All news with #token theft tag

⚠️Researchers discovered a coordinated network of malicious Google Chrome extensions that inject attacker affiliate tags into e-commerce links, scrape product data, and exfiltrate OpenAI ChatGPT authentication tokens. A cluster of 29 add-ons (including Amazon Ads Blocker) targeted Amazon, AliExpress, Best Buy, Shein, Shopify and Walmart. Separate groups intercepted ChatGPT tokens or abused permissions to harvest cookies and clipboard data. Experts warn these behaviors violate Chrome Web Store policies and urge caution when installing extensions requesting broad permissions or combining unrelated features.

⚠️ Security researchers have found at least 16 malicious Chrome extensions posing as productivity tools for ChatGPT, designed to harvest users' authentication tokens and hijack sessions. Rather than exploiting ChatGPT itself, the extensions hook into the browser to intercept requests with authorization headers and exfiltrate session tokens to attacker-controlled servers. Researchers reported about 900 downloads across the set when discovered; users should remove suspicious extensions, change passwords, and review account access.

🔒 Researchers at Socket uncovered a coordinated campaign in which five Chrome extensions, marketed as productivity tools, clandestinely stole session authentication tokens and enabled full account takeover. More than 2,300 users installed the malicious add-ons, which targeted enterprise HR and ERP platforms such as Workday, NetSuite and SuccessFactors. Some extensions exfiltrated cookies every 60 seconds, while others blocked admin and security pages to prevent incident response. Removal requests have been filed with the Chrome Web Store security team.

⚠ Security researchers at Cato Networks disclosed CVE-2025-64496, a vulnerability in Open WebUI that lets external model servers inject JavaScript via Server-Sent Events (SSE) when the Direct Connections feature is enabled. An attacker controlling a malicious model endpoint can exfiltrate JSON Web Tokens (JWTs) from the browser, enabling account takeover and access to documents, chats, and embedded API keys. If the compromised account has Workspace Tools privileges, the session token can be used to execute authenticated Python code on the backend, leading to remote code execution. The flaw affects versions up to 0.6.34 and is fixed in 0.6.35; organizations are urged to update and implement HttpOnly cookies, strict CSPs, and ban dynamic code evaluation.

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.

🛡️ NIST and CISA released the initial draft of Interagency Report (IR) 8597, offering implementation guidance to protect identity tokens and assertions from forgery, theft, and misuse. The draft, open for public comment through January 30, 2026, targets federal agencies and cloud service providers. It reviews controls for IAM systems that rely on digitally signed tokens and calls on CSPs to adopt Secure by Design principles while prioritizing transparency, configurability, and interoperability. The report also urges agencies to understand CSP architectures and deployment models to align protections with their risk and threat environment.

🔒 Kaspersky researchers report that ToddyCat updated its toolkit in late 2024 and early 2025 to target Outlook email data and Microsoft 365 access via OAuth 2.0 tokens. Previously known for compromising internet-facing Microsoft Exchange servers, the group now uses a C++ utility, TCSectorCopy, to copy OST files and parses them with XstReader to read full email archives. When browser-based token extraction was blocked, attackers deployed ProcDump to dump tokens from Outlook memory. Kaspersky released IOCs and technical details to support detection and response.

🔒 Kaspersky Labs reports that the ToddyCat APT refined its toolkit in late 2024 and early 2025 to harvest Outlook offline archives and Microsoft 365 OAuth tokens in addition to browser credentials. New PowerShell and C++ components — notably TomBerBill and TCSectorCopy — copy browser artifacts and sector‑level OST files while attackers also attempt in‑memory token grabs from Outlook processes to maintain persistent access.

🛡️ Kaspersky researchers report that the ToddyCat APT has evolved tactics to harvest corporate email and Microsoft 365 access tokens. Operators deployed a C++ utility, TCSectorCopy, to copy Outlook OST files sector-by-sector and then extract messages with XstReader. They also used SharpTokenFinder to enumerate and steal JWTs and, when blocked, relied on ProcDump to obtain Outlook memory dumps. PowerShell variants of TomBerBil were observed stealing browser cookies, credentials and DPAPI keys across network shares.

