< ciso
brief />
Tag Banner

All news with #data exfiltration tag

217 articles · page 4 of 11

NGate Android Malware Hides in Trojans of HandyPay App

🔒 A new NGate variant is delivered inside a trojanized version of HandyPay, a legitimate NFC payments app, to steal payment card data from Android devices. Researchers at ESET say the campaign has been active since November 2025 and primarily targets users in Brazil, using fake Google Play pages and a malicious APK distribution chain. The trojan asks victims to set it as the default NFC payment app, collect card PINs and card taps, and exfiltrates data via a hardcoded email address.
read more →

108 Malicious Chrome Extensions Linked to Single Backend

🔔 Cybersecurity researchers have uncovered a coordinated campaign of 108 malicious Google Chrome extensions that share a common command-and-control backend and have accumulated roughly 20,000 installs. The add-ons, published under five publisher identities, exfiltrate credentials and session data, inject ads and arbitrary JavaScript, and can force-load attacker-controlled sessions. Many abuse OAuth2, strip security headers, and periodically harvest Telegram Web sessions. Users should remove suspicious extensions and log out of Telegram Web sessions to invalidate any stolen tokens.
read more →

Basic-Fit data breach exposes personal details of 1M

🔒 Basic-Fit, one of Europe's largest gym operators, disclosed unauthorized access to the system that records members' visits and said about 1 million members across the Netherlands, Belgium, Luxembourg, France, Spain and Germany were affected. The intrusion was detected and stopped within minutes, but investigators determined the attacker exfiltrated data including full name, address, email, phone number, date of birth, bank account details and membership information. Franchise-held customer records were stored separately and were not exposed. Basic-Fit says no identification documents or account passwords were accessed, and the company has notified regulators and continues to monitor the situation with external experts.
read more →

Hidden Security Risks of Shadow AI in Enterprises 2026

🔒 As AI tools spread inside organizations without formal approval, employees increasingly use generative platforms and third‑party models that operate outside IT visibility. That creates uncontrolled data exposure, expanded attack surfaces, and identity risks when sensitive information or credentials are shared. Organizations should adopt clear AI usage policies, approved secure alternatives, enhanced monitoring, and targeted employee training to enable safe, productive AI usage.
read more →

Scrutiny Grows Over LinkedIn’s Handling of User Data

🔍LinkedIn’s massive trove of user information is facing scrutiny after a small European firm behind the BrowserGate campaign alleged that hidden code on linkedin.com scans visitors’ machines for installed software and transmits the inventory to LinkedIn and third parties. The group, which uses names including Teamfluence and Fairlinked and is led by an individual using the name Steven Morrell, framed the activity as an “illegal” search and a form of corporate espionage. LinkedIn denied core accusations, said it discloses browser-extension scanning in its privacy policy to detect abuse and protect site stability, and declined to confirm whether the data is used only for those purposes.
read more →

LinkedIn 'Browsergate' and violent crypto delivery robberies

🔍 A German privacy group, Fairlinked, reports that LinkedIn injects a large JavaScript payload into Chrome-based browsers that scans for over 6,000 installed extensions and collects device signals on many interaction events. The code allegedly harvests extension presence, CPU/memory/screen and other metadata and ties those fingerprints to logged-in identities. LinkedIn disputes the characterisation, saying the checks target scraping and policy-violating extensions. Users are advised to consider non-Chrome browsers and reduce extension exposure to limit profiling.
read more →

GrafanaGhost vulnerability enables silent data exfiltration

🔒 Researchers at Noma's Threat Research Team have disclosed a critical vulnerability, GrafanaGhost, that enables attackers to silently extract sensitive enterprise data from Grafana environments. The exploit chains application and AI weaknesses — including flawed URL validation and indirect prompt injection — to transfer data to attacker servers without credentials or user interaction. Built-in guardrails can be bypassed with simple prompt tricks and protocol-relative URLs, allowing automatic background exfiltration that leaves little trace.
read more →

Zero‑click Grafana AI flaw enables enterprise data leaks

🛡️ Researchers disclosed a critical issue in Grafana, dubbed GrafanaGhost, that enables zero‑click exfiltration of sensitive telemetry and business data via AI‑powered dashboards. Noma Security reported the chained exploit, which combines indirect prompt injection and a URL validation bypass; Grafana validated the report and released a patch. The attack abuses protocol‑relative URLs and model keywords to trick AI into sending data to attacker servers. Organizations should patch, restrict img‑src, and enforce egress controls.
read more →

36 Malicious npm Packages Exploited Redis and PostgreSQL

SafeDep researchers disclosed 36 malicious npm packages masquerading as Strapi v3 plugins that execute payloads via the postinstall hook. Uploaded by four sockpuppet accounts over 13 hours, the packages weaponized Redis and PostgreSQL to deploy reverse shells, harvest credentials, and install a persistent implant targeting a hostname named prod-strapi. The postinstall script runs with the installing user's privileges, creating acute risk for CI/CD pipelines and containers. Users who installed any listed package are advised to assume compromise and rotate all credentials.
read more →

LinkedIn's Hidden Script Scans 6,000+ Chrome Extensions

🔍 LinkedIn was found to inject hidden JavaScript that fingerprints visitors' browsers, testing for over 6,000 Chrome extensions and collecting device and system details such as CPU cores, memory, screen resolution, timezone, battery status, audio information, and storage features. Researchers say the script links extension presence to identifiable profiles; LinkedIn confirms extension detection but insists it is used to stop scraping and protect platform stability. BleepingComputer observed a randomized script file performing the checks but could not verify claims about downstream sharing or commercial use.
read more →

