
All news in category “Incidents and Data Breaches”

2724 articles · page 54 of 137

Microsoft: Python-based infostealers targeting macOS

⚠ Microsoft warns that information-stealing campaigns are expanding beyond Windows to target Apple macOS by leveraging cross-platform languages like Python and abusing trusted distribution platforms. Since late 2025, attackers have used malvertising and Google Ads to redirect users to fake sites that employ ClickFix lures and DMG installers to deploy families such as Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. Campaigns use fileless execution, native macOS utilities, and AppleScript to harvest browser credentials, session cookies, iCloud Keychain items, and developer secrets. Organizations are urged to train users on malvertising and fake installers, monitor Terminal and iCloud Keychain access, and inspect network egress for POSTs to newly registered or suspicious domains.

Coinbase Confirms Contractor Insider Breach of Support Data

🔒 Coinbase confirmed that a contractor improperly accessed data for approximately 30 customers in a December incident, and the individual no longer performs services for the company. Impacted users were notified, provided identity theft protection services, and Coinbase disclosed the incident to relevant regulators. Screenshots of an internal support panel briefly appeared on Telegram and were associated with the 'Shiny Lapsus Hunters' posts, showing customer PII, KYC details, and wallet balances, though attribution remains unclear.

Step Finance: Executive Device Compromise Leads to $40M Theft

🚨 Step Finance announced on January 31 that attackers compromised devices belonging to several executives, resulting in the theft of roughly $40 million in digital assets. The Solana-based DeFi analytics and execution platform engaged external cybersecurity researchers and law enforcement and has recovered about $4.7 million so far through Token22 protections and partner coordination. Some operations are paused to strengthen security. Users are advised not to interact with the STEP token while a pre-exploit snapshot and remediation plan are processed.

Iron Mountain Breach Limited Mainly to Marketing Files

🗂️ Iron Mountain says a recent incident claimed by the Everest extortion group was limited primarily to marketing materials. Attackers used a compromised credential to access a single public-facing file-sharing folder containing vendor marketing files; no customer confidential data or other systems were affected. The company confirmed no ransomware or malware was deployed and the compromised credential has been deactivated.

AI-Driven AWS Attack: From Exposed Key to Admin in Minutes

⚠️ Sysdig researchers observed an AI-assisted intrusion in November 2025 that converted exposed AWS credentials in a public S3 bucket into full administrative control in under eight minutes. The attackers exploited an IAM user with Lambda and limited Amazon Bedrock access, injected malicious code into an existing Lambda function, and generated admin keys from the function output. They then moved laterally across multiple principals, invoked multiple foundation models (LLMjacking), disabled model-invocation logging, and attempted to provision costly GPU instances to run ML workloads. Sysdig recommends enforcing least privilege, restricting UpdateFunctionCode and PassRole, protecting S3 buckets, enabling Lambda versioning, and turning on Bedrock logging.

Hackers Exploit React Native Metro Bug to Breach Systems

🔓 Security researchers warn that attackers are exploiting the critical CVE-2025-11953 flaw in the React Native Metro server to drop malicious Windows and Linux payloads. The issue abuses the development-only /open-url HTTP endpoint, which accepts POST requests and can pass a user-supplied URL unsanitized to the system open() call. JFrog disclosed the bug and it was fixed in @react-native-community/cli-server-api v20.0.0+, but active exploitation (Metro4Shell) has been observed delivering base64 PowerShell stagers and UPX-packed binaries.

New ‘Vect’ RaaS Variant Targets Windows, Linux, ESXi

🔒 Security researchers have identified a new ransomware-as-a-service operation named Vect that began recruiting affiliates in December 2025. According to Halcyon, Vect uses C++-built malware with ChaCha20-Poly1305 AEAD and intermittent (block) encryption to speed disruption, and advertises cross-platform targeting for Windows, Linux and VMware ESXi. Red Piranha notes strong OPSEC including Monero payments, Tox communications and Tor-only infrastructure.

Paris prosecutors raid X over algorithm changes and CSAM

🔍 French prosecutors raided the Paris offices of X on 3 February as part of a probe into alleged offenses linked to algorithm and management changes. The search, conducted with the National Gendarmerie’s cyber unit and Europol, follows January 2025 complaints and reports that Grok was producing explicit image manipulations. Prosecutors say a change to X’s CSAM detection tool coincided with an 81.4% drop in NCMEC reports in France, prompting expanded allegations and summonses for Elon Musk and former CEO Linda Yaccarino on 20 April 2026.

PDF Phishing Campaign Targets Corporate Dropbox Credentials

🔒 Forcepoint X-Labs has warned of a multi-stage phishing campaign that uses short, business-themed emails and PDF attachments to harvest corporate Dropbox credentials. The PDFs contain embedded AcroForm links that limit scanning by security tools and redirect victims to a legitimate cloud-hosted portal serving a spoofed login page. By leveraging reputable cloud infrastructure, the attackers reduce suspicion and bypass many automated reputation checks. Submitted credentials are exfiltrated to a Telegram channel, enabling account takeover and follow-on abuse.

Notepad++ Updates Hijacked in Chinese APT Supply-Chain

🔒 The open-source editor Notepad++ was the target of a sophisticated supply-chain attack after threat actors compromised its shared hosting provider and redirected selective update traffic to malicious servers between June and December 2025. Researchers say the campaign is likely Chinese state-sponsored; Rapid7 identified a custom backdoor called Chrysalis and observed Cobalt Strike and Metasploit activity. Notepad++ has migrated hosting and improved its WinGUp updater to verify certificates and signatures, with enforcement planned in forthcoming releases.

