All news with #secrets exposure tag

Spiderman phishing kit targets dozens of European banks

🕷️Spiderman is a newly observed phishing kit that replicates banking and cryptocurrency login flows to capture credentials, 2FA codes, credit card details, and wallet seed phrases. Researchers at Varonis report it targets customers across five European countries and major brands including Deutsche Bank, ING, CaixaBank, PayPal, and crypto wallets such as Ledger and Metamask. The kit’s modular control panel lets operators filter victims by country or device, intercept PhotoTAN and OTP codes in real time, export harvested data with one click, and redirect non-targeted visitors.

Gartner Urges Enterprises to Block AI Browsers Now

⚠️Gartner recommends blocking AI browsers such as ChatGPT Atlas and Perplexity Comet because they transmit active web content, open tabs, and browsing context to cloud services, creating risks of irreversible data loss. Analysts cite prompt-injection, credential exposure, and autonomous agent errors as primary threats. Organizations should block installations with existing network and endpoint controls and restrict any pilots to small, low-risk groups.

ClayRat Android Spyware Upgraded with Greater Control

🔒 A new version of the ClayRat Android spyware significantly expands surveillance and device-control features, researchers at Zimperium report. The campaign now pairs Default SMS privileges with aggressive abuse of Accessibility Services to enable a keylogger that captures PINs, passwords and unlock patterns, full-screen recording via the MediaProjection API, deceptive overlays and automated taps that hinder removal. Over 700 unique APKs and more than 25 active phishing domains — including impersonations of video platforms and car apps — have been observed distributing the malware.

Android FvncBot, SeedSnatcher, and ClayRat Upgrades Evolved

📱 Cybersecurity researchers disclosed two new Android malware families (FvncBot, SeedSnatcher) and an upgraded ClayRat with expanded data-theft features. Reported by Intel 471, CYFIRMA, and Zimperium, the samples abuse Android accessibility services and MediaProjection to harvest keystrokes, stream screens, install overlays, and exfiltrate credentials. FvncBot targets Polish banking users and implements HVNC, web-injects, and keylogging; SeedSnatcher focuses on stealing cryptocurrency seed phrases and 2FA via SMS interception. These threats enable persistent device takeover and credential theft.

AI Agents in CI/CD Can Be Tricked into Privileged Actions

⚠️ Researchers at Aikido Security discovered that AI agents embedded in CI/CD workflows can be manipulated to execute high-privilege commands by feeding user-controlled strings (issue bodies, PR descriptions, commit messages) directly into prompts. Workflows pairing GitHub Actions or GitLab CI/CD with tools like Gemini CLI, Claude Code, OpenAI Codex or GitHub AI Inference are at risk. The attack, dubbed PromptPwnd, can cause unintended repository edits, secret disclosure, or other high-impact actions; the researchers published detection rules and a free scanner to help teams remediate unsafe workflows.

Shai-Hulud 2.0 NPM malware exposed 400,000 developer secrets

🔒 Wiz researchers say the second Shai-Hulud NPM malware wave infected hundreds of packages and exposed roughly 400,000 raw secrets across some 30,000 GitHub repositories. Although TruffleHog verified about 10,000 secrets, Wiz found over 60% of leaked NPM tokens still valid as of Dec 1, leaving active credentials at risk. The payload propagated via the preinstall event (node setup_bun.js), affected over 800 package versions, and included a conditional destructive home-directory wipe. A small number of packages — notably @postman/tunnel-agent@0.6.7 and @asyncapi/specs@6.8.3 — represented the bulk of infections, indicating targeted mitigation could have sharply reduced impact.

Malicious Chrome and Edge Extensions Threaten Enterprises

🔍 Koi Security revealed a long-running surveillance campaign by an actor it calls 'ShadyPanda' that abused legitimate-seeming Chrome and Edge extensions to harvest browsing data, hijack search results, and deploy a backdoor enabling remote code execution. The group built trust by publishing useful extensions (including Clean Master) and then silently pushed malicious updates that bypassed marketplace re-approval. With an estimated 4.3 million infected browser instances, enterprises should treat browser extensions as high-risk assets and urgently audit and remediate add-ons on corporate and employee devices.

