All news with #credential dumping tag

🔍GitGuardian disclosed a GitHub Actions supply chain campaign named GhostAction that exfiltrated 3,325 secrets from 327 users across 817 repositories before being contained on September 5. Attackers injected malicious workflow files to harvest CI/CD tokens (including PYPI_API_TOKEN) and sent them via HTTP POST to an actor-controlled endpoint. GitGuardian coordinated with maintainers and registries to revert commits, set impacted packages to read-only, and notify vendors.

🔒 GitGuardian uncovered a widespread supply-chain campaign it named GhostAction after detecting suspicious activity in a FastUUID GitHub repository. A compromised maintainer pushed a malicious GitHub Actions workflow that harvested secrets, initially capturing a PyPI token, and further investigation revealed hundreds of similar commits across multiple repositories. In total 3,325 secrets were exfiltrated from 817 repositories belonging to 327 users, with DockerHub credentials, GitHub tokens and npm tokens among the most common. GitGuardian notified platform security teams and many affected projects have begun reverting malicious changes while investigations continue.

🔒 Sinqia disclosed an attempted theft of approximately R$710 million (about $130m) from two banking customers processed through its Pix transaction environment on 29 August 2025. The company says attackers leveraged compromised credentials from an IT vendor, halted Pix processing, and engaged forensic teams while cooperating with regulators. A portion of the funds has been recovered and investigations, including law enforcement coordination, are ongoing.

🔍 Dark web monitoring gives CISOs timely, actionable intelligence that can reveal breaches, stolen credentials, and early indicators of ransomware campaigns. Continuous visibility into forums, marketplaces, and leak sites helps detect initial access brokers, stealer logs, and items like RDP/VPN access being sold, enabling rapid containment and credential revocation. Use platforms such as SpyCloud and DarkOwl, subscribe to threat feeds and ISACs, and augment with deception (honeypots, canary tokens) while integrating findings into SIEM/XDR and incident response playbooks.

🔐 Evertec disclosed that hackers breached its Brazilian subsidiary Sinqia S.A.'s environment on the Central Bank real-time payment system Pix on August 29, 2025, and attempted unauthorized transactions totaling up to $130 million. Sinqia halted Pix transaction processing and retained external cybersecurity forensics experts to investigate and contain the incident. The Central Bank revoked Sinqia’s Pix access while recovery efforts continue and part of the funds has been recovered; Evertec reports no evidence of exposed personal data and attributes the intrusion to stolen credentials from an IT vendor account.

🔒 Cloudflare confirmed that it and some customers were impacted by the Salesloft/Drift breach which exposed Salesforce support case text. The company found 104 Cloudflare API tokens in the exfiltrated data, rotated them, and observed no suspicious activity tied to those tokens. No Cloudflare infrastructure was compromised; affected customers were notified and advised to rotate any credentials shared in support tickets and to harden third-party integrations.

🔍 Researchers link a social engineering campaign to the North Korea–linked Lazarus Group that distributed three cross-platform RATs — PondRAT, ThemeForestRAT, and RemotePE — against a decentralized finance (DeFi) organization. Fox-IT observed the actors impersonating an employee on Telegram and using fake Calendly/Picktime pages to arrange meetings and gain a foothold via a loader named PerfhLoader. The intrusion delivered multiple tools (screenshotter, keylogger, credential stealers, Mimikatz, proxy programs) and saw an operational progression from the primitive PondRAT to the in-memory ThemeForestRAT, culminating in the more advanced RemotePE for high-value access.

🔒 A sophisticated supply-chain attack targeted the widely used Nx build-system packages on the npm registry, exposing developer credentials and sensitive files. According to a report from Wiz, attackers published malicious Nx versions on August 26, 2025 that harvested GitHub and npm tokens, SSH keys, environment variables and cryptocurrency wallets. The campaign uniquely abused installed AI CLI tools (for example, Claude and Gemini) by passing dangerous permission flags to exfiltrate file-system contents and perform reconnaissance, then uploaded roughly 20,000 files to attacker-controlled public repositories. Organizations should remove affected package versions, rotate exposed credentials and inspect developer workstations and CI/CD pipelines for persistence.

🛡️ Malicious updates to the Nx npm package were published on 26 August, briefly delivering AI-assisted data‑stealing malware to developer systems. The infected releases injected crafted prompts into local AI CLIs (Anthropic’s Claude, Google Gemini, Amazon Q) to locate GitHub/npm tokens, SSH keys, .env secrets and cryptocurrency wallets, then encoded and uploaded the harvest by creating public repositories under victims' accounts. StepSecurity says eight compromised versions were live for five hours and 20 minutes and that attackers subsequently weaponized stolen GitHub CLI OAuth tokens to expose and fork private organization repositories. Recommended mitigation includes revoking tokens and SSH/GPG keys, making exposed repos private, disconnecting affected users and following a full remediation plan.

🔒 South Korean authorities have extradited a 34-year-old suspect from Thailand, accused of masterminding a coordinated campaign that siphoned millions in stocks from celebrities, including Jung Kook. Investigators say the group stole personal data from Korean telecom firms, used it to assume victims' identities and opened brokerage accounts between August 2023 and January 2024. With assistance from Interpol and Thai authorities, officials tracked and arrested the suspect, who has admitted some allegations while denying others.