< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

2998 articles

Injective SDK npm package used to steal wallet keys

🔒 Security researchers discovered that the @injectivelabs/sdk-ts npm package (v1.20.21) was published with malicious code to capture cryptocurrency wallet private keys and mnemonic seed phrases. The compromise stemmed from a hijacked GitHub contributor account with suspicious commits appearing on June 8; the legitimate owner quickly reverted changes and released a clean 1.20.23. The malware activated when wallet-generation or import functions were called and exfiltrated secrets via HTTP POST to a public Injective Labs endpoint, and the tainted package had hundreds of dependent packages and thousands of downloads.
read more →

Dormant GitHub Accounts Exploited to Scrape Orgs

🔎 Datadog Security Labs warns of coordinated campaigns using dormant or compromised GitHub accounts and exposed personal access tokens to enumerate organizations via the GitHub API. Operators use automated scraping tools, aged "ghost" accounts, and legitimate-sounding user agents to blend into normal API traffic, primarily collecting public data but occasionally cloning private repositories. The activity leverages unauthenticated API surfaces and GraphQL queries to map repos, memberships, followers, and other artifacts for reconnaissance.
read more →

GigaWiper: Multipurpose Windows backdoor and wiper

🛡️ Microsoft dissected a destructive Windows backdoor dubbed GigaWiper, which bundles three older wipers into a single Go-based platform offering selectable destructive commands. The implant can wipe entire disks, overwrite the Windows drive, or run fake ransomware that encrypts files without saving keys, and also provides remote control capabilities like screenshots, VNC access, and process management. Microsoft and Binary Defense observed the same file hashes and command servers, with Binary Defense linking the samples to an Iran-linked actor while Microsoft refrains from attributing a country. Defenders should monitor for a OneDrive Update scheduled task, RabbitMQ/Redis traffic from desktops, and suspicious use of takeown/icacls, and apply tamper protection, endpoint blocking, and blocklisted server addresses.
read more →

Winning 54% of the Time: SOC Decisions and Threats

🎾 This week’s Threat Source reflects on decision-making in cybersecurity through a tennis analogy, arguing defenders need context and resilience rather than perfection. Cisco Talos details the China-nexus actor UAT-7810 expanding ORB networks by exploiting Ruckus and ASUS router vulnerabilities and deploying new backdoors like LONGLEASH and DOGLEASH. Additional briefs cover an AI-assisted ransomware incident, AirDrop/Quick Share flaws, a Tenda firmware backdoor, Estonia’s AI agent IDs, and new phishing and coinminer detections.
read more →

Helix vishing group targets SharePoint data theft

🔒 A new extortion group dubbed Helix uses vishing, device-code phishing, and MFA abuse to access and exfiltrate files from SharePoint environments. Operators impersonate managers via phone calls and spoofed caller IDs to trick employees into granting access, then register authenticators for persistence and bulk-download content. ReliaQuest links Helix tactics and infrastructure to prior groups like ShinyHunters and BlackFile, and recommends disabling device-code authentication and restricting SharePoint to managed devices.
read more →

Forg365 PhaaS Targets Microsoft 365 with AI

🛡️ Forg365 is a phishing-as-a-service platform that targets Microsoft 365 accounts by combining adversary-in-the-middle (AiTM) and device-code phishing with integrated AI-assisted lure generation. The service offers an admin dashboard for campaign management, OAuth and SMTP configuration, token handling, and a browser extension called ForgCookie for persistent cookie harvesting. Researchers at ZeroBEC found the operation uses legitimate delivery services like Amazon SES and SendGrid-hosted resources to blend malicious emails into normal traffic.
read more →

Meta’s NameTag controversy raises privacy alarms

🕶️ Meta’s Ray‑Ban smart glasses, boosted by AI, have sparked privacy concerns after leaked documents revealed a facial‑recognition feature called NameTag. The tool could match faces seen by the glasses to contacts or public profiles across Meta platforms and store unmatched faces in a “Pending” folder. Wired later reported that NameTag code and third‑party facial recognition components from Rank One Computing were embedded in the Meta AI companion app before being partially removed following public outcry.
read more →

Phishing job interviews steal Google credentials

🔒 Security teams have uncovered a targeted phishing campaign impersonating over 30 major brands to lure candidates into fake job interviews and harvest Google account passwords. Attackers use realistic recruiter names, photos and PeopleForce-sent messages to appear legitimate, and links redirect through trusted domains to a calendar booking page that prompts a Google sign-in. The scheme leverages a browser-in-the-browser trick where a fake Google auth pop-up captures credentials, though password managers can often block autofill. The campaign has operated for months and highlights growing sophistication in recruitment scams amid workplace uncertainty.
read more →

AI gateway compromise raises cloud security concerns

🔒 Researchers report an AWS EC2 instance acting as a LiteLLM proxy for Amazon Bedrock was compromised and used to deploy XMRig cryptomining malware. The intrusion highlights risk from AI gateways that centralize identities, permissions, and model access, making them high-value targets. Analysts observed SSH exposure, probable brute-force attempts, and suspicious IAM activity tied to model enumeration and persistence efforts. Darktrace assisted in timely detection and containment while urging tighter controls and telemetry correlation.
read more →

