All news in category "Incidents and Data Breaches"

GlassWorm Resurfaces in VS Code Extensions and GitHub

🐛 Researchers have found a renewed wave of the GlassWorm supply-chain worm targeting Visual Studio Code extensions and GitHub repositories after it was previously declared contained. The malware hides JavaScript payloads in undisplayable Unicode characters, making malicious code invisible in editors, and uses blockchain memos on Solana to publish remote C2 endpoints. Koi researchers identified three newly compromised OpenVSX extensions and observed credential theft and AI-styled commits used to propagate the worm.

APT37 Abuses Google Find Hub to Remotely Wipe Android

🔍 North Korean-linked operators abuse Google Find Hub to locate targets' Android devices and issue remote factory resets after compromising Google accounts. The attacks focus on South Koreans and begin with social engineering over KakaoTalk, using signed MSI lures that deploy AutoIT loaders and RATs such as Remcos, Quasar, and RftRAT. Wiping devices severs mobile KakaoTalk alerts so attackers can hijack PC sessions to spread malware. Recommended defenses include enabling multi-factor authentication, keeping recovery access ready, and verifying unexpected files or messages before opening.

Konni Exploits Google's Find Hub to Remotely Wipe Devices

⚠️ The North Korea-linked Konni threat actor has been observed combining spear-phishing and signed installers to compromise Windows and Android systems and exfiltrate credentials. Genians Security Center reports attackers used stolen Google account credentials to access Google Find Hub and remotely reset devices, causing unauthorized data deletion. The campaign, detected in early September 2025, uses malicious MSI packages and RATs including EndRAT and Remcos to maintain long-term access and propagate via compromised KakaoTalk sessions.

Yanluowang Broker Pleads Guilty to Ransomware Access

🔒 Aleksey Olegovich Volkov, a Russian national who used aliases including chubaka.kor and nets, has agreed to plead guilty to acting as an initial access broker for the Yanluowang ransomware group. Between July 2021 and November 2022 he sold credentials that enabled intrusions at eight U.S. companies and facilitated ransom demands ranging from $300,000 to $15 million. FBI warrants seized server logs, stolen data, chat histories and iCloud records linking Volkov to the scheme and to partial Bitcoin payments. He faces up to 53 years in prison and must pay more than $9.1 million in restitution.

Yanluowang Access Broker Pleads Guilty in Ransomware Case

🔒 A Russian national has pleaded guilty to acting as an initial access broker for the Yanluowang ransomware group, admitting to selling corporate network access used in attacks on at least eight U.S. companies between July 2021 and November 2022. FBI searches of a server tied to the operation recovered chat logs, stolen files, and victim credentials that linked payments and access to the defendant. Investigators traced the suspect through Apple iCloud data, cryptocurrency exchange records, and social media accounts, and blockchain analysis tied portions of ransom payments to addresses he provided. He faces decades in prison and more than $9.1 million in restitution.

65% of Top Private AI Firms Exposed Secrets on GitHub

🔒 A Wiz analysis of 50 private companies from the Forbes AI 50 found that 65% had exposed verified secrets such as API keys, tokens and credentials across GitHub and related repositories. Researchers employed a Depth, Perimeter and Coverage approach to examine commit histories, deleted forks, gists and contributors' personal repos, revealing secrets standard scanners often miss. Affected firms are collectively valued at over $400bn.

China-aligned UTA0388 leverages AI in GOVERSHELL attacks

📧 Volexity has linked a series of spear-phishing campaigns from June to August 2025 to a China-aligned actor tracked as UTA0388. The group used tailored, rapport-building messages impersonating senior researchers and delivered archive files that contained a benign-looking executable alongside a hidden malicious DLL loaded via search order hijacking. The distributed malware family, labeled GOVERSHELL, evolved through five variants capable of remote command execution, data collection and persistence, shifting communications from simple shells to encrypted WebSocket and HTTPS channels. Linguistic oddities, mixed-language messages and bizarre file inclusions led researchers to conclude LLMs likely assisted in crafting emails and possibly code.

Ludwigshafen City Administration Faces Extended IT Outage

🚨 Ludwigshafen's city administration shut down its IT systems on 6 November after monitoring tools flagged serious anomalies, leaving online services and phone and email communications unavailable. A specialist internet-forensics firm was engaged overnight and reported a cyberattack could not be ruled out; officials say indicators have since intensified. There is currently no evidence of citizen data exfiltration, and backups and emergency plans operated as intended while investigations continue.

Phishing Campaign Uses Meta Business Suite to Target SMBs

📨 Check Point email security researchers uncovered a large-scale phishing campaign that abuses Meta's Business Suite and the facebookmail.com delivery domain to send convincing fake notifications. Attackers craft messages that appear to originate from Meta, allowing them to bypass many traditional security filters and increase the likelihood of SMBs across the U.S. and internationally engaging with malicious links or credential-stealing pages. Organizations should strengthen email defenses, monitor suspicious Business Suite activity, and educate staff to reduce exposure.

Cyberattack Halts Dutch Broadcaster, Forces Vinyl Use

🎧 RTV Noord, a regional Dutch TV and radio broadcaster, reported a cyber incident on November 6, 2025, that blocked staff access to critical systems. Presenters on the "De Ochtendploeg" breakfast show resorted to playing CDs and LPs to stay on air. The attackers left a message on the network, prompting suspicion of ransomware, and the newsroom confirmed internal channels were limited to WhatsApp while services were restored.

