< ciso
brief />
Tag Banner

All news with #data exfiltration tag

217 articles

Injective SDK npm package used to steal wallet keys

πŸ”’ Security researchers discovered that the @injectivelabs/sdk-ts npm package (v1.20.21) was published with malicious code to capture cryptocurrency wallet private keys and mnemonic seed phrases. The compromise stemmed from a hijacked GitHub contributor account with suspicious commits appearing on June 8; the legitimate owner quickly reverted changes and released a clean 1.20.23. The malware activated when wallet-generation or import functions were called and exfiltrated secrets via HTTP POST to a public Injective Labs endpoint, and the tainted package had hundreds of dependent packages and thousands of downloads.
read more β†’

Helix vishing group targets SharePoint data theft

πŸ”’ A new extortion group dubbed Helix uses vishing, device-code phishing, and MFA abuse to access and exfiltrate files from SharePoint environments. Operators impersonate managers via phone calls and spoofed caller IDs to trick employees into granting access, then register authenticators for persistence and bulk-download content. ReliaQuest links Helix tactics and infrastructure to prior groups like ShinyHunters and BlackFile, and recommends disabling device-code authentication and restricting SharePoint to managed devices.
read more β†’

Weekly ThreatsDay: Emerging cyber risks and trends

πŸ”’ This ThreatsDay roundup highlights a series of recent, pragmatic security incidents and research findings that stem from routine administrative mistakes and small configuration errors. It covers a multinational fraud takedown, malicious typosquatting of payment SDKs, novel code-injection techniques, and a critical unauthenticated ArcGIS Server flaw. The report also outlines ransomware tool overlaps, data-exfiltration concerns in Claude Code, social engineering campaigns abusing Teams and Meta, and multiple kernel and driver vulnerabilities.
read more β†’

AssuranceAmerica breach exposes millions of driver records

πŸ”’ AssuranceAmerica disclosed a data breach impacting 6,998,886 individuals after detecting suspicious activity on March 17, 2026. The incident began with a targeted attack on an employee that allowed unauthorized access and copying of data files. Stolen records include names, contact details, policy and claims information, driver and vehicle data, and driver's license numbers. The insurer has disabled compromised credentials, isolated affected systems, notified law enforcement, and strengthened security controls.
read more β†’

Accenture confirms breach after hacker offers data

πŸ”’ Accenture has acknowledged an isolated security breach after a threat actor claimed to have stolen 35 GB of source code and related data and tried to sell it on a cybercrime forum. The company said it has remediated the issue and that there is no impact to Accenture operations or service delivery. The attacker, operating as "888," posted claims of exfiltrated source code, keys, tokens, and configuration files and shared a screenshot of an Azure DevOps repository clone. Accenture did not confirm the extent of the accessed data, how access occurred, or whether customer data was affected.
read more β†’

Suspected China-Nexus Campaign Targets Indian Taxpayers

πŸ›‘οΈ Seqrite Labs uncovered a targeted multi-stage phishing operation, dubbed Operation DragonReturn, impersonating India's Income Tax Department to deliver a remote access trojan. First observed on May 18, 2026, the campaign uses carefully crafted bilingual lures, malicious PDF attachments, and a ZIP-based DLL side-loading chain to install persistence and exfiltrate sensitive financial and credential data. The activity shows links to China-hosted infrastructure and overlaps with known tax-themed threat groups.
read more β†’

TrojPix: High‑Speed Air‑Gap Data Exfiltration

πŸ–₯️ Researchers at Shandong University demonstrated TrojPix, a novel covert channel that modulates otherwise imperceptible on-screen pixels so the video cable emits a faint radio signal a nearby receiver can decode. The technique requires only user-level malware that can draw to the screen and achieved a peak throughput of 8.1 Mbps and a laboratory range reported up to 208 meters. TrojPix works without hardware changes, can hide transmissions under normal-looking content or a fake powered-off display, and was tested across multiple monitor brands and cable types.
read more β†’

Opera GX auto-install flaw allowed silent data leaks

πŸ›‘οΈ Researchers discovered a flaw in the gaming-focused Opera GX browser that allowed malicious websites to silently auto-install a GX Mod (a .crx look-and-feel package) and use its CSS to extract specific data from pages a victim visited. In a proof of concept, the team reconstructed a signed-in user's full Gmail address from a single visit, with no clicks required. Opera patched the issue in Opera GX version 130.0.5847.89, labeled the bug P1, paid the $5,000 maximum bounty, and reported no evidence of in-the-wild exploitation. There was no practical workaround prior to the patch.
read more β†’

Avalon modular malware framework and CrownX ransomware

πŸ›‘οΈ Cybersecurity researchers uncovered a modular malware framework dubbed Avalon that uses a multi-stage phishing chain to bypass traditional defenses and deploy a ransomware component called CrownX. The campaign begins with a spoofed legal-document email pointing victims to a password-protected Proton Drive archive containing an ISO image. Interaction with a malicious Windows Shortcut inside the mounted image triggers an MSBuild-led loader that disables ETW, fetches additional payloads, and ultimately launches Avalon. The framework includes credential harvesting, crypto-wallet theft, lateral movement, data exfiltration, recovery disruption, anti-forensics, and disk tampering capabilities.
read more β†’

