< ciso
brief />
Tag Banner

All news with #infostealer tag

369 articles · page 4 of 19

World Password Day 2026: Why Passwords No Longer Protect

🔐 The World Password Day 2026 post contends that conventional password guidance is now inadequate: a 16-character secret can be lifted by infostealer malware from browser caches or exposed when employees paste credentials into unmanaged AI chatbots. It exposes a global, commoditized underground on platforms like Telegram where harvested credentials are bought and sold. The article warns organizations that passwords alone cannot prevent account takeover and urges layered technical and policy controls.
read more →

ThreatsDay: Stealers, AI-Powered Exploits, and Patching

⚠️ ThreatsDay reports a mix of blunt‑force commodity attacks and high‑impact technical flaws this week. A new MicroStealer campaign is targeting education and telecom organizations, exfiltrating browser credentials, active sessions and wallets via Discord webhooks and attacker servers. Researchers disclosed critical ICS and MOVEit vulnerabilities while analysis shows the VECT 2.0 ransomware encryptor is broken. Browsers and AI are accelerating risk vectors — patch and verify installs urgently.
read more →

ClickFix macOS Campaign Uses Terminal, Delivers Infostealers

🔐 Microsoft describes an evolving ClickFix campaign targeting macOS users by hosting Base64-encoded instructions on blogs and content platforms to trick victims into running Terminal commands. Those one-line commands leverage native utilities (curl, osascript, Base64/Gzip) to fetch and execute infostealers such as Macsync, SHub, and AMOS largely in memory, bypassing Gatekeeper. The malware harvests Keychain entries, iCloud data, browser credentials, media files, and cryptocurrency wallets, and has in some cases replaced legitimate wallet apps with trojanized versions. Organizations should monitor command-line activity and enable EDR/XDR protections and Defender cloud features.
read more →

VoidStealer Bypasses Chrome App-Bound Encryption Exploit

🔓 Researchers found that a new infostealer, VoidStealer, can bypass Chrome’s App-Bound Encryption by attaching to the browser process as a debugger and setting breakpoints at decryption routines. At the moment the browser decrypts data, the malware reads the master key directly from memory, enabling theft of session cookies and other secrets. The technique affects other Chromium-based browsers and is available as malware-as-a-service, increasing its reach. Users should combine secure practices and endpoint defenses rather than rely solely on built-in protections.
read more →

PyTorch Lightning PyPI Release Backdoored with Stealer

⚠️A malicious PyTorch Lightning package (lightning==2.6.3) published to PyPI contained a hidden execution chain that triggers on import and silently spawns a background process. That process downloads the Bun JavaScript runtime (v1.3.13) and runs an 11.4 MB heavily obfuscated payload detected by Microsoft Defender as ShaiWorm. The payload steals .env files, API keys, GitHub tokens, and credentials from Chrome, Firefox, and Brave, and can query cloud APIs; Lightning AI reverted PyPI to 2.6.1 and urges immediate rotation of secrets.
read more →

High-Risk GenAI Browser Extensions Targeting Users

🛡️ Unit 42 identified 18 malicious browser extensions posing as GenAI productivity tools that deliver RATs, infostealers and MitM capabilities. These extensions intercept prompts, exfiltrate credentials and proxy HTTPS responses, often using AI-generated code to accelerate development. Organizations should restrict extensions, scrutinize permissions and treat browsers as critical attack surfaces. Google removed or warned developers after disclosure.
read more →

PyTorch Lightning PyPI Compromise Pushes Malicious Releases

⚠️ A supply chain attack delivered two malicious PyPI releases of PyTorch Lightning (versions 2.6.2 and 2.6.3) published on April 30, 2026; the packages execute automatically on import to harvest credentials. The malicious build hides a _runtime directory with a downloader that fetches the Bun JavaScript runtime and runs an obfuscated 11MB payload that validates GitHub tokens against the api.github[.]com/user endpoint and injects worm-like commits across writable branches. The threat also tampers with local npm packages by adding postinstall hooks, incrementing patch versions, repacking .tgz files, and enabling accidental republishing back to npm. PyPI has quarantined the project; maintainers are investigating, and users should block the affected releases, downgrade to 2.6.1, and rotate any exposed credentials.
read more →

