All news with #infostealer tag

🛡️ On September 8, 2025, a sophisticated phishing campaign led to the compromise of a trusted maintainer account and the insertion of cryptocurrency-stealing malware into more than 18 foundational npm packages. The malicious versions collectively represented over 2 billion weekly downloads and affected millions of applications from personal projects to enterprise systems. The debug package was among those compromised and alone exceeds 357 million weekly downloads. npm has removed several malicious package versions and is coordinating ongoing remediation.

🚨 A phishing attack against maintainer Josh Junon (qix) led to a widespread compromise of highly popular npm packages, including chalk and debug-js, whose combined footprint exceeds billions of weekly downloads. The attacker pushed malicious updates that attempted to steal cryptocurrency by swapping wallet addresses, but the community discovered and removed the tainted releases within two hours. According to Wiz, the compromised modules reached roughly 10% of cloud environments in that short window, yet the actor ultimately profited only minimally as the injected payload targeted browser crypto-signing and yielded just a few hundred dollars at most.

🔒 A backdoored NPM package published from the Nx repository delivered a post-install credential stealer named telemetry.js, which targeted Linux and macOS systems for GitHub and npm tokens, SSH keys, .env files and crypto wallets. The malware exfiltrated harvested secrets to public repositories named s1ngularity-repository. Attackers unusually used AI CLI tools (Claude, Q, Gemini) to run tuned LLM prompts for better credential harvesting. Nx and GitHub removed the packages, revoked tokens, and implemented 2FA, tokenless publishing and manual PR approvals.

🔑 Researchers found four malicious npm packages impersonating Flashbots and common cryptographic utilities to harvest Ethereum wallet credentials. Uploaded by user "flashbotts" between September 2023 and August 19, 2025, the libraries exfiltrate private keys and mnemonic seed phrases to a Telegram bot and transmit environment data via Mailtrap SMTP. One package also redirects unsigned transactions to an attacker-controlled wallet.

🛡️ Trend Micro warns of an Atomic macOS Stealer (AMOS) campaign that lures users with trojanized 'cracked' apps such as CleanMyMac, and instructs victims to run terminal commands. Attackers shifted from .dmg installers to terminal-based installs to evade Gatekeeper enhancements. AMOS persists via a LaunchDaemon and a hidden binary, then exfiltrates credentials, browser data, crypto wallets, Telegram chats and keychain items. Researchers advise layered defenses beyond native OS protections.

🛡️ Researchers found a malicious npm package named nodejs-smtp that impersonated the nodemailer mailer to avoid detection and entice installs. On import the module uses Electron tooling to unpack an app.asar, replace a vendor bundle with a payload, repackage the application, and erase traces to inject a clipper into Windows desktop wallets. The backdoor redirects BTC, ETH, USDT, XRP and SOL transactions to attacker-controlled addresses while retaining legitimate mailer functionality as a cover.

🛡️ Security researchers warn that Android dropper apps are increasingly used to deliver not only banking trojans but also SMS stealers, spyware and lightweight payloads. According to ThreatFabric, attackers in India and parts of Asia are packaging payloads behind benign "update" screens to evade targeted Play Protect Pilot Program checks, fetching and installing the real payload only after user interaction. Google says it found no such apps on Play and continues to expand protections, while Bitdefender links malvertising campaigns to Brokewell distribution.

⚠️Cybercriminals are abusing Meta advertising to distribute a malicious Android app impersonating TradingView Premium. Bitdefender says the campaign, active since at least July 22, redirects Android users to a counterfeit site that serves a trojanized tw-update.apk and requests accessibility rights while simulating an OS update to capture PINs. The installed Brokewell variant escalates privileges to exfiltrate credentials and 2FA codes, hijack SMS, record screens and audio, and accept remote commands for theft and device control.

🔍 Threat actors used Google ads to promote a fraudulent AppSuite PDF Editor that silently delivered the TamperedChef infostealer. Multiple domains hosted signed installers with revoked certificates; the malicious payload was activated after a delay and is launched with the "-fullupdate" argument, checking for security agents and extracting browser secrets via DPAPI. Operators also pushed related apps such as OneStart, ManualFinder and Epibrowser, and in some cases converted hosts into residential proxies; Truesec and Expel published IoCs for detection.

