BrewedIntel Malware

FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

Arctic Wolf Labs — Wed, 27 May 2026 18:23:19 GMT

AI Summary

Arctic Wolf reports active exploitation of CVE-2026-35616 in FortiClient EMS to deploy EKZ Infostealer, a credential-stealing malware. The campaign abuses trusted endpoint management infrastructure to push the payload as a fake Fortinet patch. Execution is achieved via PowerShell, silently running the malicious executable. This infostealer collects credentials, posing a significant risk of lateral movement and privilege escalation. Organizations using FortiClient EMS should consider it compromised if unpatched and monitor for anomalous PowerShell activity.

Why do I care?

Exploitation of FortiClient EMS can lead to widespread credential theft across managed endpoints, compromising domain credentials and enabling lateral movement.

What can I do about it?

Apply the latest FortiClient EMS patches, monitor for suspicious PowerShell activity, and enforce application control to block unauthorized executables.

Classification

Vulnerability, High Severity, Credential Theft, Exploit

Source

Source feed: Arctic Wolf Labs | Original source

Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 16:10:21 GMT

AI Summary

Grandoreiro and BTMOB banking trojan campaigns are targeting Windows and Android users in Latin America and Europe, according to WatchGuard and ESET. The campaigns focus on companies in Spain, Portugal, Mexico, and mobile users in Brazil. These malware families aim to steal financial credentials and sensitive data. Users and organizations should employ robust security solutions, exercise caution with email attachments and links, and keep systems updated to mitigate the risk of infection.

Why do I care?

These campaigns pose a significant threat to financial data and operational integrity, specifically targeting businesses and mobile users in key regions.

What can I do about it?

Implement email filtering to block phishing, deploy endpoint protection with anti-malware capabilities, and educate users about social engineering tactics used by these banking trojans.

Classification

Malware, High Severity, Banking Trojan, RAT

Source

Source feed: The Hacker News | Original source

Malicious npm Package Stole Files From Claude AI User Directory via GitHub

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 15:44:29 GMT

AI Summary

A malicious npm package named 'mouse5212-super-formatter' has been discovered targeting Anthropic's Claude AI tool. The package steals files from the '/mnt/user-data' directory, which Claude uses for uploads and outputs. This poses a significant risk to developers and organizations using Claude, as sensitive data could be exfiltrated. The attack vector is a supply chain compromise via the npm registry. Mitigation includes auditing npm dependencies, using package integrity checks, and monitoring for suspicious package behaviors. Users should verify the authenticity of packages before installation and consider using security tools to scan for malicious code.

Why do I care?

This package can exfiltrate sensitive data from Claude AI interactions, potentially exposing confidential business information or intellectual property.

What can I do about it?

Immediately review npm dependencies for any use of 'mouse5212-super-formatter' and similar packages. Implement strict package review policies and use automated security scanners in your CI/CD pipeline.

Classification

Malware, High Severity, Information Stealer, Supply Chain Attack

Source

Source feed: The Hacker News | Original source

Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

Benjamin Read — Wed, 27 May 2026 13:52:45 GMT

AI Summary

The threat actor JINX-0164 uses LinkedIn social engineering to deliver custom macOS malware to employees of cryptocurrency organizations. This malware facilitates CI/CD pipeline hijacking, enabling the actor to inject malicious code, exfiltrate sensitive data, and compromise the software supply chain. The impact includes unauthorized access to private keys, manipulation of blockchain applications, and potential financial theft. Affected organizations face reputational damage and regulatory scrutiny. Mitigation requires robust security awareness training on social engineering, multi-factor authentication, strict access controls for CI/CD systems, and endpoint detection on macOS devices to detect and respond to the custom malware.

Why do I care?

This targeted threat actor specifically attacks cryptocurrency firms' software development infrastructure, using social engineering and custom macOS malware to hijack CI/CD pipelines, which can lead to supply chain compromise and financial loss.

What can I do about it?

Enforce strong authentication and access controls for CI/CD pipelines, conduct regular security awareness training focused on LinkedIn and other professional networking platforms, and monitor macOS endpoints for anomalous processes or network connections indicative of the custom malware.

Classification

Malware, High Severity, Spear Phishing, Supply Chain Compromise

Source

Source feed: Wiz Security Research | Original source

Glassworm botnet disrupted after resilient C2 infrastructure takedown

Ionut Ilascu — Wed, 27 May 2026 13:28:42 GMT

AI Summary

The Glassworm botnet, targeting developers through software supply-chain attacks, has been disrupted after researchers dismantled its resilient command-and-control infrastructure. The botnet used Solana blockchain transactions and the BitTorrent DHT network for C2 communications, making takedown efforts challenging. The disruption is significant as it prevents further compromise of development environments and potential downstream attacks. Mitigation for organizations includes reviewing software supply chain dependencies and monitoring for unusual blockchain-based communications.

Why do I care?

This botnet specifically targets developers via supply-chain attacks, threatening the integrity of software development pipelines and potentially leading to widespread compromise.

What can I do about it?

Enhance monitoring for anomalous network traffic to blockchain and P2P services, and implement strict software supply-chain verification controls, such as code signing and dependency scanning.

Classification

Malware, High Severity, Botnet, Supply-chain attack

Source

Source feed: Bleeping Computer | Original source

FBI warns of in-person data theft attacks from extortion gang

Sergiu Gatlan — Wed, 27 May 2026 11:51:12 GMT

AI Summary

The FBI warns that the Silent Ransom Group (SRG) is conducting in-person data theft attacks against US law firms. These attacks involve physical intrusion to steal sensitive client data, which is then used for extortion. The group's tactics mark a shift from traditional cyber attacks, escalating physical risks. Organizations must secure premises and enforce strict access controls, while legal firms should implement data encryption and offline backups to mitigate potential ransomware and extortion incidents.

Why do I care?

This extortion gang is bypassing network defenses by physically stealing data, putting your organization at risk of exposure and ransom demands.

What can I do about it?

Enhance physical security measures (e.g., access controls, surveillance) and ensure critical data is encrypted and backed up offline.

Classification

Malware, High Severity, Data Theft, Ransomware

Source

Source feed: Bleeping Computer | Original source

GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 11:48:37 GMT

AI Summary

In a coordinated effort, CrowdStrike, Google, and the Shadowserver Foundation disrupted all command-and-control channels of GlassWorm, a malware campaign targeting software developers since early 2025. The campaign used malicious packages and extensions to compromise developer environments, potentially leading to supply chain attacks. The takedown prevents further communication with compromised systems, limiting the threat's impact. Developers and organizations should review their software supply chain security and monitor for indicators of compromise associated with GlassWorm.

Why do I care?

This campaign specifically targets software developers, aiming to compromise the software supply chain and potentially affect downstream users.

What can I do about it?

Implement strict package validation, monitor for suspicious extensions, and apply principles of least privilege to development environments.

Classification

Malware, High Severity, Supply Chain Attack

Source

Source feed: The Hacker News | Original source

GlassWorm Botnet Disrupted

Ionut Arghire — Wed, 27 May 2026 10:10:00 GMT

AI Summary

Security firms successfully disrupted the GlassWorm botnet by taking down all four of its command-and-control (C&C) channels. This action mitigates the threat posed by the GlassWorm malware, which previously used these channels to coordinate infected devices. The takedown significantly reduces the botnet's ability to receive commands and exfiltrate data. Organizations should ensure their systems are not compromised by remaining vigilant for signs of infection, though the immediate risk has been lowered. The collaborative effort between security firms demonstrates effective disruption of botnet infrastructure.

Classification

Malware, Medium Severity, Botnet

Source

Source feed: SecurityWeek | Original source

FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data

Ionut Arghire — Wed, 27 May 2026 08:33:34 GMT

AI Summary

The FBI has issued an alert warning that the Silent Ransom Group is targeting law firms by sending operatives in person to physically insert USB drives into systems to steal data. This novel tactic bypasses traditional digital defenses and poses a significant threat, as it combines physical access with ransomware and data theft. Law firms, holding sensitive client information, are at high risk. Organizations must be vigilant against USB-based attacks and implement stringent physical security measures.

Why do I care?

Attackers are using physical delivery of USB drives to gain network access, circumventing standard cybersecurity controls and increasing the risk of data breach and ransomware infection.

What can I do about it?

Enforce strict policies against the use of unknown USB devices, educate employees on the risks, and deploy endpoint detection tools that monitor for malicious USB activity.

Classification

Malware, High Severity, Ransomware

Source

Source feed: SecurityWeek | Original source

AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 07:45:52 GMT

AI Summary

Microsoft warns of an active cryptojacking campaign leveraging AI chatbot interactions to redirect users to malicious download sites. This emerging social engineering technique increases the visibility of infected recommendations, potentially compromising systems for cryptocurrency mining. Users should exercise caution with chatbot-provided links and ensure endpoint security is up-to-date.

Why do I care?

Attackers are exploiting trusted AI chatbot platforms to propagate cryptojacking malware, which can silently consume system resources and degrade performance.

What can I do about it?

Educate users to verify any download links suggested by chatbots, and deploy endpoint detection and response tools capable of identifying cryptojacking behaviors.

Classification

Malware, High Severity, Cryptojacking, Social Engineering

Source

Source feed: The Hacker News | Original source

From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Microsoft Defender Experts and Microsoft Defender Security Research Team — Tue, 26 May 2026 21:35:34 GMT

AI Summary

Microsoft Defender Experts identified an active cryptojacking campaign that uses SEO poisoning and AI chatbot interactions to lure users into downloading fake system utilities. Impersonating tools like CrystalDiskInfo and HWMonitor, the campaign targets users with high-performance GPUs to maximize mining yield. The attack chain involves DLL sideloading to silently install ScreenConnect, providing persistent remote access that could enable data theft, lateral movement, or ransomware. Over 150 malicious domains have been linked to the campaign since March 2026. Microsoft Defender detects and blocks this activity. Organizations should enable cloud-delivered protection, run EDR in block mode, and enable attack surface reduction rules to mitigate risks.

Why do I care?

This campaign combines AI-assisted social engineering and software impersonation to target high-value systems, potentially leading to cryptojacking, persistent remote access, and further compromise like ransomware.

What can I do about it?

Enable cloud-delivered protection, run EDR in block mode, and enable attack surface reduction rules. Also educate users to verify software sources and avoid downloading from untrusted links, especially from AI chatbots.

Classification

Malware, High Severity, Cryptojacking, Social Engineering

Source

Source feed: Microsoft Security Blog | Original source

KnowledgeDeliver flaw exploited as a zero-day to install web shells

Ionut Ilascu — Tue, 26 May 2026 20:07:31 GMT

AI Summary

Attackers exploited a critical zero-day vulnerability in the KnowledgeDeliver learning management system to deploy the Godzilla web shell, enabling persistent remote access. The vulnerability allows unauthenticated code execution, posing a severe risk to affected servers. Immediate patching and monitoring for web shell activity are recommended.

Why do I care?

This zero-day in a widely used LMS could allow attackers to gain persistent access to sensitive educational data and internal networks.

What can I do about it?

Apply vendor patches immediately, monitor for Godzilla web shell indicators, and restrict internet exposure of LMS servers.

Classification

Vulnerability, Critical Severity, Web Shell Deployment, Zero-Day Exploitation

Source

Source feed: Bleeping Computer | Original source

Feeding Frenzy: 'Megalodon' Malware Infects Thousands of GitHub Repos

Rob Wright — Tue, 26 May 2026 19:47:14 GMT

AI Summary

A malware campaign dubbed 'Megalodon' compromised thousands of GitHub repositories in just six hours by pushing malicious commits to over 5,500 repos, stealing credentials and developer secrets. The attack highlights the risks of supply chain attacks and the need for stringent repository security measures.

Why do I care?

This campaign demonstrates how attackers can rapidly compromise developer environments, leading to theft of sensitive credentials and secrets that can be used for further attacks.

What can I do about it?

Implement multi-factor authentication, review repository access controls, monitor for unusual commit activity, and use secret scanning tools to detect exposed credentials.

Classification

Malware, High Severity, Credential Theft

Source

Source feed: Dark Reading | Original source

The Hackers Behind Shai-Hulud: Lucky or Skilled?