Three Arrested Over Hacking of 610,000 Roblox Accounts

🔒 Ukrainian authorities have arrested three suspects accused of compromising more than 610,000 accounts on the online gaming platform Roblox. Investigators say the group used social engineering lures that delivered infostealer malware to harvest usernames, passwords and authentication tokens, then assessed accounts for rare items and Robux. At least 357 high‑value accounts were identified and sold on Russian websites for cryptocurrency, reportedly generating over $225,000. Searches at ten properties recovered computers, storage devices, mobile phones, bank cards, handwritten notes and cash; analysis is ongoing and the suspects face up to 15 years if convicted.
read more →

Three Arrested Over Sale of 610,000 Stolen Roblox Accounts

🚨 Ukrainian police arrested three individuals accused of hacking and selling over 610,000 Roblox accounts, reportedly generating about $225,000 in proceeds. The Lviv authorities executed ten searches, seizing $35,000 in cash and multiple devices including 37 mobile phones, 11 desktop PCs, seven laptops, five tablets, and four USB drives. Prosecutors say the suspects — aged 19, 21, and 22 — used info‑stealing malware disguised as a game-enhancer, harvested credentials, categorized accounts by value, and sold high‑value profiles via a Russian website and closed online communities.
read more →

KELA: 2.9 Billion Compromised Credentials Tracked in 2025

🔒 KELA's 2026 report reveals nearly 2.9 billion compromised credentials traced worldwide in 2025, including usernames, passwords, session tokens and cookies sourced from ULP lists, breached email repositories and marketplaces. At least 347 million were obtained by infostealers operating on about 3.9 million infected machines, driven by a surge in macOS infections. The firm warns that AI-driven, autonomous attack workflows and increasing vulnerability weaponization are escalating risk for organizations.
read more →

LofyGang Returns Targeting Minecraft with LofyStealer

🛡️ A Brazil-based cybercrime group known as LofyGang has resurfaced after more than three years, deploying a new infostealer called LofyStealer (aka GrabBot) that specifically targets Minecraft players. The malware is disguised as a game cheat called 'Slinky' and uses a JavaScript loader to drop and execute chromelevator.exe in memory to harvest browser data. It captures cookies, passwords, tokens, payment cards and IBANs across multiple browsers and exfiltrates them to a C2 at 24.152.36[.]241. ZenoX highlights a strategic shift to a malware-as-a-service model with free and premium tiers and warns that attackers are increasingly abusing GitHub, SEO-poisoned lures and other trusted platforms to distribute malicious payloads.
read more →

Phishing Crypto-Wallet Clones on iOS and macOS Platforms

🔒 Kaspersky researchers discovered a campaign that placed 26 fake crypto-wallet apps in the Chinese App Store, impersonating popular wallets and using benign features to pass review. The malicious apps direct users to phishing pages that prompt installation of a provisioning profile, enabling sideloaded, trojanized wallet builds that request seed phrases. On macOS, infostealers like MacSync use ClickFix lures and can patch legitimate wallet apps to display fake recovery dialogs. The report includes concrete mitigation steps to protect seed phrases and devices.
read more →

Popular PyPI package hacked to push secrets-stealer

🚨 Malicious release v0.23.3 of the elementary-data PyPI package was published after an attacker exploited a GitHub Actions script-injection flaw in the project's workflow. The tainted package and its Docker image silently installed an elementary.pth-based loader that exfiltrated SSH keys, cloud credentials, developer tokens and cryptocurrency wallets. A clean v0.23.4 was released, but users who pulled the compromised artifacts must rotate secrets and remediate affected environments.
read more →