🛡️ Cybersecurity researchers report a malvertising campaign that lures users to counterfeit sites offering a trojanized PDF installer for AppSuite PDF Editor, which drops an information stealer named TamperedChef. The installer presents a license prompt while covertly downloading the editor, setting persistence via Windows Registry autorun entries and scheduled tasks that pass --cm arguments. Analysts at Truesec and G DATA found the backdoor harvests credentials and cookies and can download additional payloads.

🔐 The Nx package ecosystem was trojanized via a malicious post-install script, telemetry.js, which exfiltrated developer secrets from macOS and *nix environments. Stolen items included npm and GitHub tokens, SSH keys, crypto wallets, API keys and .env contents, uploaded to public GitHub repositories. Immediate actions include auditing Nx package versions, removing affected node_modules, rotating all potentially exposed secrets and monitoring repositories and Actions for misuse.

🔒 ShadowCaptcha is a large-scale campaign abusing over 100 compromised WordPress sites to push visitors to fake Cloudflare or Google CAPTCHA pages using the ClickFix social‑engineering lure. Injected JavaScript initiates redirection chains, employs anti‑debug techniques, and silently copies commands to the clipboard to coerce users into running built‑in Windows tools or saving and executing HTA files. Attackers weaponize LOLBins and DLL side‑loading to deliver installers and payloads — observed outcomes include credential stealers (Lumma, Rhadamanthys), Epsilon Red ransomware, and XMRig cryptocurrency miners — with some miner variants fetching configs from Pastebin and dropping a vulnerable driver (WinRing0x64.sys) to seek kernel access. Affected sites span multiple countries and sectors, underscoring the importance of timely WordPress hardening, network segmentation, user training, and MFA.

🔒 CrowdStrike disrupted a malvertising campaign that redirected users to counterfeit macOS help pages and urged them to run a malicious one-line installation command. Observed between June and August 2025, the operation sought to deliver the SHAMOS variant of the Atomic macOS Stealer (AMOS), a Mach-O binary distributed by MaaS operator Cookie Spider. The installer decoded a Base64 string, executed a Bash script that captured credentials and fetched the payload from icloudservers[.]com.

🔒 Researchers identified a malicious Go module that masquerades as an SSH brute-force utility but secretly exfiltrates credentials to a threat actor via a hard-coded Telegram bot. The package, golang-random-ip-ssh-bruteforce, published on June 24, 2022 and still accessible on pkg.go.dev, scans random IPv4 addresses, attempts concurrent logins from a small username/password list, and disables host key verification. On the first successful login it sends the IP, username and password to @sshZXC_bot, which forwards results to @io_ping, allowing the actor to centralize harvested credentials while distributing scanning risk.

🛡️ Researchers disclosed a new .NET-based DLL loader named QuirkyLoader that's been used since November 2024 to deliver information stealers, keyloggers and RATs via email spam. IBM X-Force says attackers send malicious archives from both legitimate providers and self-hosted servers; each archive contains a DLL, an encrypted payload and a real executable used for DLL side-loading. The loader uses process hollowing to inject decrypted payloads into AddInProcess32.exe, InstallUtil.exe or aspnet_wp.exe. Operators compile the .NET DLL with ahead-of-time (AOT) compilation so the resulting binary resembles native C/C++ code and is harder to attribute.

🔍 Cisco Talos reports an active malvertising campaign delivering a multi-stage PowerShell/C# malware framework dubbed PS1Bot. The modular framework executes modules in-memory to minimize artifacts and supports information theft, keylogging, screenshot capture and cryptocurrency wallet exfiltration. Delivery begins with SEO-poisoning archives containing a downloader that writes a polling PowerShell script to C:\ProgramData and executes received code with Invoke-Expression.

🔍 In this Unlocked 403 episode host Becks speaks with ESET malware researcher Lukas Stefanko to explain how modern spyware operates and why commonplace apps can become surveillance tools. They examine ESET’s discovery of BadBazaar, describe common infection vectors, persistence techniques and permissions abuse, and note that some tools can compromise devices without any user interaction. Lukas outlines practical detection signals and step‑by‑step removal advice. The conversation also points listeners to a prior episode for deeper Android threat analysis.