LiteLLM malware found stealing cloud and CI/CD credentials

Compromised LiteLLM packages executed a three-stage payload targeting sensitive data in cloud environments before being removed from PyPI.
Information security
from The Hacker News
4 days ago

DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials

DeepLoad malware uses ClickFix tactics and AI-assisted obfuscation to evade detection and steal credentials immediately.
Information security
from SecurityWeek
6 days ago

Cloudflare-Themed ClickFix Attack Drops Infiniti Stealer on Macs

macOS users are targeted by a ClickFix campaign delivering a Python-based information stealer through a fake Cloudflare verification page.
Information security
from The Hacker News
6 days ago

TA446 Deploys Leaked DarkSword iOS Exploit Kit in Targeted Spear-Phishing Campaign

Russian state-sponsored group TA446 is using the DarkSword exploit kit to target iOS devices through phishing emails.
Information security
from The Hacker News
1 week ago

ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits & 20 More Stories

A sophisticated malware campaign targets Web3 support teams using deceptive links to deliver malicious executables and establish persistent communication with threat actors.
US news
from SecurityWeek
1 week ago

Alleged RedLine Malware Administrator Extradited to US

Hambardzum Minasyan has been extradited to the US for his alleged involvement in the RedLine malware operation.
Privacy technologies
from ZDNET
1 week ago

5 telltale signs that your phone has been compromised (and how to combat them)

Phone hacking can be detected through signs like battery drain, slow performance, unfamiliar logins, and reduced storage space.
Information security
from TechRepublic
1 week ago

Nearly 7M Email Addresses Exposed in Crunchyroll Third-Party Breach

Crunchyroll was breached through a third-party vendor, compromising user data and internal systems via a support agent's account.
#ransomware
Information security
from The Hacker News
1 week ago

Russian Hacker Sentenced to 2 Years for TA551 Botnet-Driven Ransomware Attacks

A Russian national was sentenced to two years for managing a botnet used in ransomware attacks against U.S. companies.
Silicon Valley
from www.theguardian.com
1 week ago

We Know You Can Pay a Million by Anja Shortland review - the terrifying new world of ransomware

Ransomware originated from a 1989 stunt by Joseph L Popp Jr, who used a Trojan virus to extort money under the guise of HIV prevention.
from Ars Technica
1 week ago

Self-propagating malware poisons open source software and wipes Iran-based machines

CanisterWorm, as Aikido has named the malware, targets organizations' CI/CD pipelines used for rapid development and deployment of software. Every developer or CI pipeline that installs this package and has an npm token accessible becomes an unwitting propagation vector.
Information security
Roam Research
from InfoWorld
1 week ago

New 'StoatWaffle' malware autoexecutes attacks on developers

StoatWaffle malware communicates with a C2 server to execute various commands and targets browser data and Keychain databases on macOS.
Information security
from SecurityWeek
1 week ago

Stryker Says Malicious File Found During Probe Into Iran-Linked Attack

Stryker identified a malicious file used in a cyberattack by the Iran-linked group Handala, disrupting operations but finding no evidence of malware or ransomware.
Information security
from TechCrunch
1 week ago

FBI says Iranian hackers are using Telegram to steal data in malware attacks | TechCrunch

Iranian government hackers exploit Telegram to steal data from dissidents and journalists through malware disguised as legitimate apps.
from Computerworld
1 week ago

Chrome encryption bypass discovered: New malware steals passwords and cookies

The bypass requires neither privilege escalation nor code injection, making it a stealthier approach compared to alternative ABE bypass methods.
Information security
#trivy
from The Hacker News
2 weeks ago
Information security

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

Trivy, an open-source vulnerability scanner, was compromised twice in a month, delivering malware that stole sensitive CI/CD secrets.
Information security
from TechCrunch
3 weeks ago

Law enforcement shuts down botnet made of tens of thousands of hacked routers | TechCrunch

Law enforcement agencies globally shut down SocksEscort, a botnet compromising over 369,000 routers across 163 countries used for financial crimes, ransomware, DDoS attacks, and CSAM distribution.
#botnet
Roam Research
from Ars Technica
3 weeks ago

