< ciso
brief />
Tag Banner

All news with #data exfiltration tag

217 articles · page 8 of 11

Trust Wallet Chrome Extension Compromise Drains Millions

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.
read more →

Malicious Chrome Extensions Route Traffic to Steal Data

🔒 Two Chrome extensions in the Web Store, both published as Phantom Shuttle, are malicious plugins that hijack browser traffic and have been active since at least 2017, researchers report. Targeting users in China, the extensions pose as proxy and network-speed tools and prepend obfuscated code to the jQuery library to route requests through attacker-controlled proxies using hardcoded credentials and a PAC script. The plugins dynamically reconfigure Chrome proxy settings and route traffic for over 170 high-value domains, intercepting HTTP authentication challenges to capture form credentials, session cookies and API tokens while excluding local networks and the command-and-control domain to limit detection. At the time of reporting the extensions remained in Chrome's official marketplace; users are advised to install only extensions from reputable publishers and review requested permissions carefully.
read more →

Trojanized npm WhatsApp API library steals data silently

🔐 Security researchers uncovered 'lotusbail,' a malicious npm package that impersonates the legitimate @whiskeysockets/baileys WhatsApp Web client while quietly exfiltrating messages, credentials, and contact data from developer environments. The trojanized wrapper amassed over 56,000 downloads and operated for roughly six months before Koi Security flagged its behavior. Stolen information was encrypted and layered with multiple obfuscation techniques, and the malware leveraged WhatsApp multi-device pairing to keep an attacker device linked even after the package was removed.
read more →

Activists Claim Copy of Spotify’s Entire Music Library

🎵 Spotify is investigating claims by a collective of pirate activists who say they accessed 256 million rows of metadata and 86 million audio files — roughly 300 terabytes in total. The activists report that metadata, but not audio files, was made publicly available via Anna’s Archive, which frames the release as cultural preservation. Spotify has confirmed a probe into an incident in which a third party allegedly scraped public metadata and bypassed DRM protections to access certain audio files.
read more →

Coupang breach affects 33.7M users, raises data risks

🔒 Coupang disclosed a data breach impacting 33.7 million customer accounts, exposing names, phone numbers, email addresses, delivery address books and purchase histories. The company detected unusual activity on November 6, confirmed a breach on November 18 and publicly disclosed the incident on November 29; attackers had access from June 24 to November 8. A former employee who retained access keys is the prime suspect. The incident highlights gaps where non‑mandated data remained unencrypted and underscores the need for stronger voluntary protections.
read more →

DPRK Hackers Responsible for $2.02B Crypto Theft in 2025

💰 Threat actors linked to North Korea stole at least $2.02 billion in cryptocurrency during 2025, a 51% increase year‑over‑year that made DPRK actors the leading source of global crypto theft. Chainalysis attributes much of the total to a February compromise of Bybit, estimated at $1.5 billion and linked to the cluster TraderTraitor. The report details systematic laundering across DeFi, mixers, bridges and OTC services, and an expanded use of IT infiltration schemes such as Wagemole to gain privileged access and facilitate high‑impact thefts.
read more →

China-Linked Ink Dragon Employs ShadowPad and FINALDRAFT

🛡️ Check Point Research links a sustained espionage campaign to the China-aligned cluster known as Ink Dragon (also tracked as Jewelbug, CL-STA-0049, Earth Alux/REF7707) that has targeted government and telecommunications organisations across Europe, Asia and Africa since at least March 2023. The actor exploits exposed web applications and predictable ASP.NET machine keys to drop web shells and install a custom ShadowPad IIS Listener, turning compromised servers into resilient C2 relays. Operators deploy a modular backdoor FINALDRAFT (aka Squidoor), alongside NANOREMOTE, loaders and tooling such as VARGEIT and Cobalt Strike to enable stealthy lateral movement, credential theft and high-throughput exfiltration.
read more →

Ink Dragon Uses European Government Servers as Relays

🔍 A prolific China-linked group known as Ink Dragon is exploiting misconfigured public-facing servers in European government networks to create relay nodes, Check Point reports. After probing IIS, SharePoint and other web services for configuration flaws, operators quietly harvest credentials, reuse administrator and service accounts, and move laterally using Remote Desktop to blend into normal traffic. They install backdoors and credential-stealing implants, and deploy a customized module and a new FinalDraft backdoor to maintain long-term access and obfuscate command channels.
read more →

Browser VPN Extension Found Harvesting AI Chat Data

🔒 Security researchers have found that the popular Chrome extension Urban VPN Proxy (featured in the Chrome Web Store and used by millions) contained scripts that intercepted AI chat conversations and transmitted them to company-controlled analytics servers. The functionality, introduced in version 5.5.0 on July 9, 2025, allegedly runs regardless of whether the VPN is active and cannot be disabled via settings. Koi's analysis says prompts, responses, timestamps and session identifiers were captured and compressed before exfiltration. The same capability was reportedly present in seven related extensions from the same publisher, potentially affecting more than 8 million users across Chrome and Edge.
read more →

Urban VPN Extension Caught Exfiltrating AI Chat Data

🔒 Researchers at Koi found that the popular Urban VPN Proxy browser extension injects scripts to capture full AI chat conversations — including prompts and responses — then exports them to the extension vendor's backend. The monitoring runs even when the VPN is disabled and activates on major platforms such as ChatGPT, Claude, Gemini, Perplexity and Grok. For organizations that paste internal code, data or research into AI tools, this creates a significant data-theft risk outside corporate controls.
read more →

