Santa is a macOS binary and file access authorization system designed to monitor execution and file access, allowing users to manage binary permissions through a local database and various configuration options. It operates in MONITOR or LOCKDOWN modes, supports code signing and path-based rules, and can synchronize settings with remote servers. Santa aims to enhance security by preventing malware execution while integrating into existing defense strategies.

Threat actors are using a Japanese Unicode character to create deceptive phishing links that mimic legitimate Booking.com URLs, tricking users into visiting malicious sites. This technique exploits visual similarities in characters, making it difficult for users to discern the real domain. Security measures are suggested to help users identify and avoid such phishing attempts.

Malicious packages on the Python Package Index (PyPI) have been identified that deliver the SilentSync remote access Trojan (RAT) to unsuspecting users. These packages exploit the trust developers place in PyPI for downloading dependencies, highlighting the need for vigilance and security measures in the Python ecosystem.

The article discusses the vulnerabilities associated with TCC (Transparency, Consent, and Control) on macOS, which regulates app access to sensitive user data. It highlights the misconceptions among developers regarding TCC's importance in protecting user privacy and outlines various scenarios where malware could exploit TCC bypasses.

A developer almost fell victim to a sophisticated scam disguised as a job interview with a legitimate-looking blockchain company. By using AI to analyze the code before running it, he discovered embedded malware designed to steal sensitive information, highlighting the need for caution in tech interviews.

Malicious npm packages are utilizing the Ethereum blockchain to facilitate malware delivery, raising concerns about the security of the JavaScript package ecosystem. These packages exploit vulnerabilities to deliver harmful code, leveraging blockchain technologies to obfuscate their operations and evade detection. Developers are urged to exercise caution and implement protective measures against such threats.

Hundreds of e-commerce sites have been compromised in a supply-chain attack that allowed malware to execute malicious code in visitors' browsers, potentially stealing sensitive payment information. The attack involved at least three software providers and may have affected up to 1,000 sites, with the malware remaining dormant for six years before activation. Security firm Sansec reported limited global remediation efforts for the affected customers, including a major multinational company.

A new rootkit leveraging the io_uring interface has been discovered, capable of bypassing traditional Linux security measures. This malicious software operates at a low level, allowing it to evade detection and maintain persistence on infected systems, raising significant concerns for system administrators and security professionals.

A threat actor known as WhiteCobra has infiltrated the Visual Studio marketplace and Open VSX registry with 24 malicious extensions designed to steal cryptocurrency. The group uses deceptive tactics to make these extensions appear legitimate, leading to significant financial losses, including a recent incident involving a core Ethereum developer. Researchers emphasize the need for improved verification processes to protect users from such sophisticated attacks.

Microsoft has identified a new malware, Lumma, which has been found on approximately 394,000 Windows PCs. The Lumma password stealer is designed to capture sensitive login information, raising significant security concerns for users. Microsoft is urging users to take precautions to protect their devices from this threat.

A malicious update in the npm package postmark-mcp introduced a backdoor that silently exfiltrates emails from users to an external server, highlighting severe vulnerabilities in the trust model of MCP servers used by AI assistants. With over 1,500 weekly downloads, developers unknowingly handed over complete email control to a compromised tool, raising alarms about the security of tools integrated into enterprise workflows. Immediate action is required to remove the malicious package and audit other MCP servers for similar risks.

A set of ten malicious VSCode extensions on the Microsoft Visual Studio Code Marketplace has been found to infect users with the XMRig cryptominer for Monero. These extensions masquerade as legitimate tools and execute a PowerShell script to install the malware while also disabling critical Windows security features. Microsoft has since removed the extensions and blocked the publisher from the marketplace.

Hackers are leveraging Google.com to distribute malware that evades traditional antivirus software, raising significant security concerns. Users are advised to employ various protective measures to safeguard their systems against these threats.

A vulnerability has been discovered in Canon printer drivers that allows hackers to execute malicious code on affected systems. Users are advised to update their drivers to mitigate potential security risks associated with this flaw. The issue highlights the importance of maintaining up-to-date software for safeguarding devices against cyber threats.

A Python proof-of-concept script allows users to dump sensitive files such as SAM, SYSTEM, and NTDS.dit from a physical disk without triggering security alerts by bypassing standard Windows file APIs. It operates by directly reading NTFS filesystem structures, obfuscating the output with XOR encryption to avoid detection by EDR/AV systems. This tool is intended for educational purposes only and should be used in a controlled test environment.

A recent supply chain attack has compromised several npm packages, allowing the distribution of backdoor malware. This incident highlights vulnerabilities in the software supply chain, emphasizing the need for enhanced security measures in package management systems.

A new malware strain has emerged that targets WordPress sites by mimicking Cloudflare's checkout pages, potentially deceiving users into entering sensitive information. This malware exploits vulnerabilities in e-commerce platforms, posing a significant risk to both site owners and customers. Website administrators are urged to enhance their security measures to prevent such attacks.

