ciso brief

All news with #code signing tag

20 articles

Microsoft Disrupts Malware-Signing-as-a-Service Operation

🔒 Microsoft says it disrupted a malware-signing-as-a-service operation, codenamed OpFauxSign, that abused Artifact Signing to produce short-lived fraudulent code-signing certificates and deliver signed malware. The company seized the SignSpace site signspace[.]cloud, took hundreds of virtual machines offline, and blocked hosting for the underlying code. Operators tied to the group, called Fox Tempest, sold signing services for $5,000–$9,000 and facilitated distribution of Rhysida ransomware and loaders like Oyster. Microsoft added the actor likely used stolen U.S. and Canadian identities to pass verification and repeatedly adapted its tradecraft as defenders revoked certificates.

Microsoft Disrupts Malware Code-Signing Service Ring

🔒 Microsoft has disrupted the infrastructure behind a major malware code-signing service, seizing the group's site signspace[.]cloud and revoking more than 1,000 abused certificates. The company removed hundreds of attacker-controlled Azure virtual machines and linked the operation to a group it calls Fox Tempest. The service sold malware signing-as-a-service to ransomware affiliates, letting signed malicious installers evade Windows warnings and deploy backdoors, infostealers, and ransomware.

Microsoft Disrupts Malware-Signing Service Abusing Artifact

🔒 Microsoft says it disrupted a malware-signing-as-a-service operation that abused its Azure Artifact Signing platform to generate fraudulent short-lived code-signing certificates used by ransomware gangs and other cybercriminals. The actor, tracked as Fox Tempest, created over 1,000 certificates and hundreds of Azure tenants and subscriptions. Microsoft seized the signspace[.]cloud domain, took virtual machines offline, revoked certificates, and filed a lawsuit in the Southern District of New York.

Fox Tempest MSaaS Disruption and Artifact Signing Abuse

🔒 Fox Tempest operated a malware-signing-as-a-service that abused Microsoft Artifact Signing to generate short-lived fraudulent code-signing certificates, allowing signed malware to bypass controls. Microsoft tracked the actor since September 2025 and disrupted the MSaaS in May 2026, revoking over one thousand certificates and targeting the infrastructure. The group used hundreds of Azure tenants, preconfigured VMs on Cloudzy, and charged customers thousands for signing malicious binaries; Microsoft provides detections, IOCs, and mitigations to help defenders respond.

OpenAI Confirms Device Breach in TanStack Supply Attack

🔒 OpenAI confirmed that two employee devices were breached in the Mini Shai-Hulud/TanStack supply-chain attack that compromised hundreds of npm and PyPI packages. The company said customer data, production systems, intellectual property, and deployed software were not impacted. OpenAI isolated affected systems, revoked sessions, rotated credentials, and engaged a third-party forensic firm. It is rotating code-signing certificates as a precaution, requiring macOS users to update desktop apps before June 12, 2026.

OpenAI Rotates macOS Code-Signing Certificate After Attack

🔒 OpenAI is rotating macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package (v1.14.1) on March 31, 2026. The workflow had access to certificates used to sign macOS apps including ChatGPT Desktop, Codex, Codex CLI, and Atlas. OpenAI says it found no evidence the certificate was misused but is revoking and rotating it as a precaution; macOS users must update apps by May 8, 2026.

Signed Malware Mimics Workplace Apps to Deploy RMM Backdoors

🔒 In February 2026 Microsoft Defender Experts uncovered phishing campaigns that delivered digitally signed malware impersonating common workplace applications. The threat actor used an EV certificate issued to TrustConnect Software PTY LTD to sign trojanized installers (examples include msteams.exe, adobereader.exe, and invite.exe) that deployed RMM tools such as ScreenConnect, Tactical RMM, and MeshAgent. Executables reinforced legitimacy by copying to Program Files, registering services, creating Run keys, and executing encoded PowerShell to stage additional payloads and connect to attacker-controlled domains, enabling persistent remote access and lateral movement.

Notepad++ fixes harden updater, dramatically raising cost

๐Ÿ” The author of Notepad++ says the recently released updates have hardened a previously compromised update mechanism so it is now effectively unexploitable. Releases from 8.8.9 through 8.9.2 add layered checks: the updater now verifies both the signed installer and the signed XML manifest with independent cryptographic signatures and aborts on any anomaly. The auto-updater was reinforced, though users can still opt out during installation. The developer warns no system is absolutely unbreakable, but the changes substantially raise attacker cost.

Notepad++ strengthens updater with double-lock system

๐Ÿ” Notepad++ has implemented a double-lock update verification in version 8.9.2 to close recently exploited supply-chain gaps. The updater now validates both the signed installer from GitHub and a digitally signed XML (XMLDSig) served from the official notepad-plus-plus.org domain, and removes risky components such as libcurl.dll. Additional hardening removes insecure cURL SSL options and restricts plugin management execution to programs signed with the same certificate as WinGUp; users should upgrade to 8.9.2 or disable the auto-updater during installation.

MacSync macOS Stealer Uses Signed, Notarized Swift Installer

๐Ÿ›ก๏ธ Researchers have uncovered a new macOS information stealer, MacSync, delivered as a code-signed and notarized Swift installer masquerading as a messaging app. The signed DMG bypasses Gatekeeper and XProtect, and the installer prompts users to right-click to run โ€” a common social-engineering tactic. Apple has revoked the signing certificate. The dropper enforces rate limits, removes quarantine attributes, and downloads a Base64-encoded payload that resolves to the rebranded Mac.c/MacSync strain.

