Click any tag below to further narrow down your results
Links
This tool generates Windows PE executables that trigger YARA rule matches, helping users validate their malware detection signatures. It automates the creation of test files based on specific patterns, ensuring effective scanning and rule accuracy. Safe to use, the executables exit immediately without executing harmful code.
This article analyzes a malicious Visual Studio Code extension that implements ransomware-like behavior. It highlights how the extension encrypts files, uploads sensitive data, and communicates with a command and control server via a private GitHub repository. The piece questions how such obvious malware passed the marketplace review.
Cybersecurity experts found a new Android spyware, RadzaRat, disguised as a file manager app. It grants hackers full control over devices, including keylogging capabilities, and is undetectable by antivirus programs. The malware is easily accessible online and can be deployed by anyone with basic skills.
OpenClaw has added VirusTotal's malware scanning to its ClawHub marketplace after finding 341 malicious skills in its platform. This integration scans all published skills for known malware, but experts warn it won't catch all threats, particularly those using prompt injection techniques.
Google Chrome's new autofill feature can now store sensitive information like passports and vehicle IDs, making form-filling faster. However, experts warn that this could increase risks if a user's Google account is compromised, as all that data is concentrated in one place. The cybersecurity community advises against storing sensitive information in browsers due to rising malware threats.
Researchers found insecure bootstrap scripts in legacy Python packages that could allow attackers to exploit a domain takeover. The scripts fetch an outdated installation package from a now-available domain, which poses a risk of executing malicious code. Some affected packages have removed the scripts, but others, like slapos.core, still include them.
Bitdefender Labs found that 17% of the OpenClaw AI skills examined in February 2026 are malicious. These skills, masquerading as useful tools, are used to steal crypto keys and install malware on macOS, with one user linked to 199 harmful scripts.
The Kimwolf botnet, known for infecting over 2 million devices, has reportedly gained unauthorized access to the control panel of Badbox 2.0, a major botnet linked to advertising fraud. This access allows Kimwolf to deploy its malware on devices connected to Badbox 2.0, raising concerns about the spread of malicious software.
The article details a targeted malware attack disguised as a freelance job opportunity on LinkedIn. It breaks down how the malicious code was embedded in a GitLab repository and outlines key warning signs for developers to watch for to avoid similar scams.
Google released an urgent update for Chrome to fix two vulnerabilities that can be exploited by simply visiting malicious web pages. Users should ensure they're on version 143.0.7499.146 or later to stay protected from potential attacks.
This article explores the use of AI models, particularly Claude Opus 4.6, to detect hidden backdoors in binary executables. While some success was noted, with a 49% detection rate for obvious backdoors, the approach remains unreliable for production use due to high false positives and limitations in analyzing complex binaries.
Malcontent is a tool designed to detect supply-chain malware using context analysis and differential methods. It supports various file formats and programming languages, analyzing Linux programs primarily, but also works with macOS and Windows. It features three modes: analyze, diff, and scan, allowing for in-depth examination of program capabilities and risks.
A report from Zscaler reveals that over 239 malicious Android apps were downloaded 42 million times from Google Play between June 2024 and May 2025. The rise in malware includes banking trojans and spyware, with a notable shift towards social engineering tactics. India, the U.S., and Canada are the top targets, while adware has become the most detected threat.
Some Notepad++ users are experiencing security incidents where the software may be involved in facilitating unauthorized access. The situation is still developing, and while only a few organizations have reported issues, users should monitor specific processes and network activity related to the application.
Researchers found a harmful Chrome extension called Crypto Copilot that secretly siphons Solana from users during transactions. It injects hidden fees into swaps on the Raydium exchange, transferring funds to an attacker's wallet without user knowledge. The extension remains available for download, despite its malicious behavior.
Google is introducing developer verification requirements to enhance security on the Android platform, addressing issues with scams and malware. The update considers feedback from various user groups, including students and experienced users, offering tailored solutions for each. Early access to the new verification process is starting for developers.