🔐 Token theft is now a primary vector for SaaS breaches, with stolen OAuth, API keys, and session tokens enabling attackers to bypass MFA and access integrated services. High-profile incidents from 2023 to 2025 show how a single unrotated token can compromise code, secrets, or customer data across platforms. Teams should prioritize discovery, continuous monitoring, and strict token hygiene—rotation, least-privilege scopes, approval workflows, and prompt revocation.

🛡️ Modern cloud work lives across email, files, chat, and a mesh of integrations, and attackers increasingly exploit trusted OAuth grants rather than compromising accounts directly. In early August the actor behind recent Salesforce intrusions used stolen Drift email tokens to access a small set of Google Workspace mailboxes; Google revoked the tokens and disabled the integration on August 9. Material Security advocates shifting from perimeter-only defenses to content-centric controls such as message-level MFA, OAuth governance, and automated containment to make stolen tokens far less damaging.

🔒 A critical token validation flaw in Microsoft Entra ID could permit full tenant compromise by abusing undocumented, unsigned actor tokens issued by a legacy Access Control Service. Researcher Dirk-jan Mollema showed that when paired with a vulnerability in the deprecated Azure AD Graph API (CVE-2025-55241) those tokens could impersonate any user — including Global Administrators — across tenants without leaving tenant logs. Microsoft confirmed a fix after the July report and later patched the CVE.

🔒 Researchers disclosed a max-severity vulnerability in Microsoft Entra ID that allowed attackers to request and reuse internal Actor tokens to impersonate any user, including Global Administrators, across tenants. The issue stemmed from a legacy Azure AD Graph API that failed to validate the originating tenant, enabling cross-tenant impersonation without triggering MFA, Conditional Access, or audit logs. Microsoft patched the flaw, tracked as CVE-2025-55241, and rolled a global fix but experts warn that lack of historical visibility leaves uncertainty about past exploitation.

🔐 The Python Software Foundation has invalidated PyPI publishing tokens that were exfiltrated during the early-September GhostAction supply chain attack. GitGuardian first reported malicious GitHub Actions workflows attempting to steal secrets, and PyPI found no evidence that the stolen tokens were used to publish malware. Affected maintainers were contacted and advised to rotate credentials and adopt short-lived Trusted Publishers tokens for GitHub Actions. PyPI also recommended reviewing account security history for suspicious activity.

🔒 On September 29 at 12:00 PM ET, BleepingComputer and SC Media will host a live webinar featuring browser security experts from Push Security to examine how modern web browsers have become a primary enterprise attack surface. The session will cover malicious and shadow extensions, session token theft, OAuth abuse, and emerging ClickFix and FileFix techniques, plus mitigation strategies. Attendees will learn practical detection and response approaches to protect SaaS sessions, restore visibility at the web edge, and close gaps missed by traditional endpoint and identity controls.

🔐 This Unit 42 report describes how compromised OAuth tokens in third‑party integrations create severe supply‑chain exposure, using recent incidents as examples. It highlights three recurring weaknesses: dormant integrations, insecure token storage and long‑lived credentials, and explains how attackers exploit these to exfiltrate data and pivot. The authors recommend token posture management, encrypted secret storage and centralized runtime monitoring to detect and revoke abused tokens quickly.

🔐 Cybercriminals increasingly target corporate credentials, authentication tokens and session cookies to bypass MFA and impersonate legitimate users. Stolen credentials accounted for a large share of recent breaches and estimates indicate billions of credentials were exposed in 2024. Organizations can reduce risk with Zero Trust, robust MFA, realistic training and continuous behavioral monitoring to detect suspicious sessions.

🔐 The mass theft of authentication tokens from Salesloft’s Drift chatbot has exposed integrations across hundreds of customers, according to Google. Attackers stole valid tokens for services including Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI. GTIG said the campaign, tracked as UNC6395, siphoned large amounts of Salesforce data and searched the haul for credentials such as AWS keys, VPN logins and Snowflake access. Customers were urged to immediately invalidate and reauthenticate all Salesloft-connected tokens while Salesloft and incident responders investigate.