ciso brief

All news with #token theft tag

33 articles

Storm infostealer hijacks sessions, decrypts server-side

⚠️ A new infostealer dubbed Storm surfaced on underground marketplaces in early 2026, offering subscription-based credential and session theft for under $1,000 per month. Storm harvests browser passwords, session cookies, crypto wallets, autofill data, and app tokens, then uploads encrypted artifacts and performs server-side decryption to evade endpoint detection. The platform also automates cookie restoration using supplied Google refresh tokens and geographically matched SOCKS5 proxies, enabling silent session hijacking and persistent access to web services.

Investigating Storm-2755: Payroll pirate attacks in Canada

🔒 Microsoft Incident Response researchers detail a Storm-2755 campaign that used malvertising and SEO poisoning to phish Canadian users and capture OAuth tokens and credentials via adversary-in-the-middle (AiTM) proxying. The actor replayed tokens (notably using the Axios/1.7.9 user-agent) to hijack authenticated sessions and bypass non-phishing-resistant MFA. Compromised accounts were used to search for payroll and HR data, create hidden inbox rules, and in some cases directly modify Workday payment information, resulting in at least one confirmed payroll diversion. Microsoft urges immediate token revocation, removal of malicious inbox rules, and adoption of phishing-resistant MFA and device-based conditional access.

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly Mikrotik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

Device-code phishing attacks surge as kits spread online

🔐 Device-code phishing attacks that exploit the OAuth 2.0 Device Authorization Grant flow have surged sharply this year, driven by commodity phishing kits. Researchers report a 37.5x increase in detected pages and identify at least 11 kits, with the PhaaS offering EvilTokens the most prominent. These kits mimic legitimate SaaS flows, use anti-bot protections and cloud hosting, and trick victims into entering device codes that grant attackers valid access and refresh tokens. Security teams are advised to disable unused device-code flows and monitor authentication logs and sessions closely.

EvilTokens Abuses Microsoft Device-Code Flow for Takeovers

⚠️ Sekoia researchers uncovered a phishing-as-a-service toolkit named EvilTokens that abuses Microsoft's device code authentication flow to capture valid access tokens by tricking victims into entering device codes on official Microsoft login pages. The kit bundles phishing lures, AI-driven automation, inbox harvesting and post-compromise modules to weaponize access. Operators distribute the service through Telegram bots and channels, and Sekoia observed activity since at least mid-February targeting countries including the US, Australia, Canada, France, India, Switzerland and the UAE.

EvilTokens kit powers Microsoft device-code phishing

⚠️ EvilTokens is a commercially sold phishing kit that abuses the device code authorization flow to hijack Microsoft accounts and enable advanced BEC operations. Distributed via Telegram, campaigns deliver document lures with QR codes or links to phishing templates impersonating trusted services and workflows. Victims are prompted to authenticate on the real Microsoft device login, producing short-lived access tokens and refresh tokens that give attackers immediate and persistent access. Sekoia reported global campaigns and published IoCs and YARA rules; the kit's author says support for Gmail and Okta is planned.

Zero Trust: Bridging Authentication and Device Trust

🔒 The perimeter model has broken down as workforces go hybrid, and many Zero Trust deployments miss a key link between identity and session authorization. Specops Device Trust argues that authentication must be contextualized with real-time device posture checks to prevent token theft and session hijacking. Binding identity to a verified device and continuous monitoring lets organizations enforce dynamic, low-friction policies that reduce risk.

2026 Cloudflare Threat Report: Rise of High-Trust Attacks

🔍 The 2026 Cloudflare Threat Report from Cloudforce One documents a shift from brute-force intrusion toward high-trust exploitation, introducing a new metric: the Measure of Effectiveness (MOE). The report identifies eight trends — including AI-driven attack automation, token theft that neutralizes MFA, weaponized cloud tooling, and record-setting hyper-volumetric DDoS — that favor speed and throughput over sophistication. It urges organizations to adopt autonomous, real-time defenses and previews an upgraded automated threat-events command center to help harden the connective tissue of modern networks.

Fake Google Security PWA Steals OTPs, Wallets, Proxies

🔒 A phishing campaign impersonating Google directs victims to a malicious PWA on google-prism[.]com that harvests contacts, clipboard contents, GPS data, and one-time passcodes. The PWA leverages a service worker, Periodic Background Sync, and the WebOTP API while checking an /api/heartbeat endpoint for commands. It can act as an HTTP proxy via a WebSocket relay and uses push notifications to prompt users to reopen the app so it can access data. An optional Android APK escalates access with dozens of permissions and persistence mechanisms.