Moltbook Misconfiguration Exposes User Data and API

🔓 Security researchers at Wiz discovered a public Supabase API key in Moltbook’s client-side JavaScript that granted unauthenticated read/write access to the production database. The misconfiguration—absence of Row Level Security (RLS) policies—exposed around 1.5 million agent tokens, roughly 30,000 email addresses and thousands of private messages. With write privileges an attacker could impersonate any agent, inject malicious content or prompt-injection payloads, and deface the site. Moltbook’s developer has since remediated the issue after multiple rounds of fixes with Wiz.

APT28 Exploits Microsoft Office CVE-2026-21509 in Attacks

🔎 The Russia-linked threat actor APT28 has been observed exploiting CVE-2026-21509 in targeted Microsoft Office document attacks as part of Operation Neusploit. Zscaler ThreatLabz reported activity beginning on January 29, 2026, using localized lures and server-side geofilters to deliver malicious DLLs only to intended victims in Ukraine, Slovakia, and Romania. The exploit chains employ RTF/Word files that drop two distinct loaders: a C++ email stealer named MiniDoor and a more elaborate PixyNetLoader, which uses steganography and COM hijacking to deploy a Covenant Grunt implant. The campaign demonstrates focused espionage objectives, targeted evasion, and persistent C2 capabilities.

Responding to Ransomware: Forensics, Triage, and Policy

🛡️ Stay calm and avoid rash moves when ransomware hits: shutting down systems can cause 'forensic suicide' by destroying volatile evidence such as RAM. Joanna Lang-Recht recommends isolating affected hosts from networks rather than powering them off, preserving forensic images, and engaging specialized incident response teams. Prioritize containment, secure offline backups, and clear crisis roles. Treat negotiation as an economic decision and rely on trained negotiators rather than emotional engagement.

Notepad++ Hosting Breach Attributed to Lotus Blossom

🔒 Rapid7 attributes a late-2025 compromise of the infrastructure hosting Notepad++ to the China-linked actor known as Lotus Blossom. Attackers delivered a previously undocumented backdoor, Chrysalis, via a malicious NSIS installer after hijacking update requests beginning in June 2025; access was terminated on December 2, 2025. Notepad++ patched updater verification in version 8.8.9, migrated hosting, rotated credentials, and responders have published indicators and mitigations.

GlassWorm campaign targets macOS via OpenVSX extensions

🐛 A new GlassWorm campaign distributed through compromised OpenVSX extensions is targeting macOS systems to steal passwords, crypto-wallet data, and developer credentials and configurations. Malicious updates pushed from the hijacked oorzc account on January 30 trojanized four packages with roughly 22,000 cumulative downloads and established persistence via a LaunchAgent while excluding Russian-locale systems. Socket's analysis shows broad data collection across browsers, wallets, macOS Keychain, Apple Notes, developer secrets, and exfiltration to 45.32.150[.]251; affected releases were removed and tokens revoked, but users are advised to perform full system clean-up and rotate secrets.

OpenClaw skills become a new malware delivery channel

🔍 VirusTotal has identified a surge of malicious OpenClaw skills being used as a delivery channel for droppers, backdoors, infostealers and remote access tools, turning automation workflows into a supply‑chain risk. VT added native support in Code Insight to analyze OpenClaw skill packages (including ZIPs) using Gemini 3 Flash, flagging behaviors like downloading and executing external code, network operations, and sensitive data access. The report highlights prolific abuse by a single publisher and provides concrete recommendations for users and marketplaces to reduce exposure.

341 Malicious ClawHub Skills Target OpenClaw Users

⚠️ A security audit by Koi Security found 341 malicious skills among 2,857 listings on the ClawHub marketplace, many deploying a macOS stealer tracked as Atomic Stealer in a campaign dubbed ClawHavoc. Attackers used fake prerequisites and social engineering to trick users into running installers or terminal scripts that fetch next-stage payloads from attacker-controlled infrastructure. The malicious skills include typosquats, crypto tools, YouTube utilities and backdoors that exfiltrate bot credentials and keys, exposing OpenClaw users to significant supply-chain risks.

Scattered Lapsus Shiny Hunters: Extortion Tactics Exposed

🔒 A prolific English-language extortion gang calling itself Scattered Lapsus Shiny Hunters (SLSH) combines data theft with coordinated harassment — swatting, DDoS, and call- and email-flooding — to pressure victims into paying. Allison Nixon of Unit 221B and forensic analysis from Mandiant trace recent incidents to early–mid January 2026, when attackers used phone-based phishing to harvest SSO and MFA codes. Nixon warns SLSH is fractious and untrustworthy, and advises organizations that negotiating beyond a firm refusal generally escalates harm and provides attackers information useful for later fraud.

Notepad++ Update Hijack Linked to Hosting Provider Breach

🔒 A months-long supply chain attack redirected update traffic for notepad-plus-plus.org to attacker-controlled servers, enabling malicious manifests to be served to the built-in WinGUp updater and, in some cases, pointing users to compromised executables. Investigators conclude the intrusion stemmed from a compromise of the shared hosting provider infrastructure rather than a flaw in the Notepad++ code. Logs suggest the breach began in June 2025, with direct server access ending on 2 September 2025 while exposed credentials lingered until 2 December 2025.

Notepad++ Update Hijacked by Chinese State Hackers

🔒 Notepad++ developers say Chinese state-sponsored actors hijacked the project's update delivery last year, intercepting and selectively redirecting update requests to malicious servers by exploiting insufficient verification in older WinGUp updaters. The compromise began in June 2025 after a hosting provider breach and persisted until Dec 2, 2025, when the provider terminated access. The project migrated hosting, rotated credentials, patched the updater to verify certificates and signatures, and urges users to change SSH/FTP/MySQL credentials, review WordPress accounts, and update software.