< ciso brief />

All news in category “Incidents and Data Breaches”

2742 articles · page 12 of 138

Deep#Door Python Backdoor Evades Detection On Windows

🐍 Securonix has identified a stealthy Python-based backdoor, Deep#Door, that uses an obfuscated batch loader to install a persistent implant on Windows systems. The self-contained dropper embeds and reconstructs its Python payload at runtime, disables security controls such as Windows Defender, and leverages multiple persistence mechanisms to maintain access. It uses public TCP tunneling for C2 and supports credential theft, keylogging, media capture and optional destructive actions, complicating detection and remediation.

Anti-DDoS Firm Accused of Enabling Attacks on ISPs

🛡️ Huge Networks, a Brazilian DDoS-mitigation firm, was implicated in enabling a Mirai-based botnet that launched sustained DDoS attacks against regional Brazilian ISPs. An exposed archive contained Portuguese-language Python attack scripts, private SSH keys belonging to CEO Erick Nascimento, and tooling that mass-scanned for TP-Link Archer AX21 routers vulnerable to CVE-2023-1389. The CEO says that the malicious activity followed a January 2026 intrusion, that the affected droplets were wiped and the keys rotated, and that a third-party forensics firm has been engaged.

Stealthy Python RAT 'DEEP#DOOR' Uses Public Tunneling

🛡️ Securonix researchers disclosed a stealthy Python-based backdoor named DEEP#DOOR that establishes persistent access and extensive surveillance on compromised Windows hosts. Delivered via an obfuscated batch dropper, the implant extracts and runs an embedded svc.py payload and uses the public Rust-based tunneling service bore.pub for command-and-control. Its capabilities include remote shells, credential and key theft, webcam and audio capture, and robust anti-analysis measures.

Authorities Dismantle Nine Crypto Scam Centers, 276 Arrests

🚨 Dubai-led authorities shut down nine cryptocurrency investment fraud centers and arrested 276 suspects in a coordinated international operation. Investigators said the networks ran pig-butchering (romance baiting) schemes that built trust with victims and then steered them to fake crypto platforms, where deposited funds were quickly seized and laundered. Several individuals now face wire fraud and money-laundering charges, and U.S. agencies have linked millions of dollars in losses to the networks through FBI IC3 complaints.

Fast16 Malware: State-Sponsored Sabotage Targeting Iran

🔍 Researchers have reverse-engineered a sophisticated malware strain called Fast16, concluding it is almost certainly state-sponsored and likely of US origin. The malware was reportedly deployed against Iranian targets years before Stuxnet, and it propagates automatically across networks while avoiding overt disruption. Instead of crashing systems, Fast16 silently tampers with numerical computations inside specialized simulation and engineering applications, altering results in ways that can turn routine analyses into faulty designs or trigger catastrophic equipment failures.

Europol Busts Albanian Call Centres Behind €50m Scam

🔎 Europol announced arrests and seizures after a two‑year probe into professionalised Albanian scam call centres that ran an investment fraud operation estimated to have cost victims at least €50m. Authorities arrested 10 suspects and searched three call centres and nine homes, seizing nearly €900,000, 443 computers, 238 mobile phones and multiple storage devices. Victims were lured via misleading ads and pressured by retention agents posing as investment advisors.

Supply Chain npm Attack Targets SAP Developer Tools

🔒 A supply-chain campaign dubbed "mini Shai-Hulud" infected SAP-related npm packages in late April, inserting install-time malware that harvested developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials across AWS, Azure, GCP and Kubernetes. Researchers identified affected packages including mbt@1.2.48 and several @cap-js modules. The malicious releases were later replaced with safe versions.

Handala Hackers Leak US Marines' Data, Send Threats

🚨 US Marines stationed near the Persian Gulf reported receiving chilling WhatsApp messages beginning Monday that urged them to call home and make final goodbyes. The messages were signed by the Iran-linked Handala hacking group and allegedly originated from a Bahraini phone number that was likely spoofed or hijacked. A day later, Handala posted that it had published names and phone numbers of 2,379 Marines and boasted of possessing addresses, family details and daily routines. While authorities caution that such claims may rely on scraped or recycled data rather than a fresh breach, the campaign’s intent to intimidate service members is clear.

Researchers uncover industrial sabotage malware from 2005

🧩 Researchers at SentinelOne uncovered a modular malware framework compiled in 2005 that targeted engineering modeling software by corrupting high‑precision floating‑point arithmetic. The framework uses an embedded Lua VM inside a malicious service loader (svcmgmt.exe) and includes a kernel rootkit, fast16.sys, which applies 101 pattern rules to modify infected executables. The implant appears crafted for strategic sabotage, selectively altering simulation outputs and spreading across network shares to compromise multiple workstations.

Developer's Roblox cheat triggers $2M data breach

🔒 In this podcast episode, a developer at an AI startup downloads a dubious Roblox script onto a work laptop, a single mistake that cascades into a costly breach with roughly $2 million in remediation costs. The episode also covers the long-standing SS7 telecom weakness that enables pervasive mobile tracking and interception, and host Graham Cluley and guest James Ball interview Rob Edmondson of CoreView about how to lock down Microsoft 365 before misconfigurations are exploited.

