Tag: breach
-
New Checkmarx supply-chain breach affects KICS analysis tool
Hackers have compromised Docker images, VSCode and Open VSX extensions for the Checkmarx KICS analysis tool to harvest sensitive data from developer environments. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/new-checkmarx-supply-chain-breach-affects-kics-analysis-tool/
-
Vercel says some of its customers’ data was stolen prior to its recent hack
The app and website hosting company has found evidence of a second compromise of customer accounts after expanding its initial investigation following a breach in early April. First seen on techcrunch.com Jump to article: techcrunch.com/2026/04/23/vercel-says-some-of-its-customers-data-was-stolen-prior-to-its-recent-hack/
-
Cosmetics giant Rituals discloses data breach affecting customers
Dutch cosmetics giant Rituals disclosed a data breach after attackers stole the personal information of an undisclosed number of customers from its “My Rituals” membership database. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/cosmetics-giant-rituals-discloses-data-breach-affecting-customers/
-
Hacker with a special interest in breaching sports institutions ends behind bars
French police have arrested a suspected hacker linked to a series of data breaches affecting organizations in the country. Citing authorities, Le Parisien reported that the … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/04/23/france-hacker-arrested-data-breaches-sports-federations/
-
Vercel Confirms Security Breach Affecting Customer Accounts
Vercel has confirmed a security breach involving unauthorised access to certain internal systems, and the company says the incident affected a limited number of customer accounts and stored data. The cloud platform provider disclosed that it is actively investigating the incident with help from outside incident response experts and has also notified law enforcement. According…
-
Telco Privacy Violation? Fine! No, Telco Privacy Violation, Fine. Supreme Court to Determine if FCC Can Charge Telcos for Data Breaches
The intersection of constitutional law and cybersecurity enforcement, specifically the Seventh Amendment right to a jury trial in regulatory data privacy cases. Central Conflict: Whether federal agencies (like the FCC, SEC, or FTC) can administratively impose monetary penalties for data misuse without a jury, or if such actions are “Suits at common law” requiring Article…
-
Some Interrail travellers told to cancel passports as hacked data posted online
Eurail, which sells passes, says data being ‘offered for sale on dark web’ after December breach affecting 300,000 people. Holidaymakers across Europe are facing the stress and expense of getting new passports after their personal data was posted on the dark web following a hack of the Interrail company Eurail. Personal data, including passport numbers, names, phone…
-
Malicious npm Package Hijacks Hugging Face for Malware Delivery
Malicious npm package js-logger-pack is now abusing Hugging Face not just as a malware CDN, but also as a live exfiltration backend for stolen data, turning a popular AI platform into part of a full-featured cross-platform implant chain. Earlier campaign phases already used Hugging Face as a simple hosting point for those binaries, but the latest builds…
-
University of Warsaw Data Breach Exposes 200,000+ Sensitive Files on Darknet
Over 200,000 files containing sensitive personal information from the University of Warsaw have been leaked online. The University of Warsaw cyberattack, which targeted the institution’s digital systems, resulted in the publication of the stolen data on the darknet in mid-April 2026. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/university-of-warsaw-cyberattack/
-
Xinference PyPI Breach Exposes Developers to Cloud Credential Theft
A severe supply chain attack has compromised the popular Python package Xinference, exposing developers to massive data theft. Threat actors uploaded malicious versions of the tool to the Python Package Index (PyPI), embedding a heavily obfuscated infostealer into the code. Xinference has over 600,000 total downloads, making this a significant security event for the software…
-
Malicious pgserve, automagik developer tools found in npm registry
Advice to victimized developers: Developers who have downloaded the malicious versions of pgserve and automagik need to act fast, says Tanya Janca, head of Canadian secure coding consultancy SheHacksPurple. “Rotate every credential you can think of, right now, before you do anything else,” she said. “Then harden your CI/CD network egress controls so your build runners…
-
Smashing Security podcast #464: Rockstar got hacked. The data was junk. The secrets it revealed were not
A company that ran anonymous tip lines for 35,000 American schools – handling reports of bullying, weapons, and self-harm – boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called Internet Yiff Machine thought that sounded like a challenge, with predictable results… First seen on grahamcluley.com Jump…
-
The Invisible Threat: Business Logic Flaws in Modern Applications and Why Scanners Miss Them
In today’s security landscape, some of the most dangerous vulnerabilities aren’t flagged by automated scanners at all. These are the business logic flaws: subtle mistakes in an application’s design or workflow that malicious actors can exploit by doing the unexpected. As a result, companies can be blindsided by breaches even when their vulnerability…
-
You’re Not Watching MCPs. Anthropic’s Vulnerability Shows Why You Should Be.
Last week, researchers at OX Security published findings that should stop every security leader in their tracks. They discovered a critical vulnerability baked directly into Anthropic’s Model Context Protocol SDK, affecting every supported language: Python, TypeScript, Java, and Rust. The result: remote code execution on any system running a vulnerable MCP implementation, with direct access…
-
France confirms data breach at government agency that manages citizens’ IDs
The French government agency that issues and manages national IDs, passports, and other documents announced that hackers stole the personal information of an unspecified number of citizens. First seen on techcrunch.com Jump to article: techcrunch.com/2026/04/22/france-confirms-data-breach-at-government-agency-that-manages-citizens-ids/
-
Fake Google Antigravity Installer Can Steal Accounts in Minutes
Fake Antigravity downloads are enabling fast account takeovers using hidden malware and stolen session cookies. The post Fake Google Antigravity Installer Can Steal Accounts in Minutes appeared first on TechRepublic. First seen on techrepublic.com Jump to article: www.techrepublic.com/article/news-fake-google-antigravity-downloads-steal-accounts-minutes/
-
Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens
Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens. The supply chain worm has been detected by both Socket and StepSecurity, with the companies tracking the activity under the name CanisterSprawl owing to the use of an…
-
Discord-Linked Group Accessed Anthropic’s Claude Mythos AI in Vendor Breach
Anthropic is investigating a vendor breach after a Discord-linked group accessed its Claude Mythos AI model, with no evidence of impact on core systems. First seen on hackread.com Jump to article: hackread.com/discord-access-anthropic-claude-mythos-ai-breach/
-
Cyberattack on French government agency triggers phishing alert
France Titres, a French government agency, has disclosed a data breach that may have exposed user data from its online portal. France Titres, also known as the Agence … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2026/04/22/france-titres-online-portal-data-breach/
-
French police arrest suspected hacker behind dozens of data breaches
French authorities have arrested a suspected hacker believed to be behind dozens of data breaches targeting public institutions, sports federations and private organizations across the country. First seen on therecord.media Jump to article: therecord.media/french-hacker-cyberattacks-arrest
-
Cosmetics giant Rituals confirms data breach of customer membership records
The cosmetics retailer, which counts 41 million customers in its membership data, declined to provide an accurate total number of customers affected. First seen on techcrunch.com Jump to article: techcrunch.com/2026/04/22/cosmetics-giant-rituals-confirms-data-breach-of-customer-membership-records/