Alexander Culafi — Tue, 26 May 2026 19:18:01 GMT

AI Summary

TeamPCP, the hacking group behind the Shai-Hulud worm, has inflicted significant damage to the open source ecosystem. The article questions whether their success stems from luck or skill, but the impact is undeniable. The worm exploits weaknesses in open source supply chains, affecting a broad range of downstream users. Organizations must recognize that even less sophisticated actors can cause widespread harm. Mitigation requires proactive dependency management, vulnerability scanning, and strict access controls for third-party components.

Why do I care?

The Shai-Hulud worm targets open source ecosystems, potentially compromising widely used libraries and affecting numerous downstream users.

What can I do about it?

Regularly audit and update open source dependencies, and implement integrity checks and code signing for third-party components.

Classification

Malware, High Severity, Worm

Source

Source feed: Dark Reading | Original source

Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

Tue, 26 May 2026 13:00:00 GMT

AI Summary

FortiGuard Labs has identified a sophisticated phishing campaign that delivers an obfuscated JavaScript variant of the PureLogs information stealer. The attack chain involves JavaScript execution, PowerShell scripts, and process hollowing techniques to evade detection and steal sensitive data, including credentials and other confidential information. This campaign poses a significant threat to organizations, potentially leading to data breaches and further compromise. Mitigation strategies include enhancing email security to block malicious attachments, implementing endpoint detection rules for process hollowing and suspicious PowerShell activity, and conducting regular cybersecurity awareness training to reduce the risk of phishing attacks.

Why do I care?

This phishing campaign deploys a known infostealer capable of credential theft and data exfiltration, posing significant risk to organizational data and potential lateral movement within networks.

What can I do about it?

Implement robust email security filtering, conduct phishing simulations to raise user awareness, and deploy endpoint detection rules specifically for process hollowing and anomalous PowerShell execution.

Classification

Incident, High Severity, Info Stealer, Phishing

Source

Source feed: FortiGuard Labs Threat Research | Original source

New AI DDoS Attacks Are Smarter. Learn How to Fight Back in This Webinar

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 11:58:00 GMT

AI Summary

The article highlights the growing trend of AI-powered DDoS attacks, which are becoming smarter and more difficult to mitigate. Hackers leverage artificial intelligence to identify system weaknesses and automate attacks, increasing speed and impact. While no specific incidents or actors are detailed, the key threat is the enhanced sophistication of DDoS campaigns, posing greater risk to website availability and data integrity. Organizations should proactively invest in AI-driven defense mechanisms and maintain robust incident response plans to counter these evolving threats. The article serves as a warning but lacks concrete evidence or technical depth.

Classification

Malware, Medium Severity, Distributed Denial of Service (DDoS)

Source

Source feed: The Hacker News | Original source

BTMOB: A stealthy RAT burrowing deep into Android devices

Tue, 26 May 2026 08:50:00 GMT

AI Summary

BTMOB is a stealthy remote access trojan (RAT) targeting Android devices. It combines remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise. This malware can allow attackers to execute commands, steal data, and maintain persistent access. The threat is significant for organizations as it can lead to complete compromise of mobile devices, potentially exposing sensitive corporate data. Mitigation involves robust mobile security practices, including app vetting, device management, and endpoint protection solutions.

Why do I care?

BTMOB poses a high risk as it enables full compromise of Android devices, potentially exposing sensitive organizational data and providing attackers with a foothold into corporate networks.

What can I do about it?

Enforce strict mobile device management policies, restrict app installations to trusted sources, and deploy mobile threat defense solutions that can detect and block such malware.

Classification

Malware, High Severity, Android Malware, Remote Access Trojan

Source

Source feed: ESET WeLiveSecurity | Original source

Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 07:13:05 GMT

AI Summary

Iranian state-sponsored threat actor Nimbus Manticore (also known as Screening Serpens and UNC1549) is conducting a campaign using phishing emails and SEO poisoning to deploy MiniFast and MiniJunk V2 malware. The lures impersonate organizations in the aviation and software sectors across the US, Europe, and the Middle East. This campaign follows joint US-Israeli military actions against Iran in late February 2026. These malware strains provide persistent access and data exfiltration capabilities. The threat is high due to the actor's state sponsorship and broad targeting. Mitigations include employee awareness training, robust email filtering, browser security controls, and monitoring for unusual outbound traffic.

Why do I care?

This campaign demonstrates continued Iranian cyber aggression targeting critical sectors, with potential for espionage and disruption.

What can I do about it?

Implement advanced email and web filtering, enforce multi-factor authentication, and maintain updated endpoint detection to counter these threats.

Classification

Incident, High Severity, Drive-by Compromise, Spear Phishing

Source

Source feed: The Hacker News | Original source

7-Eleven data breach exposes personal information of 185,000 people

Sergiu Gatlan — Tue, 26 May 2026 07:01:12 GMT

AI Summary

7-Eleven suffered a data breach perpetrated by the ShinyHunters extortion gang, resulting in the theft of personal information belonging to over 183,000 individuals. The exposed data could include names, addresses, and payment card details, putting victims at risk of identity theft and financial fraud. The breach highlights the evolving tactics of extortion groups who target data for ransom. Organizations should prioritize data classification, implement robust access controls, and employ continuous monitoring to detect anomalous activity indicative of a breach.

Why do I care?

This breach demonstrates that even major retail chains are vulnerable to extortion groups, putting customer data at risk and potentially damaging brand reputation.

What can I do about it?

Implement strong access controls, monitor for unusual data access patterns, and regularly test incident response procedures to quickly contain and mitigate such breaches.

Classification

Malware, High Severity, Data Breach, Extortion

Source

Source feed: Bleeping Computer | Original source

KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 05:19:38 GMT

AI Summary

A high-severity zero-day vulnerability (CVE-2026-5426, CVSS 7.5) in Digital Knowledge KnowledgeDeliver LMS, popular in Japan, was exploited to deploy the Godzilla web shell and subsequently Cobalt Strike Beacon. The flaw stems from hard-coded ASP.NET machine keys, enabling remote code execution. Organizations using this LMS should prioritize patching to prevent full compromise.

Why do I care?

Unpatched vulnerabilities in internal-facing applications like LMS can be leveraged for initial access and deployment of advanced persistent threats.

What can I do about it?

Apply the vendor patch immediately and review machine key rotation practices to prevent similar flaws.

Classification

Vulnerability, High Severity, C2 Framework, Web Shell

Source

Source feed: The Hacker News | Original source

Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)

Tue, 26 May 2026 00:01:48 GMT

AI Summary

The article, though lacking detail, indicates the potential emergence of an information stealer called ACR Stealer distributed through a phishing page impersonating Claude. This suggests an ongoing threat where users may be tricked into downloading malware disguised as a legitimate application. Without further information, the true impact and distribution remain unclear, but organizations should be aware of the possibility of credential theft and data exfiltration. The limited content prevents a full assessment, but the mention of a new stealer warrants caution.

Classification

Malware, Medium Severity, Info Stealer

Source

Source feed: SANS Internet Storm Center | Original source

25th May – Threat Intelligence Report

urias — Mon, 25 May 2026 15:08:40 GMT

AI Summary

This week's threat intelligence report covers multiple high-impact incidents. ShinyHunters breached 7-Eleven, stealing over 600,000 Salesforce records. GitHub suffered a breach via a weaponized VS Code extension, exfiltrating 3,800 internal repositories. Grafana Labs also experienced a breach but refused ransom. The FBI warned about Kali365, a phishing kit targeting Microsoft 365 with device-code phishing that bypasses MFA. AI threats include campaigns compromising nine Mexican government agencies and a Russian actor using AI for propaganda and credential theft. Critical vulnerabilities include actively exploited Windows Defender flaws, Trend Micro Apex One directory traversal, and Drupal SQL injection under active mass attack. Threat intelligence reveals Nimbus Manticore (IRGC-linked) using SEO poisoning to deliver MiniFast backdoor, a 124% surge in hacktivism and ransomware in Germany, Austria, and Switzerland, Showboat Linux malware targeting telecoms, and a Laravel supply chain attack. Patching, multi-factor authentication, and monitoring for token theft are critical mitigations.

Why do I care?

Defenders should be concerned about the breadth of attacks including supply chain compromise, AI-driven phishing, and rapid exploitation of critical vulnerabilities, which pose significant risks to organizational security and data integrity.

What can I do about it?

Prioritize patching for Windows Defender, Trend Micro Apex One, and Drupal; implement phishing-resistant MFA; monitor for OAuth token abuse; restrict access to GitHub and CI/CD pipelines; and review AI email filters for injection evasion.

Classification

Vulnerability, High Severity, Data Breach, Exploit, Phishing

Source

Source feed: Check Point Research | Original source

Microsoft Access VBA, (Mon, May 25th)

Mon, 25 May 2026 14:14:58 GMT

AI Summary

This article briefly notes that Microsoft Access files can contain VBA code, which may be used for macro-based attacks. No specific threats, campaigns, or vulnerabilities are mentioned. The information is generic and does not describe any active exploitation or targeted attacks.

Classification

Malware, Low Severity, Malware Delivery

Source

Source feed: SANS Internet Storm Center | Original source

Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

Google Threat Intelligence Group — Mon, 25 May 2026 14:00:00 GMT

AI Summary

Mandiant investigated a critical vulnerability (CVE-2026-5426) in KnowledgeDeliver LMS, allowing unauthenticated Remote Code Execution via ViewState deserialization due to hardcoded ASP.NET machine keys. An unknown threat actor exploited this to deploy the BLUEBEAM in-memory web shell, tamper with files, and trick users into downloading a fake installer, leading to Cobalt Strike BEACON backdoor infections. Impact includes full server compromise and potential user infection. Immediate remediation requires rotating machine keys, restricting access, and monitoring for indicators such as Event ID 1316, suspicious process launches from w3wp.exe, and file changes. This incident underscores the severe risk of shared secrets in deployment templates.

Why do I care?

This vulnerability enables unauthenticated remote code execution, allowing attackers to compromise the web server and infect all visitors with malware, resulting in extensive breach of sensitive data and systems.

What can I do about it?

Immediately generate and apply unique cryptographically strong machine keys for each KnowledgeDeliver instance, restrict LMS access to trusted IP ranges, and conduct thorough threat hunting using the provided IOCs and event log patterns.

Classification

Vulnerability, Critical Severity, Backdoor, Remote Code Execution, Web Shell

Source

Source feed: Mandiant Frontline Blog | Original source

TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)

Mon, 25 May 2026 13:26:06 GMT

AI Summary

TeamPCP is conducting a sophisticated supply chain campaign across three package ecosystems, including GitHub and Microsoft. They have trojanized a Microsoft-published Python SDK, compromised GitHub's internal codebase, and open-sourced their own framework. This widespread campaign puts downstream users at significant risk of compromise. Immediate verification of package integrity and monitoring for anomalous behavior is recommended.

Why do I care?

This campaign demonstrates sophisticated supply chain compromise targeting multiple ecosystems, including Microsoft and GitHub, putting downstream users at risk.

What can I do about it?

Verify the integrity of third-party packages, monitor for anomalous behavior, and restrict use of untrusted repositories.

Classification

Malware, Critical Severity, Supply Chain Attack, Trojanized Software

Source

Source feed: SANS Internet Storm Center | Original source

TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)

Mon, 25 May 2026 13:25:47 GMT

AI Summary

TeamPCP supply chain campaign operates across three package ecosystems, compromising GitHub's internal codebase and trojanizing a Microsoft-published Python SDK. The group has also open-sourced its attack framework. This campaign poses a critical threat to software supply chain integrity, impacting major tech platforms. Immediate review of dependencies and enhanced supply chain security measures are recommended.

Why do I care?

Supply chain attacks can undermine trust in widely used software, as seen with TeamPCP compromising GitHub internal and Microsoft SDKs, potentially affecting downstream users.

What can I do about it?

Implement strict package integrity verification, monitor for unauthorized changes, and use software composition analysis to detect trojanized components.

Classification

Malware, Critical Severity, Supply Chain Attack, Trojanized Software

Source

Source feed: SANS Internet Storm Center | Original source

Laravel-Lang Packages Poisoned for Malware Delivery

Ionut Arghire — Mon, 25 May 2026 10:41:07 GMT

AI Summary

In a targeted supply chain attack, malicious tags were published within a 15-minute window to the Laravel-Lang packages. These tags introduced backdoors designed to exfiltrate CI secrets. The incident highlights the continued risk of repository compromise and the need for robust supply chain security measures. Users should verify package integrity and monitor for unusual updates.