Security researchers identified and removed a fake VSCode extension masquerading as Prettier. The extension was designed to deploy Anivia Stealer malware, but swift action limited its impact to just a handful of users. Developers are warned to be cautious with third-party tools.
A coordinated effort has released over 67,000 fake npm packages since early 2024, aimed at flooding the registry rather than stealing data. The malicious packages use JavaScript scripts that require manual execution to propagate, creating a self-replicating network that burdens the platform. Researchers link this activity to a monetization scheme involving TEA tokens.
The Kimwolf botnet has infected over 2 million devices by exploiting vulnerabilities in residential proxy networks. It spreads through compromised Android TV boxes and digital photo frames, allowing attackers to relay malicious traffic and launch DDoS attacks. Security experts warn that the risk from unsecured proxy networks is escalating.
Attackers are using a new method called "Browser-in-the-Browser" to create convincing fake login windows that steal usernames and passwords. These pop-ups look legitimate and can trick users, but employing a password manager and being cautious with links can help protect your accounts.
Attackers exploited vulnerabilities in SolarWinds Web Help Desk to steal high-privilege credentials from various organizations. Microsoft is investigating which specific flaws were used, as multiple recent and old CVEs are in play. Security teams are advised to apply patches and monitor for unauthorized remote management tools.
A security audit of ClawHub found 341 malicious skills, primarily linked to a single campaign called ClawHavoc. These skills disguise themselves as legitimate tools but deliver trojans capable of stealing sensitive information from users. The attack leverages common installation practices to bypass security measures.
This article discusses methods for evading Endpoint Detection and Response (EDR) systems using LLVM's obfuscation techniques. It explores both traditional post-compilation evasion strategies and a newer compile-time obfuscation approach that complicates reverse engineering. The piece highlights the current challenges in effective evasion despite these advancements.
Researchers found that open source packages on npm and PyPI were infected with malware that stole wallet credentials from dYdX developers and users. The malicious code captured seed phrases and device fingerprints, leading to potential irreversible theft of cryptocurrency. The attack affected multiple versions of the compromised packages.
OpenClaw, a popular AI agent, has been linked to security issues due to malware found in numerous user-created add-ons on its ClawHub marketplace. Security researchers identified hundreds of malicious skills that trick users into downloading harmful software that can steal sensitive information. The platform's creator is implementing measures to mitigate these risks, but vulnerabilities remain.
MacPersistenceChecker is a macOS app that identifies all items set to run automatically on your system. It helps detect malware and unwanted software by scoring each persistence mechanism based on risk factors. Users can analyze and decide what to keep or remove.
DumpBrowserSecrets is a tool that extracts sensitive data from various web browsers, including Chrome, Firefox, and Edge. It retrieves information like cookies, credentials, and browsing history using a combination of executable and DLL components. The tool can handle both Chromium-based and non-Chromium browsers for data extraction and decryption.
The SmartTube YouTube client for Android TV was hacked after the developer's signing keys were compromised, allowing malware to be injected into the app. Users are advised to avoid recent versions and check for unauthorized access to their Google Accounts. The developer plans to release a safe update soon.
The Eclipse Foundation revoked some access tokens from its Open VSX project after a report revealed they were exposed in public repositories. This vulnerability could have allowed attackers to manipulate or distribute malicious extensions. New token prefixes and stricter security measures are being implemented to prevent future incidents.
This article discusses a security flaw in popular AI IDEs like Cursor and Windsurf, which recommended non-existent extensions from Microsoft’s marketplace. The authors proactively claimed vulnerable namespaces on OpenVSX to prevent malicious uploads, securing the environment for developers.
NoMoreStealer is a kernel-mode minifilter driver for Windows that monitors file system access to prevent untrusted processes from reaching protected paths. It uses allowlists for process trust and communicates with a Wails frontend for real-time notifications. The project is a demo with several limitations and should be used for educational purposes only.
