
All news in category “Incidents and Data Breaches”

2733 articles · page 24 of 137

LinkedIn's Hidden Script Scans 6,000+ Chrome Extensions

🔍 LinkedIn was found to inject hidden JavaScript that fingerprints visitors' browsers, testing for over 6,000 Chrome extensions and collecting device and system details such as CPU cores, memory, screen resolution, timezone, battery status, audio information, and storage features. Researchers say the script links extension presence to identifiable profiles; LinkedIn confirms extension detection but insists it is used to stop scraping and protect platform stability. BleepingComputer observed a randomized script file performing the checks but could not verify claims about downstream sharing or commercial use.

React2Shell exposure reveals large-scale credential theft

🔍 Researchers at Cisco Talos discovered that an apparent security lapse exposed the backend of a campaign exploiting the four-month-old React2Shell (CVE-2025-55182) Next.js flaw. A password-protected database and web application holding harvested credentials, tokens, SSH keys, and API secrets was briefly accessible, letting analysts view the attackers' dashboard. The automated campaign compromised hundreds of hosts in a single day and prompted notifications to affected providers while urging immediate patching.

Core infrastructure engineer pleads guilty in insider attack

🔒 A core infrastructure engineer, Daniel Rhyne, pleaded guilty on April 1 after launching an insider extortion attack that used routine admin tools and techniques to disable systems and accounts. He initiated unauthorized RDP sessions, deleted administrator accounts, changed passwords, and scheduled tasks on the domain controller, then claimed to have erased backups while demanding roughly $750,000 in bitcoin. Security experts say the methods were alarmingly predictable and could have been prevented by immutable backups, strict least privilege controls, and behavioral alerts for high‑risk tools.

Hims & Hers Discloses Zendesk Support Ticket Breach

🔒 Hims & Hers says support tickets were exfiltrated from its Zendesk instance after threat actors accessed a third-party customer service platform via a compromised Okta SSO account. The company reports the activity occurred Feb 4–7, 2026, was first noticed on Feb 5, and that an internal investigation concluded on March 3 that certain tickets were accessed or acquired without authorization. Potentially exposed information includes names, contact details, and other request-related data; the company states no medical records or doctor communications were affected and is offering 12 months of credit monitoring to impacted individuals.

China-linked TA416 Targets European Diplomatic Networks

🔍 A China-aligned threat cluster identified as TA416 has resumed focused operations against European government and diplomatic entities since mid-2025, according to Proofpoint. The campaign combined web bugs and malware delivery to deploy the PlugX backdoor via Azure Blob, Google Drive, compromised SharePoint, and attacker-controlled domains. Attackers repeatedly altered infection chains—abusing Cloudflare Turnstile pages, OAuth redirection through Microsoft Entra ID, and MSBuild-based C# project files with DLL side-loading—to enhance stealth and persistence. The group also expanded targeting to Middle Eastern governments following the February 2026 regional conflict.

Protecting the Software Supply Chain: 2026 Guidance

🔒 Recent weeks have seen multiple high-profile supply chain compromises, including malicious modifications to Axios and repository hijacks by TeamPCP that impacted tools such as Trivy. These incidents highlight how widely used libraries can rapidly propagate risk and complicate inventory and remediation efforts. The report emphasizes securing identity and CI/CD pipelines, maintaining accurate software inventories, prioritizing rapid patching, and reinforcing fundamentals like segmentation, robust logging, and multi-factor authentication to limit impact and lateral movement.

Axios npm Supply Chain Compromise Deploys Malicious Builds

🔐 Cisco Talos is investigating a March 31, 2026 supply chain attack that briefly replaced the official Axios npm package with two malicious releases (v1.14.1 and v0.30.4). The tainted packages were available for about three hours, and Talos strongly advises rolling back to known safe versions (v1.14.0 or v0.30.3) and auditing any systems that installed them. The injected runtime dependency executes at post-install and fetches platform-specific RAT payloads for Linux, macOS, and Windows.

