CISO Brief

All news with #credential access tag

182 articles · page 2 of 10

Microsoft: Phishing Campaign Uses Fake Compliance Notices

📩 Microsoft Defender Research disclosed a large-scale credential-theft campaign that targeted over 35,000 users at roughly 13,000 organizations using polished fake internal compliance notifications. Running April 15–16, 2026, the messages used enterprise-style HTML templates, organization-specific names and attached PDFs that redirected recipients through a Cloudflare CAPTCHA to staged authentication pages. Attackers employed an adversary-in-the-middle (AiTM) flow to harvest tokens and compromise accounts, primarily impacting US firms but seen in 26 countries. Microsoft recommends enabling passwordless authentication, using authenticator apps for MFA, turning on Safe Links and Safe Attachments, and configuring attack disruption in Microsoft Defender XDR.

CloudZ RAT and Pheno Plugin Abuse Microsoft Phone Link

🔍 Cisco Talos disclosed an active campaign since January 2026 in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.

ConsentFix v3 Automates OAuth Abuse Targeting Azure

🔐 ConsentFix v3 is an automated evolution of prior OAuth consent phishing techniques that targets Microsoft Azure environments by abusing pre-trusted first-party apps and the OAuth2 authorization code flow. Attackers conduct reconnaissance to harvest employee names, roles, and emails, host convincing phishing pages on Cloudflare Pages and DocSend, and use Pipedream webhooks to collect and immediately exchange authorization codes for refresh tokens. Phishing is often highly personalized and delivered via PDFs to evade filters. Captured tokens are imported into post-exploitation tools to access mail, files, and other resources permitted by the token.

Vishing and SSO Abuse Drive Rapid SaaS Extortion Campaigns

🔒 Cybercrime clusters Cordial Spider and Snarky Spider are executing fast, low-footprint extortion campaigns that rely on vishing and SSO adversary-in-the-middle pages to harvest credentials and MFA codes. After registering devices and suppressing notification emails, attackers pivot directly into SaaS platforms such as Google Workspace, HubSpot, SharePoint, and Salesforce to locate and exfiltrate high-value files. Researchers note heavy use of living-off-the-land techniques and residential proxies to minimize detection.

Negotiator Pleads Guilty to Aiding Ransomware Gang

⚖️ The negotiator pleaded guilty after secretly working for a ransomware gang while ostensibly negotiating payments on behalf of victims. The arrangement let a trusted intermediary funnel information to the gang and steer negotiations in its favor, undermining client trust and incident response. Prosecutors say the conduct included clandestine communications that advantaged the criminals and complicated recovery. The plea underscores the risk of relying on third-party negotiators without robust oversight.

FBI Links Cybercriminals to Sharp Rise in Cargo Thefts

🔒 The FBI warned transportation and logistics firms of a marked increase in cyber-enabled cargo thefts, estimating losses in the U.S. and Canada could reach nearly $725 million in 2025. Criminals are using phishing, typosquatting domains, and account compromise to post fraudulent load listings and impersonate carriers, rerouting high-value shipments. The bureau urged multi-factor authentication, dual-channel verification of shipment requests, and reporting incidents to IC3 and local law enforcement.

Three Arrested Over Hacking of 610,000 Roblox Accounts

🔒 Ukrainian authorities have arrested three suspects accused of compromising more than 610,000 accounts on the online gaming platform Roblox. Investigators say the group used social engineering lures that delivered infostealer malware to harvest usernames, passwords and authentication tokens, then assessed accounts for rare items and Robux. At least 357 high‑value accounts were identified and sold on Russian websites for cryptocurrency, reportedly generating over $225,000. Searches at ten properties recovered computers, storage devices, mobile phones, bank cards, handwritten notes and cash; analysis is ongoing and the suspects face up to 15 years if convicted.

Stealthy Python RAT 'DEEP#DOOR' Uses Public Tunneling

🛡️ Securonix researchers disclosed a stealthy Python-based backdoor named DEEP#DOOR that establishes persistent access and extensive surveillance on compromised Windows hosts. Delivered via an obfuscated batch dropper, the implant extracts and runs an embedded svc.py payload and uses the public Rust-based tunneling service bore.pub for command-and-control. Its capabilities include remote shells, credential and key theft, webcam and audio capture, and robust anti-analysis measures.

Supply Chain npm Attack Targets SAP Developer Tools

🔒 A supply-chain campaign dubbed "mini Shai-Hulud" infected SAP-related npm packages in late April, inserting install-time malware that harvested developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials across AWS, Azure, GCP and Kubernetes. Researchers identified affected packages including mbt@1.2.48 and several @cap-js modules. The malicious releases were later replaced with safe versions.

Defending Against SaaS-Focused CORDIAL and SNARKY SPIDERS

🔐 CrowdStrike's Falcon Shield team explains how, since October 2025, CORDIAL SPIDER and SNARKY SPIDER have executed fast, SaaS-first attacks that bypass endpoint visibility. Through vishing and SSO-themed AiTM pages they capture credentials and session tokens, then pivot into IdPs and multiple SaaS apps. Falcon Shield detects anomalous sign-ins, MFA enrollments, notification suppression, and adversary proxy infrastructure to disrupt these campaigns.

