All news in category “Incidents and Data Breaches”

🔐 Socket warns of an active supply-chain worm, codenamed SANDWORM_MODE, that abused at least 19 malicious npm packages to harvest developer credentials and cryptocurrency keys. The packages — many typosquatting legitimate modules and published by aliases official334 and javaorg — contain code to steal tokens, environment secrets and LLM API keys. The campaign also includes a weaponized GitHub Action, an optional home-directory wiper, and an McpInject component that targets AI coding assistants. Users should remove affected packages, rotate tokens, and audit repositories and CI workflows.

🔒 The University of Mississippi Medical Center (UMMC) has taken many IT systems offline following a ransomware attack that disrupted access to electronic medical records and forced clinics and elective procedures to be cancelled. UMMC activated its Emergency Operations Plan and is working with the FBI and the Department of Homeland Security while hospitals operate using downtime procedures. The organisation has taken network systems offline for risk assessments and has not confirmed whether patient or employee data was exfiltrated.

🔒 Group-IB reports that Iranian APT MuddyWater launched Operation Olalampo, using new and updated implants to target organizations across the MENA region. Attacks beginning January 26, 2026 employed malicious Office macros to deliver downloaders like GhostFetch and HTTP_VIP, a Rust backdoor CHAR, and a second-stage implant GhostBackDoor. The campaign leverages C2 servers, a Telegram-controlled bot, and signs of AI-assisted development.

🔐 A Russian-speaking, financially motivated actor used commercial generative AI to scale scans and credential guessing against exposed FortiGate management ports, compromising over 600 devices across 55 countries. Amazon Threat Intelligence observed the activity between January 11 and February 18, 2026, noting no FortiGate zero-day exploits were used — the campaign relied on internet-exposed interfaces and weak single-factor credentials. Post-compromise activity included Active Directory theft, credential harvesting, NTLM relay and attempts to target Veeam backup servers, consistent with ransomware preparation.

🔍 Amazon says a Russian-speaking threat actor used commercial AI services to help breach over 600 FortiGate firewalls across 55 countries during a five-week campaign in early 2026. The attacker did not rely on zero-day exploits but instead scanned internet-facing management ports and used brute-force attempts against weak credentials lacking MFA. After gaining access, the actor extracted device configurations (including SSL‑VPN and administrative credentials) and deployed AI-assisted Python and Go tools to parse settings, map networks, and automate reconnaissance. Amazon urges administrators to remove exposed management interfaces, enable MFA, ensure VPN passwords differ from Active Directory credentials, and harden backup systems.

⚠️ Researchers discovered that a compromised npm publish token allowed an attacker to push a modified release of the widely used Cline CLI that added a malicious postinstall script to fetch and run the AI agent OpenClaw. Aside from that new script, package contents and the CLI binary matched the legitimate prior release, making the change easy to miss. The malicious publish was live on the registry for about eight hours on February 17 before it was deprecated and corrected; developers who installed during that window are advised to update Cline and remove OpenClaw if it was not intentionally installed.

🔒 Spanish authorities say they arrested a 20-year-old who allegedly exploited a payment gateway to reserve luxury hotel rooms for a single euro cent. The suspect reportedly manipulated the communication between a booking site and the bank so the reservation appeared fully authorised while only €0.01 was processed. Multiple fraudulent bookings were reported by the travel agency, and one hotel lost over €20,000.

🔐 Amazon Threat Intelligence observed a Russian-speaking, financially motivated actor using commercial generative AI to compromise over 600 FortiGate devices across 55+ countries from 2026-01-11 to 2026-02-18. The campaign did not exploit FortiGate vulnerabilities; it abused exposed management ports and weak single-factor credentials. The actor used AI-generated plans, scripts, and developer assistance to scale credential-based access and automate post-exploitation tasks.

🔒 Advantest Corporation reported that its corporate network experienced a ransomware intrusion detected on February 15, prompting immediate isolation of affected systems and the engagement of third-party cybersecurity specialists. Preliminary findings indicate an unauthorized party may have deployed ransomware in portions of the network, though no data theft has been confirmed. The company says it will notify and advise any customers or employees if their information is determined to be impacted. The investigation is ongoing and, to date, no ransomware group has claimed responsibility.

⚠️ Proofpoint uncovered TrustConnect, a malware-as-a-service that masquerades as a legitimate remote monitoring and management (RMM) product and is advertised at about $300 per month. The operation uses a polished public website and a backend portal that functions as a web-based command-and-control dashboard for paying customers. Attackers primarily rely on social engineering — phishing lures and signed installers impersonating Zoom, Teams, Adobe Reader and others — to trick victims into running the RAT, which auto-registers infected hosts in the portal. Researchers disrupted parts of the infrastructure but observed resilient activity and a related variant called DocConnect.

