
All news with #infostealer tag


Popular PyPI package hacked to push secrets-stealer

🚨 Malicious release v0.23.3 of the elementary-data PyPI package was published after an attacker exploited a GitHub Actions script-injection flaw in the project's workflow. The tainted package and its Docker image silently installed an elementary.pth-based loader that exfiltrated SSH keys, cloud credentials, developer tokens and cryptocurrency wallets. A clean v0.23.4 was released, but users who pulled the compromised artifacts must rotate secrets and remediate affected environments.

Bitwarden CLI npm Package Compromised to Steal Keys

🔒 The Bitwarden CLI @bitwarden/cli npm package was briefly compromised when attackers published a malicious v2026.4.0 release on April 22, 2026. The injected payload harvested developer secrets — including npm and GitHub tokens, SSH keys, and cloud credentials — and contained self‑propagation capability to infect other packages. Bitwarden confirmed only the npm distribution channel was affected, found no evidence of vault or production data access, revoked compromised access, deprecated the release, and initiated remediation; affected developers should rotate exposed credentials.

Supply Chain Breach Compromises Checkmarx KICS Artifacts

🔐 Checkmarx's KICS Docker images and VS Code/Open VSX extensions were trojanized to harvest developer secrets. Dependency security firm Socket investigated after Docker alerted them to malicious images pushed to the official checkmarx/kics repository and found an embedded MCP addon that downloaded a credential-stealing module (mcpAddon.js). The malware targeted GitHub tokens, cloud credentials, npm tokens, SSH keys, Claude configs and environment variables, encrypting and exfiltrating them to audit.checkmarx.cx while creating public GitHub repositories to receive stolen data. Checkmarx removed the artifacts, rotated exposed credentials and advised developers to rotate secrets, pin image SHAs and rebuild from trusted sources.

Trojanized NFC Relay App Used to Steal Card Data in Brazil

💳 Cybercriminals have trojanized an Android NFC-relay application to capture contactless payment data and PINs, enabling cloning of cards and remote ATM cash-outs. ESET researchers report a new NGate malware variant was injected into the HandyPay app and distributed via a fake lottery site and a spoofed Google Play page targeting Android users in Brazil since November 2025. Traces in the injected code, including emoji markers in debug logs, led researchers to suspect use of generative AI, and ESET has published indicators and a MITRE ATT&CK mapping to aid detection.

Trojanized Android App Enables New NFC Payment Fraud

📱 ESET has identified a new NGate variant that uses a trojanized version of the legitimate HandyPay NFC relay app to harvest payment card data and PINs. Distributed since November 2025 and focused on Brazil, the malicious app relays tapped NFC data to attacker-controlled devices to facilitate contactless fraud and ATM withdrawals. It requires minimal permissions by leveraging its role as the default payment application, helping it evade detection.

NGate Android Campaign Trojans HandyPay to Steal NFC

🔒 ESET researchers uncovered an NGate Android campaign that trojanized the HandyPay NFC relay app to steal contactless card data and capture PINs for fraudulent ATM withdrawals. The poisoned app, spread via fake Rio de Prêmios sites and a deceptive Play Store listing, asks to be set as the default payment app and prompts users to enter their card PIN before tapping their card. Artifacts including emoji-laden debug messages suggest parts of the injected code may have been generated or modified with a large language model.

NGate Android Malware Hides in Trojans of HandyPay App

🔒 A new NGate variant is delivered inside a trojanized version of HandyPay, a legitimate NFC payments app, to steal payment card data from Android devices. Researchers at ESET say the campaign has been active since November 2025 and primarily targets users in Brazil, using fake Google Play pages and a malicious APK distribution chain. The trojan asks victims to set it as the default NFC payment app, collects card PINs and card taps, and exfiltrates the data via a hardcoded email address.

New NGate Variant Trojans HandyPay to Steal NFC Data

🔒 ESET researchers discovered a new NGate malware variant that trojanized the legitimate HandyPay Android NFC-relay app, with injected code displaying artifacts consistent with GenAI-assisted development. The patched app silently forwards NFC payment card data and captures payment card PINs, exfiltrating them to attacker-controlled C&C infrastructure to enable contactless ATM cash-outs and unauthorized payments. Distribution targeted Android users in Brazil since November 2025 via a fake Rio de Prêmios lottery site and a counterfeit Google Play page; both samples were served from the same domain, indicating a single operator. ESET notified Google and the HandyPay developer; known samples are detected by Google Play Protect and ESET.

Formbook Campaigns Use DLL Sideloading and JS Obfuscation

🔒 Two phishing campaigns are delivering Formbook infostealer to Windows devices using distinct stealth techniques. One abuses DLL sideloading via RAR attachments containing multiple DLLs and an EXE, while the other hides payloads in obfuscated JavaScript and PDF files that drop PowerShell commands and a custom loader. WatchGuard warns these methods leverage trusted processes to evade detection and urges monitoring of archive attachments, anomalous DLL loads and suspicious PowerShell activity.

Mass iOS Exploits DarkSword and Coruna Threaten Users

🔒 DarkSword and Coruna are two newly discovered, zero-click spyware families actively abused in the wild to compromise iPhones and iPads without user interaction. DarkSword targets iOS 18 with a six‑vulnerability chain and runs filelessly in RAM, while Coruna exploits older releases (iOS 13–17.2.1) via numerous WebKit flaws. Both harvest passwords, messages, photos, browser history and crypto‑wallet secrets; researchers report several thousand infections and advise immediate OS updates and mitigations.