Global Operation First Light 2026 Targets Cybercrime

🛡️ A global anti-fraud operation, Operation First Light 2026, ran from January 15 to April 30, 2026, coordinated by Interpol with support from regional partners and funding from China’s Ministry of Public Security. The crackdown targeted social engineering scams such as romance fraud and BEC, leading to over 5,800 arrests, identification of 15,606 suspects and interception of $293m in illicit assets. Actions included raids, freezing 31,014 bank accounts, seizing devices and using Interpol’s I-GRIP stop-payment mechanism.
read more →

GodDamn ransomware uses signed PoisonX kernel driver

🛡️ GodDamn is a newly observed ransomware family that employs a signed PoisonX kernel driver and a Symantec‑masquerading user‑mode tool to disable endpoint protections. First spotted on May 21, 2026, Broadcom's Threat Hunter Team attributes the lineage to the Hyadina developer and links it to earlier Beast and Monster variants. Attacks used AnyDesk, PsExec, credential harvesters and lateral movement to compromise multiple hosts before deploying the encryptor.
read more →

INTERPOL-led Operation First Light nets global arrests

🕵️ Law enforcement agencies coordinated Operation First Light 2026 across 97 countries, arresting 5,811 suspects and seizing $293 million in illicit assets. The operation targeted social engineering fraud — including BEC, sextortion, impersonation, romance, and investment scams — and associated money laundering between January 15 and April 30. Authorities identified over 142,000 victims, blocked 31,014 bank accounts, and analyzed 152,808 cases while additional suspects were identified. INTERPOL coordinated the effort with regional policing bodies and funding support from China's Ministry of Public Security.
read more →

AssuranceAmerica breach exposes millions of driver records

🔒 AssuranceAmerica disclosed a data breach impacting 6,998,886 individuals after detecting suspicious activity on March 17, 2026. The incident began with a targeted attack on an employee that allowed unauthorized access and copying of data files. Stolen records include names, contact details, policy and claims information, driver and vehicle data, and driver's license numbers. The insurer has disabled compromised credentials, isolated affected systems, notified law enforcement, and strengthened security controls.
read more →

Mount Royal University confirms data breach incident

🔒 Mount Royal University in Calgary reported a cyberattack on June 17 that disrupted online services and internal systems, and led to theft and deletion of files from university storage drives. External cybersecurity experts have been engaged to investigate and assist recovery efforts. The attackers claimed responsibility as CMD Organization, posted samples of stolen documents, and demanded a 30 BTC ransom. MRU is notifying affected individuals and offering credit monitoring for certain employees.
read more →

Fake Paysafe, Skrill SDKs on npm and PyPI steal creds

🔒 Malicious packages impersonating Paysafe, Skrill, and Neteller SDKs were published to npm and PyPI, delivering credential-stealing malware to developers and applications. Socket discovered 17 packages that expose expected APIs but return fake success responses while searching for and exfiltrating secrets such as API keys, tokens, and AWS credentials. Developers who installed these packages are urged to rotate secrets, inspect dependency trees and CI logs, and block the malicious package names at registry proxies.
read more →

Vishing campaign abuses Entra passkey enrollment

🔔 A threat actor is using voice-based fake security calls to trick Microsoft 365 users into enrolling a malicious Entra passkey. The attacker directs victims to realistic phishing pages that mimic the Microsoft enrollment flow and uses an operator-controlled PHP kit to capture credentials and MFA responses in real time. Okta attributes the campaign to O-UNC-066, linked to the extortion group Pink, which targets multiple industries and quickly exfiltrates data after account takeover.
read more →

China-linked APT expands relay network and malware

🔍 Cisco Talos reports a China-nexus APT tracked as UAT-7810 has expanded a network of hijacked routers and devices called Operational Relay Boxes (ORBs) to hide other attackers' traffic. The group maintained a long-running LapDogs relay infrastructure and exploited unpatched Ruckus and ASUS router vulnerabilities to recruit devices. Researchers uncovered an upgraded backdoor, LONGLEASH, plus two new tools, DOGLEASH and JARLEASH, with evidence suggesting Chinese-speaking operators. Talos says the group's servers and malware remain active.
read more →

Convicted Operators Run Controversial Cybersecurity Startup

🛡️ A cybersecurity startup called IRIS C2, linked to Calvexa Group LLC, is publicly recruiting researchers and offering large payouts for zero-day exploits. The venture is tied to convicted felons and far-right activists Jack Burkman and Jacob Wohl, who have a history of fake intelligence firms, robocall schemes, and legal penalties. IRIS C2 claims to sell offensive capabilities to governments and says it hires junior talent regardless of formal credentials.
read more →

AI-Accelerated Cloud Attack Exploits Management Gaps

🔎 A Sygnia report details how a lone threat actor leveraged AI to complete in 72 hours what would normally take weeks, using established cloud attack techniques rather than novel exploits. The attacker obtained an AWS access key via an internet-facing app and used agentic AI workflows to search for secrets, establish persistence, exfiltrate RDS data, and perform impact actions. The report highlights gaps in secrets management, identity governance, deployment workflows and visibility, and provides containment recommendations for defenders.
read more →

Dual‑RAT phishing targets India tax filers this season

🛡️ Researchers at Cyderes uncovered a phishing campaign impersonating the Indian Tax Department that delivers two remote access trojans via a multi-stage infection chain. Victims receive fake tax assessment emails that prompt them to download a seemingly legitimate ITR utility, which abuses signed Windows binaries to sideload malicious DLLs and perform in-memory execution and process injection. The campaign deploys a Gh0st RAT derivative and a .NET implant related to the QuasarRAT/AsyncRAT family, each communicating with separate C2 servers, providing redundant access even if one implant is blocked.
read more →