< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 3 of 19

SHub 'Reaper' macOS Infostealer Spoofs Apple Updates

🔔 SentinelOne researchers disclosed a new SHub macOS infostealer variant, dubbed Reaper, that lures victims with fake app installers and uses the applescript:// URL scheme to launch a malicious AppleScript. The payload displays a bogus Apple security update, requests the macOS password, and executes a shell script that harvests browser data, crypto wallets, passwords, iCloud and Telegram artifacts, and files from Desktop and Documents. Reaper also persists via a LaunchAgent, hijacks wallet apps by replacing core files, and clears quarantine flags to evade Gatekeeper.
read more →

Leaked Shai-Hulud Source Fuels npm Infostealer Campaign

⚠️ OXsecurity identified four malicious npm packages published by account deadcode09284814, including typosquatted modules aimed at Axios users. One package, chalk-tempalte, contains a non-obfuscated clone of the leaked Shai-Hulud infostealer that steals credentials, secrets, and crypto wallet data and exfiltrates it to a known C2. Another package, axois-utils, adds persistent DDoS bot functionality alongside credential theft. Developers should remove affected packages and rotate exposed credentials and API keys immediately.
read more →

node-ipc npm Package Compromised to Steal Credentials

⚠️ Multiple security firms have flagged newly published versions of the popular node-ipc npm package as malicious, containing obfuscated infostealer code that executes via the CommonJS entrypoint. The compromised releases (9.1.6, 9.2.3, 12.0.1) fingerprint hosts, harvest cloud and developer credentials, compress them, and exfiltrate data via DNS TXT queries. Users should remove affected versions, rotate secrets, and audit caches and lockfiles.
read more →

How to Manage Subscriptions Securely and Avoid Scams

🔒 Subscription services are widespread and often contain personal data, making them attractive targets for attackers. The article outlines common attack vectors — phishing, credential reuse, infostealers, and bulk-resale of hacked family slots — and explains practical defenses: use password managers, enable two-factor authentication or passkeys, and monitor active sessions. It also advises how to spot phishing and track hidden recurring charges through bank statements and app-store settings.
read more →

Gremlin Stealer Evolves into Modular, Stealthy Infostealer

🔍 Researchers at Palo Alto Networks' Unit 42 say the Gremlin stealer has progressed from a basic credential harvester into a modular, stealth-oriented toolkit. New builds embed payloads in the .NET resource section and apply XOR obfuscation to evade static and heuristic detection. The threat continues to exfiltrate data via private web panels and the Telegram Bot API, while adding Discord token theft, a clipboard-based crypto clipper, and WebSocket session hijacking.
read more →

PawsRunner Steganography Delivers PureLogs Infostealer

🛡️ FortiGuard Labs details a phishing campaign that uses TXZ attachments and environment-variable obfuscation to execute a fileless .NET loader. The loader, tracked as PawsRunner, retrieves encrypted payloads hidden inside PNG images using steganography and delivers the PureLogs infostealer. The campaign abuses multiple network APIs, prioritizes image responses, and uses cat images as cover, with final-stage C2 communication via HTTPS.
read more →

Gremlin Stealer Evolution: Obfuscation and New Capabilities

🔐 This report analyzes a new Gremlin stealer variant that leverages advanced obfuscation, including a commercial packer with instruction virtualization and .NET resource XOR encoding, to conceal final-stage payloads. The malware harvests browser cookies, session tokens, clipboard contents and cryptocurrency wallet data, and has added modules for Discord token theft, WebSocket session hijacking and a clipboard crypto-clipper. The variant uses staged in-memory decryption and a numeric decoder routine to frustrate static analysis, and Palo Alto Networks recommends protective coverage via Cortex XDR, Advanced WildFire and network security controls, and contacting Unit 42 for incident response.
read more →