Memory Integrity Enforcement (MIE) is Apple's latest advancement in memory safety, utilizing a combination of secure memory allocators and the Enhanced Memory Tagging Extension (EMTE) to provide continuous, robust protection against memory corruption vulnerabilities. By integrating hardware and software security measures, MIE aims to safeguard devices while maintaining performance, marking a significant evolution in consumer operating system security.

AgentHopper, an AI virus concept, was developed to exploit multiple coding agents through prompt injection vulnerabilities. This research highlights the ease of creating such malware and emphasizes the need for improved security measures in AI products to prevent potential exploits. The post also provides insights into the propagation mechanism of AgentHopper and offers mitigations for developers.

The latest version of the 'Crocodilus' Android malware now includes a feature that adds fake contacts to infected devices, allowing attackers to spoof trusted callers and enhance their social engineering tactics. Initially identified in Turkey, the malware has expanded its reach globally and incorporates advanced evasion techniques to avoid detection while stealing sensitive data. Android users are advised to exercise caution and download only from trusted sources to mitigate risks.

Sketchy is a cross-platform security scanner designed to identify potential risks in GitHub repositories, packages, or scripts before installation. It highlights various security concerns, including code execution patterns and credential theft, helping users avoid malicious software. The tool is open-source and encourages users to audit its code and report any malware findings.

A browser hijacking campaign has infected 2.3 million users of Chrome and Edge through malicious extensions that started as legitimate tools. These extensions, which include features like color pickers and emoji keyboards, were later updated to include malware that tracks user activity and redirects browser sessions. Microsoft has removed the extensions from its store, but Google has not yet responded to the incident.

A report has revealed that 40 npm packages have been compromised as part of a supply chain attack, exposing vulnerabilities that could potentially affect thousands of projects. The malicious packages were designed to steal sensitive data and create backdoors for attackers, highlighting the ongoing risks in open-source software ecosystems. Developers are urged to review their dependencies and ensure they are not using affected packages.

A recent NPM supply chain attack involving a self-propagating worm called Shai-Hulud has highlighted the vulnerability of package registries like NPM. Sysdig's Threat Intelligence Feed offers real-time insights into these threats, enabling organizations to quickly assess their exposure and respond effectively. By monitoring malicious NPM packages, Sysdig aids security teams in identifying risks and taking action promptly.

A new Linux malware called "Plague" has been discovered, allowing attackers persistent SSH access while evading traditional detection methods for over a year. It employs advanced obfuscation techniques and environment tampering to eliminate traces of malicious activity, making it particularly difficult to identify and analyze. Researchers emphasize its sophisticated nature and the ongoing threat it poses to Linux systems.

A malicious post-install command executed during the installation of the nx build kit created unauthorized GitHub repositories in users' accounts, stealing sensitive information like wallets and API keys. Organizations are urged to review their GitHub activity and rotate credentials to mitigate exposure, while ongoing investigations continue into the incident.

Two malicious Rust packages, faster_log and async_println, were downloaded nearly 8,500 times from Crates.io and designed to steal cryptocurrency private keys by scanning developers' systems for sensitive information. Discovered by security researchers at Socket, the packages were removed and their publishers banned, urging affected developers to clean their systems and secure their digital assets.

A security warning has been issued regarding a major printer vendor's software that was found to contain malware, potentially compromising user data and system integrity. Users are advised to uninstall the affected software immediately and check for any unusual activity on their devices.

The article explores techniques for making virtual machines mimic real hardware to deceive malware. By presenting a more authentic environment, it aims to hinder malware's ability to detect its surroundings and improve security measures against malicious software.

Researchers discovered 60 malicious packages on NPM designed to collect sensitive host and network information, sending it to a Discord webhook. These packages, which were uploaded under misleading names, posed a significant risk for targeted network attacks, and although reported, some remained available for download at the time of writing. Additionally, another campaign involved eight typosquatting packages capable of deleting files and corrupting data, which had been present on NPM for two years.

FreeVPN.One, initially a trusted VPN, has been caught secretly capturing users' screens and sensitive information without consent through a series of updates that expanded its permissions and functionality. Despite claiming to protect user privacy, the extension employs deceptive practices to surveil users, raising serious concerns about security in browser marketplaces. The article highlights the risks associated with malicious extensions and the need for better oversight in software security.

A fake "My Vodafone" app was distributed to targets via SMS, claiming to restore mobile data connectivity after an attacker disabled their connection. The app, signed with an enterprise certificate, contains multiple privilege escalation exploits, including an unusual sixth exploit related to the iPhone's Display Co-Processor (DCP), which raises concerns about the security implications of compromising such co-processors in modern devices.