The Glassworm malware campaign has resurfaced with 24 new malicious packages on OpenVSX and the Microsoft Visual Studio Marketplace. This malware uses hidden code to steal developer credentials and cryptocurrency data while providing remote access to attackers. Despite prior containment efforts, it continues to evade detection and reappear on these platforms.
The article details a supply chain attack on Notepad++, where attackers compromised the update infrastructure between June and September 2025. It outlines various infection chains, unique payloads, and the methods used to gather system information and install malicious software. Kaspersky's solutions successfully blocked these attacks as they unfolded.
Researchers found a sophisticated malware framework called VoidLink that targets Linux machines, particularly in cloud environments. It has over 30 customizable modules for reconnaissance, privilege escalation, and stealth, indicating a shift towards targeting Linux systems by professional threat actors.
Ukrainian Defense Forces were attacked by a charity-themed malware campaign delivering backdoor malware called PluggyApe, likely linked to the Russian threat groups Void Blizzard and Laundry Bear. The campaign used deceptive messages to lure victims into downloading malicious files disguised as documents. CERT-UA warns that mobile devices are increasingly targeted due to their weaker security.
Two harmful extensions on the Visual Studio Code Marketplace, Bitcoin Black and Codo AI, steal sensitive information from developers' machines. They can capture screenshots, credentials, and hijack browser sessions, and were published under the name 'BigBlack.' Microsoft has since removed both extensions from the marketplace.
Microsoft has addressed multiple zero-day vulnerabilities in Windows and Office that hackers are actively exploiting. These flaws allow attackers to execute malware with minimal user interaction, primarily through malicious links and files. Security experts warn of a high risk of system compromise and ransomware deployment.
On November 24, 2025, over 1,000 NPM packages were compromised using a fake Bun runtime, leading to the infection of more than 27,000 GitHub repositories. The malicious code steals sensitive information and exfiltrates it via a GitHub Action runner. This incident appears to be linked to a previous attack identified as "Shai-Hulud."
This article reviews new macOS malware discovered in 2025, detailing infection methods, persistence techniques, and the functionality of each specimen. The focus is primarily on information stealers, highlighting their rise in prevalence and the tactics used to distribute them. It also provides links to malware samples for analysis.
This article details how ten malicious npm packages use typosquatting techniques to execute credential harvesting malware on developers' systems. It describes the multi-stage process, including automatic execution, IP tracking, and extensive data extraction methods targeting various operating systems.
Nikkei reported a data breach affecting over 17,000 employees and partners after malware compromised its Slack platform. The stolen information includes names, email addresses, and chat histories, but the company asserts that sensitive journalistic data remains secure.
The Herodotus malware family targets Android devices by using random delays to imitate human typing, making it harder for security software to detect. Currently distributed through SMS phishing, it can bypass Accessibility permissions and interact with the user interface to steal sensitive information. Experts warn Android users to be cautious about app permissions and avoid downloading apps from untrusted sources.
A Reddit user reported that xubuntu.org may be compromised, as torrent downloads are serving a suspicious zip file containing an executable. The file's TOS states a copyright date of 2026, raising further concerns since it's currently 2025. Users are advised to avoid downloading from the site until the issue is resolved.
A new variant of the ClickFix attack uses a malicious Chrome extension that pretends to be an ad blocker. It tricks users into executing harmful commands that install the ModeloRAT malware, primarily targeting corporate environments.
Research reveals over 4,500 Clawdbot/Moltbot instances are publicly exposed, allowing attackers to extract sensitive data like API keys and WhatsApp session credentials. The vulnerabilities stem from insecure design, misconfigured dashboards, and excessive permissions. Immediate action is recommended for users to mitigate risks.
Amazon's threat intelligence teams discovered an advanced threat actor using zero-day vulnerabilities in Cisco and Citrix systems. The actor deployed custom malware to gain unauthorized access, highlighting the risks to critical identity and network access control infrastructures.
