< ciso brief />

All news in category “Incidents and Data Breaches”

2742 articles · page 14 of 138

Popular PyPI package hacked to push secrets-stealer

🚨 Malicious release v0.23.3 of the elementary-data PyPI package was published after an attacker exploited a GitHub Actions script-injection flaw in the project's workflow. The tainted package and its Docker image silently installed an elementary.pth-based loader that exfiltrated SSH keys, cloud credentials, developer tokens and cryptocurrency wallets. A clean v0.23.4 was released, but users who pulled the compromised artifacts must rotate secrets and remediate affected environments.
read more →
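The loader in the item above abuses a standard CPython feature: the site module reads every `*.pth` file in a site-packages directory at interpreter start, and any line beginning with `import ` (or `import` followed by a tab) is passed to `exec()`, so a dropped `.pth` runs in every Python process on the host without the package ever being imported. The scanner below is an added illustration of that mechanism and of a quick check for it; it is not code from the report or from the elementary-data project. The `.pth` contents it writes are constructed for the demo: the file name `elementary.pth` is taken from the report, but the one-liner inside is a stand-in, not the actual payload.

```python
"""Flag .pth files whose lines CPython's site module would exec() at startup.

site.py semantics: blank lines and '#' comments are skipped, a line starting
with "import " or "import<TAB>" is executed, every other line is treated as a
directory to append to sys.path. Note the check is on the raw line, so an
indented "  import x" is a (bogus) path entry, not executed code.
"""
import site
import tempfile
from pathlib import Path


def executable_pth_lines(pth_text):
    """Return (line_number, line) for every line site.py would exec()."""
    hits = []
    for lineno, line in enumerate(pth_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank or comment: ignored by site.py
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line.rstrip()))
        # anything else is just a sys.path entry, not executed
    return hits


def scan_dirs(dirs):
    """Scan site-packages-style directories; return (path, lineno, line)."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue  # user site dir often does not exist; that is fine
        for pth in sorted(d.glob("*.pth")):
            text = pth.read_text(encoding="utf-8", errors="replace")
            for lineno, line in executable_pth_lines(text):
                findings.append((str(pth), lineno, line))
    return findings


def scan_constructed_sample():
    """Run the scanner over a constructed site-packages directory (demo data)."""
    with tempfile.TemporaryDirectory() as tmp:
        site_dir = Path(tmp)
        # benign: a comment and a path entry, nothing is executed
        (site_dir / "vendor-paths.pth").write_text(
            "# added by a vendored build\n/opt/vendor/lib\n", encoding="utf-8")
        # suspicious: a one-liner that would run on every interpreter start.
        # Constructed stand-in for a dropped loader, NOT the real payload.
        (site_dir / "elementary.pth").write_text(
            "import os; exec(open(os.path.expanduser('~/.cache/loader.py')).read())\n",
            encoding="utf-8")
        return [(Path(p).name, n, l) for p, n, l in scan_dirs([site_dir])]


if __name__ == "__main__":
    for name, lineno, line in scan_constructed_sample():
        print(f"[sample] {name}:{lineno}: {line}")
    # Live check: the user site dir plus every site-packages dir of this interpreter.
    live_dirs = [site.getusersitepackages(), *site.getsitepackages()]
    for path, lineno, line in scan_dirs(live_dirs):
        print(f"[live]   {path}:{lineno}: {line}")
```

Run it with the interpreter you are worried about (a venv has its own site-packages, so one run per environment). Expect a couple of legitimate hits, for example setuptools' `distutils-precedence.pth` and virtualenv's `_virtualenv.pth`; any other `import` line, and especially one that reads, decodes or fetches something from outside site-packages, is worth pulling apart. Finding the loader is only the first step: the report's advice still stands, rotate every secret the process could have reached.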

ADT Breach: ShinyHunters Exposes 5.5M Records, Partial IDs

🔒 ShinyHunters stole personal data for about 5.5 million ADT customers and posted an 11GB archive on a dark web leak site after a failed extortion attempt. ADT says it detected the intrusion on April 20 and that accessed information was largely limited to names, phone numbers, and addresses, with a small number of records including DOBs and last-four SSNs/Tax IDs. The group claims the attack began with a vishing compromise of an employee's Okta SSO account that enabled theft from the company's Salesforce instance; ADT reports no payment data or customer security systems were affected.
read more →

Checkmarx Confirms GitHub Repo Data Posted on Dark Web

🔒 Checkmarx has confirmed that data tied to its GitHub repository was posted on the dark web after a March 23 supply chain attack. The company says the repository is maintained separately from its customer production environment and that no customer data is stored there; a forensic investigation to verify the nature and scope of the posted material is ongoing. Access to the affected repository has been locked down, and Checkmarx says it will notify customers and relevant parties if customer information is implicated.
read more →

Itron Confirms Cybersecurity Breach, Systems Remediated

🔒 Itron, a global provider of utilities technology, disclosed an unauthorized third-party breach of its IT systems in an 8-K filed on April 24. The company immediately activated its cybersecurity response plan, engaged external advisors and notified law enforcement while launching a comprehensive investigation. Itron says it has remediated and removed the unauthorized activity, observed no further access, and found no intrusion in customer-hosted systems. It reports operations were not materially disrupted and expects insurers to cover a significant portion of direct costs while it evaluates required legal and regulatory notifications.
read more →

Medtronic Confirms Network Breach After ShinyHunters Claim

🔒 Medtronic disclosed a network intrusion after the ShinyHunters extortion group claimed to have stolen more than 9 million records and multiple terabytes of internal corporate data. The company said the incident affected "certain corporate IT systems" but has not impacted products, patient safety, manufacturing, or hospital customer networks, which it says are segregated. An investigation is underway to determine whether personal data was accessed, and Medtronic said it will notify affected individuals and provide support if exposure is confirmed.
read more →

Money Launderer Sentenced to Prison for Role in $230M Crypto Heist

🔒 22-year-old Evan Tangeman of Newport Beach was sentenced to 70 months in prison after pleading guilty to laundering proceeds tied to a $230 million cryptocurrency theft. Court documents say Tangeman (aka E, Tate, Evan|Exchanger) helped move at least $3.5 million between October 2023 and May 2025 using mixers, exchanges, peel chains, and VPNs. He was also ordered to serve three years of supervised release.
read more →

PhantomCore Exploits TrueConf Flaws to Breach Networks

🔒 A pro‑Ukrainian hacktivist group known as PhantomCore exploited a chain of vulnerabilities in TrueConf Server, using three flaws to achieve remote command execution and bypass authentication beginning in September 2025. Positive Technologies reported that although TrueConf released patches on August 27, 2025, the actors reproduced and weaponized the chain in the wild. Compromised servers were used as springboards for lateral movement, deploying PHP web shells, reverse shells and tunneled proxies, and for harvesting credentials with both bespoke and commodity tools.
read more →

73 Fake VS Code Extensions Linked to GlassWorm Campaign

🔍 Cybersecurity researchers have flagged 73 cloned Microsoft Visual Studio Code extensions on the Open VSX repository tied to the persistent GlassWorm campaign. Six packages are confirmed malicious, while the remainder behave as sleeper implants that build trust until a subsequent update delivers a secondary payload hosted on GitHub. The extensions act as innocuous loaders that retrieve a VSIX payload and install it into all detected IDEs using --install-extension, enabling data theft, remote access trojans, and a rogue Chromium extension. Socket is tracking this activity as GlassWorm v2, with more than 320 artifacts identified since December 21, 2025.
read more →

BlackFile Extortion Group Targets Retail and Hospitality

📞 Unit 42 and RH-ISAC report BlackFile has targeted retail and hospitality since Feb 2026, linking activity to CL-CRI-1116 and overlaps with UNC6671/Cordial Spider. The group uses vishing—impersonating IT helpdesks with spoofed VoIP—and phishing pages that mimic corporate SSO, plus antidetect browsers and residential proxies to harvest credentials and OTPs. After access they register devices to bypass MFA, escalate privileges, and exfiltrate data via Salesforce and SharePoint APIs. Recommendations include caller identity checks, strict escalation for IT support, and simulation-based phone-security training.
read more →

Itron Discloses Unauthorized Access to Internal IT

🔒 On April 13, 2026, Itron, Inc. detected unauthorized access to certain internal IT systems and activated its cybersecurity response plan. The company notified law enforcement and engaged external advisors to investigate, mitigate, remediate, and contain the activity. Itron reports the intrusion has been blocked with no observed follow‑up, no customer impact, and no material disruption to business operations. The investigation is ongoing and the company expects a significant portion of incident-related costs to be covered by insurance.
read more →

Threat Actor Uses Microsoft Teams to Deploy 'Snow' Malware

❄️ UNC6692 uses social engineering and Microsoft Teams to deliver a custom malware suite dubbed Snow. The attackers combine an 'email bombing' tactic with Teams messages posing as IT helpdesk staff to lure victims into installing a fake patch. The link drops AutoHotkey scripts that load SnowBelt, a malicious Chrome extension that operates in a headless Edge session, establishing persistence and relaying commands to a Python backdoor via a WebSocket tunneler.
read more →

ADT Confirms Customer Data Breach After ShinyHunters Threat

🔒 ADT confirmed unauthorized access to customer and prospective customer data detected on April 20, saying it terminated the intrusion and opened an investigation. The company reported that stolen information was limited to names, phone numbers, and addresses, with a small subset including dates of birth and the last four digits of SSNs or Tax IDs. ADT emphasized no payment data or customer security systems were affected. ShinyHunters claims over 10 million records were taken after a vishing attack that allegedly compromised an employee’s Okta SSO and accessed Salesforce data.
read more →

Shai-Hulud Worm Elevates npm Supply-Chain Risk Globally

🔒 Unit 42 describes a fundamental shift in the npm threat landscape following the September 2025 Shai‑Hulud worm and subsequent 2026 incidents. Adversaries now harvest npm and GitHub tokens to persist inside CI/CD pipelines, deploy dormant multi‑stage payloads, and automatically republish backdoored packages. The report attributes a broad, coordinated campaign to TeamPCP, documents propagation via Docker Hub, GitHub Actions and VS Code extensions, and recommends mitigations such as credential rotation, egress filtering, and dependency pinning.
read more →

Firestarter Backdoor Survives Cisco Firewall Patches

🔥 A custom backdoor named Firestarter has been observed persisting on Cisco Firepower and Secure Firewall devices running ASA or FTD software, surviving reboots, firmware updates, and security patches. U.S. CISA and the U.K. NCSC link the activity to a threat actor tracked as UAT-4356, which exploited CVE-2025-20333 and CVE-2025-20362. Cisco recommends reimaging and upgrading affected devices; administrators can check compromise with show kernel process | include lina_cs, and CISA published YARA rules and mitigation guidance.
read more →

Unit 42 Tracks New TGR-STA-1030 Activity in Central America

🔎 Since February, Unit 42 has observed sustained operations by TGR-STA-1030 across multiple countries, with a pronounced concentration in Central and South America. The observed intrusions reuse the same tactics, techniques, and procedures previously attributed to this group, indicating continuity with prior espionage campaigns. Analysts reference "The Shadow Campaigns: Uncovering Global Espionage" for historical context, and advise organizations in affected regions to review detections and strengthen defensive controls.
read more →

Scattered Spider Co-conspirator Pleads Guilty in US Case

🔒 Tyler Buchanan has pleaded guilty in a Florida court to conspiring with others to hack company computer systems and steal at least $8 million in virtual currency. He faces sentencing later this year. Buchanan is tied to the notorious Scattered Spider group, which has used SMS phishing and colleague impersonation to target employees. Security leaders are urged to reinforce defenses and train staff against social engineering.
read more →

BlackFile extortion gang targets retail and hospitality

📞 BlackFile, a financially motivated extortion group active since February 2026, is using vishing and spoofed VoIP/CNAM calls to impersonate IT support and harvest employee credentials and one-time passcodes. Palo Alto Networks' Unit 42 and RH-ISAC report attackers register devices to bypass multifactor authentication, escalate to executive accounts, and search Salesforce and SharePoint via APIs for files containing terms like 'confidential' and 'SSN'. Stolen data is moved to attacker-controlled infrastructure and published on a dark web leak site before seven-figure ransom demands are issued; victims have also faced swatting and targeted harassment. Organizations are advised to tighten call-handling policies, enforce caller identity verification, and conduct simulation-based social engineering training.
read more →

FIRESTARTER Backdoor Persists on Cisco ASA/Firepower

🔒 CISA and the U.K. NCSC disclosed that a federal civilian agency's Cisco Firepower device running ASA firmware was compromised in September 2025 by a persistent backdoor dubbed FIRESTARTER. The ELF bootkit alters the startup mount list and attempts to hook LINA to execute arbitrary shellcode and sustain post-patching persistence. Cisco recommends reimaging; a cold power cycle is a temporary mitigation.
read more →

Chinese National Posed as US Researcher to Get NASA Tech

🛰️ The NASA Office of Inspector General (OIG) says a Chinese national, identified in a 2024 indictment as Song Wu, posed as U.S. researchers to obtain sensitive aerospace modeling software and source code from NASA employees, universities, and private firms. The campaign ran from January 2017 through December 2021 and also targeted multiple U.S. government agencies. Song faces wire fraud and aggravated identity theft charges and remains at large.
read more →

UK Biobank Breach: Half a Million Health Records Listed

🔒 The personal health data of more than 500,000 UK Biobank volunteers was briefly listed for sale on Chinese e-commerce platforms, prompting removal of the adverts and joint action by UK and Chinese authorities. UK Biobank says the datasets were de-identified and did not include direct identifiers such as names or NHS numbers, and there is currently no evidence the data were purchased. The organisation has suspended researcher access, restricted downloads on its cloud research platform and launched a forensic investigation into misuse by researchers at three academic institutions.
read more →