CISO Brief

All news in category “Incidents and Data Breaches”

2740 articles · page 20 of 137

Campaign of 108 Malicious Chrome Extensions Exposes Data

🚨 Research by Socket uncovered a coordinated campaign of 108 malicious Chrome extensions that affected about 20,000 users. Distributed across gaming, social media and translation categories, these extensions appear legitimate while quietly harvesting sensitive data, including Google profiles and active web sessions. Operators used a single command-and-control infrastructure and shared code, complicating detection and enabling a Malware-as-a-Service model.

Mirax Android RAT Turns Devices into SOCKS5 Proxies

📱 Mirax is a newly observed Android Remote Access Trojan distributed via Meta advertisements that reached over 220,000 accounts, primarily in Spanish-speaking countries. According to Cleafy, Mirax pairs conventional RAT capabilities—keystroke capture, overlays, camera and SMS access—with an embedded SOCKS5 residential proxy implemented over Yamux to route attacker traffic through victim IPs. The threat uses GitHub-hosted droppers, selectable crypters (Virbox, Golden Crypt), and multi-stage installation flows that request accessibility permissions to persist and evade analysis. Researchers note the platform is offered as a selective MaaS to vetted affiliates, increasing its operational and monetization potential.

108 Malicious Chrome Extensions Linked to Single Backend

🔔 Cybersecurity researchers have uncovered a coordinated campaign of 108 malicious Google Chrome extensions that share a common command-and-control backend and have accumulated roughly 20,000 installs. The add-ons, published under five publisher identities, exfiltrate credentials and session data, inject ads and arbitrary JavaScript, and can force-load attacker-controlled sessions. Many abuse OAuth2, strip security headers, and periodically harvest Telegram Web sessions. Users should remove suspicious extensions and log out of Telegram Web sessions to invalidate any stolen tokens.

Basic-Fit data breach exposes personal details of 1M

🔒 Basic-Fit, one of Europe's largest gym operators, disclosed unauthorized access to the system that records members' visits and said about 1 million members across the Netherlands, Belgium, Luxembourg, France, Spain and Germany were affected. The intrusion was detected and stopped within minutes, but investigators determined the attacker exfiltrated data including full name, address, email, phone number, date of birth, bank account details and membership information. Franchise-held customer records were stored separately and were not exposed. Basic-Fit says no identification documents or account passwords were accessed, and the company has notified regulators and continues to monitor the situation with external experts.

Rockstar Games analytics data leaked after Anodot breach

🔓 A data set allegedly belonging to Rockstar Games was published by the ShinyHunters extortion group after they say authentication tokens were stolen from Anodot and used to access connected Snowflake accounts. The leak reportedly contains more than 78.6 million records of internal analytics — including in‑game revenue, purchase metrics, player behavior, and game economy data for GTA Online and Red Dead Online — plus Zendesk support analytics. Rockstar said only a limited amount of non‑material company information was accessed and that the incident does not affect players.

FBI and Indonesia Dismantle W3LL Phishing Platform

🔒 The FBI Atlanta Field Office and Indonesian authorities dismantled the W3LL phishing platform and seized infrastructure, leading to the arrest of the alleged developer. The W3LL kit, sold for $500, enabled adversary-in-the-middle attacks to capture credentials, session cookies and one-time MFA tokens, allowing attackers to bypass multifactor protections. Its marketplace, W3LLSTORE, facilitated the sale of over 25,000 compromised accounts and contributed to attempts exceeding $20 million in fraud.

OpenAI Rotates macOS Code-Signing Certificate After Attack

🔒 OpenAI is rotating macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package (v1.14.1) on March 31, 2026. The workflow had access to certificates used to sign macOS apps including ChatGPT Desktop, Codex, Codex CLI, and Atlas. OpenAI says it found no evidence the certificate was misused but is revoking and rotating it as a precaution; macOS users must update apps by May 8, 2026.

Booking.com Data Breach Prompts Reservation PIN Resets

🔒 Booking.com confirmed that unauthorized parties accessed booking information associated with some reservations. The company says it immediately forced PIN resets for affected current and past bookings and directly emailed impacted users with updated reservation PINs and guidance. Compromised fields may include full names, email and postal addresses, phone numbers, and communications with property providers. Booking.com warned customers to be vigilant for phishing and noted that app notifications were not sent, which has caused confusion.

JanelaRAT Targets Latin American Banks, 14,739 Hits

🔒 Researchers report that the JanelaRAT malware, a modified BX RAT, extensively targeted banks and financial services across Latin America, with telemetry showing 14,739 attack attempts in Brazil and 11,695 in Mexico during 2025. The trojan steals banking and cryptocurrency credentials, captures keystrokes, screenshots and system metadata, and uses custom title-bar detection to trigger actions on matched sites. Attackers shifted delivery from VBScript ZIPs to rogue MSI installers and DLL side-loading, often installing a malicious Chromium extension for persistence and data exfiltration. Vendors including Kaspersky, KPMG, and Zscaler documented multi-stage chains and robust C2 capabilities.

FBI, Indonesian Police Dismantle W3LL Phishing Network

🛡️ The FBI, with the Indonesian National Police, dismantled the infrastructure of the W3LL phishing network, detained the alleged developer identified as G.L., and seized key domains used to harvest credentials. The off‑the‑shelf W3LL toolkit—marketed for about $500—enabled adversary‑in‑the‑middle attacks that bypassed MFA and targeted primarily Microsoft 365 accounts. Authorities say the operation attempted more than $20 million in fraud and was linked to tens of thousands of compromised accounts.