Why do I care?

This attack demonstrates how seemingly legitimate package updates can be weaponized to steal CI secrets, compromising downstream systems.

What can I do about it?

Implement strict package version pinning, verify digital signatures, and monitor for unexpected package releases or tags.

Classification

Malware, High Severity, Supply Chain Attack

Source

Source feed: SecurityWeek | Original source

Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms

info@thehackernews.com (The Hacker News) — Mon, 25 May 2026 09:32:54 GMT

AI Summary

The Lazarus Group, a North Korean state-sponsored threat actor, is deploying a new cross-platform remote access trojan (RAT) called RemotePE against financial and cryptocurrency organizations. The attack chain involves two loaders, DPAPILoader and RemotePELoader, which decrypt and execute the memory-only payload. This in-memory operation helps evade detection. The campaign highlights Lazarus's continued focus on cryptocurrency targets and the financial sector, posing a significant threat due to the group's sophistication and history of high-impact attacks. Organizations in these verticals should remain vigilant and implement advanced monitoring for memory-resident malware.

Why do I care?

Lazarus Group is a highly capable APT known for targeting financial institutions and crypto exchanges; their use of memory-only techniques makes this attack difficult to detect with traditional file-based signatures.

What can I do about it?

Deploy endpoint detection and response (EDR) solutions capable of monitoring anomalous memory allocations and process injections, and ensure staff are trained to recognize phishing attempts that may deliver the initial payload.

Classification

Malware, High Severity, Memory-Only Malware, RAT

Source

Source feed: The Hacker News | Original source

Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack

Ionut Arghire — Mon, 25 May 2026 07:40:55 GMT

AI Summary

A widespread supply chain attack named 'Megalodon' has compromised over 5,500 GitHub repositories by injecting malicious GitHub Actions workflows through fake automated commits. The payloads are designed to steal credentials, CI/CD secrets, API keys, and tokens, putting development environments at risk. The impact is severe, as attackers can gain unauthorized access to critical infrastructure and cloud services. Organizations with compromised repositories face potential lateral movement and data breaches. Mitigation requires immediate auditing of all GitHub Actions workflows, rotating all exposed secrets, monitoring for unauthorized commits, and enforcing strict branch protection policies to prevent similar injections.

Why do I care?

This attack directly exploits CI/CD pipelines to steal sensitive credentials and secrets, which can lead to widespread compromise of your development infrastructure and cloud services.

What can I do about it?

Immediately audit all GitHub Actions workflows for unauthorized modifications, rotate all credentials and secrets, enable branch protection, and restrict workflow triggers to trusted sources.

Classification

Malware, Critical Severity, Credential Theft, Supply Chain Attack

Source

Source feed: SecurityWeek | Original source

TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

info@thehackernews.com (The Hacker News) — Mon, 25 May 2026 05:59:13 GMT

AI Summary

A coordinated supply chain attack campaign, codenamed TrapDoor, has targeted multiple software package ecosystems including npm, PyPI, and Crates.io. Since May 22, 2026, over 34 malicious packages across more than 384 versions have been published in waves. These packages contain credential-stealing malware designed to harvest sensitive information from developers and organizations. The attack highlights the growing risk of cross-ecosystem supply chain compromises, which can have cascading effects across the software development lifecycle. Organizations must enhance their software supply chain security by verifying package integrity, auditing dependencies, and monitoring for suspicious activities to mitigate the threat.

Why do I care?

This campaign directly targets developers through trusted package registries, compromising downstream software and stealing credentials that can lead to broader network breaches.

What can I do about it?

Immediately audit your projects for any of the 34 known malicious packages, implement strict software composition analysis, and enforce multi-factor authentication and least-privilege access for package publishing accounts.

Classification

Malware, High Severity, Credential Theft, Supply Chain Attack

Source

Source feed: The Hacker News | Original source

Laravel Lang packages hijacked to deploy credential-stealing malware

Lawrence Abrams — Sat, 23 May 2026 20:48:23 GMT

AI Summary

A sophisticated supply chain attack targeting Laravel Lang localization packages exposed developers to credential-stealing malware. Attackers abused GitHub version tags to inject malicious code into Composer packages. This campaign potentially compromised developer credentials and systems, impacting applications built with the affected packages. Mitigation involves rigorous verification of package integrity and dependency management, alongside monitoring for suspicious behavior.

Why do I care?

This supply chain attack directly targets developers, enabling credential theft and further compromise of internal systems and code repositories.

What can I do about it?

Audit Laravel Lang package versions, verify checksums, and implement dependency scanning to detect unauthorized changes. Enforce multi-factor authentication and monitor for credential misuse.

Classification

Malware, High Severity, Credential Theft, Supply Chain Attack

Source

Source feed: Bleeping Computer | Original source

Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware

info@thehackernews.com (The Hacker News) — Sat, 23 May 2026 16:07:51 GMT

AI Summary

A coordinated supply chain attack campaign has compromised eight packages on Packagist, injecting malicious code into package.json files to target JavaScript projects. The code downloads and executes a Linux binary hosted on GitHub Releases. This highlights the risk of supply chain attacks on open-source ecosystems. Organizations using these packages should inspect for unauthorized modifications, monitor for suspicious outbound connections, and review dependencies for unexpected JavaScript files. The attack's coordination and use of multiple packages indicate a deliberate effort to distribute malware, potentially for initial access or data theft. Immediate action includes scanning for affected package versions and rotating credentials.

Why do I care?

This coordinated attack injects malicious executables into trusted packages, potentially giving attackers persistent access to build and deployment pipelines where these packages are used.

What can I do about it?

Audit your Composer dependencies for the affected packages, remove any unauthorized package.json inclusions, and monitor for unexpected GitHub Releases downloads or Linux binary executions in your CI/CD environment.

Classification

Malware, High Severity, Supply Chain Attack

Source

Source feed: The Hacker News | Original source

Italy disrupts CINEMAGOAL piracy app that stole streaming auth codes

Bill Toulas — Sat, 23 May 2026 14:23:44 GMT

AI Summary

Italian authorities disrupted the CINEMAGOAL piracy app, which provided unauthorized access to streaming platforms like Netflix, Disney+, and Spotify by stealing authentication codes. The operation targeted the app's infrastructure and distributors, impacting the piracy ecosystem. The takedown highlights ongoing efforts to combat credential theft and protect streaming services. Organizations in the media and entertainment sector should monitor for similar threats and enforce strong access controls.

Classification

Malware, Medium Severity, Credential Theft, Piracy

Source

Source feed: Bleeping Computer | Original source

Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

info@thehackernews.com (The Hacker News) — Sat, 23 May 2026 09:51:13 GMT

AI Summary

A supply chain attack has compromised multiple Laravel-Lang PHP packages to deliver a cross-platform credential-stealing framework. The affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Organizations using these packages should update immediately and audit their environments for unauthorized credential access.

Why do I care?

These compromised packages can lead to widespread credential theft across environments using Laravel-Lang, impacting sensitive data and user accounts.

What can I do about it?

Immediately update affected packages to the latest patched version, review package integrity using checksums, and monitor for unusual credential access patterns.

Classification

Malware, High Severity, Credential Stealer, Supply Chain Attack

Source

Source feed: The Hacker News | Original source

First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups

info@thehackernews.com (The Hacker News) — Fri, 22 May 2026 17:35:02 GMT

AI Summary

A global law enforcement operation led by France and the Netherlands has dismantled the First VPN Service, a criminal VPN used by at least 25 ransomware groups to anonymize their activities. The takedown disrupts infrastructure that facilitated ransomware attacks, data theft, scanning, and DDoS attacks. By removing this layer of anonymity, authorities hinder attackers' ability to hide origins, potentially reducing the frequency or success of future campaigns. The operation underscores international cooperation in targeting cybercriminal enablers.

Why do I care?

This takedown removes a key anonymity tool used by ransomware adversaries, potentially forcing them to seek less reliable alternatives, which may increase detection opportunities for defenders.

What can I do about it?

Monitor for changes in ransomware attack patterns as actors adapt; ensure incident response plans account for possible shifts in initial access techniques or C2 infrastructure.

Classification

Malware, High Severity, Cybercrime, Ransomware

Source

Source feed: The Hacker News | Original source

Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware

info@thehackernews.com (The Hacker News) — Fri, 22 May 2026 16:20:32 GMT

AI Summary

The Belarus-aligned threat actor Ghostwriter (UAC-0057/UNC1151) is targeting Ukrainian government entities using phishing emails lures referencing the Ukrainian online learning platform Prometheus. CERT-UA reported the campaign, which aims to deliver malware via spear-phishing attacks. The group's focus on government organizations indicates a strategic interest in gathering intelligence or disrupting operations. The use of a legitimate platform themed lure increases the likelihood of successful compromise. Organizations should be vigilant for emails purporting to be from Prometheus or related to online learning, as they may carry malicious payloads. Immediate implementation of email security controls and user awareness training is recommended to mitigate this threat.

Why do I care?

Ghostwriter is actively targeting Ukrainian government entities with spear-phishing emails leveraging the Prometheus platform theme, posing a risk of initial access and follow-on malicious activities.

What can I do about it?

Enhance email filtering for Prometheus-related lures and conduct user awareness training to identify and report suspicious emails. Verify any unsolicited email links or attachments before interaction.

Classification

Malware, High Severity, Spear Phishing

Source

Source feed: The Hacker News | Original source

Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict

stcpresearch — Fri, 22 May 2026 15:09:29 GMT

AI Summary

Check Point Research reports on Nimbus Manticore (UNC1549), an IRGC-affiliated threat actor active during Operation Epic Fury (Feb 2026). The group employed spear-phishing lures targeting aviation and software sectors, leveraging SEO poisoning and AppDomain Hijacking for initial access and execution. A new AI-assisted backdoor, MiniFast, was deployed alongside the MiniJunk framework. Campaigns included destructive attacks and data exfiltration from cloud environments against US and Israeli entities. The actor demonstrated rapid adaptation amid wartime conditions, emphasizing the need for heightened vigilance against targeted phishing and emerging evasion techniques.

Why do I care?

This IRGC-affiliated group is actively targeting defense, aviation, and telecom sectors with sophisticated malware and novel evasion techniques during a geopolitical conflict, posing a direct threat to national security and critical infrastructure.

What can I do about it?

Enforce multi-layered defenses against spear-phishing, monitor for AppDomain Hijacking via anomalous .config files, and deploy behavioral detection for AI-assisted malware like MiniFast. Update signatures and conduct threat hunting for UNC1549 TTPs.

Classification

Malware, High Severity, Data Exfiltration, Destructive Attack, Spear Phishing

Source

Source feed: Check Point Research | Original source

The Good, the Bad and the Ugly in Cybersecurity – Week 21

SentinelOne — Fri, 22 May 2026 15:08:13 GMT

AI Summary

This week's cybersecurity roundup highlights three major stories: international police operations dismantling cybercrime infrastructure (including First VPN and an infostealer campaign), a new macOS stealer variant called Reaper (part of SHub Stealer family) that spoofs Apple, Google, and Microsoft brands to infect Macs, and two actively exploited Microsoft Defender zero-days (including CVE-2026-41091) enabling SYSTEM privileges and denial-of-service on unpatched Windows systems. The Reaper malware employs advanced evasion techniques, harvests credentials and financial documents, and establishes persistence. Organizations should apply Microsoft updates urgently and monitor for suspicious AppleScript activity and outbound traffic.

Why do I care?

The Microsoft Defender zero-days are actively exploited, granting SYSTEM privileges or causing DoS, and the Reaper macOS stealer targets business documents and credentials with persistence.

What can I do about it?

Immediately apply Microsoft security updates for Defender, and on macOS monitor for unexpected AppleScript execution, LaunchAgents, and outbound connections to suspicious domains.