A new Android banking Trojan named Anatsa has been discovered, targeting users by mimicking legitimate banking applications. It employs advanced techniques to steal sensitive information and bypass security measures, posing a significant threat to users’ financial security. The malware is spread through malicious apps and phishing campaigns, highlighting the need for increased vigilance among mobile users.

Call stacks enhance malware detection by providing detailed insights into who is executing specific activities on Windows systems. By utilizing execution tracing features and enriching call stack data, Elastic's approach improves the ability to identify and respond to malicious behavior more effectively. The article emphasizes the importance of accurately analyzing call stacks to expose the lies malware authors use to conceal their actions.

The article discusses the evolution of the Pipemagic malware, detailing its development, functionality, and impact on affected systems. It highlights the increasing sophistication of the malware and its methods of operation, emphasizing the need for enhanced security measures to combat such threats.

Microsoft Teams will implement automatic warnings for private messages containing links flagged as malicious, including spam, phishing, and malware. This feature, available for Microsoft Defender for Office 365 and Teams enterprise customers, is set to begin public preview in September 2025 and become generally available by November 2025. Admins can enable or manage these warnings through the Teams Admin Center.

The repository chronicles the author's development of a stealthy in-memory loader aimed at understanding malware evasion techniques and enhancing skills in offensive security and low-level programming. The project consists of multiple sub-projects, focusing on tasks such as memory allocation, downloading payloads to memory, and executing machine code directly from memory, with future plans to incorporate encryption and advanced evasion techniques. It serves as an educational resource for penetration testers and security researchers, emphasizing ethical usage.

Researchers from Safety have discovered infostealer malware targeting Russian cryptocurrency developers through npm packages designed to appear legitimate. These malicious packages, which aim to extract sensitive information such as cryptocurrency credentials, are linked to servers in the USA, raising suspicions of state-sponsored activity against Russia's ransomware operators. Developers in the Solana ecosystem are advised to secure their software supply chains to mitigate these threats.

Two novel techniques for shutting down cryptominer botnets are explored, leveraging the vulnerabilities in common mining topologies. By exploiting stratum communications, one approach can effectively ban mining proxies, resulting in a drastic reduction of their operational hashrate and revenue. The article also introduces a tool named XMRogue that aids in executing these strategies against malicious mining operations.

Elastic Security Labs reports on the misuse of SHELLTER, a commercial evasion framework, by threat groups for infostealer campaigns since April 2025. The framework's advanced capabilities allow malicious actors to evade detection by anti-malware solutions, prompting the release of a dynamic unpacker by Elastic Security Labs to analyze SHELLTER-protected binaries. Key features include polymorphic obfuscation, payload encryption, and mechanisms to bypass detection systems.

The article discusses a malware issue affecting GitHub users on macOS, highlighting how this malware can compromise systems and steal sensitive information. It emphasizes the importance of maintaining security practices and being aware of potential threats when using software development tools.

Security researchers discovered that a weak password used by Paradox.ai allowed access to sensitive personal information of millions of job applicants for McDonald's, exposing 64 million records. Additionally, a malware infection on a Paradox developer's device compromised various internal and third-party credentials, raising concerns about the company's security practices despite previous audits.

A critical security alert was issued regarding 18 widely-used npm packages that were compromised to include malicious code, which secretly intercepted crypto and web3 activities in users' browsers. The affected packages, including popular ones like "chalk" and "debug," collectively accounted for over 2 billion downloads weekly. Users are advised to utilize Aikido's safe-chain to avoid such vulnerabilities.

The article discusses the techniques of Dll Sideloading and Direct Syscalls as methods to evade antivirus and EDR solutions. It explains how Dll Sideloading exploits vulnerabilities in legitimate applications to load malicious DLLs while suggesting strategies to select the right executables that minimize detection risks. A notable example provided is Oleview.exe, which is signed by Microsoft and not commonly installed on Windows systems.

The article discusses outdated and misapplied techniques in malware development (MalDev), emphasizing the need to adapt to modern security measures like automated detection systems. It provides insights on various aspects of malware creation, including data storage in executables, encryption methods, process injection, and the limitations of conventional evasion techniques against security products. The author advocates for a deeper understanding of security software to identify effective blind spots for malware deployment.

The article discusses a Linux-based cryptominer that has been discovered, detailing its operation and potential impact on system performance and security. It also highlights the methods used by the malware to hide its presence and evade detection. Users are advised to take necessary precautions to protect their systems from such threats.

A significant vulnerability in ESET software has been discovered, which could be exploited by attackers to deploy malware, specifically linked to the ToddyCat APT group. This flaw poses a heightened risk to users of ESET’s security products, emphasizing the need for immediate updates to mitigate potential threats.

