<ciso brief />

All news with #infostealer tag

337 articles

Fraud Schemes Target Formula 1 Fans Worldwide

🚨 A Bitdefender report warns that cybercriminals have built extensive ecosystems to scam Formula 1 fans, exploiting the sport's fast-moving digital culture. Scams include counterfeit merchandise, fake grand prix tickets, illegal streaming apps and boxes, social media fraud and distribution of infostealer malware. Fans' devices may also be conscripted into botnets used for DDoS attacks. Bitdefender urges vigilance and recommends anti-phishing and antivirus tools to reduce risk.

GitHub Internal Repositories Breached via VS Code Extension

🔒 GitHub confirmed an intrusion into internal repositories after an employee device was compromised by a poisoned version of the Nx Console VS Code extension published as nrwl.angular-console. The attacker, tracked as TeamPCP, exfiltrated approximately 3,800 repositories; GitHub says it rotated critical secrets and is monitoring for follow-on activity. The trojanized release was available for only 18 minutes but delivered a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub and AWS.

Ukrainian Police ID Infostealer Operator Behind Massive Theft

🔍 Ukrainian cyberpolice, working with U.S. law enforcement, say they identified an 18-year-old from Odesa suspected of running an infostealer operation that infected customers of a California online store between 2024 and 2025. The malware harvested browser sessions, credentials, and payment information, compromising 28,000 accounts. Attackers used 5,800 accounts to make unauthorized purchases totaling about $721,000, and authorities executed searches seizing phones, computers, storage media, bank cards, and cryptocurrency-related evidence while the investigation continues.

SHub Reaper: macOS infostealer impersonates vendors

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.

Tracking TamperedChef: Malicious Productivity Software

🔎 Unit 42 documents clusters of TamperedChef-style campaigns that trojanize productivity tools (e.g., PDF editors, calendars) to deliver stealers, RATs and proxies. These operations use malvertising-driven distribution, legitimate-looking sites, frequent binary rebuilds and code signing to evade detection. Unit 42 tracked three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110), covering over 4,000 samples and 100 variants. Organizations that believe they are compromised are directed to the Unit 42 Incident Response team for assistance.

Why Security Fixes Often Miss Vulnerability Dashboards

🔍 On April 22 a trojanized Bitwarden CLI briefly appeared on npm, harvesting developer tokens via a compromised GitHub Action tied to the Checkmarx supply-chain incident. Bitwarden later issued CVE-2026-42994, but the author notes the CVE was retroactive and did not imply a patchable defect. The piece argues CVE's artifact-centric model struggles with agentic and model-mediated threats that mutate behaviorally and often evade dashboards.

Microsoft Disrupts Fox Tempest Malware Signing Network

🔒 Microsoft exposed and disrupted Fox Tempest, a criminal service selling malware-signing-as-a-service that helped disguise malware like Oyster, Lumma Stealer and Vidar as legitimate software. The Digital Crimes Unit used undercover personas to map the group's infrastructure and worked with hosting providers to sinkhole domains, disable virtual machines and suspend accounts. Microsoft filed a civil action in early May and unsealed a New York case on May 19.

Compromised Nx Console Extension Delivers Credential Stealer

🛡️ A compromised version of the Nx Console extension (nrwl.angular-console v18.95.0) published to the Microsoft VS Code Marketplace delivered a multi-stage credential stealer and supply-chain poisoning payload to developers' machines. The obfuscated 498 KB payload, pulled from an orphaned commit in the official nrwl/nx GitHub repo, installs the Bun runtime and a Python backdoor on macOS while exfiltrating secrets via HTTPS, the GitHub API and DNS tunneling. The maintainers traced the incident to a developer whose GitHub credentials were exposed, revoked access, and advised users to update to v18.100.0 or later and rotate exposed tokens and keys.

Mini Shai-Hulud Infects @antv npm Ecosystem at Scale

🐛 Researchers have uncovered a software supply chain campaign—part of the Mini Shai-Hulud wave—that pushed trojanized updates across the @antv npm ecosystem. The compromise traces to the maintainer account "atool" and affected popular modules including echarts-for-react and many @antv packages. The stealer harvests a wide range of cloud, developer and payment credentials and abuses stolen tokens to republish malicious versions, creating broad downstream exposure for organizations that automatically update dependencies.

SHub 'Reaper' macOS Infostealer Spoofs Apple Updates

🔔 SentinelOne researchers disclosed a new SHub macOS infostealer variant, dubbed Reaper, that lures victims with fake app installers and uses the applescript:// URL scheme to launch a malicious AppleScript. The payload displays a bogus Apple security update, requests the macOS password, and executes a shell script that harvests browser data, crypto wallets, passwords, iCloud and Telegram artifacts, and files from Desktop and Documents. Reaper also persists via a LaunchAgent, hijacks wallet apps by replacing core files, and clears quarantine flags to evade Gatekeeper.

Leaked Shai-Hulud Source Fuels npm Infostealer Campaign

⚠️ OXsecurity identified four malicious npm packages published by account deadcode09284814, including typosquatted modules aimed at Axios users. One package, chalk-tempalte, contains a non-obfuscated clone of the leaked Shai-Hulud infostealer that steals credentials, secrets, and crypto wallet data and exfiltrates it to a known C2. Another package, axois-utils, adds persistent DDoS bot functionality alongside credential theft. Developers should remove affected packages and rotate exposed credentials and API keys immediately.

node-ipc npm Package Compromised to Steal Credentials

⚠️ Multiple security firms have flagged newly published versions of the popular node-ipc npm package as malicious, containing obfuscated infostealer code that executes via the CommonJS entrypoint. The compromised releases (9.1.6, 9.2.3, 12.0.1) fingerprint hosts, harvest cloud and developer credentials, compress them, and exfiltrate data via DNS TXT queries. Users should remove affected versions, rotate secrets, and audit caches and lockfiles.