Notepad++ 8.8.9 fixes updater flaw allowing malicious files

๐Ÿ›ก๏ธ Notepad++ released version 8.8.9 to address a weakness in its WinGUp updater after reports that the updater retrieved and executed malicious binaries instead of legitimate update packages. The issue surfaced in community forums where a spawned %Temp%\AutoUpdater.exe executed reconnaissance commands and exfiltrated data to a public paste service. Version 8.8.9 now enforces code-signature verification for downloaded installers and aborts updates that fail signature checks.

Amazon ECR Adds Managed Container Image Signing Capability

๐Ÿ” Amazon ECR now offers managed container image signing to simplify and standardize container provenance. Using a few clicks in the ECR Console or a single API call, you create a signing rule that references an AWS Signer signing profile (signature validity, target repositories), and ECR automatically signs images when they are pushed using the pusher's identity. AWS Signer handles key and certificate lifecycle, and all signing operations are logged to CloudTrail. The feature is available in all Regions where AWS Signer is offered.

Rhysida Ransomware Abuses Microsoft Code-Signing Trust

🔒 Rhysida, a known enterprise-focused ransomware gang, is distributing malware via malvertising on Microsoft's Bing that redirects users to fake download pages for common tools such as Microsoft Teams, PuTTY, and Zoom. Victims who download receive an initial access trojan called OysterLoader, which establishes a persistent backdoor and is signed with Microsoft-like certificates to appear legitimate. The campaign pairs obfuscation/packing to lower static detection with trusted code signing to bypass allow-lists and AV. Experts urge behavior-based EDR, certificate pinning, DNS filtering, and tighter certificate oversight.

Microsoft Signing Transparency: Verifiable Code Signing

🔒 Microsoft has announced the preview of Signing Transparency, a cloud-managed service that records every software signature in an append-only ledger protected by confidential computing. The service verifies and countersigns COSE envelopes, issues cryptographic receipts tied to a Merkle-tree inclusion proof, and keeps signing keys in a secure enclave. Organizations and auditors can independently verify releases, detect tampering, and retain receipts for compliance and incident response.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft Threat Intelligence has revoked more than 200 code-signing certificates that were fraudulently used to sign counterfeit Microsoft Teams installers delivering a persistent backdoor and ransomware. The campaign, tracked as Vanilla Tempest (also known as Vice Spider/Vice Society), employed SEO poisoning and malvertising to lure users to spoofed download sites hosting fake MSTeamsSetup.exe files that deployed the Oyster backdoor and ultimately Rhysida ransomware. Microsoft says the actor abused Trusted Signing and services such as SSL.com, DigiCert and GlobalSign to sign malicious binaries. A fully enabled Microsoft Defender Antivirus detects and blocks these threats, and Microsoft provides guidance through Microsoft Defender for Endpoint for mitigation and investigation.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft disclosed it revoked more than 200 certificates after a threat actor tracked as Vanilla Tempest used them to fraudulently sign malicious binaries, including fake Microsoft Teams installers that delivered the Oyster backdoor and led to Rhysida ransomware deployments. The activity was detected in late September 2025 and disrupted earlier this month, and Microsoft has updated security solutions to flag the associated signatures. The actor abused SEO poisoning and bogus download domains impersonating Teams to distribute trojanized installers. Users are advised to download software only from verified sources and to avoid suspicious links or ads.

Microsoft Disrupts Rhysida Ransomware Targeting Teams

🔒 Microsoft disrupted a campaign by the financially motivated group Vanilla Tempest (also tracked as VICE SPIDER/Vice Society) after revoking over 200 code signing certificates used to sign malicious Microsoft Teams installers. The attackers used malvertising and SEO-poisoned domains mimicking Teams to distribute fake MSTeamsSetup.exe files that deployed the Oyster backdoor. The intervention curtailed a wave of Rhysida ransomware launches.

Malicious VSCode Extensions Resurface on OpenVSX Registry

โš ๏ธ Researchers at Koi Security warn that a threat actor known as TigerJack is distributing malicious Visual Studio Code extensions on both the official marketplace and the community-maintained OpenVSX registry. Two extensions, C++ Playground and HTTP Format, were removed from the VSCode marketplace after roughly 17,000 downloads but remain available on OpenVSX, and the actor repeatedly republishes variants under new accounts. The malicious code exfiltrates source code, deploys a CoinIMP cryptominer with no resource limits, or fetches remote JavaScript to enable arbitrary code execution, creating significant risks to developer machines and corporate networks.

AWS Lambda Code Signing Now Available in GovCloud Regions

๐Ÿ” AWS Lambda now supports code signing in AWS GovCloud (US-West and US-East) through the managed AWS Signer service. Lambda validates signatures at deployment to ensure code has not been altered and that it originates from trusted signers. Administrators can create Signing Profiles, bind allowed profiles to functions, and configure whether failed signature checks produce warnings or reject deployments. Access and permissions are controlled via IAM, and there is no additional charge to use this capability.

Cursor autorun flaw lets repos auto-execute code silently

⚠ Cursor's autorun feature can allow repositories to execute code automatically when a folder is opened in Visual Studio Code with Cursor installed. Oasis Security researchers demonstrated that attackers can embed hidden instructions that trigger commands tied to workspace events without a developer's consent. With Workspace Trust disabled by default in Cursor, opening a project can enable token theft, file tampering or persistent malware. Developers should treat unknown repositories cautiously and enable available trust controls.