A state-sponsored group, Lotus Blossom, compromised Notepad++'s hosting infrastructure, allowing them to serve malicious updates to targeted users in Southeast Asia. The attack leveraged DLL sideloading and Lua script injections to deliver malware, affecting various sectors globally.
eScan confirmed a breach of its update server that allowed malicious updates to be distributed to some customers on January 20, 2026. The incident involved unauthorized access leading to the deployment of malware, which has since been contained and remediated. eScan disputes claims made by Morphisec about the discovery of the breach.
The lotusbail npm package masquerades as a legitimate WhatsApp API library but contains sophisticated malware that steals user credentials, messages, and contacts. It captures data by intercepting communications and uses custom encryption to evade detection. Even after uninstalling the package, attackers retain access to compromised accounts.
WhatsApp has integrated Rust to improve security in its media handling, protecting users from potential malware threats. This upgrade follows lessons learned from past vulnerabilities, enabling faster and safer media sharing across billions of devices.
AI-driven IDEs like Cursor and Google Antigravity recommend extensions that may not exist in the OpenVSX registry. This gap allows malicious actors to claim unregistered namespaces and potentially distribute malware. Researchers have reported the issue and taken steps to prevent exploitation.
VoidLink is a sophisticated malware framework targeting Linux systems, designed for stealthy, long-term access in cloud environments. It features a flexible architecture with over 30 plugins, capable of adapting its behavior based on the detected environment and employing various evasion techniques. The framework is linked to Chinese-affiliated developers and shows signs of rapid evolution.
This article details TangleCrypt, a new Windows malware packer linked to a ransomware attack. It discusses its methods for hiding payloads and the flaws in its implementation that may lead to crashes. Key features include its use of multiple encoding layers and basic anti-analysis techniques.
Google patched 107 vulnerabilities in Android, including two high-severity flaws currently being exploited. Users should check their Android version and update to at least the 2025-12-05 patch level to ensure these issues are resolved. It's important to only install apps from trusted sources and keep devices up to date for security.
A new report from Zimperium reveals a rise in NFC relay malware targeting Android users' tap-to-pay systems. Over 760 malicious apps have been found that impersonate legitimate banking applications to steal payment data and facilitate fraud. Users are advised to download apps only from the Google Play Store and stay vigilant against unknown payment requests.
This article explains the need to monitor and control outbound traffic to protect against internal threats like malware and phishing. It highlights how malicious software can communicate externally and the compliance requirements related to outbound traffic restrictions. It also discusses the challenges businesses face in implementing these restrictions and suggests advanced security solutions.
GlassWorm malware has reappeared in Visual Studio Code extensions just weeks after being declared eradicated. The worm uses invisible Unicode characters to hide its code and is now also infecting GitHub repositories, posing risks to developers and critical infrastructure worldwide.
Researchers found a phishing campaign using Phorpiex malware to spread Global Group ransomware. The attack employs deceptive file names to trick users into downloading a Windows shortcut that encrypts files offline, making recovery nearly impossible. It also erases backup files to cover its tracks.
This article outlines five key security features expected to dominate in 2026, including supply chain malware detection and AI-based vulnerability management. It also highlights three important capabilities that should be prioritized, such as advanced application detection and real-time AI threat modeling.
Researchers have uncovered two new Android malware families, FvncBot and SeedSnatcher. FvncBot targets banking users in Poland, using advanced techniques for data theft, while SeedSnatcher aims to steal cryptocurrency wallet seed phrases and intercept SMS for two-factor authentication.
A long-running campaign by a group called ShadyPanda has infected 4.3 million users of Chrome and Edge with spyware hidden in legitimate-looking browser extensions. Some of these extensions, still available on the Edge store, allow attackers to track user behavior and steal sensitive data. Researchers warn that the infrastructure for attacks remains active even after the extensions have been removed.