Classification

Vulnerability, High Severity, Infostealer, Phishing, Ransomware

Source

Source feed: SentinelOne | Original source

RemotePE: The Lazarus RAT that lives in memory

Fox-SRT — Fri, 22 May 2026 14:55:58 GMT

AI Summary

This article details a sophisticated memory-only toolset used by a Lazarus subgroup targeting financial and cryptocurrency organizations. The toolset consists of three components: DPAPILoader, which uses DPAPI and environmental keying to decrypt and load RemotePELoader from disk; RemotePELoader, which beacons to a C2 server and receives RemotePE; and RemotePE, a RAT executed entirely in memory. The malware evades detection through DPAPI encryption, memory-only execution, and masquerading as legitimate Windows services. The toolset's low forensic footprint makes it suitable for long-term observation campaigns, often preceding high-impact theft. Defenders are encouraged to hunt for service masquerading and memory-resident payloads.

Why do I care?

This sophisticated Lazarus toolset can maintain persistent, fileless access for extended periods, potentially leading to large-scale financial theft from targeted organizations.

What can I do about it?

Monitor for suspicious service installations mimicking Internet Authentication Service and investigate unknown services loading DLLs from unusual paths. Additionally, deploy behavioral detection for memory-only payload execution and DPAPI anomalies.

Classification

Vulnerability, High Severity, Remote Access Trojan

Source

Source feed: Fox-IT Blog | Original source

Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks

Arielle Waldman — Fri, 22 May 2026 13:17:25 GMT

AI Summary

The 2026 Verizon Data Breach Investigations Report highlights that healthcare organizations continue to face persistent threats from ransomware and vendor breaches, with evolving social engineering tactics increasing sector vulnerability. Social engineering attacks have become more sophisticated, often targeting employees to gain initial access and deploy ransomware. Such incidents can lead to significant operational downtime, data exfiltration, and financial losses. Vendor breaches introduce additional third-party risks. To counter these threats, healthcare entities should invest in comprehensive security awareness training, implement multi-factor authentication, enforce least-privilege access, and conduct regular security assessments and incident response exercises. Proactive threat hunting and robust vendor risk management are also essential to mitigate the impact of these evolving attacks.

Classification

Malware, Medium Severity, Ransomware, Social Engineering

Source

Source feed: Dark Reading | Original source

Canadian Man Arrested for Operating Kimwolf Botnet

Eduard Kovacs — Fri, 22 May 2026 12:11:03 GMT

AI Summary

Jacob Butler, a 23-year-old Canadian, was arrested for operating the Kimwolf botnet, with US authorities seeking extradition on computer hacking charges. This arrest underscores ongoing law enforcement efforts to dismantle botnet infrastructure used for cybercrime. While specific impacts are undisclosed, botnets like Kimwolf pose significant threats to organizations, potentially enabling distributed denial-of-service (DDoS) attacks, data theft, or further malware delivery. The takedown serves as a deterrent and emphasizes the importance of proactive cyber defense measures such as network monitoring, access controls, and user awareness training to prevent botnet infections.

Why do I care?

The Kimwolf botnet represents a persistent threat that could be used for DDoS, data theft, or further malware distribution, impacting organizational security.

What can I do about it?

Ensure network monitoring for C2 traffic, apply security patches, and educate users on phishing risks to mitigate botnet infections.

Classification

Malware, High Severity, Botnet

Source

Source feed: SecurityWeek | Original source

‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested

Eduard Kovacs — Fri, 22 May 2026 09:24:22 GMT

AI Summary

The FBI disrupted the 'First VPN' cybercrime service and arrested its administrator. The VPN service was used by numerous ransomware groups for network reconnaissance and intrusions. This law enforcement action impacts criminal infrastructure but highlights the ongoing threat from ransomware groups. Organizations should remain vigilant and ensure robust network monitoring and access controls for VPN services.

Why do I care?

The dismantling of First VPN disrupts a key tool used by ransomware groups for network reconnaissance, reducing their ability to conduct intrusions.

What can I do about it?

Organizations should enforce strict VPN policies, monitor for unusual VPN traffic, and implement strong authentication and logging to detect unauthorized access.

Classification

Malware, High Severity, Ransomware

Source

Source feed: SecurityWeek | Original source

Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

Kaspersky — Fri, 22 May 2026 09:12:13 GMT

AI Summary

Cloud Atlas continues to target government and diplomatic entities in Russia and Belarus using spear-phishing emails with ZIP archives containing LNK files. The attack chain involves PowerShell scripts that deploy two backdoors: VBCloud, a file stealer targeting documents and PDFs, and PowerShower, used for network reconnaissance, lateral movement, and Kerberoasting. The group employs SSH tunnels, Tor, and RevSocks for persistent C2, along with registry persistence and anti-forensic measures. Organizations in these sectors are at high risk of data theft and network compromise.

Why do I care?

Cloud Atlas is a sophisticated APT group actively targeting government and diplomatic sectors in Russia and Belarus, using advanced techniques to steal sensitive data and move laterally within networks.

What can I do about it?

Implement email filtering to detect malicious attachments, enforce multi-factor authentication, monitor for unusual PowerShell execution and SSH tunnel activity, and conduct regular security awareness training to reduce phishing risk.

Classification

Vulnerability, High Severity, Backdoor, Credential Theft, Spear Phishing

Source

Source feed: Kaspersky Securelist | Original source

US and Canada arrest and charge suspected Kimwolf botnet admin

Sergiu Gatlan — Fri, 22 May 2026 09:01:20 GMT

AI Summary

A Canadian man was arrested by US and Canadian authorities for operating the KimWolf DDoS botnet, which infected nearly two million devices worldwide. The botnet was capable of launching extensive distributed denial-of-service attacks, representing a significant threat to internet infrastructure. This arrest underscores the ongoing efforts by law enforcement to dismantle large-scale botnets and highlights the need for organizations to protect their assets from such threats.

Why do I care?

The KimWolf botnet infected nearly 2 million devices and could be used for massive DDoS attacks, potentially disrupting critical services.

What can I do about it?

Keep all systems and devices updated, deploy network monitoring for anomalous traffic, and consider DDoS mitigation services to protect against volumetric attacks.

Classification

Malware, High Severity, Botnet, Distributed Denial of Service (DDoS)

Source

Source feed: Bleeping Computer | Original source

Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks

info@thehackernews.com (The Hacker News) — Fri, 22 May 2026 08:50:18 GMT

AI Summary

The U.S. Department of Justice announced the arrest of Canadian Jacob Butler for operating the Kimwolf DDoS botnet, a variant of AISURU. The botnet facilitated DDoS-for-hire attacks, enabling customers to launch distributed denial-of-service attacks against targets. The arrest highlights ongoing law enforcement efforts against cybercrime. Organizations should implement robust DDoS mitigation strategies to defend against such threats.

Why do I care?

DDoS botnets like Kimwolf can disrupt online services, causing financial and reputational damage. This arrest indicates active malicious operations that could target your organization if unmitigated.

What can I do about it?

Deploy DDoS protection solutions, monitor network traffic for anomalies, and ensure incident response plans include DDoS mitigation procedures. Collaborate with ISPs to block malicious traffic.

Classification

Malware, High Severity, Botnet, DDoS

Source

Source feed: The Hacker News | Original source

Cross-Platform NPM Stealer, (Fri, May 22nd)

Fri, 22 May 2026 06:14:42 GMT

AI Summary

A cross-platform Node.js stealer was identified in a static analysis of an obfuscated sample. The malware, likely distributed via NPM, collects sensitive information and is designed to evade detection. While the sample did not execute in a sandbox, its obfuscation and functionality pose a threat to organizations using Node.js environments. Further analysis is required to assess the full impact and distribution vectors.

Classification

Malware, Medium Severity, Information Stealer

Source

Source feed: SANS Internet Storm Center | Original source

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

BrianKrebs — Thu, 21 May 2026 21:50:25 GMT

AI Summary

The article reports the arrest of Jacob Butler, known as 'Dort', the operator of the Kimwolf IoT botnet. Kimwolf enslaved millions of IoT devices to launch record-breaking DDoS attacks, reaching nearly 30 Tbps and causing financial losses exceeding $1 million per victim. The botnet also targeted Department of Defense networks. Butler faces charges in Canada and the U.S. after launching DDoS, doxing, and swatting campaigns against researchers. The infrastructure for Kimwolf and three other botnets was seized with international law enforcement. The case highlights the ongoing threat from IoT botnets and the importance of securing such devices.

Why do I care?

Kimwolf demonstrates how unsecured IoT devices can be weaponized into massive DDoS botnets, causing record-breaking attack volumes, substantial financial losses, and potential disruption to critical infrastructure, including military networks.

What can I do about it?

Ensure all IoT devices are updated, use strong unique passwords, disable unnecessary services, and segment IoT networks from critical systems. Implement DDoS protection and monitoring solutions to detect and mitigate volumetric attacks.

Classification

Malware, Critical Severity, Botnet, DDoS

Source

Source feed: Krebs on Security | Original source

The art of being ungovernable

William Largent — Thu, 21 May 2026 18:00:14 GMT

AI Summary

Cisco Talos identified a commodity BadIIS malware variant powering a Malware-as-a-Service (MaaS) ecosystem used by Chinese-speaking cybercriminal groups. The toolset, identifiable by embedded 'demo.pdb' strings, includes builder tools and persistence mechanisms. It enables malicious SEO fraud, server content hijacking, and traffic redirection. Rapid updates and vendor evasion tactics make it a persistent threat. Defenders should monitor IIS for unauthorized redirection and 503 errors, hunt for the distinct PDB strings and Chinese-language folder paths, and update endpoint protections.

Why do I care?

This active commodity malware ecosystem lowers the barrier for cybercriminals, enabling widespread server traffic hijacking and evading detection with rapid updates.

What can I do about it?

Monitor IIS for unauthorized redirection and 503 errors, hunt for 'demo.pdb' strings and Chinese folder paths in binaries, and update endpoint detection to counter evasion tactics.

Classification

Malware, High Severity, Malware-as-a-Service

Source

Source feed: Cisco Talos Intelligence Group | Original source

Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor

info@thehackernews.com (The Hacker News) — Thu, 21 May 2026 14:17:09 GMT

AI Summary

Showboat is a modular Linux malware targeting a Middle East telecommunications provider since mid-2022. It operates as a post-exploitation framework capable of spawning remote shells, transferring files, and establishing a SOCKS5 proxy for covert command and control. The malware's proxy functionality enables attackers to route traffic through compromised systems, potentially facilitating lateral movement and data exfiltration. While the specific threat actor remains unidentified, the prolonged campaign underscores a persistent threat to critical infrastructure in the region. Detection efforts should focus on unusual proxy traffic and unauthorized remote shell activity. Mitigation includes network segmentation, host-based monitoring for Linux systems, and strict egress filtering to limit outbound connections.

Why do I care?

Showboat's SOCKS5 proxy and remote shell capabilities allow attackers to maintain persistent access and exfiltrate data from telecom networks, posing a risk to customer privacy and service integrity.

What can I do about it?

Deploy endpoint detection and response (EDR) on Linux servers, monitor for unexpected proxy traffic, and enforce least-privilege access controls to limit post-exploitation movement.

Classification

Malware, High Severity, Backdoor, Post-Exploitation Framework, Proxy

Source

Source feed: The Hacker News | Original source

Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet

Sponsored by Flare — Thu, 21 May 2026 14:00:10 GMT

AI Summary

This article examines the Lucifer Drainer-as-a-Service (DaaS) platform, which automates the theft of cryptocurrency by tricking users into approving malicious transactions. Unlike traditional hacking, Lucifer relies on phishing to lure victims and automated scripts to initiate fraudulent token approvals. Once approved, the drainer swiftly empties the victim's wallet. The analysis highlights the scale and accessibility of such platforms, making wallet theft a significant and growing threat. Mitigation emphasizes user vigilance, transaction simulation tools, and hardware wallets to prevent unauthorized approvals.

Why do I care?

Crypto drainers like Lucifer directly compromise user funds by exploiting human trust in transaction approvals, posing a severe financial risk to individuals and organizations holding cryptocurrency.

What can I do about it?

Implement transaction simulation and warning systems that alert users to suspicious token approvals, and enforce strict policies on verifying transaction details before signing.

Classification

Malware, High Severity, Crypto Drainer, Phishing

Source

Source feed: Bleeping Computer | Original source

Chinese hackers target telcos with new Linux, Windows malware

Bill Toulas — Thu, 21 May 2026 14:00:00 GMT

AI Summary

A Chinese cyber-espionage campaign targeting telecommunications providers has been identified, utilizing two new malware families: Showboat for Linux and JFMBackdoor for Windows. The campaign aims to conduct persistent espionage, potentially exfiltrating sensitive data and enabling long-term surveillance. Telecoms are critical infrastructure, making this a high-priority threat. Mitigation includes enhanced network monitoring, endpoint detection, and access controls.