How to Manage Subscriptions Securely and Avoid Scams

🔒 Subscription services are widespread and often contain personal data, making them attractive targets for attackers. The article outlines common attack vectors — phishing, credential reuse, infostealers, and bulk-resale of hacked family slots — and explains practical defenses: use password managers, enable two-factor authentication or passkeys, and monitor active sessions. It also advises how to spot phishing and track hidden recurring charges through bank statements and app-store settings.

Gremlin Stealer Evolves into Modular, Stealthy Infostealer

🔍 Researchers at Palo Alto Networks' Unit 42 say the Gremlin stealer has progressed from a basic credential harvester into a modular, stealth-oriented toolkit. New builds embed payloads in the .NET resource section and apply XOR obfuscation to evade static and heuristic detection. The threat continues to exfiltrate data via private web panels and the Telegram Bot API, while adding Discord token theft, a clipboard-based crypto clipper, and WebSocket session hijacking.

Gremlin Stealer Evolution: Obfuscation and New Capabilities

🔐 This report analyzes a new Gremlin stealer variant that leverages advanced obfuscation, including a commercial packer with instruction virtualization and .NET resource XOR encoding, to conceal final-stage payloads. The malware harvests browser cookies, session tokens, clipboard contents and cryptocurrency wallet data, and has added modules for Discord token theft, WebSocket session hijacking and a clipboard crypto-clipper. The variant uses staged in-memory decryption and a numeric decoder routine to frustrate static analysis, and Palo Alto Networks recommends protective coverage via Cortex XDR, Advanced WildFire and network security controls, and contacting Unit 42 for incident response.

Compromised node-ipc Releases Contain Stealer and Backdoor

⚠️ Researchers from Socket and StepSecurity warn that recently published versions of node-ipc (9.1.6, 9.2.3 and 12.0.1) contain an obfuscated stealer/backdoor triggered at runtime. The payload is appended as an IIFE to node-ipc.cjs, causing execution on every require('node-ipc') and avoiding npm lifecycle hooks. It fingerprints hosts, harvests up to 90 credential categories, compresses data, and exfiltrates via HTTPS to sh.azurestaticprovider[.]net and via DNS TXT records after overriding the resolver. The malicious builds were published by an unrelated maintainer account, prompting removal and secret rotation recommendations.

TrickMo Variant Leverages TON for C2, Tunneling Capabilities

🔒 A new TrickMo Android banking trojan variant, observed by ThreatFabric in January–February 2026, leverages the decentralized TON network for command-and-control communications and targets banking and cryptocurrency wallet users in France, Italy and Austria. The malware uses a runtime-loaded APK (dex.module) delivered via dropper apps and phishing websites, and embeds a native TON proxy to resolve .adnl endpoints. It adds network-oriented features — reconnaissance commands, SSH tunnelling and authenticated SOCKS5 proxying — enabling compromised devices to act as programmable network pivots and exit nodes.

Mini Shai-Hulud Worm Compromises npm and PyPI Supply Chain

⚠ TeamPCP's "Mini Shai-Hulud" campaign has trojanized npm and PyPI packages from maintainers including TanStack, Mistral AI, OpenSearch, UiPath, and Guardrails AI, deploying an obfuscated credential stealer that targets cloud services, crypto wallets, AI tools, messaging apps and CI systems. The malware exfiltrates data via a Session Protocol domain (filev2.getsession[.]org), a typosquat domain and GitHub API dead-drops, and persists through IDE hooks in Claude Code and VS Code. Attackers abused GitHub Actions OIDC permissions and produced malicious packages with valid SLSA attestations; TanStack's cluster was assigned CVE-2026-45321 (CVSS 9.6).

Malicious Infostealer Found in Top Hugging Face Repo

🔒 HiddenLayer discovered the Open-OSS/privacy-filter repository on Hugging Face was malicious on May 7. The repo, which copied OpenAI's Privacy Filter model card almost verbatim and showed inflated engagement, delivered a Rust-based infostealer via a base64-encoded loader. The malware steals browser passwords, session cookies, tokens, crypto wallet data and other credentials. HiddenLayer warns anyone who ran files from the repo to treat hosts as fully compromised and to wipe, isolate and rotate all affected credentials.

Fake Claude Code Installer Steals Browser Credentials

🔒 Ontinue detailed a campaign distributing a previously undocumented information stealer via fake Claude Code install pages that hijack Chromium browsers to bypass App-Bound Encryption and exfiltrate cookies, passwords and payment data from developer workstations. The lure substituted the canonical Anthropic host for an attacker-controlled domain while /install.ps1 returned a verbatim genuine installer, letting automated scanners see benign PowerShell. A native helper is reflectively injected into browser processes to invoke the IElevator2 COM interface and extract encryption keys, while the PowerShell layer handles persistence, collection and C2 communications. Defenders are urged to enforce constrained PowerShell, enable script block logging and block newly registered domains.