GlassWorm Returns: 24 Malicious Extensions Target Developers

🔍 The GlassWorm supply-chain campaign has resurfaced with 24 malicious extensions distributed across the Microsoft Visual Studio Marketplace and Open VSX, impersonating popular developer tools such as Flutter, React and Tailwind. Researchers say attackers inflated download counts and slipped malicious updates after initial approval to evade filters. Analysis found Rust-based implants that load platform-specific libraries (os.node and darwin.node) to fetch Solana-based C2 details and download encrypted JavaScript payloads, while a Google Calendar fallback is also used. Developers and repository maintainers are urged to audit installed extensions and review update histories.

Malicious npm Package Tries to Manipulate AI Scanners

⚠️ Security researchers disclosed that an npm package, eslint-plugin-unicorn-ts-2, embeds a deceptive prompt aimed at biasing AI-driven security scanners and also contains a post-install hook that exfiltrates environment variables. Uploaded in February 2024 by user "hamburgerisland", the trojanized library has been downloaded 18,988 times and remains available; the exfiltration was introduced in v1.1.3 and persists in v1.2.1. Analysts warn this blends familiar supply-chain abuse with deliberate attempts to evade LLM-based analysis.

Iran-linked MuddyWater Deploys MuddyViper Against Israel

🔒 ESET reports Iranian-aligned MuddyWater has deployed a previously undocumented backdoor named MuddyViper against Israeli organizations across academia, engineering, local government, manufacturing, technology, transportation, and utilities, as well as one Egyptian technology company. The intrusions began with spear-phishing PDFs and exploitation of VPN and remote-access vulnerabilities to deliver loaders called Fooder, which decrypt and execute the C/C++ backdoor or drop tunneling proxies and browser-data collectors. MuddyViper implements about 20 commands for reconnaissance, file transfer, command execution, and exfiltration of Windows credentials and browser data; several Fooder variants masquerade as the Snake game and use delayed execution to evade detection.

MuddyWater targets Israel with new Fooder and MuddyViper

🛡️ ESET researchers identified a MuddyWater campaign running from 30 September 2024 to 18 March 2025 that primarily targeted organizations in Israel and one confirmed technology victim in Egypt. Operators deployed newly observed custom tools — a reflective loader called Fooder and a C/C++ backdoor named MuddyViper — and abused RMM installers and reverse tunnels. The malware uses Windows CNG for AES-CBC encryption and communicates over HTTPS; operators deliberately minimized hands-on-keyboard activity to hinder detection.

OpenAI Data Exposed After Mixpanel Phishing Incident

🔒 OpenAI confirmed a customer data exposure after its analytics partner Mixpanel suffered a smishing attack on November 8, which allowed attackers to access profile metadata tied to platform.openai.com accounts. Stolen fields included names, email addresses, approximate location, OS/browser details, referrers, and organization or user IDs. OpenAI says ChatGPT and core systems were not breached and that no API keys, passwords, payment data, or model payloads were exposed. The company has terminated its use of Mixpanel and is notifying impacted customers directly.

Years of JSONFormatter and CodeBeautify Credentials Leak

🔒 New research from watchTowr Labs found over 80,000 files saved to online code-formatting tools, exposing thousands of passwords, API keys, repository tokens and other sensitive credentials across government, telecoms, finance, healthcare and critical infrastructure. The datasets comprise five years of JSONFormatter content and one year of CodeBeautify content (about 5GB), and both services used predictable, shareable URLs and a Recent Links page that made mass crawling trivial. Researchers uploaded decoy AWS keys that were abused within 48 hours, and both sites have temporarily disabled save functionality while implementing enhanced content-prevention measures.