🔓The French Ministry of Finance confirmed a cybersecurity incident in late January after a threat actor used credentials stolen from a civil servant to access the national bank account registry FICOBA. The attacker accessed and likely exfiltrated data for about 1.2 million accounts, including bank identifiers (RIBs/IBANs), account holder names, addresses and sometimes taxpayer identification numbers. Authorities restricted the intruder’s access once detected and say the tax authority DGFiP is working with ANSSI and CNIL to secure systems. Affected users and banking institutions will be notified and warned to remain vigilant against scams.

⚠️ On February 17, 2026, the npm package cline was maliciously published as cline@2.3.0 using a compromised publish token; the release added a postinstall hook that executed npm install -g openclaw@latest. Installations between 03:26–11:30 PT pulled OpenClaw onto developer machines. Cline has released 2.4.0, deprecated 2.3.0, revoked the token and updated publishing to support OIDC; users are advised to upgrade and remove any unexpected OpenClaw installs, though researchers say overall impact is low since OpenClaw is not inherently malicious and no Gateway daemon was started.

🔓 PayPal is notifying customers that a software error in its PayPal Working Capital loan application exposed sensitive personal information, including Social Security numbers, for nearly six months. The company says the issue, present from July 1 to December 13, 2025, was caused by a code change that was rolled back after discovery on December 12. PayPal has reset passwords for affected accounts, refunded unauthorized transactions for some users, and is offering two years of Equifax credit monitoring.

🔒 Elastic Security Labs disclosed a ClickFix campaign that leverages compromised legitimate websites to deliver a new remote access trojan named MIMICRAT. Attackers inject JavaScript to load an externally hosted PHP lure that shows a fake Cloudflare verification page and tricks victims into running a PowerShell command. A multi-stage PowerShell chain performs ETW and AMSI bypasses, then drops a Lua-based in-memory loader which decrypts shellcode to install the RAT. MIMICRAT communicates over HTTPS on port 443 using profiles that mimic web analytics and supports localized lures in 17 languages to widen impact.

🔒 The University of Mississippi Medical Center (UMMC) closed all clinic locations statewide after a ransomware attack disrupted multiple IT systems and blocked access to the Epic electronic medical record. Outpatient and ambulatory surgeries, procedures, and imaging appointments were canceled while inpatient and emergency care continue using established downtime procedures. UMMC said it has taken network systems offline, is working with the FBI and CISA, and that attackers have communicated and may be negotiating an extortion demand.

🔔 The FBI says Americans lost more than $20 million last year amid a sharp increase in ATM 'jackpotting' attacks that use malware to force cash machines to dispense money. These attacks—often leveraging Ploutus—target the ATM's software layer (the XFS interface) to bypass bank authorization and trigger withdrawals without cards. The agency urged institutions to audit ATMs for unauthorized removable storage and validate system images to detect physical intrusion and malware staging.

🛡️ A 29-year-old Ukrainian national was sentenced to five years in U.S. prison after pleading guilty to charges tied to a scheme that sold stolen U.S. identities to overseas IT workers, enabling them to secure jobs at roughly 40 American companies and funnel wages back to North Korea. Prosecutors say he operated Upworksell.com, managed hundreds of proxy identities and U.S.-based laptop farms, and was ordered to pay $46,547.28, serve 12 months of supervised release, and forfeit more than $1.4 million.

⚖️ Oleksandr Didenko, a 39-year-old Ukrainian, was sentenced to 60 months in prison and 12 months of supervised release after pleading guilty to aggravated identity theft and wire fraud conspiracy for selling stolen U.S. identities to foreign IT workers. Using the seized platform UpWorkSell, he provided at least 871 proxy identities and accounts that helped applicants secure positions with roughly 40 U.S. companies and supported multiple "laptop farms" that masked device locations. Authorities also seized more than $1.4 million in cash and cryptocurrency tied to the scheme.

🔒 Saxony's State Criminal Police Office (LKA) has created a special commission to investigate a cyberattack on the Staatliche Kunstsammlungen Dresden. The incident, reported on January 21, disrupted significant parts of the institution's digital infrastructure, including its online shop and visitor services, while the physical security systems were reportedly not affected. The Dresden Public Prosecutor General's Office is directing the investigation but has provided no further details. The SKD says it is working closely with a security firm to ensure the safety of collections and visitors.

💰 The FBI warned that 1,900 ATM jackpotting incidents have been reported since 2020, with 700 occurring in 2025 and losses exceeding $20 million last year. Threat actors deploy specialized malware such as Ploutus, often gaining physical access using generic keys to open ATM faces and then replacing or modifying hard drives to install code. The malware exploits the Windows OS and the ATM's XFS layer to issue dispenser commands directly, bypassing bank authorization and enabling rapid cash-outs across multiple ATM models. The FBI advised operators to strengthen physical protections, change default credentials, enforce device allowlisting, maintain logs, and configure automatic shutdowns when compromise indicators are detected.