Why do I care?

Telecommunications providers are prime targets for cyber-espionage, as compromising them can lead to widespread data theft and surveillance capabilities.

What can I do about it?

Implement robust endpoint detection systems, enforce network segmentation, and monitor for unusual outbound connections to mitigate backdoor persistence.

Classification

Malware, High Severity, Backdoor Malware, Cyber Espionage

Source

Source feed: Bleeping Computer | Original source

Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks

Nate Nelson — Thu, 21 May 2026 14:00:00 GMT

AI Summary

Chinese APT groups have deployed a Linux backdoor codenamed 'Showboat' against telecommunications providers in Central Asia. The malware enables persistent access and data exfiltration, targeting small market communications providers for espionage. The campaign highlights the ongoing threat to critical infrastructure and the need for enhanced network monitoring and endpoint security. Mitigation includes implementing robust access controls, regular patching, and monitoring for anomalous behavior indicative of backdoor activity.

Why do I care?

Telecommunications providers are critical infrastructure; this backdoor enables long-term espionage and data theft.

What can I do about it?

Deploy endpoint detection and response (EDR) solutions, segment networks, and monitor for unusual outbound connections or file modifications.

Classification

Malware, High Severity, Backdoor, Cyber Espionage

Source

Source feed: Dark Reading | Original source

Police seize “First VPN” service used in ransomware, data theft attacks

Bill Toulas — Thu, 21 May 2026 13:09:51 GMT

AI Summary

In a joint international law enforcement operation, the 'First VPN' service was taken offline. This VPN was used by cybercriminals to anonymize their activities in ransomware and data theft attacks. The seizure disrupts criminal infrastructure and hinders threat actors' ability to mask their communications. Organizations should note the takedown as a positive step but continue to implement robust security controls against ransomware and data theft. The operation demonstrates international cooperation in combating cybercrime.

Classification

Malware, Medium Severity, Data Theft, Ransomware

Source

Source feed: Bleeping Computer | Original source

ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories

info@thehackernews.com (The Hacker News) — Thu, 21 May 2026 11:52:14 GMT

AI Summary

This week's threat bulletin highlights a worrying trend where attackers exploit trusted components rather than breaking in directly. Reported threats include Linux rootkits, a router zero-day vulnerability, AI-assisted intrusions, and scam kits. Key incidents involve leaked tokens, malicious packages in software updates, login credential theft, and the resurgence of old tools. These attacks compromise trust in routine operations such as software updates, cloud services, and support interactions. Attackers are leveraging AI to craft convincing phishing campaigns and using rootkits to maintain persistence. The router zero-day exposes critical infrastructure. The impact is broad, affecting many organizations. Mitigation requires enhanced monitoring of trusted workflows, strict access controls, multi-factor authentication, and user awareness of phishing and social engineering tactics.

Classification

Malware, Medium Severity, Credential Theft, Phishing, Rootkit

Source

Source feed: The Hacker News | Original source

Apple Rejected 2 Million App Store Submissions in 2025 for Security and Fraud Prevention

Ionut Arghire — Thu, 21 May 2026 11:17:15 GMT

AI Summary

Apple rejected over 2 million App Store submissions in 2025 as part of its security and fraud prevention efforts, blocking 1.1 billion accounts and $2.2 billion in potentially fraudulent transactions. This demonstrates the company's ongoing commitment to platform security and user protection.

Classification

Malware, Low Severity, Fraud

Source

Source feed: SecurityWeek | Original source

Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days

Ionut Arghire — Thu, 21 May 2026 09:52:05 GMT

AI Summary

Microsoft has released patches for two zero-day vulnerabilities, named UnDefend and RedSun Defender, which are being actively exploited in the wild. The flaws allow attackers to elevate privileges to SYSTEM or cause a denial-of-service condition, potentially leading to full system compromise. Given the active exploitation, organizations should prioritize applying these patches. The vulnerabilities were reported by security researchers and affect Microsoft products, though specific affected software has not been detailed. Immediate patching is critical to mitigate risk.

Why do I care?

These zero-day vulnerabilities are actively exploited and can grant attackers SYSTEM-level privileges, enabling complete control over affected systems.

What can I do about it?

Apply the relevant Microsoft security updates immediately and ensure endpoint monitoring is in place to detect any related post-exploitation activity.

Classification

Vulnerability, Critical Severity, Denial of Service, Privilege Escalation

Source

Source feed: SecurityWeek | Original source

GitHub links repo breach to TanStack npm supply-chain attack

Sergiu Gatlan — Thu, 21 May 2026 06:54:01 GMT

AI Summary

GitHub disclosed a breach where attackers compromised 3,800 internal repositories by exploiting a malicious version of the Nx Console VS Code extension, which was itself compromised in the TanStack npm supply-chain attack. The incident underscores the risk of supply-chain attacks on development tools, with potential exposure of sensitive source code. Recommended mitigations include auditing third-party extensions and monitoring for unauthorized access.

Why do I care?

This breach demonstrates how adversaries can leverage widely used developer tools to gain initial access to corporate networks, potentially exposing sensitive source code and intellectual property.

What can I do about it?

Restrict the use of unverified extensions, enforce code review for dependencies, and monitor for anomalous behavior in development environments.

Classification

Malware, High Severity, Supply Chain Attack

Source

Source feed: Bleeping Computer | Original source

GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension

info@thehackernews.com (The Hacker News) — Thu, 21 May 2026 04:27:01 GMT

AI Summary

GitHub confirmed that its internal repositories were breached via a poisoned Nx Console VS Code extension, which compromised an employee device after an attacker hacked the developer's system. The malicious extension allowed the attacker to steal credentials and exfiltrate sensitive data from internal repositories. This supply chain attack underscores the risk of compromised trusted extensions in development environments. GitHub has taken steps to revoke accessed tokens and is working with the Nx team to mitigate the impact. Organizations should review their use of third-party extensions and enforce strict access controls to prevent similar incidents.

Why do I care?

Compromised development tools and extensions can lead to unauthorized access to sensitive internal repositories, enabling data theft and further attacks within your supply chain.

What can I do about it?

Enforce strict vetting and monitoring of third-party IDE extensions, limit permissions and access tokens, and implement endpoint detection controls to identify malicious extension behavior.

Classification

Malware, Critical Severity, Extension Poisoning, Supply Chain Attack

Source

Source feed: The Hacker News | Original source

Ukraine identifies infostealer operator tied to 28,000 stolen accounts

Bill Toulas — Wed, 20 May 2026 21:36:24 GMT

AI Summary

Ukrainian cyberpolice, with U.S. law enforcement, identified an 18-year-old from Odesa as the operator of an infostealer malware campaign that stole credentials from an online store in California, affecting 28,000 accounts. The investigation highlights cross-border cooperation in combating cybercrime, but the specific malware family and broader group affiliation remain undisclosed. Mitigation emphasizes credential hygiene and monitoring for stolen credentials.

Classification

Malware, Medium Severity, Data Theft, Infostealer

Source

Source feed: Bleeping Computer | Original source

Fake Android Apps Commit Carrier Billing Fraud for Premium Svcs.

Jai Vijayan — Wed, 20 May 2026 20:35:35 GMT

AI Summary

Fake Android apps are being used to commit carrier billing fraud for premium services. These malicious apps employ techniques such as WebView automation, JavaScript injection, and OTP interception to execute fraudulent subscriptions while evading detection. The impact includes unauthorized premium service charges on victims' phone bills, leading to financial loss. Users are advised to avoid downloading apps from untrusted sources, review app permissions carefully, and monitor billing statements for suspicious charges. Organizations should implement mobile security policies and educate users about the risks of sideloading apps.

Why do I care?

These fraudulent apps can lead to direct financial loss from unauthorized premium service charges and may compromise personal data through OTP interception.

What can I do about it?

Implement strict mobile app vetting processes, deploy mobile threat defense solutions, and educate users to only install apps from official stores and review permissions.

Classification

Malware, High Severity, Fraud

Source

Source feed: Dark Reading | Original source

Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

Microsoft Defender Security Research Team — Wed, 20 May 2026 17:48:44 GMT

AI Summary

Microsoft identified an active supply chain attack on @antv npm packages, where a threat actor compromised a maintainer account and published malicious versions of data-visualization libraries like G2 and G6. The malicious payload, Mini Shai-Hulud, executes during npm install and targets CI/CD pipelines, specifically GitHub Actions, to steal credentials from GitHub, AWS, HashiCorp Vault, npm, Kubernetes, and 1Password. It evades detection through obfuscation and environment gating, and performs memory scraping for additional secrets. The attack cascaded through dependencies like echarts-for-react, affecting over 1 million weekly downloads. The @antv team has resolved the issue, but organizations using affected versions should immediately update and review their CI/CD secret management to prevent credential exposure.

Why do I care?

This supply chain attack directly targets CI/CD environments, enabling attackers to steal cloud and infrastructure credentials, potentially leading to full compromise of build pipelines and cloud accounts.

What can I do about it?

Update all @antv packages to the latest non-malicious versions, audit your npm dependencies for malicious hashes, and implement strict secret rotation and monitoring for GitHub Actions and other linked services.

Classification

Malware, Critical Severity, Credential Theft, Supply Chain Attack

Source

Source feed: Microsoft Security Blog | Original source

AI-Powered App Attacks Are Faster, More Frequent and Harder to Stop

Kevin Townsend — Wed, 20 May 2026 14:37:36 GMT

AI Summary

Digital.ai's latest threat report warns that agentic AI has erased the distinction between emerging and primary targets, enabling attackers to compromise mobile apps within hours of release across all industries. This AI-driven approach accelerates the speed and frequency of attacks while complicating detection and mitigation efforts. The blurring of target boundaries means that no app is safe from immediate threats, demanding a proactive security posture. The report emphasizes the need for real-time threat detection and advanced defense mechanisms to counter these rapidly evolving AI-powered app attacks. Organizations must adopt continuous monitoring and automated responses to protect their mobile applications from this new wave of sophisticated threats.

Why do I care?

Attackers leveraging AI can target mobile apps within hours of release, increasing the risk of compromise before traditional defenses can be updated.

What can I do about it?

Implement comprehensive mobile app security testing, runtime protection, and continuous monitoring to detect and respond to AI-driven attacks in real time.

Classification

Malware, High Severity, Mobile App Attack

Source

Source feed: SecurityWeek | Original source

Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks

info@thehackernews.com (The Hacker News) — Wed, 20 May 2026 14:36:44 GMT

AI Summary

Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation that abused its Artifact Signing system to sign malicious code, enabling ransomware and other attacks. The threat actor Fox Tempest offered this service, compromising thousands of machines globally. The takedown removes a key enabler for ransomware operations, highlighting the abuse of trusted signing services.

Why do I care?

This operation enabled ransomware attacks against thousands of organizations by bypassing security controls through signed malware.

What can I do about it?

Monitor for unauthorized use of code signing certificates and enforce strict controls on signing processes to prevent abuse.

Classification

Malware, High Severity, Malware-as-a-Service, Ransomware

Source

Source feed: The Hacker News | Original source

Misconfigured, Enrolled and Dormant: Anatomy of a P2Pinfect Kubernetes Compromise

Wed, 20 May 2026 13:00:00 GMT

AI Summary

FortiGuard Labs analyzed P2Pinfect compromises in Google Kubernetes Engine clusters, revealing how exposed Redis instances enable persistent botnet enrollment. The peer-to-peer malware can remain dormant and poses significant cloud runtime risks, including data exfiltration and resource hijacking. Mitigation requires hardening Redis configurations, implementing network segmentation, and deploying robust monitoring for suspicious activities.

Why do I care?

Unsecured Redis in Kubernetes can lead to permanent botnet enrollment, risking data breaches and cloud resource abuse.

What can I do about it?

Restrict Redis access to trusted sources, enable authentication, and monitor for anomalous traffic indicative of botnet communication.