FlexibleFerret macOS Campaign Uses Go-Based Backdoor

🦊 Jamf Threat Labs reports a macOS malware chain, named FlexibleFerret, that employs staged scripts, credential‑harvesting decoys and a persistent Go-based backdoor to maintain long-term access. The campaign uses a second-stage shell script that reconstructs download paths and fetches different payloads for arm64 and Intel systems, then unpacks and runs a loader while writing a LaunchAgent for persistence. A decoy app mimics Chrome permission prompts and a Chrome-style password window to steal credentials, which are exfiltrated via the legitimate Dropbox API. The final stage invokes a Golang backdoor, CDrivers, that provides remote command-and-control and extensive data-theft capabilities.

Opto 22 groov View: API exposes user API keys and metadata

🔒 CISA warns that Opto 22's groov View API exposes API keys and user metadata through a users endpoint that returns keys for all accounts to any principal with an Editor role. The issue affects groov View Server for Windows R1.0a–R4.5d and GRV‑EPIC‑PR1/PR2 firmware prior to 4.0.3. Successful exploitation could disclose credentials, reveal keys, and enable privilege escalation; Opto 22 has released patches and recommends upgrading to Server R4.5e and firmware 4.0.3 alongside network-level mitigations.

ToddyCat Tools Target Outlook, Steal M365 Tokens Now

🛡️ Kaspersky researchers report that the ToddyCat APT has evolved tactics to harvest corporate email and Microsoft 365 access tokens. Operators deployed a C++ utility, TCSectorCopy, to copy Outlook OST files sector-by-sector and then extract messages with XstReader. They also used SharpTokenFinder to enumerate and steal JWTs and, when blocked, relied on ProcDump to obtain Outlook memory dumps. PowerShell variants of TomBerBil were observed stealing browser cookies, credentials and DPAPI keys across network shares.

Shai-Hulud Worm Resurfaces, Infects Hundreds of npm Packages

🐛 Security teams have warned of a rapidly spreading secret-stealing worm, Shai-Hulud, that has resurfaced in the npm ecosystem and already infected hundreds of packages with tens of millions of downloads. First seen in September, attackers hijack developer accounts to publish trojanized packages that exfiltrate AWS keys and GitHub tokens to attacker-controlled repositories. Vendors including Wiz Security and Mondoo report explosive scaling—hundreds of new repos discovered every 30 minutes—and urge urgent dependency audits. Recommended mitigations include rotating credentials, disabling npm postinstall scripts in CI, enforcing MFA, pinning versions, and using tools like Safe-Chain to block malicious packages.

Shai-Hulud 2.0 Worm Spreads Through npm and GitHub

⚠️ Researchers at Wiz, JFrog and others are tracking a renewed campaign of the Shai‑Hulud credentials‑stealing worm spreading through the npm registry and GitHub. The new Shai‑Hulud 2.0 executes during the preinstall phase, exfiltrates developer and CI/CD secrets to randomized repositories, and injects malicious payloads into other packages. Widely used modules, including @asyncapi/specs, Zapier, Postman and others, have been compromised, prompting immediate remediation steps for affected developers and organizations.

Hidden Risks in DevOps Stacks and Data Protection Strategies

🔒 DevOps platforms like GitHub, GitLab, Bitbucket, and Azure DevOps accelerate development but also introduce data risks from misconfigurations, exposed credentials, and service outages. Under the SaaS shared responsibility model, customers retain liability for protecting repository data and must enforce MFA, RBAC, and tested backups. Third-party immutable backups and left-shifted security practices are recommended to mitigate ransomware, insider threats, and accidental deletions.

Eurofiber France reports ticketing-system data breach

🔒 Eurofiber France disclosed a cybersecurity incident after attackers exploited a vulnerability in its ticket management system and exfiltrated information. The company said the impact is limited to its French division, including the ATE portal and several regional sub-brands, and that banking details and other critical data on separate systems were not affected. Authorities (CNIL, ANSSI) were notified and an extortion report has been filed while investigations continue.