The article explains how attackers can turn self-hosted GitHub Actions runners into backdoors, allowing persistent access to compromised systems. It details the Shai-Hulud worm as a case study, highlighting its methods for exploiting GitHub's infrastructure and the security risks involved.
Researchers found that Sicarii ransomware has a decryption flaw, rendering victims' data unrecoverable even if they pay the ransom. The malware generates a new RSA key for each attack, discarding the private key, leaving no viable recovery option. Caution is advised for organizations considering ransom payments.
The article discusses the vulnerabilities associated with TCC (Transparency, Consent, and Control) on macOS, which regulates app access to sensitive user data. It highlights the misconceptions among developers regarding TCC's importance in protecting user privacy and outlines various scenarios where malware could exploit TCC bypasses.
Malicious packages on the Python Package Index (PyPI) have been identified that deliver the SilentSync remote access Trojan (RAT) to unsuspecting users. These packages exploit the trust developers place in PyPI for downloading dependencies, highlighting the need for vigilance and security measures in the Python ecosystem.
Threat actors are using a Japanese Unicode character to create deceptive phishing links that mimic legitimate Booking.com URLs, tricking users into visiting malicious sites. This technique exploits visual similarities in characters, making it difficult for users to discern the real domain. Security measures are suggested to help users identify and avoid such phishing attempts.
Santa is a macOS binary and file access authorization system designed to monitor execution and file access, allowing users to manage binary permissions through a local database and various configuration options. It operates in MONITOR or LOCKDOWN modes, supports code signing and path-based rules, and can synchronize settings with remote servers. Santa aims to enhance security by preventing malware execution while integrating into existing defense strategies.
A new rootkit leveraging the io_uring interface has been discovered, capable of bypassing traditional Linux security measures. This malicious software operates at a low level, allowing it to evade detection and maintain persistence on infected systems, raising significant concerns for system administrators and security professionals.
Hundreds of e-commerce sites have been compromised in a supply-chain attack that allowed malware to execute malicious code in visitors' browsers, potentially stealing sensitive payment information. The attack involved at least three software providers and may have affected up to 1,000 sites, with the malware remaining dormant for six years before activation. Security firm Sansec reported limited global remediation efforts for the affected customers, including a major multinational company.
Malicious npm packages are utilizing the Ethereum blockchain to facilitate malware delivery, raising concerns about the security of the JavaScript package ecosystem. These packages exploit vulnerabilities to deliver harmful code, leveraging blockchain technologies to obfuscate their operations and evade detection. Developers are urged to exercise caution and implement protective measures against such threats.
A developer almost fell victim to a sophisticated scam disguised as a job interview with a legitimate-looking blockchain company. By using AI to analyze the code before running it, he discovered embedded malware designed to steal sensitive information, highlighting the need for caution in tech interviews.
Microsoft has identified a new malware, Lumma, which has been found on approximately 394,000 Windows PCs. The Lumma password stealer is designed to capture sensitive login information, raising significant security concerns for users. Microsoft is urging users to take precautions to protect their devices from this threat.
A malicious update in the npm package postmark-mcp introduced a backdoor that silently exfiltrates emails from users to an external server, highlighting severe vulnerabilities in the trust model of MCP servers used by AI assistants. With over 1,500 weekly downloads, developers unknowingly handed over complete email control to a compromised tool, raising alarms about the security of tools integrated into enterprise workflows. Immediate action is required to remove the malicious package and audit other MCP servers for similar risks.
A set of ten malicious VSCode extensions on the Microsoft Visual Studio Code Marketplace has been found to infect users with the XMRig cryptominer for Monero. These extensions masquerade as legitimate tools and execute a PowerShell script to install the malware while also disabling critical Windows security features. Microsoft has since removed the extensions and blocked the publisher from the marketplace.
Hackers are leveraging Google.com to distribute malware that evades traditional antivirus software, raising significant security concerns. Users are advised to employ various protective measures to safeguard their systems against these threats.