Aflac Japan Confirms Major Customer Data Breach

πŸ›‘οΈ Aflac Japan disclosed a data breach after an unauthorized third party accessed systems between June 15 and June 25. The company reported that impacted files may include policy and coverage details, personal data, and bank account information, and said US systems were not affected. Some customer services were taken offline while calls and other channels continue to support claims. Authorities have been notified and no misuse has yet been confirmed.
read more β†’

Tata Electronics Confirms Cyberattack, Data Leaked

πŸ”’ Tata Electronics confirmed a cybersecurity incident that affected parts of its IT infrastructure but said operations continued normally and remained unaffected. The company said response protocols were deployed immediately after detection. The disclosure responds to claims by the World Leaks group, which posted directories and documents allegedly containing manufacturing data for Apple products. BleepingComputer has contacted Apple for comment about potential exposure of proprietary data.
read more β†’

Implementing Egress Controls to Prevent Data Exfiltration

πŸ”’ This post outlines an architecture and controls for preventing data exfiltration from AWS environments by combining centralized network inspection, DNS filtering, and data perimeter policies. It explains a hub-and-spoke pattern using Transit Gateway, AWS Network Firewall, and Route 53 Resolver DNS Firewall to inspect and block unauthorized outbound traffic, including scenarios involving compromised workloads and agentic AI. The article details layered preventive, detective, and corrective measures using AWS services such as GuardDuty, Security Hub, IAM Access Analyzer, EventBridge, and Firewall Manager to automate detection and response.
read more β†’

Klue OAuth breach expands as Icarus claims attack

πŸ”’ Klue confirmed an incident on June 12 in which attackers used a compromised legacy credential to obtain OAuth tokens connecting Klue to third-party platforms, including Salesforce. The company says customer content stored in Klue was not impacted and that the breach was limited to integrations; affected credentials and tokens were revoked and CrowdStrike engaged. Cybersecurity firms ReliaQuest and Huntress reported extensive Salesforce data exfiltration, and the Icarus extortion group has publicly claimed responsibility.
read more β†’

SearchLeak shows broader AI prompt injection risk

πŸ”’ A proof-of-concept called SearchLeak demonstrated a prompt injection attack against Microsoft M365 Copilot Enterprise that tricks users into clicking crafted links to exfiltrate corporate data. Researchers combined three weaknesses in Copilot Search β€” including URL query parameters treated as natural language prompts β€” to leak sensitive content. Microsoft patched the server-side flaw, but the incident highlights risks when AI services access broad corporate assets and the need for render-time sanitization and stricter CSPs.
read more β†’

Operation Escaneo exposes Latin American intrusions

πŸ” New research from CloudSEK reveals Operation Escaneo, a coordinated campaign targeting government and financial entities across Latin America after attackers left a staging server exposed. The group exploited internet-facing appliances and known vulnerabilities in Fortinet and Ivanti devices, plus Apache Tomcat, Windows, and Log4Shell flaws. Attackers used custom reconnaissance (Kimera), webshells, reverse tunnels and a compromised Cisco router to exfiltrate large volumes of sensitive data.
read more β†’

Serverless GitHub Pages Phishing Hits Mexican Banks

πŸ›‘οΈ New research from Group-IB describes the GitBait campaign, a multi-year phishing operation targeting Mexican banks that used GitHub Pages for hosting and SheetBest to exfiltrate credentials into Google Sheets. The operation relied on modular phishing kits, automated publishing, and crafted Open Graph tags to spread links via messaging apps while evading search indexing. Group-IB reported over 100 GitHub-hosted domains and urges banks to monitor brand abuse and suspicious traffic to cloud services.
read more β†’

Malicious JetBrains plugins harvest AI API keys

πŸ›‘οΈ A coordinated campaign on the JetBrains Marketplace used at least 15 malicious IDE plugins to exfiltrate developers' AI provider API keys. Discovered by Aikido Security, the pluginsβ€”posing as AI assistants, code-review tools, and Git utilitiesβ€”sent keys to a hardcoded server when users clicked "Apply" after entering credentials. Published from October 2025 through June 2026, these plugins were installed nearly 70,000 times and remain available on the Marketplace at the time of reporting.
read more β†’

China-linked group exploited REDCap to target research

πŸ”’ Google warns that a China-associated threat actor, UNC6508, ran a prolonged espionage campaign targeting US and Canadian research environments by abusing legacy versions of REDCap. The attackers trojanized upgrade processes with modular malware called INFINITERED to achieve persistence, harvest credentials, and maintain a backdoor. GTIG recommends inspecting REDCap files, validating upgrades, and enforcing stronger authentication and DLP controls.
read more β†’

iRhythm confirms patient data breach after extortion

πŸ”’ iRhythm Holdings disclosed a data breach after threat actors accessed patient personal and health information stored on third-party business applications. The company detected the incident on June 10, 2026, after receiving a ransom demand the prior week and launched an investigation with external cybersecurity experts. iRhythm said the breach involved data exfiltration via social engineering but did not affect its clinical devices, manufacturing, or financial systems. The firm has not confirmed the exact number of affected individuals.
read more β†’

Anubis Ransomware Targets Adriatic Port Authority

πŸ”’ New analysis from Resecurity details a ransomware attack by the Anubis group that targeted the Adriatic Port Authority, operator of Ancona port. The breach, traced to December 11, 2025 and publicly claimed by Anubis in January 2026, reportedly affected about 2% of the authority's data while backups preserved most records. Resecurity says the incident disrupted operations, forced vessel rerouting, and involved a reported $10m Bitcoin ransom demand, with sensitive safety and security plans among the stolen files.
read more β†’