Bitwarden CLI npm Package Compromised to Steal Keys

🔒 The Bitwarden CLI @bitwarden/cli npm package was briefly compromised when attackers published a malicious v2026.4.0 release on April 22, 2026. The injected payload harvested developer secrets — including npm and GitHub tokens, SSH keys, and cloud credentials — and contained self‑propagation capability to infect other packages. Bitwarden confirmed only the npm distribution channel was affected, found no evidence of vault or production data access, revoked compromised access, deprecated the release, and initiated remediation; affected developers should rotate exposed credentials.
read more →

Supply Chain Breach Compromises Checkmarx KICS Artifacts

🔐 Checkmarx's KICS Docker images and VS Code/Open VSX extensions were trojanized to harvest developer secrets. Dependency security firm Socket investigated after Docker alerted them to malicious images pushed to the official checkmarx/kics repository and found an embedded MCP addon that downloaded a credential-stealing module (mcpAddon.js). The malware targeted GitHub tokens, cloud credentials, npm tokens, SSH keys, Claude configs and environment variables, encrypting and exfiltrating them to audit.checkmarx.cx while creating public GitHub repositories to receive stolen data. Checkmarx removed the artifacts, rotated exposed credentials and advised developers to rotate secrets, pin image SHAs and rebuild from trusted sources.
read more →

Trojanized NFC Relay App Used to Steal Card Data in Brazil

💳 Cybercriminals have trojanized an Android NFC-relay application to capture contactless payment data and PINs, enabling cloning of cards and remote ATM cash-outs. ESET researchers report a new NGate malware variant was injected into the HandyPay app and distributed via a fake lottery site and a spoofed Google Play page targeting Android users in Brazil since November 2025. Traces in the injected code, including emoji markers in debug logs, led researchers to suspect use of generative AI, and ESET has published indicators and a MITRE ATT&CK mapping to aid detection.
read more →

Trojanized Android App Enables New NFC Payment Fraud

📱 ESET has identified a new NGate variant that uses a trojanized version of the legitimate HandyPay NFC relay app to harvest payment card data and PINs. Distributed since November 2025 and focused on Brazil, the malicious app relays tapped NFC data to attacker-controlled devices to facilitate contactless fraud and ATM withdrawals. It requires minimal permissions by leveraging its role as the default payment application, helping it evade detection.
read more →

NGate Android Campaign Trojans HandyPay to Steal NFC

🔒 ESET researchers uncovered a NGate Android campaign that trojanized the HandyPay NFC relay app to steal contactless card data and capture PINs for fraudulent ATM withdrawals. The poisoned app, spread via fake Rio de Prêmios sites and a deceptive Play Store listing, asks to be set as the default payment app and prompts users to enter their card PIN before tapping their card. Artifacts including emoji-laden debug messages suggest parts of the injected code may have been generated or modified with a large language model.
read more →

NGate Android Malware Hides in Trojans of HandyPay App

🔒 A new NGate variant is delivered inside a trojanized version of HandyPay, a legitimate NFC payments app, to steal payment card data from Android devices. Researchers at ESET say the campaign has been active since November 2025 and primarily targets users in Brazil, using fake Google Play pages and a malicious APK distribution chain. The trojan asks victims to set it as the default NFC payment app, collect card PINs and card taps, and exfiltrates data via a hardcoded email address.
read more →

New NGate Variant Trojans HandyPay to Steal NFC Data

🔒 ESET researchers discovered a new NGate malware variant that trojanized the legitimate HandyPay Android NFC-relay app, with injected code displaying artifacts consistent with GenAI-assisted development. The patched app silently forwards NFC payment card data and captures payment card PINs, exfiltrating them to attacker-controlled C&C infrastructure to enable contactless ATM cash-outs and unauthorized payments. Distribution targeted Android users in Brazil since November 2025 via a fake Rio de Prêmios lottery site and a counterfeit Google Play page; both samples were served from the same domain, indicating a single operator. ESET notified Google and the HandyPay developer; known samples are detected by Google Play Protect and ESET.
read more →