SAP npm Packages Compromised in Credential-Stealing Attack

🔒 Multiple official SAP npm packages were recently compromised in a supply-chain operation that installs a malicious preinstall script during package installation. The script downloads the Bun runtime and executes an obfuscated payload that harvests a wide range of secrets — including npm and GitHub tokens, SSH keys, cloud credentials, Kubernetes configs, and CI/CD environment variables — and exfiltrates them to public GitHub repositories. Researchers attribute the campaign with medium confidence to TeamPCP and warn it includes self-propagation logic to modify other packages using stolen credentials.

Supply-Chain Attack Targets SAP-Related npm Packages

⚠️ Researchers have uncovered a supply-chain campaign dubbed the "mini Shai-Hulud" that poisoned multiple SAP-related npm packages to install credential-stealing malware during installation. The malicious releases added a preinstall hook that fetched and executed a platform-specific Bun binary, harvesting local credentials, GitHub and npm tokens, CI secrets, and cloud credentials. Analysts from Aikido Security, SafeDep, Socket, StepSecurity and Wiz advise rotating tokens, inspecting workflows, and upgrading to patched releases.

CISA Orders Federal Patch for Windows Zero-Day Flaw

🔒 CISA has ordered U.S. federal agencies to secure Windows endpoints against a zero-click authentication coercion flaw, tracked as CVE-2026-32202. Akamai reported the bug as a residual issue left after an incomplete February patch for an RCE, CVE-2026-21510, and says it enabled credential theft via auto-parsed LNK files. Microsoft flagged exploitation after reporting inquiries, and CISA added the issue to its KEV Catalog, directing agencies to patch by May 12 under BOD 22-01. Organizations are urged to apply vendor mitigations or discontinue affected products if fixes are unavailable.

Talos Year in Review: Five Priorities for Defenders

🔐 Cisco Talos’ Year in Review, authored by Hazel Burton, highlights how lower barriers to attack and rapid proof-of-concept development are stressing defenders. The report shows attackers increasingly rely on valid accounts, credential abuse, and management-plane targets while still producing detectable anomalous behavior. Recommended priorities include hardening IAM, prioritizing patching by exposure, improving visibility into legacy components, and securing systems that broker trust.

Chinese National Extradited in Silk Typhoon Hacking Case

🔒 Xu Zewei, a 34-year-old Chinese national, has been extradited to the US and charged in connection with a series of intrusions between February 2020 and June 2021 allegedly tied to the Silk Typhoon campaign. US prosecutors allege Xu acted under direction of China's Ministry of State Security and used a private contractor, Shanghai Powerock Network Co. Ltd., to obscure government involvement. Authorities say early intrusions targeted US universities and COVID-19 researchers and later exploited Microsoft Exchange vulnerabilities; Xu faces counts including wire fraud, unauthorized access and identity theft, and his co-defendant remains at large.

Npm Supply-Chain Malware Uses Worm-Like Propagation

🐛 Researchers from Socket have identified malicious npm packages that execute during installation to harvest credentials and developer artifacts, then attempt worm-like propagation across ecosystems. The payload targets cloud and CI/CD tokens, SSH keys, .npmrc files, browser profiles and crypto wallets, exfiltrating data via HTTPS webhooks and ICP endpoints. It attempts to republish compromised packages using stolen npm tokens and can also generate PyPI payloads via .pth injection. The campaign leverages blockchain-hosted canisters for C2 and remains under active investigation.

Trojanized Bitwarden CLI in Supply Chain Attack Uncovered

🛡️ A malicious npm release of the Bitwarden CLI (version 2026.4.0) was briefly published after attackers compromised a GitHub Action in the project's CI/CD pipeline. The trojanized package included a loader that installs bun and executes a payload designed to harvest cloud, development, and CI credentials. Bitwarden reported no evidence of user vault access and the package was removed within roughly 1.5 hours, with compromised access revoked and remediation initiated.

Bitwarden CLI npm Package Compromised to Steal Keys

🔒 The Bitwarden CLI @bitwarden/cli npm package was briefly compromised when attackers published a malicious v2026.4.0 release on April 22, 2026. The injected payload harvested developer secrets — including npm and GitHub tokens, SSH keys, and cloud credentials — and contained self‑propagation capability to infect other packages. Bitwarden confirmed only the npm distribution channel was affected, found no evidence of vault or production data access, revoked compromised access, deprecated the release, and initiated remediation; affected developers should rotate exposed credentials.

UNC6692 Uses Microsoft Teams to Deploy SNOW Malware

🔒 Mandiant links a newly documented cluster, UNC6692, to social-engineering campaigns conducted via Microsoft Teams that coerce victims into installing malicious software and browser extensions. The actor uses large-scale email-bombing to create urgency, then impersonates IT helpdesk staff to deliver an AutoHotkey-based installer hosted on attacker-controlled AWS S3. That installer loads the SNOW malware family, including SNOWBELT, SNOWGLAZE, and SNOWBASIN, enabling credential theft, tunneling, lateral movement, and data exfiltration.

Supply Chain Breach Compromises Checkmarx KICS Artifacts

🔐 Checkmarx's KICS Docker images and VS Code/Open VSX extensions were trojanized to harvest developer secrets. Dependency security firm Socket investigated after Docker alerted them to malicious images pushed to the official checkmarx/kics repository and found an embedded MCP addon that downloaded a credential-stealing module (mcpAddon.js). The malware targeted GitHub tokens, cloud credentials, npm tokens, SSH keys, Claude configs and environment variables, encrypting and exfiltrating them to audit.checkmarx.cx while creating public GitHub repositories to receive stolen data. Checkmarx removed the artifacts, rotated exposed credentials and advised developers to rotate secrets, pin image SHAs and rebuild from trusted sources.