Classification

Malware, High Severity, Botnet

Source

Source feed: FortiGuard Labs Threat Research | Original source

Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

info@thehackernews.com (The Hacker News) — Wed, 20 May 2026 12:51:43 GMT

AI Summary

In 2025, the China-aligned threat actor Webworm has been observed deploying two custom backdoors, EchoCreep and GraphWorm, which utilize Discord and Microsoft Graph API for command-and-control communications. Targeting government agencies, this campaign demonstrates the group's continued evolution and reliance on legitimate services to evade detection. The use of widely trusted platforms like Discord and Microsoft Graph API makes their C2 traffic blend in with normal network activity, posing a significant challenge for defenders. Organizations should monitor anomalous API calls and Discord usage, and apply strict controls on outbound traffic to mitigate this threat.

Why do I care?

Webworm is a China-aligned APT actively targeting government agencies with backdoors that abuse popular services like Discord and Microsoft Graph API, enabling stealthy data exfiltration and persistent access.

What can I do about it?

Implement network monitoring for unusual Discord and MS Graph API traffic, restrict API access to approved applications, and deploy endpoint detection rules to identify the EchoCreep and GraphWorm backdoors.

Classification

Malware, High Severity, Backdoor, Command and Control via Legitimate Services

Source

Source feed: The Hacker News | Original source

Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack

Ionut Arghire — Wed, 20 May 2026 11:06:49 GMT

AI Summary

Over 320 NPM packages in the @antv namespace were compromised via a maintainer account, resulting in a supply chain attack dubbed 'Mini Shai-Hulud'. Malicious versions were published, potentially impacting developers and applications that depend on these packages. Organizations should audit their dependencies for malicious versions and implement integrity checks to mitigate the risk of widespread compromise.

Why do I care?

This supply chain attack exposes organizations to malicious code embedded in trusted packages, risking data breaches and system compromise.

What can I do about it?

Immediately audit your NPM dependencies for any @antv packages, verify their integrity against official sources, and consider using lockfiles and package integrity monitoring tools.

Classification

Malware, High Severity, Supply Chain Attack

Source

Source feed: SecurityWeek | Original source

Tracking TamperedChef Clusters via Certificate and Code Reuse

Joseph Ganter — Wed, 20 May 2026 10:00:46 GMT

AI Summary

Unit 42's analysis of TamperedChef malware clusters reveals the use of trojanized productivity applications and malvertising to deliver stealthy payloads. This campaign targets users seeking productivity tools, leveraging deceptive ads to distribute malicious software through signed binaries. The malware exhibits code reuse and certificate manipulation to evade detection, indicating a sophisticated operational capability. Organizations should be vigilant against malvertising and enforce strict application whitelisting to mitigate the risk of trojanized app infections.

Why do I care?

TamperedChef uses trojanized productivity apps and malvertising to bypass traditional defenses, posing a significant threat of stealthy malware delivery to end users.

What can I do about it?

Implement application whitelisting and block unsigned software downloads. Educate users on the risks of downloading tools from untrusted sources and enable network monitoring for malvertising campaigns.

Classification

Malware, High Severity, Adware, Trojan

Source

Source feed: Unit 42 (Palo Alto Networks) | Original source

GitHub Confirms Hack Impacting 3,800 Internal Repositories

Ionut Arghire — Wed, 20 May 2026 09:28:53 GMT

AI Summary

The TeamPCP hacking group gained access to 3,800 of GitHub's internal repositories after an employee installed a poisoned Visual Studio Code extension. The incident highlights the risks of software supply chain attacks via compromised developer tools. GitHub confirmed the breach, which affected internal code and potentially sensitive data. Organizations should enforce strict extension vetting and user education to prevent similar attacks.

Why do I care?

Internal repositories contain proprietary code and secrets; unauthorized access can lead to data theft or further compromise.

What can I do about it?

Implement strict controls on allowed extensions, conduct security training, and monitor for anomalous file access.

Classification

Malware, High Severity, Supply Chain Compromise, Trojanized Software

Source

Source feed: SecurityWeek | Original source

A malicious VS code extension just breached GitHub ‘s internal repositories

Pierluigi Paganini — Wed, 20 May 2026 08:50:50 GMT

AI Summary

GitHub suffered a breach after an employee installed a trojanized Visual Studio Code extension from the official marketplace. The attack resulted in the exfiltration of approximately 3,800 internal repositories. The cybercrime group TeamPCP claimed responsibility and is demanding at least $50,000 for the stolen data, threatening public release if unpaid. GitHub detected the intrusion, removed the malicious extension, isolated the endpoint, and initiated incident response. The company stated that no customer data outside the affected repositories appears compromised, though investigations continue. The incident underscores the persistent risk of supply chain attacks targeting developer tools, as malicious extensions can bypass marketplace security and lead to major data breaches.

Why do I care?

Even security-conscious organizations like GitHub can be breached through a single employee installing a malicious IDE extension, demonstrating that supply chain attacks on development tools pose a critical risk to intellectual property and internal systems.

What can I do about it?

Enforce strict policies on extension installations, limit developer endpoints to approved extensions only, implement behavior-based monitoring for unusual data exfiltration, and conduct regular security awareness training focused on trusted software supply chains.

Classification

Malware, Critical Severity, Data Theft, Extortion

Source

Source feed: Security Affairs (Data Breach) | Original source

GitHub confirms breach of 3,800 repos via malicious VSCode extension

Sergiu Gatlan — Wed, 20 May 2026 08:14:08 GMT

AI Summary

GitHub confirmed that approximately 3,800 internal repositories were breached after an employee installed a malicious Visual Studio Code extension from the marketplace. The trojanized extension, impersonating a legitimate tool, stole authentication tokens and allowed unauthorized access to source code. GitHub has revoked tokens and is monitoring for misuse. This incident highlights risks from third-party extensions in the software supply chain and underscores the need for strict controls on developer tools.

Why do I care?

This incident demonstrates that even major tech companies can fall victim to supply chain attacks via developer tools, emphasizing the risk of malicious extensions to credentials and code assets.

What can I do about it?

Restrict marketplace access to approved extensions, enforce code review for developer tools, and use behavioral detection to flag anomalous extension activity.

Classification

Malware, High Severity, Malicious Extension, Supply chain attack

Source

Source feed: Bleeping Computer | Original source

Cybercrime service disrupted for abusing Microsoft platform to sign malware

Lawrence Abrams — Tue, 19 May 2026 21:47:31 GMT

AI Summary

Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation that abused its Artifact Signing service to generate fraudulent code-signing certificates. This service was used by ransomware gangs and other cybercriminals to sign malware, making it appear legitimate and bypass security controls. The takedown prevents further abuse of this platform, reducing the ability of threat actors to distribute signed malware. Organizations should review their code signing policies, verify digital signatures against trusted certificate authorities, and monitor for unusual certificate usage to mitigate risks from such services.

Why do I care?

This service enabled malware to be signed with legitimate-looking certificates, increasing the effectiveness of ransomware and other threats by bypassing security controls.

What can I do about it?

Enforce strict code-signing policies, verify all digital signatures against trusted certificate authorities, and monitor for anomalous certificate usage within your environment.

Classification

Malware, High Severity, Code Signing Abuse, Ransomware

Source

Source feed: Bleeping Computer | Original source

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

info@thehackernews.com (The Hacker News) — Tue, 19 May 2026 16:38:12 GMT

AI Summary

The Trapdoor operation is a large-scale ad fraud and malvertising scheme targeting Android users through 455 malicious apps and 183 C2 domains, generating over 659 million daily bid requests. This multi-stage fraud pipeline impacts users via resource consumption and potential exposure to malicious ads. Mitigation includes careful app installation, use of security tools, and monitoring for unusual device behavior.

Why do I care?

Organizations with mobile device fleets face resource hijacking and potential breach from malicious Android apps that evade detection.

What can I do about it?

Implement mobile threat defense solutions, enforce app vetting policies, and monitor for suspicious ad traffic or app behavior.

Classification

Malware, High Severity, Ad Fraud, Malvertising

Source

Source feed: The Hacker News | Original source

Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’

Eduard Kovacs — Tue, 19 May 2026 16:06:22 GMT

AI Summary

Microsoft disrupted a malware-signing service operated by the threat actor Fox Tempest. This service was used by cybercriminals to sign ransomware and other malware with valid code signing certificates, allowing the malicious software to appear legitimate and evade security defenses. The disruption removes a key enabler for ransomware operations, reducing the ability of adversaries to distribute signed malware. Organizations are advised to remain vigilant and enforce strict code signing verification, as the service's takedown may temporarily reduce but not eliminate the threat from signed malware.

Why do I care?

Fox Tempest's signing service enabled ransomware operators to bypass security defenses by masquerading malicious executables as legitimate software, increasing the risk of successful compromise.

What can I do about it?

Enforce strict code signing policies, inspect all signed binaries for validity, and deploy endpoint detection solutions capable of identifying anomalous signing behavior and signed malware.

Classification

Malware, High Severity, Ransomware

Source

Source feed: SecurityWeek | Original source

Exposing Fox Tempest: A malware-signing service operation

Microsoft Threat Intelligence — Tue, 19 May 2026 15:07:01 GMT

AI Summary

Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to provide short-lived, fraudulently signed certificates to other cybercriminals, including Vanilla Tempest and Storm groups. This service enables trusted delivery of malware such as Rhysida ransomware, Oyster, Lumma Stealer, and Vidar, allowing them to bypass security controls and successfully execute on victim systems. Over a thousand certificates and hundreds of Azure subscriptions were established, impacting sectors like healthcare, education, government, and finance globally. In May 2026, Microsoft's Digital Crimes Unit disrupted the service, revoking certificates and taking down infrastructure. Organizations are urged to use advanced detection and endpoint security solutions to mitigate signed malware threats.

Why do I care?

Fox Tempest provides signed malware to ransomware operators, bypassing traditional security controls and increasing the risk of successful compromise and extortion across a wide range of industries.

What can I do about it?

Implement endpoint detection and response (EDR) with behavioral analytics, enforce application control policies, and regularly review and revoke suspicious signing certificates using Microsoft Defender's indicators of compromise.

Classification

Malware, High Severity, Malware Distribution, Ransomware

Source

Source feed: Microsoft Security Blog | Original source

New Shai-Hulud malware wave compromises 600 npm packages

Bill Toulas — Tue, 19 May 2026 14:30:22 GMT

AI Summary

A new Shai-Hulud malware campaign has compromised over 600 packages in the npm registry, targeting the software supply chain. Threat actors published malicious packages to infiltrate development environments, potentially leading to widespread code execution and data theft. The attack underscores the risk of supply-chain vulnerabilities, affecting developers and organizations that rely on npm dependencies. Immediate mitigation includes auditing and removing affected packages.

Why do I care?

This supply-chain attack introduces malware across hundreds of packages, potentially compromising thousands of downstream applications and exposing sensitive data.

What can I do about it?

Conduct an immediate audit of npm dependencies for known malicious packages, enable package signing and integrity verification, and consider using private registries with vetting processes.

Classification

Malware, Critical Severity, Supply Chain Attack

Source

Source feed: Bleeping Computer | Original source

7-Eleven confirms data breach claimed by the ShinyHunters gang

Sergiu Gatlan — Tue, 19 May 2026 14:16:41 GMT

AI Summary

7-Eleven confirmed a data breach claimed by the ShinyHunters extortion group. The incident exposed customer data, and the group is likely to demand a ransom. The breach underscores the persistent threat from cybercriminal groups targeting large retailers. Mitigation includes enhancing network segmentation, enforcing multi-factor authentication, and conducting regular security audits.

Why do I care?

A confirmed breach at a major retailer like 7-Eleven indicates that attackers can compromise sensitive customer data, leading to financial and reputational damage.

What can I do about it?

Implement robust access controls, enable logging and monitoring for unusual data exfiltration, and ensure incident response plans are up to date to quickly contain such breaches.

Classification

Malware, High Severity, Data Breach, Extortion

Source

Source feed: Bleeping Computer | Original source

Legacy Windows Tool MSHTA Fuels Surge in Silent Malware Attacks

Kevin Townsend — Tue, 19 May 2026 13:00:00 GMT

AI Summary

Attackers are increasingly abusing the legacy Windows utility MSHTA to deliver stealers, loaders, and persistent malware in a silent manner. The attacks often originate from phishing emails or fake software downloads, leveraging MSHTA as a LOLBIN (Living Off the Land Binary) to evade detection. This technique allows malware to be executed without triggering traditional security controls, leading to stealthy compromise. Organizations are at risk of data theft and further malware deployment. Mitigation includes monitoring MSHTA execution, restricting its use to only authorized scenarios, and enhancing user awareness to prevent phishing and social engineering. Regular review of LOLBIN usage can help detect anomalous activity.