14,000 routers are infected by malware that's highly resistant to takedowns

A 14,000-device botnet called KadNap primarily compromises unpatched Asus routers to create a takedown-resistant proxy network for cybercrime using peer-to-peer Kademlia architecture.
Information security
from The Hacker News
4 weeks ago

China-Linked Hackers Use TernDoor, PeerTime, BruteEntry in South American Telecom Attacks

A China-linked APT group targets South American telecommunications infrastructure with three new implants across Windows, Linux, and edge devices since 2024.
Information security
from Computerworld
4 weeks ago

The Coruna exploit: Why iPhone users should be concerned

Coruna is a sophisticated nation-state malware toolkit exploiting 23 vulnerabilities across five chains to steal data, cryptocurrency, and personal information while respecting Apple's Lockdown Mode.
Information security
from The Hacker News
4 weeks ago

APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine

Russian state-sponsored APT28 deployed two new malware families, BadPaw and MeowMeow, targeting Ukrainian entities through phishing emails with Ukrainian-language lures about border crossing appeals.
Information security
from Theregister
1 month ago

Crims hit a $20M jackpot via malware-stuffed ATMs

ATM jackpotting malware enabled thieves to steal over $20 million by forcing compromised ATMs to dispense cash without bank authorization.
Tech industry
from Techzine Global
1 month ago

AI platforms open new route for malware campaigns

AI assistants with web access can be abused as covert command-and-control intermediaries, allowing malware to receive commands and exfiltrate data while evading detection.
Information security
from Theregister
1 month ago

30+ Chrome extensions disguised as AI chatbots steal secrets

Malicious Chrome extensions posing as AI assistants steal API keys, emails, and personal data while using a shared codebase and remote iframe control.
from ZDNET
1 month ago

Is spyware hiding on your phone? How to find out and remove it - fast

Spyware is one of the top threats to your mobile security and can severely impact your handset's performance if you are unlucky enough to become infected. It is a type of malware that typically lands on your iPhone or Android phone through malicious mobile apps or through phishing links, emails, and messages. While appearing to be a legitimate software package or useful utility, spyware will operate quietly in the background to monitor your movements,
Privacy technologies
from The Hacker News
1 month ago

North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations

The North Korea-linked threat actor known as UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data from Windows and macOS systems with the ultimate goal of facilitating financial theft. "The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim," Google Mandiant researchers Ross Inman and Adrian Hernandez said.
Information security
from The Verge
1 month ago

OpenClaw's AI 'skill' extensions are a security nightmare

OpenClaw's skill marketplace contains hundreds of malicious add-ons that can deliver malware and exfiltrate crypto and device credentials.
Information security
from Axios
1 month ago

Exclusive: Suspected Chinese hackers impersonate U.S. briefings in phishing lure

China-linked Mustang Panda used file-based phishing to infect diplomatic and election officials with data-stealing persistent malware, detected by an AI agent at Dream.
Artificial intelligence
from Fortune
1 month ago

Researchers say viral AI social network Moltbook is a 'live demo' of how the new internet could fail | Fortune

Moltbook's AI-agent social platform exposed security failures, malware, and data leaks, revealing risks of low-oversight agent ecosystems that can enable attacks and societal harm.
Information security
from Ars Technica
1 month ago

Notepad++ updater was compromised for 6 months in supply-chain attack

Notepad++ update/download traffic can be intercepted at ISP/TLS-intercept level, enabling redirection and tampered downloads; verify version 8.8.8+ from the official site and consider blocking.
Information security
from Kotaku
1 month ago

Steam Hit People Playground Gets Hit With A Save Wiping Virus

People Playground's Steam Workshop was infected by a malicious mod that spread to other mods, wiping in-game saves and prompting immediate updates and mod deletion.
from SecurityWeek
1 month ago

Cyber Insights 2026: Malware and Cyberattacks in the Age of AI

By mid-2026, at least one major global enterprise will fall to a breach caused or significantly advanced by a fully autonomous agentic AI system.
Artificial intelligence