< ciso
brief />
Tag Banner

All news with #token theft tag

49 articles · page 2 of 3

EvilTokens Abuses Microsoft Device-Code Flow for Takeovers

⚠️ Sekoia researchers uncovered a phishing-as-a-service toolkit named EvilTokens that abuses Microsoft's device code authentication flow to capture valid access tokens by tricking victims into entering device codes on official Microsoft login pages. The kit bundles phishing lures, AI-driven automation, inbox harvesting and post-compromise modules to weaponize access. Operators distribute the service through Telegram bots and channels, and Sekoia observed activity since at least mid-February targeting countries including the US, Australia, Canada, France, India, Switzerland and the UAE.
read more →

EvilTokens kit powers Microsoft device-code phishing

⚠️ EvilTokens is a commercially sold phishing kit that abuses the device code authorization flow to hijack Microsoft accounts and enable advanced BEC operations. Distributed via Telegram, campaigns deliver document lures with QR codes or links to phishing templates impersonating trusted services and workflows. Victims are prompted to authenticate on the real Microsoft device login, producing short-lived access tokens and refresh tokens that give attackers immediate and persistent access. Sekoia reported global campaigns and published IoCs and YARA rules; the author says support for Gmail and Okta is planned.
read more →

Zero Trust: Bridging Authentication and Device Trust

🔒 The perimeter model has broken down as workforces go hybrid, and many Zero Trust deployments miss a key link between identity and session authorization. Specops Device Trust argues that authentication must be contextualized with real-time device posture checks to prevent token theft and session hijacking. Binding identity to a verified device and continuous monitoring lets organizations enforce dynamic, low-friction policies that reduce risk.
read more →

2026 Cloudflare Threat Report: Rise of High-Trust Attacks

🔍 The 2026 Cloudflare Threat Report from Cloudforce One documents a shift from brute-force intrusion toward high-trust exploitation, introducing a new metric: the Measure of Effectiveness (MOE). The report identifies eight trends — including AI-driven attack automation, token theft that neutralizes MFA, weaponized cloud tooling, and record-setting hyper-volumetric DDoS — that favor speed and throughput over sophistication. It urges organizations to adopt autonomous, real-time defenses and previews an upgraded automated threat-events command center to help harden the connective tissue of modern networks.
read more →

Fake Google Security PWA Steals OTPs, Wallets, Proxies

🔒 A phishing campaign impersonating Google directs victims to a malicious PWA on google-prism[.]com that harvests contacts, clipboard contents, GPS data, and one-time passcodes. The PWA leverages a service worker, Periodic Background Sync, and the WebOTP API while checking an /api/heartbeat endpoint for commands. It can act as an HTTP proxy via a WebSocket relay and uses push notifications to prompt users to reopen the app so it can access data. An optional Android APK escalates access with dozens of permissions and persistence mechanisms.
read more →

RoguePilot Flaw: Copilot in Codespaces Could Leak Tokens

🛡️ RoguePilot was a vulnerability in GitHub Codespaces that allowed GitHub Copilot to be manipulated via a crafted GitHub issue, enabling silent execution of hidden AI instructions and potential exfiltration of a privileged GITHUB_TOKEN. Orca Security researcher Roi Nisimi reported that an attacker could embed the prompt inside an HTML comment and direct Copilot to send the token to an external server. Microsoft patched the flaw after responsible disclosure. The disclosure underscores risks from AI-mediated prompt injection and urges better prompt handling, content sanitization, and least-privilege token practices.
read more →

OpenClaw token flaw enables one-click remote RCE exploit

🔒 A high-severity vulnerability (CVE-2026-25253, CVSS 8.8) in OpenClaw allowed a crafted link or webpage to exfiltrate a stored gateway token and enable one-click remote code execution. The Control UI trusted the gatewayUrl query parameter and auto-connected on load while the server failed to validate WebSocket Origin headers. The issue was patched in v2026.1.29 (Jan 30, 2026); users should upgrade immediately.
read more →

Chrome Extensions Inject Affiliate Tags, Steal Tokens

⚠️Researchers discovered a coordinated network of malicious Google Chrome extensions that inject attacker affiliate tags into e-commerce links, scrape product data, and exfiltrate OpenAI ChatGPT authentication tokens. A cluster of 29 add-ons (including Amazon Ads Blocker) targeted Amazon, AliExpress, Best Buy, Shein, Shopify and Walmart. Separate groups intercepted ChatGPT tokens or abused permissions to harvest cookies and clipboard data. Experts warn these behaviors violate Chrome Web Store policies and urge caution when installing extensions requesting broad permissions or combining unrelated features.
read more →

Fake ChatGPT Chrome Extensions Steal Session Tokens

⚠️ Security researchers have found at least 16 malicious Chrome extensions posing as productivity tools for ChatGPT, designed to harvest users' authentication tokens and hijack sessions. Rather than exploiting ChatGPT itself, the extensions hook into the browser to intercept requests with authorization headers and exfiltrate session tokens to attacker-controlled servers. Researchers reported about 900 downloads across the set when discovered; users should remove suspicious extensions, change passwords, and review account access.
read more →