Mirax Android Trojan Turns Devices into Proxy Nodes

📱 A newly identified Android banking trojan called Mirax is spreading across Europe, combining remote-access features with residential proxy capabilities to expand its criminal utility. Researchers at Cleafy report campaigns reached more than 200,000 accounts by leveraging social media advertisements and fake streaming apps. Mirax runs as a restricted Malware-as-a-Service (MaaS), enabling real-time device control, dynamic overlay injection for credential theft, continuous keylogging, and the conversion of infected phones into proxy nodes to help bypass fraud controls.

Storm infostealer hijacks sessions, decrypts server-side

⚠️ A new infostealer dubbed Storm surfaced on underground marketplaces in early 2026, offering subscription-based credential and session theft for under $1,000 per month. Storm harvests browser passwords, session cookies, crypto wallets, autofill data, and app tokens, then uploads encrypted artifacts and performs server-side decryption to evade endpoint detection. The platform also automates cookie restoration using supplied Google refresh tokens and geographically matched SOCKS5 proxies, enabling silent session hijacking and persistent access to web services.

Weekly Recap: PDF Zero-Day, AI Exploits, Fiber Spying

🔔 Emergency updates address a critical PDF zero‑day in Adobe Acrobat Reader (CVE-2026-34621, CVSS 8.6) that executes malicious JavaScript when specially crafted documents are opened. The report also highlights Anthropic's Mythos being used as an exploit-generation engine, state-linked interference with infrastructure, and research showing telecom optical fibers can be abused for acoustic eavesdropping. Prioritize patching, credential hygiene, and detection for fileless and AI-driven attacks.

FBI and partners dismantle $20M W3LL phishing network

🛡️ The FBI Atlanta field office, together with US and Indonesian authorities, dismantled a large-scale phishing operation built around the W3LL phishing kit. The kit, sold via a members-only marketplace called W3LL Store, enabled attackers to clone login pages and harvest credentials for as little as $500. Investigators seized the w3ll.store domain, identified an alleged developer known as 'G.L.', and say the toolkit may have been used against over 17,000 victims worldwide between 2023 and 2025.

APT37 Uses Facebook Social Engineering to Spread RokRAT

🔒 North Korea–linked APT37 has been observed using Facebook friend requests and Messenger to build trust with targets before moving conversations to Telegram and distributing a ZIP archive containing a trojanized Wondershare PDFelement. The tampered installer executes encrypted shellcode that contacts a compromised legitimate site, japanroom[.]com, to fetch a seemingly benign JPG which stages the RokRAT payload. The malware then leverages Zoho WorkDrive for command-and-control, enabling screenshots, remote command execution via cmd.exe, host reconnaissance, and evasion of security products.

Operation Atlantic freezes $12M, disrupts crypto scams

🔒 Operation Atlantic, led by the UK's National Crime Agency with US and Canadian partners, froze $12m and disrupted multiple fraud networks after a week-long probe. The operation focused on approval phishing, a technique that tricks victims into granting full access to cryptocurrency wallets via fake alerts or popups. Investigators, supported by private-sector firms including Binance, Coinbase, Tether, and analytics vendors, identified over 20,000 compromised wallets across 30+ countries and contacted 3,000 victims. Authorities also disrupted more than 120 scam domains and flagged an additional $33m believed stolen in related crypto fraud.

OpenAI Revokes macOS Certificate After Axios Compromise

🔒 OpenAI disclosed that a GitHub Actions workflow used to sign its macOS apps downloaded a malicious version of Axios on March 31, though the company says it found no evidence of user-data access or broader system compromise. The workflow had access to a signing certificate and notarization materials for ChatGPT Desktop, Codex, Codex CLI, and Atlas. OpenAI is treating the certificate as compromised, revoking and rotating it, and warns older macOS app builds will be blocked by default starting May 8, 2026 to protect users.

CPUID Site Briefly Served STX RAT via Trojanized Tools

🛡️ Kaspersky and analysts observed unknown actors briefly compromise CPUID, swapping legitimate download links for trojanized installers of CPU‑Z and HWMonitor for under 24 hours. The malicious packages contained a signed executable alongside a malicious CRYPTBASE.dll that leveraged DLL side‑loading, performed anti‑sandbox checks and fetched additional payloads. The campaign deployed STX RAT, a feature‑rich RAT with HVNC and extensive infostealer and remote‑control capabilities, impacting individuals and organizations in multiple sectors.

International Crackdown Identifies 20,000 Crypto Victims

🔒 An international law enforcement action led by the U.K.'s National Crime Agency, dubbed Operation Atlantic, identified over 20,000 victims of cryptocurrency fraud across Canada, the UK, and the US. The weeklong operation brought together the NCA, U.S. Secret Service, Ontario authorities and private-sector partners to share real-time intelligence and conduct coordinated victim outreach. Investigators froze more than $12 million in suspected criminal proceeds tied to approval phishing and traced over $45 million in stolen cryptocurrency, and they will continue analyzing intelligence to pursue further criminal activity.

Citizen Lab: Webloc Used by Law Enforcement Worldwide

🔍 A Citizen Lab report details how law enforcement agencies worldwide used an ad-based geolocation platform to monitor up to 500 million mobile devices. The system, developed by Cobwebs Technologies and later sold by Penlink, aggregates device identifiers, coordinates, and profile data harvested from apps and advertising. Researchers warn the tool enables long-term, warrantless tracking and identification of individuals, raising legal and human-rights concerns.