108 Malicious Chrome Extensions Target Google, Telegram

🔒 Researchers at Socket uncovered 108 malicious Google Chrome extensions that collectively amassed about 20,000 installs and reported to a single command-and-control server. Published under five publisher identities, the add-ons posed as games, Telegram sidebars, and enhancement tools while exfiltrating Google account data, hijacking Telegram Web sessions, opening arbitrary URLs, and injecting ads and scripts. Some source files contained Russian-language comments; attribution remains unconfirmed. Users should remove any identified extensions and log out of Telegram Web sessions immediately.

Over 100 Chrome Extensions Steal Accounts and Data

🔒 Researchers at Socket have discovered more than 100 malicious Chrome extensions in the official Web Store that harvest Google OAuth2 bearer tokens, hijack sessions, deploy backdoors, and conduct ad fraud. The extensions were published under multiple publisher identities and span categories such as Telegram sidebars, games, video enhancers, translation tools, and utilities. Socket links the campaign to a centralized command-and-control backend hosted on a Contabo VPS and notes code comments that suggest a Russian malware-as-a-service operation. Users are urged to check installed extensions against the IDs Socket published and remove any matches immediately.

Mirax Android Trojan Turns Devices into Proxy Nodes

📱 A newly identified Android banking trojan called Mirax is spreading across Europe, combining remote-access features with residential proxy capabilities to expand its criminal utility. Researchers at Cleafy report campaigns reached more than 200,000 accounts by leveraging social media advertisements and fake streaming apps. Mirax runs as a restricted Malware-as-a-Service (MaaS), enabling real-time device control, dynamic overlay injection for credential theft, continuous keylogging, and the conversion of infected phones into proxy nodes to help bypass fraud controls.

Storm infostealer hijacks sessions, decrypts server-side

⚠️ A new infostealer dubbed Storm surfaced on underground marketplaces in early 2026, offering subscription-based credential and session theft for under $1,000 per month. Storm harvests browser passwords, session cookies, crypto wallets, autofill data, and app tokens, then uploads encrypted artifacts and performs server-side decryption to evade endpoint detection. The platform also automates cookie restoration using supplied Google refresh tokens and geographically matched SOCKS5 proxies, enabling silent session hijacking and persistent access to web services.

CPUID Site Briefly Served STX RAT via Trojanized Tools

🛡️ Kaspersky and analysts observed unknown actors briefly compromise CPUID, swapping legitimate download links for trojanized installers of CPU‑Z and HWMonitor for under 24 hours. The malicious packages contained a signed executable alongside a malicious CRYPTBASE.dll that leveraged DLL side‑loading, performed anti‑sandbox checks and fetched additional payloads. The campaign deployed STX RAT, a feature‑rich RAT with HVNC and extensive infostealer and remote‑control capabilities, impacting individuals and organizations in multiple sectors.

GlassWorm Uses Zig Dropper to Infect Multiple IDEs

🐛 A new phase of the GlassWorm campaign uses a Zig-compiled native Node addon embedded in a malicious Open VSX extension named specstudio.code-wakatime-activity-tracker, impersonating WakaTime, to gain OS-level access and stealthily install additional payloads. The addon (installed as win.node on Windows and mac.node on macOS) runs outside the JavaScript sandbox, locates IDEs that support VS Code extensions, downloads a malicious VSIX from an attacker-controlled GitHub account, and silently installs it across detected editors. The second-stage extension then reads commands from the Solana blockchain to obtain its C2, exfiltrates sensitive data, and deploys a RAT that ultimately installs an information-stealing Chrome extension; affected users should assume compromise and rotate secrets.

Chrome 146 Adds Hardware-Bound Protection for Cookies

🔐 Google has introduced Device Bound Session Credentials (DBSC) protection in Chrome 146 for Windows to block infostealer malware from harvesting session cookies. The feature cryptographically ties session cookies to hardware-backed keys stored in the Trusted Platform Module (TPM) on Windows, with macOS support planned for a future release. Because the per-session private keys are generated by a security chip and cannot be exported, exfiltrated cookies become useless without proof of key possession. The protocol is privacy-conscious, uses distinct keys per session to avoid cross-site correlation, and was developed with industry input including Microsoft.

Atomic Stealer ClickFix Shift Targets macOS Script Editor

🛡️ Jamf Threat Labs has identified a macOS malware campaign delivering the Atomic Stealer (AMOS) infostealer/backdoor using a ClickFix social engineering technique that now leverages Script Editor instead of Terminal. Attackers display fake Apple guidance in a browser window to convince users to paste and run malicious commands, bypassing Terminal paste-scanning warnings added in the macOS 26.4 update. Network defenders are advised to restrict clipboard and run-dialog use, limit execution of untrusted binaries, and block suspicious adverts and sites.

macOS Atomic Stealer campaign leverages Script Editor

⚠️ Researchers at Jamf observed a ClickFix variation that uses the built-in Script Editor and the applescript:// URL scheme to deliver the Atomic Stealer (AMOS) to macOS users. Victims are lured to fake Apple-themed pages that launch Script Editor with prefilled AppleScript executing an obfuscated "curl | zsh" chain, avoiding the need to open Terminal. The delivered code decodes a base64+gzip payload, writes a Mach-O binary to /tmp/helper, strips extended attributes with "xattr -c", makes it executable, and runs it. Treat Script Editor prompts as high risk and follow official Apple troubleshooting guidance rather than third-party guides.

Why Simple Breach Monitoring Is No Longer Enough in 2026

🔒 Organizations must move beyond checkbox breach monitoring to defend against fast-moving infostealers. Ran Geva (CEO, Webz.io & Lunar) warns that monthly scans and reliance on MFA, EDR, or zero-trust alone often miss stolen credentials, session cookies, and stealer logs. With 4.17 billion compromised credentials observed in 2025 and high breach costs, enterprises need continuous, forensic-grade monitoring, automated triage, and integrations that can reset credentials and invalidate sessions quickly.