SAP npm Packages Compromised in Credential-Stealing Attack

🔒 Multiple official SAP npm packages were recently compromised in a supply-chain operation that adds a malicious preinstall script, which runs automatically during package installation. The script downloads the Bun runtime and executes an obfuscated payload that harvests a wide range of secrets, including npm and GitHub tokens, SSH keys, cloud credentials, Kubernetes configs, and CI/CD environment variables, and exfiltrates them to public GitHub repositories. Researchers attribute the campaign with medium confidence to TeamPCP and warn that it includes self-propagation logic that uses the stolen credentials to modify other packages.

Popular WordPress Redirect Plugin Hid Dormant Backdoor

🛡️ The Quick Page/Post Redirect WordPress plugin, installed on more than 70,000 sites, contained a hidden backdoor introduced through a malicious self-update mechanism in versions 5.2.1 and 5.2.2. Researcher Austin Ginder discovered the issue after multiple infections across his Anchor hosting fleet raised a security alert; WordPress.org has temporarily pulled the plugin pending review. The self-updater fetched a tampered 5.2.3 build from an external anadnet[.]com server that added a passive backdoor, triggered only for logged-out visitors and apparently used for cloaked SEO spam. Affected sites should uninstall the plugin and replace it with a clean copy of version 5.2.4 from WordPress.org once it is available.

Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (versions up to and including 2.20.1) have been chained to achieve remote code execution. The issues, CVE-2026-3965 and CVE-2026-4047, stem from a mismatch between the authorization middleware's path matching and Express.js routing, which lets unauthenticated requests reach admin endpoints. Active exploitation since early February has deployed cryptominers that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should upgrade to the patched release immediately and verify that the authentication middleware actually covers the admin routes.

Three Arrested Over Sale of 610,000 Stolen Roblox Accounts

🚨 Ukrainian police arrested three individuals accused of hacking and selling over 610,000 Roblox accounts, reportedly generating about $225,000 in proceeds. The Lviv authorities executed ten searches, seizing $35,000 in cash and multiple devices including 37 mobile phones, 11 desktop PCs, seven laptops, five tablets, and four USB drives. Prosecutors say the suspects — aged 19, 21, and 22 — used info‑stealing malware disguised as a game-enhancer, harvested credentials, categorized accounts by value, and sold high‑value profiles via a Russian website and closed online communities.

Supply-Chain Attack Targets SAP-Related npm Packages

⚠️ Researchers have uncovered a supply-chain campaign dubbed the "mini Shai-Hulud" that poisoned multiple SAP-related npm packages to install credential-stealing malware during installation. The malicious releases added a preinstall hook that fetched and executed a platform-specific Bun binary, harvesting local credentials, GitHub and npm tokens, CI secrets, and cloud credentials. Analysts from Aikido Security, SafeDep, Socket, StepSecurity and Wiz advise rotating tokens, inspecting workflows, and upgrading to patched releases.

DPRK Supply-Chain Campaign Uses AI-Inserted npm Malware

🛡️ Researchers identified an AI-assisted supply-chain campaign that injected malicious code into npm packages — notably @validate-sdk/v2 — after a dependency was introduced by Anthropic's Claude Opus LLM. ReversingLabs named the operation PromptMink and attributed it to DPRK-aligned actor Famous Chollima (aka Shifty Corsair). The tainted packages siphon crypto credentials and secrets through layered transitive dependencies and have evolved into multi-platform RATs and information stealers.

Police dismantle €50M crypto investment fraud ring

🔍 Austrian and Albanian authorities, supported by Europol and Eurojust, dismantled a large-scale cryptocurrency investment fraud operation responsible for estimated losses of €50 million. The coordinated action, which began in June 2023 and culminated in raids on April 17, resulted in 10 arrests and seizures of cash, hundreds of computers and mobile devices for forensic analysis. The ring operated professional call centres with up to 450 employees, using fake trading platforms and "retention agents" who used remote-access tools and psychological pressure to extract funds and later re-scam victims with bogus recovery fees.

AI-Assisted Malicious npm Dependency Steals Crypto

🔍 Researchers at ReversingLabs uncovered a malicious npm dependency, @validate-sdk/v2, that exfiltrated secrets and enabled attackers to access cryptocurrency wallets after being added to an autonomous trading agent in February 2026. The commit is reported to have been co-authored by Claude Opus, and attribution points to the North Korean state-sponsored group Famous Chollima. The campaign, tracked as PromptMink, used a two-layer package strategy—public-facing Web3 utilities to attract users while secondary dependencies delivered evolving malware that scanned environment files, collected system information, compressed project data, and installed SSH keys for persistence across Linux and Windows environments.

Lessons from the Vercel Breach: Shadow AI & OAuth Risk

🔒 The Vercel incident highlights how employee-installed AI apps can create persistent OAuth bridges between core enterprise systems and third parties, turning shadow AI into a critical attack vector. In the Vercel case a trial use of Context.ai granted access to Google Workspace, and when Context.ai was breached attackers leveraged stored tokens to pivot into Vercel. The piece urges admins to adopt default-deny consent, routinely audit integrations, and extend controls beyond primary clouds to manage OAuth sprawl.

Chinese State-Linked Hacker Extradited to the U.S.

🛡️ Xu Zewei, a 34-year-old accused of working for China's Ministry of State Security and linked to the state-backed hacking group Hafnium (also called Silk Typhoon), has been extradited from Italy to the United States and arrived in Houston. He pleaded not guilty at a federal hearing and is being held at the Federal Detention Center. U.S. prosecutors allege Xu targeted COVID-19 researchers in early 2020 and participated in the 2021 Microsoft Exchange zero-day campaign; if convicted on charges including wire fraud, conspiracy to damage protected computers, and aggravated identity theft, he faces decades in prison.