A vulnerability has been discovered in Canon printer drivers that allows hackers to execute malicious code on affected systems. Users are advised to update their drivers to mitigate potential security risks associated with this flaw. The issue highlights the importance of maintaining up-to-date software for safeguarding devices against cyber threats.
A threat actor known as WhiteCobra has infiltrated the Visual Studio marketplace and Open VSX registry with 24 malicious extensions designed to steal cryptocurrency. The group uses deceptive tactics to make these extensions appear legitimate, leading to significant financial losses, including a recent incident involving a core Ethereum developer. Researchers emphasize the need for improved verification processes to protect users from such sophisticated attacks.
A recent supply chain attack has compromised several npm packages, allowing the distribution of backdoor malware. This incident highlights vulnerabilities in the software supply chain, emphasizing the need for enhanced security measures in package management systems.
A new malware strain has emerged that targets WordPress sites by mimicking Cloudflare's checkout pages, potentially deceiving users into entering sensitive information. This malware exploits vulnerabilities in e-commerce platforms, posing a significant risk to both site owners and customers. Website administrators are urged to enhance their security measures to prevent such attacks.
Memory Integrity Enforcement (MIE) is Apple's latest advancement in memory safety, utilizing a combination of secure memory allocators and the Enhanced Memory Tagging Extension (EMTE) to provide continuous, robust protection against memory corruption vulnerabilities. By integrating hardware and software security measures, MIE aims to safeguard devices while maintaining performance, marking a significant evolution in consumer operating system security.
AgentHopper, an AI virus concept, was developed to exploit multiple coding agents through prompt injection vulnerabilities. This research highlights the ease of creating such malware and emphasizes the need for improved security measures in AI products to prevent potential exploits. The post also provides insights into the propagation mechanism of AgentHopper and offers mitigations for developers.
The latest version of the 'Crocodilus' Android malware now includes a feature that adds fake contacts to infected devices, allowing attackers to spoof trusted callers and enhance their social engineering tactics. Initially identified in Turkey, the malware has expanded its reach globally and incorporates advanced evasion techniques to avoid detection while stealing sensitive data. Android users are advised to exercise caution and download only from trusted sources to mitigate risks.
A Python proof-of-concept script allows users to dump sensitive files such as SAM, SYSTEM, and NTDS.dit from a physical disk without triggering security alerts by bypassing standard Windows file APIs. It operates by directly reading NTFS filesystem structures, obfuscating the output with XOR encryption to avoid detection by EDR/AV systems. This tool is intended for educational purposes only and should be used in a controlled test environment.
Sketchy is a cross-platform security scanner designed to identify potential risks in GitHub repositories, packages, or scripts before installation. It highlights various security concerns, including code execution patterns and credential theft, helping users avoid malicious software. The tool is open-source and encourages users to audit its code and report any malware findings.
A report has revealed that 40 npm packages have been compromised as part of a supply chain attack, exposing vulnerabilities that could potentially affect thousands of projects. The malicious packages were designed to steal sensitive data and create backdoors for attackers, highlighting the ongoing risks in open-source software ecosystems. Developers are urged to review their dependencies and ensure they are not using affected packages.
A browser hijacking campaign has infected 2.3 million users of Chrome and Edge through malicious extensions that started as legitimate tools. These extensions, which include features like color pickers and emoji keyboards, were later updated to include malware that tracks user activity and redirects browser sessions. Microsoft has removed the extensions from its store, but Google has not yet responded to the incident.
A security warning has been issued regarding a major printer vendor's software that was found to contain malware, potentially compromising user data and system integrity. Users are advised to uninstall the affected software immediately and check for any unusual activity on their devices.
Two malicious Rust packages, faster_log and async_println, were downloaded nearly 8,500 times from Crates.io and designed to steal cryptocurrency private keys by scanning developers' systems for sensitive information. Discovered by security researchers at Socket, the packages were removed and their publishers banned, urging affected developers to clean their systems and secure their digital assets.