NANOREMOTE Windows Backdoor Abuses Google Drive API for C2

🔍 Elastic Security Labs has detailed a Windows backdoor named NANOREMOTE that leverages the Google Drive API to stage payloads and exfiltrate data, making detection more difficult. The C++ implant implements a robust task manager for queued uploads and downloads with pause, resume and cancel capabilities and exposes 22 command handlers for reconnaissance, execution and file transfer. Researchers also observed a WMLOADER dropper and an uploaded artifact linking NANOREMOTE to the FINALDRAFT family, indicating likely code reuse.
read more →

Marquis Software Breach Impacts Over 780,000 Nationwide

🔒 Marquis Software Solutions confirmed a breach affecting more than 780,000 individuals after attackers exploited a SonicWall firewall vulnerability on 14 August. The company shut down affected systems and engaged external cybersecurity specialists; a late-October review found unauthorized actors copied files containing personal and financial data from certain business customers. Marquis is offering free credit monitoring and has implemented multiple security controls while its investigation continues, and it reports no evidence so far that the stolen data has been posted online.
read more →

Researchers Find 30+ Flaws in AI IDEs, Enabling Data Theft

⚠️Researchers disclosed more than 30 vulnerabilities in AI-integrated IDEs in a report dubbed IDEsaster by Ari Marzouk (MaccariTA). The issues chain prompt-injection with auto-approved agent tooling and legitimate IDE features to achieve data exfiltration and remote code execution across products like Cursor, GitHub Copilot, Zed.dev, and others. Of the findings, 24 received CVE identifiers; exploit examples include workspace writes that cause outbound requests, settings hijacks that point executable paths to attacker binaries, and multi-root overrides that trigger execution. Researchers advise using AI agents only with trusted projects, applying least privilege to tool access, hardening prompts, and sandboxing risky operations.
read more →

Leroy Merlin Notifies French Customers of Data Breach

🔔 French home improvement retailer Leroy Merlin has notified customers in France that certain personal data may have been exposed in a cyberattack, including full names, phone numbers, email and postal addresses, dates of birth and loyalty program details. The company says no banking data or account passwords were involved and that it moved quickly to block unauthorized access and contain the incident. The notice warns customers to be vigilant against phishing and impersonation attempts; BleepingComputer confirmed the notification is genuine and has sought further details. No ransomware group had claimed responsibility at the time of reporting.
read more →

ShadyPanda Browser Extension Campaign Hits 4.3M Users

🛡️ A seven-year browser extension campaign attributed to the actor known as ShadyPanda has infected 4.3 million Chrome and Edge users by operating legitimately for years and then pushing malicious updates. A Koi Security report describes a remote code execution backdoor that affected roughly 300,000 users across five extensions, including Clean Master, and a parallel spyware push via Edge extensions such as WeTab. Malicious updates enabled hourly downloads of arbitrary JavaScript, extensive logging of site visits, exfiltration of encrypted browsing histories, and comprehensive browser fingerprinting.
read more →

Malicious npm Package Tries to Manipulate AI Scanners

⚠️ Security researchers disclosed that an npm package, eslint-plugin-unicorn-ts-2, embeds a deceptive prompt aimed at biasing AI-driven security scanners and also contains a post-install hook that exfiltrates environment variables. Uploaded in February 2024 by user "hamburgerisland", the trojanized library has been downloaded 18,988 times and remains available; the exfiltration was introduced in v1.1.3 and persists in v1.2.1. Analysts warn this blends familiar supply-chain abuse with deliberate attempts to evade LLM-based analysis.
read more →

Glassworm Malware Surges in Third Wave of VS Code Extensions

🐛 The Glassworm campaign has resurfaced in a third wave, with 24 new malicious VS Code-compatible extensions appearing on both the Microsoft Visual Studio Marketplace and OpenVSX. Once installed, these extensions push updates that deploy Rust-based implants, use invisible Unicode to evade review, exfiltrate GitHub, npm, and OpenVSX credentials and cryptocurrency wallet data, and deploy a SOCKS proxy and an HVNC client for stealthy remote access. Researchers say attackers inflate download counts to blend with legitimate projects and manipulate search results; both vendors have been contacted about continued bypasses.
read more →

Sha1-Hulud NPM Worm Returns, Broad Supply‑Chain Risk

🔐 A new wave of the self‑replicating npm worm, dubbed Sha1‑Hulud: The Second Coming, impacted over 800 packages and 27,000 GitHub repositories, targeting API keys, cloud credentials, and repo authentication data. The campaign backdoored packages, republished malicious installs, and created GitHub Actions workflows for command‑and‑control while dynamically installing Bun to evade Node.js defenses. GitGuardian reported hundreds of thousands of exposed secrets; PyPI was not affected.
read more →

RBKC Cyberattack on IT Provider Disrupts Local Councils

🔒 The Royal Borough of Kensington and Chelsea (RBKC) has warned residents their data may have been compromised after unusual activity linked to a shared IT service provider was detected earlier this week. The council says it has evidence that some historical data was copied and removed and that the material could end up in the public domain. RBKC urged residents to be vigilant for phishing and social‑engineering attempts via email, text and phone while services are restored, and warned disruption could continue for at least two weeks as investigations and recovery proceed.
read more →

Researchers Expose Widespread Dashcam Botnet Risk to Privacy

🔒 Singaporean researchers demonstrated how inexpensive offline dashcams can be weaponized into a self‑propagating surveillance network. They identified common weaknesses — default or hardcoded Wi‑Fi credentials, exposed services (FTP/RTSP), MAC‑spoofing and replay attacks — that allow attackers to download video, audio, timestamps and GPS metadata. The team showed mass compromise is feasible and offered mitigation steps for vendors and drivers.
read more →