RoguePilot Flaw: Copilot in Codespaces Could Leak Tokens

🛡️ RoguePilot was a vulnerability in GitHub Codespaces that allowed GitHub Copilot to be manipulated via a crafted GitHub issue, enabling silent execution of hidden AI instructions and potential exfiltration of a privileged GITHUB_TOKEN. Orca Security researcher Roi Nisimi reported that an attacker could embed the prompt inside an HTML comment and direct Copilot to send the token to an external server. Microsoft patched the flaw after responsible disclosure. The disclosure underscores risks from AI-mediated prompt injection and urges better prompt handling, content sanitization, and least-privilege token practices.

OpenClaw token flaw enables one-click remote RCE exploit

🔒 A high-severity vulnerability (CVE-2026-25253, CVSS 8.8) in OpenClaw allowed a crafted link or webpage to exfiltrate a stored gateway token and enable one-click remote code execution. The Control UI trusted the gatewayUrl query parameter and auto-connected on load while the server failed to validate WebSocket Origin headers. The issue was patched in v2026.1.29 (Jan 30, 2026); users should upgrade immediately.

Chrome Extensions Inject Affiliate Tags, Steal Tokens

⚠️ Researchers discovered a coordinated network of malicious Google Chrome extensions that inject attacker affiliate tags into e-commerce links, scrape product data, and exfiltrate OpenAI ChatGPT authentication tokens. A cluster of 29 add-ons (including Amazon Ads Blocker) targeted Amazon, AliExpress, Best Buy, Shein, Shopify and Walmart. Separate groups intercepted ChatGPT tokens or abused permissions to harvest cookies and clipboard data. Experts warn these behaviors violate Chrome Web Store policies and urge caution when installing extensions requesting broad permissions or combining unrelated features.

Fake ChatGPT Chrome Extensions Steal Session Tokens

⚠️ Security researchers have found at least 16 malicious Chrome extensions posing as productivity tools for ChatGPT, designed to harvest users' authentication tokens and hijack sessions. Rather than exploiting ChatGPT itself, the extensions hook into the browser to intercept requests with authorization headers and exfiltrate session tokens to attacker-controlled servers. Researchers reported about 900 downloads across the set when discovered; users should remove suspicious extensions, change passwords, and review account access.

Five Chrome Extensions Hijack Enterprise Sessions, Target HR

🔒 Researchers at Socket uncovered a coordinated campaign in which five Chrome extensions, marketed as productivity tools, clandestinely stole session authentication tokens and enabled full account takeover. More than 2,300 users installed the malicious add-ons, which targeted enterprise HR and ERP platforms such as Workday, NetSuite and SuccessFactors. Some extensions exfiltrated cookies every 60 seconds, while others blocked admin and security pages to prevent incident response. Removal requests have been filed with the Chrome Web Store security team.

Open WebUI SSE Flaw Allows Malicious Model Server Takeover

⚠ Security researchers at Cato Networks disclosed CVE-2025-64496, a vulnerability in Open WebUI that lets external model servers inject JavaScript via Server-Sent Events (SSE) when the Direct Connections feature is enabled. An attacker controlling a malicious model endpoint can exfiltrate JSON Web Tokens (JWTs) from the browser, enabling account takeover and access to documents, chats, and embedded API keys. If the compromised account has Workspace Tools privileges, the session token can be used to execute authenticated Python code on the backend, leading to remote code execution. The flaw affects versions up to 0.6.34 and is fixed in 0.6.35; organizations are urged to update, implement HttpOnly cookies and strict CSPs, and ban dynamic code evaluation.

Trust Wallet Chrome Extension Exploit Drains $7M Patch Now

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.

Trust Wallet Chrome Extension Compromise Drains Millions

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.

Trust Wallet Extension Hack Led to $7M Crypto Theft

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.

NIST and CISA Draft Guidance to Protect Identity Tokens

🛡️ NIST and CISA released the initial draft of Interagency Report (IR) 8597, offering implementation guidance to protect identity tokens and assertions from forgery, theft, and misuse. The draft, open for public comment through January 30, 2026, targets federal agencies and cloud service providers. It reviews controls for IAM systems that rely on digitally signed tokens and calls on CSPs to adopt Secure by Design principles while prioritizing transparency, configurability, and interoperability. The report also urges agencies to understand CSP architectures and deployment models to align protections with their risk and threat environment.

ToddyCat toolkit pivots to Outlook and Microsoft tokens

🔒 Kaspersky researchers report that ToddyCat updated its toolkit in late 2024 and early 2025 to target Outlook email data and Microsoft 365 access via OAuth 2.0 tokens. Previously known for compromising internet-facing Microsoft Exchange servers, the group now uses a C++ utility, TCSectorCopy, to copy OST files and parses them with XstReader to read full email archives. When browser-based token extraction was blocked, attackers deployed ProcDump to dump tokens from Outlook memory. Kaspersky released IOCs and technical details to support detection and response.