LinkedIn scans 6,000+ Chrome extensions, gathers device info

🔍 A new report named BrowserGate alleges that LinkedIn injects hidden JavaScript into user sessions to probe browsers for installed extensions and collect device characteristics. BleepingComputer independently observed a randomized script that attempted to detect 6,236 extensions by checking extension resource URLs and also harvested CPU, memory, screen, timezone, battery, audio, and storage details. LinkedIn says it looks for extensions that scrape content or violate its Terms and uses detection to inform defenses and enforcement, while the report warns this scanning could map competitors' customers and enable profiling. The use and sharing of the collected data have not been independently verified.
read more →

FBI Advises Caution Using Chinese Mobile Apps Over Privacy

🔒 The FBI has issued a public service announcement warning Americans about privacy and data-security risks posed by foreign-developed mobile applications, particularly those maintained by Chinese companies. The bureau says some apps may collect extensive personal data — even when only active — and may store information on servers in China or require consent to share data. The FBI recommends disabling unnecessary sharing, updating device software, and installing apps only from official app stores.
read more →

Hackers Target Iranwire Exile Portal, Judiciary Reports

🛡️According to the Iranian judiciary's mouthpiece Misan, the exile news portal Iranwire was allegedly breached and a large volume of sensitive material was taken, including correspondence, staff lists, informant identities and other highly confidential records. The site displayed a maintenance notice while continuing to post on social media, and authorities blamed the hacker group Handala, which has been linked to prior operations.
read more →

ChatGPT vulnerability enabled covert data exfiltration

⚠️A security flaw in ChatGPT could be triggered by a single malicious prompt to create a covert exfiltration channel, researchers at Check Point reported. The issue allowed data to be leaked via a DNS side channel from the model’s isolated runtime and was patched by OpenAI on 20 February after disclosure. Check Point demonstrated extraction of uploaded files and private prompts and warned that users copying prompts from public sources could be exposed.
read more →

TeamPCP Targets Stolen Supply Chain Secrets, Monetizes Data

🔐 Researchers at Wiz report that TeamPCP has been harvesting, validating, encrypting and exfiltrating cloud credentials, SSH keys, Kubernetes configs and other development secrets from compromised supply chain components to attacker-controlled domains. The group used typosquatting on PyPI to push credential-stealing malware into packages affecting Trivy, KICS, LiteLLM and Telnyx. Wiz warns this activity appears linked to, or at least shared with, extortion-focused actors such as Lapsus$, and vendors report claims of partnerships with ransomware affiliates, raising the risk of follow-on ransomware campaigns.
read more →

OpenAI patches Codex and ChatGPT leaks, fixes two bugs

🔒 Researchers disclosed two vulnerabilities in OpenAI’s AI stack affecting Codex and ChatGPT. BeyondTrust found a command injection flaw in Codex that let a malicious GitHub branch name execute code inside task containers and expose short-lived GitHub tokens. Check Point Research discovered a hidden outbound channel in ChatGPT’s code execution runtime that could silently transmit chats, uploads, or outputs to an external server. OpenAI patched both issues before public disclosure and researchers warn that autonomous code execution increases long-term risk.
read more →

OpenAI Patches ChatGPT Data, Codex Token Vulnerability

🔒 OpenAI patched two vulnerabilities affecting ChatGPT and Codex that could have allowed covert exfiltration of user data and theft of GitHub tokens. Check Point disclosed a DNS-based side-channel in ChatGPT's Linux execution environment that encoded conversation content into outbound DNS requests, potentially enabling remote shell access. BeyondTrust found a command-injection bug in Codex that allowed branch-name payloads to retrieve GitHub tokens. Both flaws were responsibly disclosed and fixed in February 2026; vendors report no evidence of active exploitation.
read more →

Severe Cyberattack on Die Linke; Qilin Likely Culprit

🔐 Die Linke says it was hit by a serious cyberattack that it attributes to the hacker group Qilin, possibly Russian‑speaking, and has taken parts of its IT infrastructure offline. Party federal secretary Janis Ehling said attackers appear to be seeking sensitive internal and employee data; the membership database was not compromised. Authorities warned the party as the intrusion was detected, and a criminal complaint has been filed as the party coordinates with security services.
read more →

FBI: Handala Hackers Use Telegram for Malware C2 Operations

🔐 The FBI warns that Iranian-linked actors, including Handala and a state-associated Homeland Justice group, are using Telegram as command-and-control infrastructure in Windows malware campaigns. Attackers employ social engineering to install malware that exfiltrates screenshots and files from journalists, dissidents, and opposition groups worldwide. The alert followed the seizure of four clearnet domains and references prior disruptive operations such as Handala's attack on Stryker.
read more →

VoidStealer uses debugger trick to steal Chrome master key

🔓 VoidStealer, an information stealer offered as MaaS since mid‑December 2025, uses a debugger-based technique to extract Chrome's v20_master_key directly from memory. The malware starts a suspended, hidden browser process, attaches as a debugger, and waits for the target chrome.dll to load before setting hardware breakpoints on an instruction that references the key. When the breakpoint triggers during startup decryption, VoidStealer reads the register pointer and uses ReadProcessMemory to capture the plaintext key without privilege escalation. Gen Digital reports this is the first infostealer observed in the wild using this approach.
read more →