A new attack known as "pixnapping" has emerged, targeting Android devices by using pixel-stealing techniques to access sensitive information. This method allows attackers to manipulate the display output, potentially compromising user data without their knowledge. Users are advised to remain vigilant and update their security measures to protect against this threat.

The Python Software Foundation has issued a warning about new phishing attacks targeting PyPI users, urging them to reset their credentials after receiving fake emails from a fraudulent site. Victims are being misled into verifying their email for account maintenance, which could lead to credential theft and subsequent malware attacks on published packages. Users are advised to change passwords immediately and implement stronger security measures like two-factor authentication.

Discord users are at risk from a new phishing attack involving invite link hijacking, which leads to the installation of malware on victims' devices. The attack exploits the trust users place in Discord links, making it crucial for users to verify the authenticity of links before clicking. Security experts recommend staying vigilant and using protective measures to avoid falling victim to such scams.

Multiple DuckDB-related npm packages were compromised, including duckdb and its associated modules, which contained malicious code aimed at draining crypto wallets. The attack mirrors previous incidents of phishing in the npm ecosystem, leading to the vendor marking the latest release as deprecated and issuing an advisory on GitHub.

A researcher discovered 57 Chrome extensions, used by 6 million users, that contain risky capabilities such as monitoring browsing behavior and accessing sensitive cookies. While some have been removed from the Chrome Web Store, others remain, and users are advised to uninstall them and reset their passwords as a precaution.

A new spear-phishing campaign, dubbed "Venom Spider," is targeting hiring managers and recruiters by masquerading as job seekers. The attackers exploit the necessity for HR staff to open email attachments, delivering a backdoor malware known as "More_eggs" to compromise systems and gather sensitive information.

Cybercriminals are increasingly exploiting the Lovable AI website builder to create phishing pages and fraudulent sites that impersonate well-known brands. Despite Lovable's efforts to detect and eliminate malicious content, the rising number of AI site generators is lowering the barriers for cybercrime. Recent campaigns have targeted organizations and individuals through sophisticated phishing schemes, resulting in significant data theft and malware distribution.

RIFT (Rust Interactive Function Tool) is a suite designed to aid reverse engineers in analyzing Rust malware, consisting of an IDA plugin static analyzer, a generator for creating signatures, and a diff applier for applying binary diffing results. It is crucial to use RIFT within a secure virtual machine environment to avoid security risks, and the tools are primarily tested on Windows and Linux systems. Community contributions are encouraged to enhance the tool's capabilities.

The npm author Qix was targeted in a significant supply chain attack through a phishing email that spoofed npm branding, tricking the author into compromising their account. Malicious code was introduced into several packages, redirecting cryptocurrency transactions to the attacker's addresses, highlighting the persistent threat of phishing in the open-source ecosystem.

Microsoft will disable all ActiveX controls by default in Microsoft 365 and Office 2024 applications to enhance security and reduce the risk of malware. Users will see a notification when attempting to open documents with ActiveX controls, and while they can enable ActiveX through the Trust Center, Microsoft advises keeping it disabled unless necessary. This decision is part of a broader initiative to strengthen security against vulnerabilities exploited by cybercriminals.

A new malware disguised as a game on Steam, titled "Blockblasters," has been identified as a crypto scam. The malicious software can steal sensitive information from users, raising concerns about security on the platform and the need for better protection against such threats.

BamboozlEDR is an Event Tracing for Windows (ETW) tool designed for generating realistic security events to test EDR detection capabilities and security monitoring solutions. It features a TUI interface, supports multiple Windows ETW providers, and includes advanced features such as event obfuscation to protect against static analysis. The tool is intended for research and testing purposes and requires user interaction to minimize misuse.

Threat actors have exploited SourceForge to distribute fake Microsoft Office add-ins that install malware, including cryptocurrency miners and clipboard hijackers, on victims' computers. Over 4,600 systems, primarily in Russia, have been affected by this campaign, which involved deceptive project pages mimicking legitimate tools. Users are advised to download software only from trusted sources and verify files before execution.

The article explores the concept of developing C2-less malware using large language models (LLMs) for autonomous decision-making and exploitation. It discusses the implications of such technology, particularly through a malware example called "PromptLock," which utilizes LLMs to generate and execute code without human intervention. The author proposes a proof of concept for self-contained malware capable of exploiting misconfigured services on a target system.

Fake cryptocurrency exchange advertisements on Facebook have been spreading malware, posing significant risks to unsuspecting users. These malicious ads are designed to deceive individuals into downloading harmful software, leading to potential data breaches and financial losses. Users are urged to remain vigilant and report suspicious ads to protect themselves from such threats.

A new malware, identified as CL-STA-0969, has been discovered that covertly installs itself on targeted systems, posing a significant threat to users' security and privacy. Researchers warn that this malware is capable of evading detection by traditional antivirus software, making it particularly dangerous. Users are advised to enhance their security measures to protect against this emerging threat.