Classification

Malware, Medium Severity

Source

Source feed: SecurityWeek | Original source

Microsoft’s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows

Janos Gergo SZELES — Tue, 19 May 2026 12:58:25 GMT

AI Summary

Bitdefender researchers report that attackers continue to exploit Microsoft's legacy MSHTA tool, which is present by default on Windows systems. MSHTA can execute VBScript and JavaScript from local or remote files, making it a convenient vector for delivering malware. By using this signed Microsoft binary, adversaries can bypass application whitelisting and other security controls. The technique is often used in phishing campaigns where users are tricked into opening .hta files or clicking links that invoke MSHTA. This allows the execution of arbitrary code without raising immediate suspicion. Organizations should monitor MSHTA usage and consider restricting or disabling it if not required for business operations.

Classification

Malware, Medium Severity, Living-off-the-Land Binary (LOLBin) Abuse

Source

Source feed: Bitdefender Labs | Original source

The New Phishing Click: How OAuth Consent Bypasses MFA

info@thehackernews.com (The Hacker News) — Tue, 19 May 2026 11:30:00 GMT

AI Summary

In February 2026, the EvilTokens phishing-as-a-service platform emerged, compromising over 340 Microsoft 365 organizations across five countries within five weeks. It exploits OAuth consent prompts to bypass multi-factor authentication by tricking users into entering a code at microsoft.com/devicelogin and completing MFA, then stealing the resulting access token. This allows persistent unauthorized access without triggering typical phishing alerts. The scale and speed of compromise indicate a significant operational capability, posing a high risk to organizations relying on MFA as a sole security measure. Immediate review of OAuth consent policies and device login flows is critical to mitigate this threat.

Why do I care?

EvilTokens bypasses MFA via OAuth consent phishing, allowing attackers to gain persistent access to Microsoft 365 without raising typical alerts, putting sensitive data at risk.

What can I do about it?

Restrict OAuth consent to trusted apps only, require admin consent for all applications, and monitor for unusual device login activity and token grants.

Classification

Incident, High Severity, Credential Access, OAuth Abuse, Phishing

Source

Source feed: The Hacker News | Original source

Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOS

Elizabeth Montalbano — Tue, 19 May 2026 11:13:44 GMT

AI Summary

The article reports on the SHub Reaper stealer, which disguises itself as fake installers for WeChat and Miro to target macOS users. It marks a shift from ClickFix social engineering to AppleScript-based execution, spoofing legitimate brands like Google, Microsoft, and Apple. Once executed, it backdoors the system to steal sensitive data. This threat poses a significant risk to macOS users, emphasizing the need for caution when downloading software and the importance of endpoint security measures to detect such deceptive installations.

Why do I care?

This stealer targets macOS users by impersonating trusted applications, leading to data theft and unauthorized system access, which can severely compromise organizational security.

What can I do about it?

Educate users to verify software sources and employ endpoint detection tools that can identify AppleScript-based attacks and block fake installer downloads.

Classification

Malware, High Severity, Social Engineering, Stealer

Source

Source feed: Dark Reading | Original source

From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat

Joey Chen — Tue, 19 May 2026 10:00:20 GMT

AI Summary

Cisco Talos has identified a commercially distributed BadIIS variant operated under a malware-as-a-service model, likely targeting Chinese-speaking cybercriminal networks. Tracked since 2021 and actively maintained through early 2026, this commodity malware automates web server compromise on Microsoft IIS infrastructure. Primary objectives include malicious SEO fraud, content hijacking, and traffic redirection for search engine manipulation. The toolset features robust persistence mechanisms, automated deployment, and advanced obfuscation techniques to evade antivirus detection and survive server restarts. Impact spans global IIS deployments, enabling attackers to monetize traffic and exploit search engine rankings. Defense strategies should prioritize monitoring IIS service anomalies, auditing registered PDB paths and custom binaries, and enforcing strict application whitelisting. Continuous log analysis and proactive threat hunting for known MaaS distribution patterns are recommended.

Why do I care?

This actively maintained, commercially distributed BadIIS variant poses a significant risk to organizational IIS deployments by enabling persistent server compromise, traffic hijacking, and lucrative SEO fraud campaigns. Its MaaS distribution model increases the likelihood of targeted, automated attacks across your infrastructure.

What can I do about it?

Audit IIS installations for unauthorized binaries, validate executable PDB strings against known developer profiles, and enforce application control policies to block unsigned or anomalous web server components. Implement rigorous monitoring for unexpected outbound traffic redirection and search engine crawling anomalies.

Classification

Malware, High Severity, Malware-as-a-Service (MaaS), SEO Fraud, Traffic Manipulation

Source

Source feed: Cisco Talos Intelligence Group | Original source

The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave

Merav Bar — Tue, 19 May 2026 08:29:30 GMT

AI Summary

TeamPCP is conducting a multi-ecosystem supply chain compromise targeting GitHub, NPM, and VSCode. The attack aims to steal credentials and establish persistence within developer environments. This campaign leverages the trusted nature of these platforms to reach a wide audience, posing significant risks to organizations that rely on open-source components. The impact includes credential theft, potential code integrity loss, and downstream compromise of software supply chains. Urgent action is needed to strengthen supply chain security, monitor for malicious extensions, and enforce strict access controls.

Why do I care?

This attack targets developer ecosystems, compromising credentials and code integrity, which can lead to widespread supply chain breaches.

What can I do about it?

Implement rigorous supply chain security, vet third-party extensions, and enforce least privilege for developer accounts.

Classification

Malware, High Severity, Credential Theft, Supply Chain Compromise

Source

Source feed: Wiz Security Research | Original source

Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

info@thehackernews.com (The Hacker News) — Tue, 19 May 2026 07:49:23 GMT

AI Summary

A compromised version of the Nx Console extension (rwl.angular-console v18.95.0) for Visual Studio Code was identified on the VS Code Marketplace. With over 2.2 million installations, the extension contains a credential stealer targeting developers. This supply chain attack poses a significant threat to the developer community, potentially leading to unauthorized access to sensitive credentials and systems. Immediate action is required to remove the compromised extension and scan for any indicators of compromise.

Why do I care?

This supply chain attack targets the developer toolchain, potentially compromising credentials and systems across many organizations due to the extension's broad installation base.

What can I do about it?

Remove the malicious extension version immediately, scan all systems for signs of compromise, and enforce strict extension vetting and update controls.

Classification

Malware, High Severity, Credential Theft, Supply Chain Compromise

Source

Source feed: The Hacker News | Original source

Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account

Mon, 18 May 2026 23:00:00 GMT

AI Summary

A supply chain attack via the npm ecosystem targeted the AntV data visualization library. Over 300 malicious package versions were published across 323 packages after a maintainer account was compromised. This is part of the ongoing Mini Shai-Hulud worm campaign, which aims to distribute malware via trusted packages. The attack highlights the risk of compromised credentials in open-source ecosystems. Immediate actions include auditing npm dependencies for affected packages, rotating credentials, and implementing multi-factor authentication. The impact is widespread, potentially affecting any project using the compromised packages. Organizations should review their software supply chain and monitor for unusual activity.

Why do I care?

This attack compromises the software supply chain by injecting malicious code into widely-used npm packages, potentially affecting numerous downstream users and leading to data theft or further compromise.

What can I do about it?

Immediately audit your dependencies for any package versions from the AntV ecosystem published after the compromise date, rotate any compromised npm token or account credentials, and enable multi-factor authentication.

Classification

Malware, High Severity, Supply Chain Compromise, Trojan

Source

Source feed: Snyk Blog | Original source

How Storm-2949 turned a compromised identity into a cloud-wide breach

Microsoft Defender Security Research Team — Mon, 18 May 2026 22:42:50 GMT

AI Summary

Storm-2949 executed a sophisticated cloud breach by compromising identities through social engineering and Self-Service Password Reset (SSPR) abuse, bypassing MFA and gaining persistent access. They moved laterally across Microsoft 365 and Azure environments, exfiltrating sensitive data from M365 apps, Azure Storage, SQL databases, and Key Vaults using legitimate administrative features without malware, employing ScreenConnect for remote access and defense evasion. This incident underscores the critical risk of identity compromise in cloud environments. Microsoft recommends robust identity protections, conditional access, and behavior-based detection to mitigate such threats.

Why do I care?

This attack shows that a single compromised identity can lead to a full cloud-wide breach and massive data exfiltration without malware, highlighting the need for comprehensive identity protection and visibility across cloud layers.

What can I do about it?

Enforce multifactor authentication with number matching, monitor SSPR abuse, implement conditional access policies, use behavior-based detection tools like Microsoft Defender for Cloud Apps and Defender for Identity, and apply least-privilege access for cloud resources.

Classification

Malware, Critical Severity, Cloud Compromise, Credential Access, Data Exfiltration

Source

Source feed: Microsoft Security Blog | Original source

INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers

Bill Toulas — Mon, 18 May 2026 22:15:30 GMT

AI Summary

INTERPOL's Operation Ramz, targeting the Middle East and North Africa, resulted in the arrest of over 200 individuals and seizure of 53 servers used for malware distribution and phishing. The operation highlights ongoing efforts to disrupt cybercrime infrastructure, particularly credential theft and malware delivery. No specific threat actors or malware families were disclosed, but the takedown impacts multiple criminal operations.

Classification

Incident, Medium Severity, Malware, Phishing

Source

Source feed: Bleeping Computer | Original source

SHub macOS infostealer variant spoofs Apple security updates

Bill Toulas — Mon, 18 May 2026 21:42:20 GMT

AI Summary

A new variant of the SHub macOS infostealer has been discovered, using AppleScript to display a fake Apple security update prompt that tricks users into granting access. Once activated, the malware installs a backdoor, enabling persistent access and data theft, including credentials and files. This spoofing technique targets macOS users by exploiting trust in Apple's update mechanism. The impact includes potential compromise of sensitive information and long-term system access for attackers. Mitigation requires user education to recognize fake updates, endpoint detection rules, and application whitelisting. Organizations should enforce strict update policies and monitor for unauthorized AppleScript execution.

Why do I care?

This SHub variant targets macOS systems with a convincing fake update, leading to backdoor installation and credential theft, which can result in significant data breaches and long-term compromise.

What can I do about it?

Enforce endpoint detection rules for AppleScript activity, block unauthorized security update prompts, and educate users to verify updates via System Preferences rather than pop-ups.

Classification

Malware, High Severity, Backdoor, Infostealer

Source

Source feed: Bleeping Computer | Original source

TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)

Mon, 18 May 2026 20:08:00 GMT

AI Summary

The TeamPCP supply chain campaign has escalated with two major developments: an officially confirmed compromise of the Checkmarx Jenkins plugin and a new self-spreading worm named Mini Shai-Hulud distributed via npm and PyPI. These threats target software supply chains, potentially affecting many downstream users. Organizations should review their use of affected components and bolster software supply chain defenses.

Why do I care?

Supply chain attacks can compromise trusted software dependencies, enabling widespread initial access and lateral movement across multiple targets.

What can I do about it?

Implement software bill of materials (SBOM) practices, monitor for suspicious updates to plugins and packages, and enforce code signing and integrity verification.

Classification

Adversary, High Severity, Supply Chain Attack, Worm

Source

Source feed: SANS Internet Storm Center | Original source

Shai-Hulud Worm Clones Spread After Code Release

Alexander Culafi — Mon, 18 May 2026 19:53:05 GMT

AI Summary

The article reports the release of the Shai-Hulud worm source code, which researchers warn is self-replicating and could scale rapidly. Developers are urged to exercise caution as the code may enable widespread infections. The worm's ability to spread autonomously poses a significant risk to software development environments and could lead to data loss or system compromise.

Why do I care?

Shai-Hulud is a self-replicating worm that can scale quickly, posing a significant risk of widespread infection and potential data compromise.

What can I do about it?

