CISO Brief

All news in category “Incidents and Data Breaches”

2732 articles · page 28 of 137

Backdoored Telnyx PyPI Package Drops WAV-Stego Malware

⚠️ A backdoored release of the Telnyx Python SDK on PyPI was used to deploy credential-stealing malware hidden inside WAV audio files. Security firms Aikido, Socket, and Endor Labs attribute the tampering to TeamPCP, which published versions 4.87.1 and 4.87.2; the latter contained a functioning payload. The malicious code executes on import from telnyx/_client.py and uses steganography to XOR-decode a WAV-hosted second stage that harvests SSH keys, cloud tokens, wallets, environment variables, and Kubernetes secrets. Developers are advised to revert to Telnyx 4.87.0 and treat any systems importing the affected releases as compromised.

European Commission Data Stolen in Cloud Infrastructure

🔒 The European Commission is investigating a cyberattack on its Europa.eu platform after a threat actor claimed to have exfiltrated more than 350GB of data from compromised AWS accounts. The attacker told a security reporter they intend to publish the stolen files rather than extort the Commission. The Commission said public websites remain available, internal systems were unaffected, and containment and mitigation measures were implemented while inquiries continue.

Lloyds Bank bug exposed customers' transaction data

🔓 Lloyds Banking Group has disclosed a software glitch that briefly allowed some mobile app users to see other customers' transactions. The bank told the UK Parliament’s Treasury Committee the problem followed an overnight IT change and a defect in the design of the code used to update the API behind the app. Of 21.6 million app users, 447,936 may have been shown another user's transactions and 114,182 may have viewed transaction details during the incident. Lloyds said no full account access or customer losses were identified and that it notified regulators, including the ICO.

TeamPCP Pushes Malicious Telnyx PyPI Packages for Secrets

🎧 TeamPCP published two malicious telnyx PyPI releases (4.87.1 and 4.87.2) on March 27, 2026 that harvest and exfiltrate credentials using audio steganography embedded in .WAV files. The trojanized code executes on import via modifications to telnyx/_client.py, targets Windows, Linux and macOS, and minimizes forensic traces through in-memory execution and encrypted HTTP exfiltration. PyPI has quarantined the project; users should downgrade to 4.87.0, rotate secrets, and audit affected environments.

Fake VS Code Security Alerts on GitHub Spread Malware

🚨 A large-scale campaign is abusing GitHub Discussions to post fake Visual Studio Code security advisories that trick developers into downloading malware. The spam posts use realistic titles, fabricated CVE identifiers, impersonated maintainers, and mass tagging to trigger email notifications to watchers. Links often point to external hosts (commonly Google Drive) that redirect to a domain running JavaScript reconnaissance which profiles victims and forwards data to a command-and-control server. Security vendor Socket says the activity is automated and coordinated across thousands of repositories.

New AiTM Phishing Campaign Targets TikTok for Business

🔒 Push Security has observed a coordinated wave of Adversary-in-the-Middle (AiTM) phishing pages specifically targeting TikTok for Business accounts. The malicious domains were registered on March 24 in a rapid, nine-second window and are hosted behind Cloudflare using Nicenic International Group as registrar. Victims are redirected through legitimate Google Cloud Storage links, presented with TikTok- or Google-themed content, and ultimately confronted with a reverse-proxy AiTM login flow after completing an initial information form.

TeamPCP Compromises Telnyx PyPI Package in Supply Chain

⚠️ Researchers report that the threat actor TeamPCP compromised the official telnyx Python SDK on PyPI by publishing trojanized releases (4.87.1 and 4.87.2) that exfiltrate sensitive files. The payload executed at install time, stealing SSH private keys and bash history and sending them to an attacker-controlled HTTP endpoint. Socket, Endor Labs, Aikido Security and Wiz confirmed the findings and advise removing the malicious versions and rotating any exposed credentials.

Supply-Chain Attacks in 2025: Notable Incidents and Lessons

🔒 The year 2025 saw an unprecedented surge of supply-chain compromises that targeted ecosystems across repositories, package registries, CI/CD workflows, and service providers. Incidents ranged from the US$1.5 billion Bybit Safe{Wallet} heist to self-propagating worms like Shai-Hulud and GlassWorm infecting npm and VS Code extensions. Attackers employed stolen tokens, typosquatting, phishing and malicious CI workflows to plant backdoors, steal secrets, and drain crypto, prompting urgent calls for stronger vendor controls, code audits, and incident response readiness.

European Commission Probes Amazon Cloud Account Breach

🔒 The European Commission is investigating a security breach after a threat actor gained access to an Amazon cloud account used to manage Commission infrastructure. The actor claims to have exfiltrated over 350 GB of data, including multiple databases, and provided screenshots as proof while stating they will not extort the Commission but may leak the data later. The Commission's cybersecurity incident response team detected the incident quickly and is investigating; the case follows a January MDM compromise linked to other EU institution attacks.

European Commission Investigates Amazon Cloud Account Breach

🔒 The European Commission is investigating a security breach after a threat actor accessed an Amazon cloud account used to manage Commission infrastructure. Sources say the intrusion was quickly detected and that the Commission's cybersecurity incident response team is now probing the incident. The actor claims to have stolen 350 GB of data, including multiple databases, and provided screenshots showing access to employee information and an internal email server. The actor says they will not extort the Commission but may leak the data later.