Five Chrome Extensions Hijack Enterprise Sessions, Target HR

🔒 Researchers at Socket uncovered a coordinated campaign in which five Chrome extensions, marketed as productivity tools, clandestinely stole session authentication tokens and enabled full account takeover. More than 2,300 users installed the malicious add-ons, which targeted enterprise HR and ERP platforms such as Workday, NetSuite and SuccessFactors. Some extensions exfiltrated cookies every 60 seconds, while others blocked admin and security pages to prevent incident response. Removal requests have been filed with the Chrome Web Store security team.
read more →

Open WebUI SSE Flaw Allows Malicious Model Server Takeover

⚠ Security researchers at Cato Networks disclosed CVE-2025-64496, a vulnerability in Open WebUI that lets external model servers inject JavaScript via Server-Sent Events (SSE) when the Direct Connections feature is enabled. An attacker controlling a malicious model endpoint can exfiltrate JSON Web Tokens (JWTs) from the browser, enabling account takeover and access to documents, chats, and embedded API keys. If the compromised account has Workspace Tools privileges, the session token can be used to execute authenticated Python code on the backend, leading to remote code execution. The flaw affects versions up to 0.6.34 and is fixed in 0.6.35; organizations are urged to update and implement HttpOnly cookies, strict CSPs, and ban dynamic code evaluation.
read more →

Trust Wallet Chrome Extension Exploit Drains $7M Patch Now

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.
read more →

Trust Wallet Extension Hack Led to $7M Crypto Theft

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.
read more →

Trust Wallet Chrome Extension Compromise Drains Millions

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.
read more →

NIST and CISA Draft Guidance to Protect Identity Tokens

🛡️ NIST and CISA released the initial draft of Interagency Report (IR) 8597, offering implementation guidance to protect identity tokens and assertions from forgery, theft, and misuse. The draft, open for public comment through January 30, 2026, targets federal agencies and cloud service providers. It reviews controls for IAM systems that rely on digitally signed tokens and calls on CSPs to adopt Secure by Design principles while prioritizing transparency, configurability, and interoperability. The report also urges agencies to understand CSP architectures and deployment models to align protections with their risk and threat environment.
read more →

ToddyCat toolkit pivots to Outlook and Microsoft tokens

🔒 Kaspersky researchers report that ToddyCat updated its toolkit in late 2024 and early 2025 to target Outlook email data and Microsoft 365 access via OAuth 2.0 tokens. Previously known for compromising internet-facing Microsoft Exchange servers, the group now uses a C++ utility, TCSectorCopy, to copy OST files and parses them with XstReader to read full email archives. When browser-based token extraction was blocked, attackers deployed ProcDump to dump tokens from Outlook memory. Kaspersky released IOCs and technical details to support detection and response.
read more →

ToddyCat APT Targets Outlook Archives and M365 Tokens

🔒 Kaspersky Labs reports that the ToddyCat APT refined its toolkit in late 2024 and early 2025 to harvest Outlook offline archives and Microsoft 365 OAuth tokens in addition to browser credentials. New PowerShell and C++ components — notably TomBerBill and TCSectorCopy — copy browser artifacts and sector‑level OST files while attackers also attempt in‑memory token grabs from Outlook processes to maintain persistent access.
read more →

ToddyCat Tools Target Outlook, Steal M365 Tokens Now

🛡️ Kaspersky researchers report that the ToddyCat APT has evolved tactics to harvest corporate email and Microsoft 365 access tokens. Operators deployed a C++ utility, TCSectorCopy, to copy Outlook OST files sector-by-sector and then extract messages with XstReader. They also used SharpTokenFinder to enumerate and steal JWTs and, when blocked, relied on ProcDump to obtain Outlook memory dumps. PowerShell variants of TomBerBil were observed stealing browser cookies, credentials and DPAPI keys across network shares.
read more →

Token Theft Fuels SaaS Breaches — Security Teams Must Act

🔐 Token theft is now a primary vector for SaaS breaches, with stolen OAuth, API keys, and session tokens enabling attackers to bypass MFA and access integrated services. High-profile incidents from 2023 to 2025 show how a single unrotated token can compromise code, secrets, or customer data across platforms. Teams should prioritize discovery, continuous monitoring, and strict token hygiene—rotation, least-privilege scopes, approval workflows, and prompt revocation.
read more →

Defend the Target, Not Just the Door: Google Workspace

🛡️ Modern cloud work lives across email, files, chat, and a mesh of integrations, and attackers increasingly exploit trusted OAuth grants rather than compromising accounts directly. In early August the actor behind recent Salesforce intrusions used stolen Drift email tokens to access a small set of Google Workspace mailboxes; Google revoked the tokens and disabled the integration on August 9. Material Security advocates shifting from perimeter-only defenses to content-centric controls such as message-level MFA, OAuth governance, and automated containment to make stolen tokens far less damaging.
read more →