Die Linke Confirms Data Stolen by Qilin Ransomware

🔒 Die Linke, a German democratic socialist party, has confirmed that the Russian-speaking ransomware group Qilin stole data from its network and is threatening to leak it. The party stated its membership database was not impacted, but attackers sought sensitive internal documents and employee personal information. Die Linke notified German authorities, filed a criminal complaint, and retained independent IT experts to restore affected systems. Qilin added the party to its leak site on April 1 but had not published any data samples.

CERT-EU Attributes Europa.eu Breach to Trivy Supply-Chain

🔒 CERT‑EU traced the Europa.eu data theft to a supply‑chain compromise of Trivy, the open‑source vulnerability scanner, which exposed an AWS API key and led to the theft of approximately 350 GB of web data (91.7 GB compressed). The actor, publicly linked to TeamPCP, exploited a GitHub Actions misconfiguration (CVE-2026-33634) to force CI/CD pipelines to pull credential‑stealing malware via manipulated Trivy tags. Stolen material was later passed to ShinyHunters. CERT‑EU urges updating to safe Trivy releases, rotating cloud credentials, auditing CI/CD usage, and binding GitHub Actions to immutable SHA‑1 hashes.

Evolution of Ransomware: Multi-Extortion Threats Rise

🔒 Ransomware's shift to multi-extortion is producing real operational harm across healthcare, finance, and manufacturing, with widespread incidents and patient-care disruptions reported in 2025–2026. Attackers now routinely exfiltrate data before encrypting systems, making backups alone insufficient and increasing regulatory and business risk. The article highlights D.AMO from Penta Security, an integrated platform combining kernel-level folder encryption, process-based access control, and independent recovery to render stolen files unreadable, block unauthorized access, and speed restoration.

Company Secretly Records and Publishes Public Zoom Meetings

📹 WebinarTV discovers public Zoom invites, joins meetings, secretly records the streams, and posts the videos on 404 Media. It does not use Zoom’s built‑in recording feature, so Zoom’s administrative controls and recording logs cannot detect or block these captures. This behavior raises significant privacy and consent concerns for organizers and participants of publicly announced meetings.

UNC1069 Social Engineering Compromises Axios npm Package

🔒 The maintainer of Axios confirmed a supply chain compromise caused by a targeted social engineering campaign attributed to North Korean actors tracked as UNC1069. Attackers impersonated a legitimate company's founder, lured the maintainer into a branded Slack workspace and a fraudulent Teams call, then deployed a RAT to steal npm credentials. Two malicious releases (1.14.1 and 0.30.4) carried the WAVESHAPER.V2 implant.

Nigerian Romance Scammer Sentenced After Exposure in US

⚖️ Saheed Sunday Owolabi, 35, was sentenced to 15 years in a U.S. federal prison after a jury convicted him of conspiracy to commit wire fraud and money laundering. Prosecutors described how he posed as women online to cultivate romantic relationships, then persuaded victims to transfer funds and provided bank accounts used to launder proceeds—more than $1.5 million sent to Nigeria. Chat logs showing he had attempted to swindle another fraudster undermined his claim of being a mere middleman, and images recovered from his phone displayed luxury purchases made with stolen funds.

New SparkCat Malware Variant Targets iOS and Android

🛡️ Security researchers have discovered an updated SparkCat trojan on both the Apple App Store and Google Play Store, hiding inside seemingly benign apps such as enterprise messengers and food delivery services. Kaspersky said it found two infected iOS apps and one Android app that primarily target cryptocurrency users in Asia. The iOS variant scans photo galleries for English wallet mnemonic phrases, while the Android version employs code virtualization, cross-platform languages and regional keyword scanning for Japanese, Korean and Chinese. Both samples use an OCR module to exfiltrate images containing recovery phrases to attacker-controlled servers, underscoring a rapidly evolving threat.