Compromised node-ipc Releases Contain Stealer and Backdoor

⚠️ Researchers from Socket and StepSecurity warn that recently published versions of node-ipc (9.1.6, 9.2.3 and 12.0.1) contain an obfuscated stealer/backdoor triggered at runtime. The payload is appended as an IIFE to node-ipc.cjs, causing execution on every require('node-ipc') and avoiding npm lifecycle hooks. It fingerprints hosts, harvests up to 90 credential categories, compresses data, and exfiltrates via HTTPS to sh.azurestaticprovider[.]net and via DNS TXT records after overriding the resolver. The malicious builds were published by an unrelated maintainer account, prompting removal and secret rotation recommendations.
read more →

TrickMo Variant Leverages TON for C2, Tunneling Capabilities

🔒A new TrickMo Android banking trojan variant, observed by ThreatFabric in January–February 2026, leverages the decentralized TON network for command-and-control communications and targets banking and cryptocurrency wallet users in France, Italy and Austria. The malware uses a runtime-loaded APK (dex.module) delivered via dropper apps and phasing websites, and embeds a native TON proxy to resolve .adnl endpoints. It adds network-oriented features — reconnaissance commands, SSH tunnelling and authenticated SOCKS5 proxying — enabling compromised devices to act as programmable network pivots and exit nodes.
read more →

Mini Shai-Hulud Worm Compromises npm and PyPI Supply Chain

⚠ TeamPCP's "Mini Shai-Hulud" campaign has trojanized npm and PyPI packages from maintainers including TanStack, Mistral AI, OpenSearch, UiPath, and Guardrails AI, deploying an obfuscated credential stealer that targets cloud services, crypto wallets, AI tools, messaging apps and CI systems. The malware exfiltrates data via a Session Protocol domain (filev2.getsession[.]org), a typosquat domain and GitHub API dead-drops, and persists through IDE hooks in Claude Code and VS Code. Attackers abused GitHub Actions OIDC permissions and produced malicious packages with valid SLSA attestations; TanStack's cluster was assigned CVE-2026-45321 (CVSS 9.6).
read more →

Malicious Infostealer Found in Top Hugging Face Repo

🔒 HiddenLayer discovered the Open-OSS/privacy-filter repository on Hugging Face was malicious on May 7. The repo, which copied OpenAI's Privacy Filter model card almost verbatim and showed inflated engagement, delivered a Rust-based infostealer via a base64-encoded loader. The malware steals browser passwords, session cookies, tokens, crypto wallet data and other credentials. HiddenLayer warns anyone who ran files from the repo to treat hosts as fully compromised and to wipe, isolate and rotate all affected credentials.
read more →

Fake Claude Code Installer Steals Browser Credentials

🔒 Ontinue detailed a campaign distributing a previously undocumented information stealer via fake Claude Code install pages that hijack Chromium browsers to bypass App-Bound Encryption and exfiltrate cookies, passwords and payment data from developer workstations. The lure substituted the canonical Anthropic host for an attacker-controlled domain while /install.ps1 returned a verbatim genuine installer, letting automated scanners see benign PowerShell. A native helper is reflectively injected into browser processes to invoke the IElevator2 COM interface and extract encryption keys, while the PowerShell layer handles persistence, collection and C2 communications. Defenders are urged to enforce constrained PowerShell, enable script block logging and block newly registered domains.
read more →

Fake Hugging Face Model Impersonating OpenAI Hits 244K

⚠️ A malicious Hugging Face repository posing as an OpenAI release delivered an infostealer to Windows hosts and accumulated about 244,000 downloads before removal. Researchers at HiddenLayer found the repo copied OpenAI’s model card and included a loader.py that fetched and executed credential-stealing payloads. The loader disabled SSL verification, used jsonkeeper.com as a C2, and employed scheduled tasks and a Rust-based infostealer to exfiltrate browser data, wallets, Discord storage, and FileZilla credentials.
read more →

Fake OpenAI Model on Hugging Face Delivered Info Stealer

🚨 A malicious Hugging Face repository impersonating OpenAI's Privacy Filter model reached #1 trending before being disabled after delivering a Rust-based information stealer to Windows users. The attacker typosquatted the legitimate release and copied its model card, instructing victims to run a loader.py or Windows start.bat to fetch payloads via a JSON Keeper dead drop. The multi-stage chain used PowerShell to download secondary loaders, set Defender exclusions, and install a one-shot scheduled task that launched a stealer collecting browser, wallet and app data for exfiltration.
read more →