AitM Phishing Campaign Targets TikTok for Business

🔒 Push Security warns of an adversary-in-the-middle (AitM) phishing campaign that seizes control of TikTok for Business accounts by presenting victims with malicious credential-capture pages after a Cloudflare Turnstile check. Lures include lookalike TikTok for Business and fake Google Careers pages, sometimes offering scheduled calls to gain trust. The attackers host pages on multiple domains and use the Turnstile challenge to evade automated scanners. Separately, WatchGuard reported SVG attachments used to deliver a Go-based malware artifact linked to BianLian-style activity.

Severe Cyberattack on Die Linke; Qilin Likely Culprit

🔐 Die Linke says it was hit by a serious cyberattack that it attributes to the hacker group Qilin, possibly Russian-speaking, and has taken parts of its IT infrastructure offline. Party federal secretary Janis Ehling said attackers appear to be seeking sensitive internal and employee data; the membership database was not compromised. Authorities warned the party as the intrusion was detected, and a criminal complaint has been filed as the party coordinates with security services.

Anti-Piracy Coalition Shuts Down AnimePlay App, 5M Users

🔒 The Alliance for Creativity and Entertainment (ACE) has shut down AnimePlay, a major illegal anime streaming platform that hosted over 60 terabytes of TV shows and movies and had more than 5 million registered users, mostly in Indonesia. ACE said it seized 15 domains, hosting servers, full source code, 29 GitHub repositories, databases, advertising tools, and other backend systems, taking the service offline. The developer and admin surrendered control of the backend ecosystem, and ACE said the action restricts the operator's ability to rebuild or relaunch the platform.

Bearlyfy Uses GenieLocker to Hit 70+ Russian Firms

🔒 Bearlyfy, a pro-Ukrainian group also tracked as Labubu, has been linked to more than 70 attacks on Russian companies and began deploying a proprietary Windows ransomware called GenieLocker in March 2026. The group combines extortion and sabotage, often gaining initial access via vulnerable external services and deploying remote tools like MeshAgent. According to vendor F6, about one in five victims pay ransoms, and demand amounts have grown substantially.

Dutch Police Reports Limited Breach After Phishing Attack

🔒 The Dutch National Police disclosed a security breach stemming from a successful phishing attack, saying the incident was detected quickly and access was blocked by its Security Operations Center. Officials describe the impact as limited and state that citizens' data and investigative information were not accessed. A criminal investigation and an internal probe into affected systems are ongoing.

Espionage Campaigns Targeting Southeast Asian Government

🔎 Unit 42 identified converging cyberespionage clusters that targeted a Southeast Asian government between June and August 2025. The investigation found three simultaneous activity clusters—Stately Taurus, CL-STA-1048, and CL-STA-1049—using USB-propagated worms, multiple RATs, and stealthy loaders to establish persistent access and exfiltrate data. Unit 42 links tooling and TTPs to China-aligned actors and recommends layered defenses including Cortex XDR and Advanced WildFire.

Ajax systems flaw exposed fan data and enabled ticket hijack

🔒 Ajax Amsterdam disclosed that a hacker exploited vulnerabilities in its IT systems, allowing access to some fan data and control over ticket transfers. The club said only email addresses for a few hundred people were viewed and that fewer than 20 stadium-banned individuals had names, emails and dates of birth exposed. RTL journalists, tipped by the attacker, independently verified the flaws and demonstrated the ability to transfer season tickets, modify stadium bans and access broad fan data via APIs and shared keys. Ajax has engaged external experts, patched the vulnerabilities, notified authorities and advised fans to remain vigilant for impersonation attempts.

China-Linked Red Menshen Uses Stealthy BPFDoor Implants

🔒 A long-running espionage campaign attributed to China-linked threat cluster Red Menshen has embedded stealthy kernel-level implants into telecom networks to maintain persistent, low-noise access. Rapid7 highlights BPFDoor, a Linux backdoor that leverages Berkeley Packet Filter functionality to trigger shells only when a specifically crafted "magic" packet is seen, avoiding open listeners and conventional C2 channels. The actor also deploys CrossC2, Sliver, TinyShell, credential harvesting tools and a controller that can operate inside victim environments to enable lateral movement and covert monitoring.

EtherRAT Uses Ethereum Contracts to Evade Takedowns

🔒 eSentire researchers disclosed on March 25 that a new campaign using a Node.js backdoor, dubbed EtherRAT, leverages Ethereum smart contracts to conceal command-and-control infrastructure. The technique, referred to as EtherHiding, stores C2 addresses on-chain and enables operators to rotate servers cheaply. The malware retrieves contract data via public RPC providers, mimics CDN traffic to blend in, collects detailed system fingerprints and steals cryptocurrency wallets and cloud credentials. Organizations are advised to restrict risky Windows utilities, train staff against IT support scams and consider blocking common crypto RPC endpoints.

Phishing Campaign Targets TikTok for Business Accounts

🔒 Threat actors are targeting TikTok for Business accounts with Cloudflare-hosted phishing pages that evade bot detection by using Google Storage redirects and a Cloudflare Turnstile check. Victims first see fake forms that request business-email validation and are then shown a reverse-proxy login page that captures credentials and session cookies, allowing account takeover even with 2FA enabled. Push Security links the activity to a campaign that previously targeted Google Ad Manager and notes multiple NiceNIC-registered domains hosted in the same Google Storage bucket. Users should verify domains, treat unsolicited invites cautiously, and prefer passkeys for high-value accounts.