Implement network segmentation to limit worm propagation, monitor for unusual file replication activities, and ensure all systems are patched to reduce exploitation vectors.

Classification

Malware, High Severity, Worm

Source

Source feed: Dark Reading | Original source

Leaked Shai-Hulud malware fuels new npm infostealer campaign

Bill Toulas — Mon, 18 May 2026 17:28:02 GMT

AI Summary

The leaked Shai-Hulud infostealer malware is now being used in new attacks on the npm registry. Malicious packages infected with this malware have been identified, posing a significant supply chain risk. The malware is designed to steal sensitive information such as credentials and API tokens, potentially leading to data breaches and further compromise. Organizations using npm packages should immediately review their dependencies and implement measures to verify package integrity. This campaign highlights the ongoing threat of supply chain attacks via public package repositories.

Why do I care?

As an organization, the use of malicious npm packages can lead to credential theft and compromise of internal systems, especially if developers unknowingly install infected dependencies.

What can I do about it?

Enforce strict package verification, use integrity checks like npm audit, and monitor for anomalous network activity from development environments.

Classification

Malware, High Severity, Infostealer, Supply Chain Attack

Source

Source feed: Bleeping Computer | Original source

18th May – Threat Intelligence Report

urias — Mon, 18 May 2026 14:58:29 GMT

AI Summary

This week's threat intelligence report covers multiple critical incidents: ransomware attacks on West Pharmaceutical and Foxconn (claimed by Nitrogen), a source code leak at Vodafone allegedly by Lapsus$, and a $10.7M theft from THORChain. Critical vulnerabilities include YellowKey and GreenPlasma in Windows, CVE-2026-42945 in NGINX, CVE-2026-20182 in Cisco Catalyst SD-WAN (actively exploited), and CVE-2026-28819 in Apple products. AI threats involve Claw Chain vulnerabilities in OpenClaw, an AI-assisted macOS kernel exploit bypassing M5 security, and mass-produced phishing pages via Vercel's v0.dev. A Hugging Face repository disguised as OpenAI's privacy filter infected over 200,000 downloads with an infostealer. Check Point Research also analyzed an internal leak from The Gentlemen ransomware operation and reported Q1 2026 ransomware trends showing 2,122 leak-site victims, with Qilin leading. Organizations should prioritize patching, monitor for AI-driven phishing, and deploy advanced threat detection.

Why do I care?

Organizations face immediate risk from exploited vulnerabilities and ransomware attacks targeting major supply chains; unpatched systems could lead to data breaches and operational disruption.

What can I do about it?

Prioritize patching for critical CVEs (CVE-2026-44112, CVE-2026-42945, CVE-2026-20182), implement multi-layered security controls, and educate users on phishing threats using AI-generated content.

Classification

Vulnerability, Critical Severity, Phishing, Ransomware, Vulnerability Exploitation

Source

Source feed: Check Point Research | Original source

ShinyHunters hack 7-Eleven: franchisee data and Salesforce records exposed

Pierluigi Paganini — Mon, 18 May 2026 13:48:01 GMT

AI Summary

ShinyHunters breached 7-Eleven, stealing over 600,000 Salesforce records containing PII and corporate data. The group threatened to publish the data if a ransom was not paid by April 21. 7-Eleven confirmed the incident, noting unauthorized access to systems storing franchisee documents on April 8, 2026. The breach exposes sensitive franchise applicant information, and the full impact is still under investigation. ShinyHunters has previously targeted major organizations, often focusing on Salesforce instances.

Why do I care?

ShinyHunters is actively targeting Salesforce instances, and this breach demonstrates the risk of exposing sensitive franchisee data, which can lead to financial and reputational damage.

What can I do about it?

Secure Salesforce instances with strong access controls, enable multi-factor authentication, monitor for anomalous activity, and ensure incident response plans include data extortion scenarios.

Classification

Malware, High Severity, Data Breach, Extortion

Source

Source feed: Security Affairs (Data Breach) | Original source

SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain

Phil Stokes — Mon, 18 May 2026 13:00:42 GMT

AI Summary

SHub Reaper is a new variant of the SHub macOS infostealer that uses a multi-stage attack chain spoofing Apple, Google, and Microsoft. It bypasses Apple's Terminal mitigation by leveraging the applescript:// URL scheme to launch Script Editor with a pre-populated malicious payload. After execution, it steals login credentials, exfiltrates documents via an AMOS-style file grabber, and establishes persistence through a fake Google Software Update directory. The malware includes anti-analysis measures such as WebGL fingerprinting, checks for password managers and cryptocurrency wallets, and sends telemetry via Telegram. It avoids targeting Russian-speaking users. This attack poses a high risk for credential theft, data exfiltration, and persistent backdoor access on macOS systems. Mitigation involves blocking typo-squatted domains, educating users, and monitoring for SHub indicators.

Why do I care?

This sophisticated macOS stealer bypasses built-in protections and can lead to credential theft, document exfiltration, and persistent access, compromising sensitive data and systems.

What can I do about it?

Block identified typo-squatted domains, increase user awareness about fake installers, monitor for applescript:// URL launches and suspicious process executions, and deploy endpoint detection rules for SHub indicators.

Classification

Malware, High Severity, Backdoor, Infostealer

Source

Source feed: SentinelOne | Original source

IT threat evolution in Q1 2026. Mobile statistics

Anton Kivva — Mon, 18 May 2026 12:00:30 GMT

AI Summary

The Q1 2026 mobile threat report from Kaspersky reveals a persistent mobile threat landscape. While total attacks decreased to 2.67M, banking Trojans surged, with Mamont accounting for 73.5% of detections. New versions of SparkCat crypto stealer were found on Google Play and the App Store, using advanced obfuscation including a custom Dalvik-like VM and Apple's Vision framework for OCR. Triada backdoor also saw a significant increase. Adware and RiskTool apps remain prevalent. The findings emphasize the need for robust mobile security measures, especially against credential theft and financial malware.

Why do I care?

Mobile threats are increasingly sophisticated, with banking Trojans and crypto stealers targeting user credentials and funds, and new variants evading detection on official app stores.

What can I do about it?

Deploy and maintain mobile security solutions, educate users to download apps only from trusted sources, and monitor for suspicious behavior on devices.

Classification

Malware, High Severity, Backdoor, Banking Trojan, Crypto Stealer

Source

Source feed: Kaspersky Securelist | Original source

IT threat evolution in Q1 2026. Non-mobile statistics

AMR — Mon, 18 May 2026 12:00:22 GMT

AI Summary

In Q1 2026, ransomware activity remains high, with Kaspersky blocking over 343 million attacks and detecting nearly 3,000 new ransomware variants. Law enforcement achieved notable successes, including the seizure of the RAMP cybercrime forum domains, and arrests related to the Phobos and BlackCat groups. A zero-day vulnerability in Cisco Secure FMC (CVE-2026-20131) was heavily exploited by the Interlock group for initial access. Clop ransomware led the most prolific groups by victim count on data leak sites, followed by Qilin and emerging group The Gentlemen. The quarter saw 77,319 unique users attacked, with the highest activity in March. Key mitigation includes patching critical vulnerabilities, network segmentation, and maintaining offline backups. The threat landscape underscores the need for proactive defense against evolving ransomware operations.

Why do I care?

Ransomware groups are actively exploiting zero-day vulnerabilities in network appliances and leveraging data leak sites for extortion, posing a direct threat to organizational data and operations.

What can I do about it?

Immediately patch CVE-2026-20131 in Cisco Secure FMC, implement strict access controls, and ensure comprehensive backup and incident response plans are in place to mitigate ransomware impact.

Classification

Malware, High Severity, Ransomware

Source

Source feed: Kaspersky Securelist | Original source

7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand

Eduard Kovacs — Mon, 18 May 2026 11:25:54 GMT

AI Summary

The convenience store chain 7-Eleven confirmed a data breach after the threat actor group ShinyHunters demanded a ransom. The hackers claim to have stolen over 600,000 Salesforce records containing personal and corporate data. The breach underscores the risk of third-party data stores and the growing trend of extortion-driven attacks. Organizations should prioritize securing cloud-based CRM platforms and implement robust access controls and monitoring. The incident highlights the need for rapid incident response and proactive threat hunting to mitigate data exfiltration and ransomware-related impacts.

Why do I care?

This breach demonstrates that even large enterprises are vulnerable to data exfiltration via compromised cloud services, potentially exposing sensitive customer and corporate information to extortion.

What can I do about it?

Immediately audit third-party integrations like Salesforce for unusual access patterns, enforce multi-factor authentication, and ensure backup strategies are in place to recover data without paying ransom.

Classification

Malware, High Severity, Data Theft, Ransomware

Source

Source feed: SecurityWeek | Original source

First Shai-Hulud Worm Clones Emerge

Ionut Arghire — Mon, 18 May 2026 09:45:15 GMT

AI Summary

At least one threat actor has adopted the newly released Shai-Hulud Worm source code to attack NPM developers, potentially compromising the software supply chain. The worm targets the NPM ecosystem, and developers should be vigilant about malicious packages. Immediate mitigation includes verifying package integrity and scrutinizing third-party dependencies.

Why do I care?

The attack targets NPM developers, potentially leading to widespread supply chain compromise if malicious packages are published.

What can I do about it?

Implement strict package review processes, use package integrity verification, and monitor for unusual updates in dependencies.

Classification

Malware, High Severity, Supply Chain Attack, Worm

Source

Source feed: SecurityWeek | Original source

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

info@thehackernews.com (The Hacker News) — Mon, 18 May 2026 08:57:26 GMT

AI Summary

Cybersecurity researchers have discovered four malicious npm packages that deliver information-stealing malware and Phantom Bot DDoS malware. One package, chalk-tempalte, is a clone of the Shai-Hulud worm. The packages have been downloaded hundreds of times, posing a supply chain risk. They can steal sensitive data and be used to launch DDoS attacks. Organizations should audit their npm dependencies and ensure they are not using these packages. Recommended mitigations include using package verification tools, scanning for typosquatting, and regularly updating dependencies.

Why do I care?

These malicious npm packages can compromise your systems by stealing credentials and user data, and can be used to launch DDoS attacks.

What can I do about it?

Remove any of the listed packages from your dependencies, and implement strict package name validation and supply chain security tools to detect malicious packages.

Classification

Malware, High Severity, DDoS Botnet, Infostealer

Source

Source feed: The Hacker News | Original source

Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations

info@thehackernews.com (The Hacker News) — Mon, 18 May 2026 06:46:37 GMT

AI Summary

The fast16 malware, identified as a pre-Stuxnet cyber sabotage tool, was designed to tamper with nuclear weapons simulations by corrupting uranium-compression calculations. Analysis by Symantec and Carbon Black reveals its Lua-based hook engine targeted specific processes. This highlights the sophistication of state-sponsored attacks on critical infrastructure. Organizations involved in sensitive simulations should implement strict integrity monitoring and access controls.

Why do I care?

This malware demonstrates that even pre-Stuxnet, adversaries developed tools to sabotage nuclear simulations, posing a critical threat to national security and infrastructure.

What can I do about it?

Implement rigorous integrity checks and monitoring for simulation software, restrict access, and use behavioral detection to identify hooks and unauthorized process modifications.

Classification

Malware, Critical Severity, Cyber Sabotage, Targeted Attack

Source

Source feed: The Hacker News | Original source

Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

Bill Toulas — Sun, 17 May 2026 14:43:10 GMT

AI Summary

The Tycoon2FA phishing kit has evolved to conduct device-code phishing attacks, abusing Trustifi click-tracking URLs to compromise Microsoft 365 accounts. This technique tricks users into entering a device code on a legitimate Microsoft login page, allowing attackers to gain access without traditional credentials. The attack bypasses multi-factor authentication (MFA) and poses significant risk. Organizations should implement phishing-resistant MFA, monitor for unusual device code requests, and educate users about this advanced phishing method.

Why do I care?

This attack bypasses MFA and directly compromises Microsoft 365 accounts, allowing attackers to access sensitive data and perform lateral movement.

What can I do about it?

Enforce phishing-resistant MFA (e.g., FIDO2), monitor for anomalous device code authentication patterns, and train users to verify login prompts before entering codes.

Classification

Incident, High Severity, Credential Theft, MFA Bypass, Phishing

Source

Source feed: Bleeping Computer | Original source