< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles

Injective SDK npm package used to steal wallet keys

🔒 Security researchers discovered that the @injectivelabs/sdk-ts npm package (v1.20.21) was published with malicious code to capture cryptocurrency wallet private keys and mnemonic seed phrases. The compromise stemmed from a hijacked GitHub contributor account with suspicious commits appearing on June 8; the legitimate owner quickly reverted changes and released a clean 1.20.23. The malware activated when wallet-generation or import functions were called and exfiltrated secrets via HTTP POST to a public Injective Labs endpoint, and the tainted package had hundreds of dependent packages and thousands of downloads.
read more →

Fake Paysafe, Skrill SDKs on npm and PyPI steal creds

🔒 Malicious packages impersonating Paysafe, Skrill, and Neteller SDKs were published to npm and PyPI, delivering credential-stealing malware to developers and applications. Socket discovered 17 packages that expose expected APIs but return fake success responses while searching for and exfiltrating secrets such as API keys, tokens, and AWS credentials. Developers who installed these packages are urged to rotate secrets, inspect dependency trees and CI logs, and block the malicious package names at registry proxies.
read more →

North Korean campaign publishes malicious packages

🛡️ Researchers observed North Korea–linked actors behind the Contagious Interview campaign publish 108 unique malicious packages and extensions across npm, Packagist, Go, and Chrome under an operation dubbed PolinRider. The releases include obfuscated JavaScript loaders that append code to common project config files and leverage VS Code task auto-run behavior to execute payloads. Attackers appear to acquire or retain registry and maintainer access via repository compromises, domain takeovers, or malicious dependencies. The campaign has been active since at least 2023 and continues to deliver RATs and stealers through multi-stage blockchain-backed payload delivery.
read more →

PamStealer macOS stealer uses fake Maccy sites

🛡️ Cybersecurity researchers have identified PamStealer, a macOS information stealer distributed as a compiled AppleScript masquerading as the open-source clipboard manager Maccy. The dropper fetches a Rust-based Mach-O stealer that harvests browsers, wallet extensions, iCloud Keychain, and clipboard data, then exfiltrates it to attacker infrastructure. The malware also coerces victims into entering their system password and validates it via PAM before capturing it.
read more →

Silent Swap clipper exploits browser extensions

🛡️ McAfee Labs uncovered an active campaign, dubbed Silent Swap, that deploys malicious Chromium extensions masquerading as a 'Google Notes' utility to intercept and replace cryptocurrency wallet addresses copied to the clipboard. The installers, observed in .NET and Golang variants, inject the extension into Chromium-based browsers by modifying protected preferences and recalculating security hashes to bypass store installation. The threat uses an EtherHiding technique to resolve C2 domains via the blockchain and performs dynamic, server-side wallet mappings to redirect funds to attacker-controlled addresses. Telemetry shows global infections, with higher concentration in India.
read more →

ClickFix Emerges as Dominant Malware Delivery Method

🔒 Analysis by ReliaQuest shows the ClickFix social engineering technique dominated malware delivery from March to May 2026. ClickFix tricks users into pasting attacker-supplied commands into trusted dialogs like Run, Terminal, or Script Editor, allowing payloads such as infostealers to execute while evading many defenses. The method has been used to deliver Windows malware and, notably, to deploy AMOS/Atomic Stealer to macOS via Script Editor. ReliaQuest urges equal monitoring for macOS and recommends user training and administrative restrictions to mitigate ClickFix risks.
read more →

Malicious Perplexity-themed Chrome Extension Captured Searches

🔍 Microsoft discovered a malicious Chrome extension posing as Perplexity that logged every search query and each character typed in the address bar by routing input through an attacker-controlled server before redirecting to legitimate results. The extension, named "Search for perplexity ai" and using a look-alike domain, set itself as the default search engine and redirected queries and live suggestion traffic to the attacker domain, collecting headers, IPs, and user agent data. Microsoft reported the extension to Google, which removed it from the Chrome Web Store; defenders are urged to remove the extension and verify search settings immediately.
read more →

Hijacked npm and Go packages deploy cross‑platform stealer

🛡️ Cybersecurity researchers discovered two malicious npm packages and a cluster of Go packages that deploy a Python-based information stealer targeting Windows, Linux, and macOS. The attack hides execution in a VS Code task that runs when a project folder is opened and retrieves encrypted JavaScript from blockchain transaction data to configure a socket.io backdoor. The campaign uses a disguised font file to deliver multi-stage payloads and ultimately installs a Python infostealer that exfiltrates credentials, wallets, and developer artifacts.
read more →

International takedown of Amadey and StealC networks

🛡️ A multinational law enforcement operation, coordinated with private-sector partners such as Bitdefender, ESET, and Microsoft, dismantled infrastructure powering the Amadey and StealC malware ecosystems. Authorities identified and restricted over $47 million in criminal cryptocurrency, recovered 27 million stolen credentials, and dismantled hundreds of servers and domains. The action disrupted loader-and-stealer chains used to fuel ransomware and fraud.
read more →

Law enforcement disrupts StealC and Amadey infostealers

🛡️ Operation Endgame participants executed a coordinated takedown of the StealC and Amadey infostealer infrastructures, seizing roughly 50 domains and nearly 200 active C2 IPs. The action was led by Germany’s Federal Criminal Police Office with coordination from Europol’s EC3 and support from partners including Microsoft, ESET and Proofpoint. Microsoft used AI to accelerate analysis and helped sever criminal control of over 18,000 victim devices. The broader operation seized crypto assets, recovered millions of credentials and dismantled hundreds of servers and domains.
read more →