ClickFix Phishing Campaign Targets Hotels, Delivers PureRAT

🔒 Sekoia warns of a large-scale phishing campaign targeting hotel staff that uses ClickFix-style pages to harvest credentials and deliver PureRAT. Attackers impersonate Booking.com in spear-phishing emails, redirect victims through a scripted chain to a fake reCAPTCHA page, and coerce them into running a PowerShell command that downloads a ZIP containing a DLL-side‑loaded backdoor. The modular RAT supports remote access, keylogging, webcam capture and data exfiltration and persists via a Run registry key.

GlassWorm Malware Found in Three VS Code Extensions

🔒 Researchers identified three malicious VS Code extensions tied to the GlassWorm campaign that together had thousands of installs. The packages — ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs — were still available at reporting. Koi Security warns GlassWorm harvests Open VSX, GitHub, and Git credentials, abuses invisible Unicode for obfuscation, and uses blockchain-updated C2 endpoints. Defenders should audit extensions, rotate exposed tokens and credentials, and monitor repositories and wallet activity for signs of compromise.

GlassWorm Returns to OpenVSX with Three VSCode Extensions

⚠ The GlassWorm malware campaign has resurfaced on OpenVSX, delivering malicious payloads via three new VSCode extensions that have been reported as downloaded over 10,000 times. The extensions use invisible Unicode obfuscation to execute JavaScript and harvest credentials and cryptocurrency wallet data through Solana transactions. Koi Security says the attacker reused infrastructure with updated C2 endpoints and that investigators accessed an attacker server, recovering victim data and identifying multiple global victims.

NuGet Packages Deliver Planned Disruptive Time Bombs

⚠️ Researchers found nine NuGet packages published under the developer name shanhai666 that combine legitimate .NET libraries with a small sabotage payload set to trigger between 2027 and 2028. The malicious code uses C# extension methods to intercept database and PLC operations and probabilistically terminate processes or corrupt writes. Socket advises immediate audits, removal from CI/CD pipelines, and verification of package provenance.

China-linked Hackers Reuse Legacy Flaws to Backdoor Targets

🔍 Symantec and Carbon Black attributed a mid‑April 2025 intrusion to a China-linked threat cluster that targeted a U.S. nonprofit engaged in influencing policy, using mass scanning and multiple legacy exploits (including CVE-2021-44228, CVE-2017-9805, and Atlassian flaws) to gain initial access. The intruders established stealthy persistence via scheduled tasks that invoked legitimate binaries (msbuild.exe, csc.exe), injected code to reach a C2 at 38.180.83[.]166, and sideloaded a DLL through a Vipre component to run an in-memory RAT. Researchers linked the loader to China-aligned clusters such as Salt Typhoon and warned of broader reuse of legacy vulnerabilities and IIS/ASP.NET misconfigurations for long-term backdoors.

Sandworm Deploys New Wiper Malware in Ukraine Q2–Q3 2025

🛡️ ESET's APT Activity Report covering Q2–Q3 2025 reports that Russian-aligned Sandworm deployed new data wipers, identified as Zerolot and Sting, against Ukrainian targets including government bodies and critical sectors such as energy, logistics and grain. The firm assessed the activity as likely intended to weaken Ukraine's economy. The findings, published on 6 November 2025, also note increased espionage and tool-sharing among other Russia-aligned groups.

Malicious NuGet Packages Contain Delayed Logic Bombs

⚠️ Socket has identified nine malicious NuGet packages published in 2023–2024 by the account "shanhai666" that contain time‑delayed logic bombs intended to sabotage database operations and industrial control systems. The most dangerous, Sharp7Extend, bundles the legitimate Sharp7 PLC library and uses C# extension methods plus an encrypted configuration to trigger probabilistic process terminations (≈20%) and silent PLC write failures (≈80% after 30–90 minutes). Several SQL-related packages are set to activate on staged dates in August 2027 and November 2028, and the packages were collectively downloaded 9,488 times. All nine malicious packages have been removed from NuGet; attribution remains uncertain.

Malicious Ransomvibe Extension Found in VSCode Marketplace

⚠️ A proof-of-concept ransomware strain dubbed Ransomvibe was published as a Visual Studio Code extension and remained available in the VSCode Marketplace after being reported. Secure Annex analysts found the package included blatant indicators of malicious functionality — hardcoded C2 URLs, encryption keys, compression and exfiltration routines — alongside included decryptors and source files. The extension used a private GitHub repository as a command-and-control channel, and researchers say its presence highlights failures in Microsoft’s marketplace review process.

Malicious VS Code Extension and Trojanized npm Packages

⚠️ Researchers flagged a malicious Visual Studio Code extension named susvsex that auto-zips, uploads and encrypts files on first launch and uses GitHub as a command-and-control channel. Uploaded on November 5, 2025 and removed from Microsoft's VS Code Marketplace the next day, the package embeds GitHub access tokens and writes execution results back to a repository. Separately, Datadog disclosed 17 trojanized npm packages that deploy the Vidar infostealer via postinstall scripts.

Vidar Infostealer Delivered Through Malicious npm Packages

🔒 Datadog Security researchers found 17 npm packages (23 releases) that used a postinstall downloader to execute the Vidar infostealer on Windows systems. The trojanized modules masqueraded as Telegram bot helpers, icon libraries, and forks of libraries like Cursor and React, and were available for about two weeks with at least 2,240 downloads before the accounts were banned. Organizations should adopt SBOMs, SCA, internal registries, add ignore-scripts policies, and enable real-time package scanning to reduce supply chain risk.