Engineer Pleads Guilty to Extortion, Locks Windows Servers

🔒 A former core infrastructure engineer pleaded guilty after remotely accessing his employer's network and scheduling tasks that deleted domain administrator accounts and changed hundreds of passwords. Prosecutors say Daniel Rhyne targeted an industrial company in Somerset County, New Jersey, altering passwords to TheFr0zenCrew! and scheduling shutdowns that affected 254 servers and 3,284 workstations. He emailed coworkers demanding 20 BTC (roughly $750,000) and threatened to shut down 40 servers daily; investigators found web searches and a hidden VM used to plan the extortion. Rhyne was arrested in August and faces charges carrying up to 15 years in prison.

Drift Loses $285M in Solana Attack via Durable Nonces

🔐 Drift confirmed that attackers drained about $285 million from its Solana-based decentralized exchange on April 1, 2026, using pre-signed transactions tied to durable nonce accounts. The company says no smart-contract vulnerability or compromised seed phrases were involved; attackers instead obtained multisig approvals through sophisticated social engineering and pre-signed authorizations. Threat intelligence firms TRM Labs and Elliptic report on-chain indicators linking the heist to DPRK-associated actors, noting use of Tornado Cash, cross-chain bridging and rapid laundering. Drift is coordinating with security vendors, bridges, exchanges and law enforcement to trace and attempt to freeze funds.

Venom PhaaS Used in Global C-Suite Credential Theft

🔍 Abnormal researchers uncovered a targeted credential theft campaign active from November 2025 to March 2026 that focused on C‑suite and senior personnel across more than 20 industry verticals. The operation was powered by a previously undocumented phishing-as-a-service platform, Venom, and used SharePoint-themed lures with embedded QR codes. The phishing emails employed randomized HTML, fabricated multi-message threads and persona spoofing to evade detection and isolate human targets. Attackers used both AiTM relays and Microsoft’s device code flow to bypass MFA and achieve persistent access.

CERT-EU: Commission cloud hack exposes 30 EU entities

🔐 CERT-EU attributed a cloud compromise of the European Commission to TeamPCP, saying attackers used a compromised AWS API key allegedly stolen in a Trivy supply‑chain incident to access the Commission’s cloud and harvest secrets. The intruders used TruffleHog to locate additional credentials, attached a new access key to an existing user to evade detection, and carried out reconnaissance before exfiltrating data. The stolen dataset was later posted by ShinyHunters as a 90GB archive (≈340GB uncompressed), and CERT-EU confirmed the theft includes tens of thousands of files with personal information. CERT-EU reported no websites were defaced and found no evidence of lateral movement between Commission AWS accounts.

Claude Code leak used to push infostealer malware on GitHub

⚠️ Threat actors are exploiting the recent Claude Code source-code leak to distribute the Vidar infostealer via fake GitHub repositories. Anthropic accidentally exposed a 59.8 MB JavaScript source map on March 31 that revealed 513,000 lines of TypeScript across 1,906 files, and copies rapidly proliferated on GitHub. Zscaler found a malicious repo optimized for search that lures users to download a 7‑Zip archive containing a Rust dropper, ClaudeCode_x64.exe, which deploys Vidar and the GhostSocks proxy. The archive is updated frequently and may carry additional payloads.

Mass Credential Theft via CVE-2025-55182 Targets Next.js

🔓 Cisco Talos has linked a large-scale credential harvesting campaign to a threat cluster tracked as UAT-10608 that exploited CVE-2025-55182 in React Server Components and the Next.js App Router to breach at least 766 hosts. The intruders deployed a multi-stage dropper that collected environment variables, SSH keys, cloud metadata credentials, API keys, and other secrets before aggregating them in a password-protected web GUI called NEXUS Listener. Researchers accessed an exposed instance and observed a broad array of stolen items, including Stripe keys, GitHub tokens, AI platform keys, webhook secrets, and database connection strings. Organizations are urged to patch vulnerable Next.js deployments, enforce least privilege, enable IMDSv2, rotate credentials, and implement secret scanning.