Operation Endgame disrupts Amadey and StealC malware

🔎 Microsoft, Europol, and international partners executed Operation Endgame to disrupt infrastructure used by the Amadey and StealC malware families. The coordinated takedown targeted servers, domains, and related resources, seizing cryptocurrency and recovering millions of stolen credentials. Private-sector partners including Microsoft, ESET, Proofpoint, and IBM X-Force supported law enforcement actions across several countries. The effort also targeted SocGholish loaders and follows prior phases that disrupted other malware families.
read more →

macOS Gaslight backdoor uses prompt injection tactics

🛡️ SentinelLabs uncovered a North Korea-linked macOS backdoor, tracked as macOS.Gaslight, that embeds 38 fabricated system messages to manipulate AI-assisted malware triage. The Rust implant carries an infostealer and interactive backdoor that exfiltrates browser data, terminal histories and the macOS login keychain, using Telegram Bot API with certificate pinning for command and control. Researchers noted novel tradecraft including runtime staging of a standalone Python interpreter and self-scrubbing of the Telegram bot token from logs. SentinelLabs warned analysts to treat sample contents as adversarial input and to isolate hostile content from LLM-based tools.
read more →

StealC and Amadey: Infostealer Ecosystem Disruption

🔍 Microsoft analyzes how infostealers like StealC and loaders such as Amadey fuel a commodified cybercrime economy by harvesting credentials, cookies, and tokens from unmanaged devices. The post details methods of delivery (SEO poisoning, malicious ads, ClickFix, phishing), StealC’s data collection and C2 behaviors, and how stolen logs are monetized. It also describes a coordinated takedown on June 24, 2026, by Microsoft DCU and partners that disrupted hundreds of domains and C2 servers.
read more →

OpenClaw AI supply chain risks and findings

🧭 OpenClaw is an AI agent executing third-party skills from ClawHub, and several malicious campaigns emerged after launch. Our Feb–May 2026 analysis identified five skills that bypassed screening and fell into three threat categories: macOS infostealers, an evasion technique using inflated file size, and novel agentic threats for financial gain. All five skills were reported and removed; OpenClaw and NVIDIA have since increased screening and analysis.
read more →

PowerShell stealer targets Telegram sessions

🛡️ Researchers discovered a PowerShell script masquerading as a Windows telemetry update that steals Telegram for Windows session data. The script collects system info, closes Telegram to access the tdata folder, zips its contents, and sends the archive to an attacker-controlled bot before removing traces. The sample was found on Pastebin and appears to be a prototype, with no confirmed successful exfiltration yet. Users are advised to use robust endpoint security and enable Telegram Two‑Step Verification or passkeys.
read more →

Search-Your-Target Market for Stolen Credentials

🔎 Flare analyzed 470 underground forum posts from January 2025 to June 2026 revealing a growing service layer that lets buyers query massive infostealer-derived credential collections for specific companies, platforms, domains, geographies, or account types. These sellers act as brokers, offering search, deduplication, formatting, and targeted delivery of credentials from databases claiming billions of records. Buyer feedback highlights gaps in quality, freshness, and validity, while the market partially overlaps with Initial Access Brokers and amplifies account takeover risks.
read more →

ThreatsDay: AI Abuse, Fileless Mac Attacks, and More

📰 This week's ThreatsDay roundup highlights a range of active campaigns and emerging risks, from DoH adoption in Windows Server 2025 to search-hijacking Chrome extensions and fileless macOS infections. Researchers uncovered abuse of shared AI chat features to deliver credential stealers, large-scale WhatsApp booking fraud, and memory-only stealers targeting banks. Vendors and agencies are responding with mitigations, advisories, and new product timelines to address quantum and AI-driven threats.
read more →

Cybercrime Escalates Across Asia-Pacific Amid Digitization

🛡️Interpol warns that cybercrime now accounts for 30% of crime in over half of Asia and South Pacific nations, driven by rapid digital adoption. The 2025/2026 Asia and South Pacific Cyberthreat Assessment, covering 18 countries, highlights online scams, infostealers, ransomware, deepfakes and BEC as primary threats. The report notes sharp rises in ransomware, DDoS and deepfake activity, and calls for improved cross-border collaboration and capacity building.
read more →

Rokarolla Android trojan targets 217 financial apps

🛡️ A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and supports 137 commands. Distributed via malicious sites posing as Chrome or TikTok installers, it requests Accessibility and other sensitive permissions to gain near-complete control of infected devices. Researchers at Zimperium report it harvests SMS, contacts, keystrokes, screenshots, and lock-screen credentials while displaying phishing overlays and disabling protections like Google Play Protect.
read more →

Malicious Steam Workshop wallpapers used to deliver malware

🛡️ Researchers at Kaspersky report threat actors abusing Steam Workshop to distribute malware via the Wallpaper Engine app. Attackers upload malicious application-type wallpapers that execute payloads when installed, leading to account theft, backdoors, miners, and information stealers. Valve removed the identified items, but users are advised to only download from trusted creators and scan Workshop content with up-to-date antivirus.
read more →