Malvertising: Claude.ai Shared Chats Deliver Mac Malware

⚠️ Attackers are using Google Ads to direct macOS users to malicious instructions hosted inside Claude.ai shared chats. The chats disguise themselves as official installation guides and prompt users to paste Terminal commands that download compressed shell scripts and execute them in memory. Some variants profile victims (including keyboard locale) before running a second-stage payload via osascript, while others immediately steal browser credentials, cookies, and Keychain items. Avoid pasting terminal commands and visit the official site directly.
read more →

Fake Hugging Face Repo Pushes Rust Infostealer and Typosquatting

⚠️A malicious Hugging Face repository impersonated OpenAI’s Privacy Filter and briefly reached #1, reportedly accumulating 244,000 downloads before removal. HiddenLayer found the repo used a typosquatted name and a loader.py that disabled SSL checks, decoded a base64 URL, and executed a PowerShell chain to deploy a Rust-based infostealer. The malware harvests browser credentials, tokens, wallets, SSH/FTP/VPN files and more, exfiltrating data to a C2 server. Users are urged to reimage affected machines, rotate credentials, and replace wallets and seed phrases.
read more →

ACSC Alerts on ClickFix Campaign Delivering Vidar Stealer

🚨 The Australian Cyber Security Centre (ACSC) has warned of a widespread campaign using compromised WordPress sites and the ClickFix social‑engineering technique to deliver the Vidar Stealer infostealer to Windows systems. Attackers lure victims with fake CAPTCHA prompts that trick users into executing malicious commands, enabling in‑memory persistence and evasion. The ACSC advises restricting unauthorised execution, keeping WordPress and OS components patched, limiting clipboard write access, and enforcing phishing‑resistant MFA.
read more →

TCLBanker Trojan Self-Spreads via WhatsApp and Outlook

⚠️ A new banking trojan named TCLBanker is being distributed via a trojanized MSI installer for Logitech AI Prompt Builder and targets 59 banking, fintech, and cryptocurrency platforms, with initial activity observed mainly in Brazil. Researchers at Elastic Security Labs report the malware uses DLL side-loading and strong anti-analysis defenses, runs persistent watchdogs to detect debuggers, and monitors the browser address bar to trigger theft routines. It provides remote-control capabilities (live streaming, screenshots, keylogging, clipboard theft, and shell execution) and uses WPF overlays to capture credentials. Uniquely, TCLBanker includes worm modules that hijack WhatsApp Web sessions and abuse Microsoft Outlook to self-propagate to contacts, increasing the risk of rapid spread.
read more →

Australia Alerts to ClickFix Campaign Distributing Vidar

⚠️ The Australian Cyber Security Center (ACSC) warns of an ongoing campaign using the ClickFix social-engineering technique to deliver Vidar Stealer. Attackers compromise WordPress sites and redirect visitors to pages that display fake Cloudflare verification or CAPTCHA prompts instructing users to copy and execute malicious PowerShell commands. Once executed, the payload launches Vidar, which operates from memory and targets browser credentials, cookies, cryptocurrency wallets, autofill data, and system information. ACSC advises restricting PowerShell execution, applying application allow-listing, and keeping WordPress themes and plugins updated or removed when unused.
read more →

PCPJack credential stealer targets cloud, displaces TeamPCP

🔒 SentinelOne researchers led by Alex Delamotte disclosed PCPJack, a modular credential-theft framework that targets exposed cloud, container, developer, productivity, and financial services while actively removing artifacts tied to TeamPCP. The campaign boots via a shell script that prepares the host, installs Python, fetches six purpose-built Python payloads, and launches an orchestrator that exploits known CVEs and propagates in a worm-like fashion. Stolen credentials are encrypted and exfiltrated to attacker-controlled Telegram channels, and a secondary script harvests service keys from IMDS, Kubernetes service accounts, and Docker instances for a wide range of services including OpenAI and 1Password.
read more →