A malicious post-install command executed during the installation of the nx build kit created unauthorized GitHub repositories in users' accounts, stealing sensitive information like wallets and API keys. Organizations are urged to review their GitHub activity and rotate credentials to mitigate exposure, while ongoing investigations continue into the incident.
A new Linux malware called "Plague" has been discovered, allowing attackers persistent SSH access while evading traditional detection methods for over a year. It employs advanced obfuscation techniques and environment tampering to eliminate traces of malicious activity, making it particularly difficult to identify and analyze. Researchers emphasize its sophisticated nature and the ongoing threat it poses to Linux systems.
A recent NPM supply chain attack involving a self-propagating worm called Shai-Hulud has highlighted the vulnerability of package registries like NPM. Sysdig's Threat Intelligence Feed offers real-time insights into these threats, enabling organizations to quickly assess their exposure and respond effectively. By monitoring malicious NPM packages, Sysdig aids security teams in identifying risks and taking action promptly.
The article explores techniques for making virtual machines mimic real hardware to deceive malware. By presenting a more authentic environment, it aims to hinder malware's ability to detect its surroundings and improve security measures against malicious software.
The article discusses the evolution of the Pipemagic malware, detailing its development, functionality, and impact on affected systems. It highlights the increasing sophistication of the malware and its methods of operation, emphasizing the need for enhanced security measures to combat such threats.
Call stacks enhance malware detection by providing detailed insights into who is executing specific activities on Windows systems. By utilizing execution tracing features and enriching call stack data, Elastic's approach improves the ability to identify and respond to malicious behavior more effectively. The article emphasizes the importance of accurately analyzing call stacks to expose the lies malware authors use to conceal their actions.
A new Android banking Trojan named Anatsa has been discovered, targeting users by mimicking legitimate banking applications. It employs advanced techniques to steal sensitive information and bypass security measures, posing a significant threat to users’ financial security. The malware is spread through malicious apps and phishing campaigns, highlighting the need for increased vigilance among mobile users.
Researchers discovered 60 malicious packages on NPM designed to collect sensitive host and network information, sending it to a Discord webhook. These packages, which were uploaded under misleading names, posed a significant risk for targeted network attacks, and although reported, some remained available for download at the time of writing. Additionally, another campaign involved eight typosquatting packages capable of deleting files and corrupting data, which had been present on NPM for two years.
A fake "My Vodafone" app was distributed to targets via SMS, claiming to restore mobile data connectivity after an attacker disabled their connection. The app, signed with an enterprise certificate, contains multiple privilege escalation exploits, including an unusual sixth exploit related to the iPhone's Display Co-Processor (DCP), which raises concerns about the security implications of compromising such co-processors in modern devices.
FreeVPN.One, initially a trusted VPN, has been caught secretly capturing users' screens and sensitive information without consent through a series of updates that expanded its permissions and functionality. Despite claiming to protect user privacy, the extension employs deceptive practices to surveil users, raising serious concerns about security in browser marketplaces. The article highlights the risks associated with malicious extensions and the need for better oversight in software security.
Researchers from Safety have discovered infostealer malware targeting Russian cryptocurrency developers through npm packages designed to appear legitimate. These malicious packages, which aim to extract sensitive information such as cryptocurrency credentials, are linked to servers in the USA, raising suspicions of state-sponsored activity against Russia's ransomware operators. Developers in the Solana ecosystem are advised to secure their software supply chains to mitigate these threats.
The repository chronicles the author's development of a stealthy in-memory loader aimed at understanding malware evasion techniques and enhancing skills in offensive security and low-level programming. The project consists of multiple sub-projects, focusing on tasks such as memory allocation, downloading payloads to memory, and executing machine code directly from memory, with future plans to incorporate encryption and advanced evasion techniques. It serves as an educational resource for penetration testers and security researchers, emphasizing ethical usage.