< ciso
brief />
Tag Banner

All news with #credential dumping tag

91 articles

Spirals ransomware encrypts corporate networks rapidly

🛡️Researchers report a June intrusion where the new Spirals ransomware actor moved from initial access to data theft and encryption in under 24 hours. After compromising a publicly exposed IIS server and uploading an ASP.NET web shell, the attacker bypassed UAC, enabled RDP, created local accounts, and harvested credentials. They disabled security and backup services, used multiple lateral movement and remote-access tools, and deployed a Rust-based payload named bitsadmin.exe to encrypt files and drop a ransom note.
read more →

Shai Hulud CI/CD to Redshift breach analysis

🔍 This FortiGuard Labs analysis examines the Shai Hulud supply chain worm that poisoned CI/CD dependencies to harvest Jenkins credentials and pivot into AWS. The report outlines a mid‑May 2026 incident where FortiCNAPP traced external use of a Jenkins instance role, IAM escalation to a cloudops-monitor identity, and subsequent Redshift data extraction. It highlights detection signals, MITRE mappings, and recommended containment actions.
read more →

Analysis of Reported Credential Compromise of FortiGate

🔐 Fortinet has observed malicious actors harvesting FortiGate credentials in an activity labeled "FortiBleed." Their initial analysis indicates attackers are reusing credentials from prior incidents and leveraging brute-force techniques against devices lacking strong passwords and multi-factor authentication. This is not a new Fortinet vulnerability and is unrelated to recent advisories. Fortinet is investigating, notifying impacted customers, and recommending immediate defensive actions and hardening.
read more →

Salesforce disables Klue app after OAuth breach

🔒 Salesforce has disabled the Klue Battlecards app integration after unusual activity tied to a Klue security incident on June 11, 2026, which may have allowed unauthorized access to some customer data. Klue says attackers used a compromised legacy credential to obtain OAuth tokens and access connected third-party platforms, while Salesforce emphasizes the issue stemmed from the app connection and not its platform. Klue and customers like Huntress are investigating, revoking tokens, and remediating impacts.
read more →

Fortibleed campaign exposes 75,000 Fortinet firewalls

🔒 Researchers have uncovered a large credential-compromise campaign called Fortibleed that exposed tens of thousands of Fortinet FortiGate devices worldwide. Analysis by SOCRadar, Hudson Rock, and independent researchers found stolen configuration files, administrator and SSL VPN credentials, and tooling used to automate collection and cracking. Affected devices span 194 countries, with roughly 75,000 devices reportedly compromised, prompting urgent remediation advice including credential rotation and upgrading to modern FortiOS hashes.
read more →

China-linked group exploited REDCap to target research

🔒 Google warns that a China-associated threat actor, UNC6508, ran a prolonged espionage campaign targeting US and Canadian research environments by abusing legacy versions of REDCap. The attackers trojanized upgrade processes with modular malware called INFINITERED to achieve persistence, harvest credentials, and maintain a backdoor. GTIG recommends inspecting REDCap files, validating upgrades, and enforcing stronger authentication and DLP controls.
read more →

Compromised JavaScript in Popular WordPress Plugins

🛡️ An attacker served tampered JavaScript used by PushEngage, OptinMonster, and TrustPulse, executing only when a logged-in WordPress administrator loaded the files. The malicious code created an attacker-controlled admin account, installed a hidden plugin backdoor providing remote code execution, and exfiltrated credentials to a fake tidio[.]cc domain. Sansec disclosed the campaign on June 13; PushEngage confirmed exposures that lasted longer than the brief windows seen for the other plugins. Site owners should treat any site that loaded the affected scripts during the window as compromised and perform server-side scans and credential rotations immediately.
read more →

Unpatched Windows search: URI leaks NTLMv2 hashes

🔒 Researchers disclosed an unpatched Windows issue that can expose a user's NTLMv2 hash via the search: URI handler. Similar to CVE-2026-33829 in the Snipping Tool, the flaw leverages a crumb=location: parameter to force an SMB connection and trigger NTLM authentication. The weakness produces the same Net-NTLMv2 leak and attack prerequisites, and Microsoft declined to patch it after responsible disclosure.
read more →

Supply Chain Intrusions Target Developer Tooling

🔒 CISA is addressing multiple software supply chain intrusions that target developer ecosystems, specifically CI/CD pipelines, code extensions, and workflows. A malicious Nx Console VS Code extension (version 18.95.0) exploited a prior compromise of Nx developer systems to access a GitHub employee’s device, leading to unauthorized access and exfiltration of internal repositories and assignment of CVE-2026-48027. The “Megalodon” campaign injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens. CISA urges organizations to detect and remediate potential compromises and implement recommended best practices for package repositories and CI/CD security.
read more →

Coordinated Takedown Disrupts GlassWorm C2 Channels

🛡️ CrowdStrike, together with Google and the Shadowserver Foundation, announced the simultaneous disruption of all command-and-control channels used by GlassWorm, a persistent campaign that has targeted software developers since early 2025. The operators trojanized VS Code extensions and poisoned npm and Python packages to deliver a data-theft framework capable of credential harvesting and system profiling. Multiple resilient C2 resolution layers were used — Solana memo fields, BitTorrent DHT, Google Calendar events, and commercial VPS hosts — all of which were neutralized in the coordinated action. CrowdStrike attributes the activity to likely Russia-based cybercriminals and warns about the severe risk posed by supply chain compromises to developer ecosystems.
read more →

GitHub Breach Linked to Malicious Nx Console Extension

🔒 GitHub said hackers accessed approximately 3,800 internal repositories after a developer installed a malicious version of the Nx Console Visual Studio Code extension that was poisoned during last week's TanStack npm supply-chain attack. The intrusion, linked to the actor known as TeamPCP, used stolen CI/CD credentials to move into multiple projects including UiPath, Guardrails AI and OpenSearch. GitHub secured the compromised device, rotated high-impact secrets and continues log analysis and monitoring to detect follow-on activity.
read more →

Mini Shai Hulud: antv npm Packages Compromised in CI/CD

🔒 Microsoft disclosed an active supply-chain attack that compromised an @antv npm maintainer account and published malicious versions of charting libraries, including echarts-for-react. The obfuscated ~499 KB JavaScript payload executes during npm install and targets GitHub Actions runners to harvest secrets from GitHub, AWS, HashiCorp Vault, npm, Kubernetes and 1Password by scraping process memory and enumerating secret stores. The campaign leverages privilege escalation, dual-channel exfiltration, and SLSA provenance forgery to evade detection; GitHub removed malicious packages and invalidated exposed tokens.
read more →

Compromised Nx Console Extension Delivers Credential Stealer

🛡️ A compromised version of the Nx Console extension (rwl.angular-console v18.95.0) published to the Microsoft VS Code Marketplace delivered a multi-stage credential stealer and supply-chain poisoning payload to developers' machines. The obfuscated 498 KB payload, pulled from an orphaned commit in the official nrwl/nx GitHub repo, installs the Bun runtime and a Python backdoor on macOS while exfiltrating secrets via HTTPS, GitHub API and DNS tunneling. The maintainers traced the incident to a developer whose GitHub credentials were exposed, revoked access, and advised users to update to v18.100.0 or later and rotate exposed tokens and keys.
read more →

OpenAI Devices Hit by TanStack Supply Chain Attack May 2026

🛡️ OpenAI disclosed that two corporate employee devices were compromised by the Mini Shai-Hulud supply chain attack linked to TanStack. The company said no user data, production systems, or intellectual property were accessed or altered, though limited credential material was exfiltrated from a subset of internal source-code repositories. OpenAI isolated affected systems, revoked sessions, rotated credentials and code-signing certificates, and temporarily restricted deployment workflows. macOS users must update affected apps before the June 12, 2026 certificate revocation cutoff.
read more →

Iranian Hackers Target Major South Korean Electronics Maker

🔒 Symantec researchers attribute a February 2026 cyber-espionage campaign to MuddyWater (Seedworm), which spent a week inside a major South Korean electronics manufacturer's network. The attackers relied on DLL sideloading of legitimate binaries — Fortemedia's fmapp.exe and SentinelOne's sentinelmemoryscanner.exe — to load malicious DLLs containing ChromElevator. They used PowerShell (now invoked via Node.js loaders) for reconnaissance, credential theft, persistence and SOCKS5 tunneling, and exfiltrated data via sendit.sh.
read more →

Mass npm and PyPI Supply-Chain Compromise Targets TanStack

🛡️ The TeamPCP group compromised 170 npm and PyPI packages on May 11, rapidly spreading malicious code across ecosystems including the @tanstack router and Mistral AI SDKs. Attackers abused GitHub Actions' pull_request_target trigger to harvest OIDC tokens and inject the Mini Shai-Hulud malware, which steals credentials and carries a destructive dead-man’s switch. Security vendors detected the compromise quickly; affected users should check lockfiles, pin known-good versions, and rotate exposed credentials.
read more →

Škoda Warns of Customer Data Breach After Shop Hack

🔒 Škoda Auto has disclosed a data breach after attackers exploited a vulnerability in its online shop software, gaining unauthorized access to customer records. The automaker said the issue was detected via technical security monitoring, the flaw was fixed, and the incident was reported to authorities. Stolen data included names, addresses, contact details, order information, and login credentials (email and hashed passwords), while full credit card data was not stored on the compromised system. Škoda has engaged IT forensics, warned customers about potential phishing and credential reuse, and urged vigilance.
read more →

Malicious Claude Code Installer Steals Browser Keys

🛡️Researchers at Ontinue warn that attackers are impersonating Anthropic’s Claude Code installer to deploy a previously undocumented PowerShell loader that evades detection and extracts browser encryption material. The campaign swaps the legitimate one-line install command for an attacker-controlled PowerShell chain, establishing stealthy persistence and exfiltration. It also abuses Chrome’s IElevator2 elevation interface to recover Application-Bound Encryption (ABE) keys introduced in Chrome 127.
read more →

cPanel Vulnerability Exposes Hosting Supply Chain Risks

🔒 A recently disclosed cPanel vulnerability, tracked as CVE-2026-41940, is being exploited at scale to deploy backdoors, plant SSH keys, steal credentials, and compromise hosting systems. Researchers at XLab link much of the activity to a long-running group called Mr_Rot13, with automated scans from over 2,000 attacker IPs observed after the late-April disclosure. The incident highlights weak visibility into hosting control planes and urges organizations to treat exposed control panels as high-priority incidents: patch immediately, rotate credentials, hunt for webshells, and review logs for persistence.
read more →

cPanel Authentication Bypass Deploys Filemanager Backdoor

🔒 Researchers report that a threat actor known as Mr_Rot13 is exploiting a critical cPanel/WHM vulnerability (CVE-2026-41940) to deploy a cross-platform backdoor named Filemanager on compromised hosts. A QiAnXin XLab analysis indicates automated attacks from more than 2,000 source IPs worldwide and an infection chain that replaces root credentials, plants SSH keys, deploys a PHP web shell, and delivers a Go-based infector. The malware harvests credentials and system data, sends results to attacker-controlled infrastructure, and enables file management and remote command execution across Windows, macOS, and Linux.
read more →