Tag: malicious
-
Why Kubernetes controllers are the perfect backdoor
Tags: access, api, automation, backdoor, compliance, container, control, kubernetes, malicious, mitre, service, threatFigure 1: Anatomy of a controller-based attack. The malicious webhook intercepts legitimate pod creation requests and injects a backdoor sidecar before the object is persisted to etcd. Niranjan Kumar Sharma As illustrated in Figure 1, this webhook acts as a controller. Every time a legitimate pod is created (e.g., a payment service), the API server sends…
-
Telnyx Python SDK Backdoored on PyPI to Steal Cloud Credentials
The popular Telnyx Python SDK on PyPI to deploy a multi”‘stage credential”‘stealing operation that targets cloud infrastructure, Kubernetes clusters, and developer environments at scale. On March 27, 2026, TeamPCP uploaded two malicious Telnyx SDK releases, versions 4.87.1 and 4.87.2, directly to PyPI at around 03:51 UTC, bypassing the normal GitHub”‘backed release flow used by the…
-
Russian CTRL Toolkit Delivered via Malicious LNK Files Hijacks RDP via FRP Tunnels
Cybersecurity researchers have discovered a remote access toolkit of Russian-origin that’s distributed via malicious Windows shortcut (LNK) files that are disguised as private key folders.The CTRL toolkit, according to Censys, is custom-built using .NET and includes various executables” to facilitate credential phishing, keylogging, Remote Desktop Protocol (RDP) hijacking, and reverse tunneling First seen on thehackernews.com…
-
Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave
Russia-linked TA446 is using the DarkSword iOS exploit kit in targeted phishing campaigns to compromise iPhone users. Russia-linked APT group TA446 (aka SEABORGIUM, ColdRiver, Callisto, and Star Blizzard) is using the DarkSword exploit kit in targeted spear-phishing campaigns against iOS devices. The attacks rely on malicious emails to compromise iPhones, highlighting a growing threat from…
-
Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave
Russia-linked TA446 is using the DarkSword iOS exploit kit in targeted phishing campaigns to compromise iPhone users. Russia-linked APT group TA446 (aka SEABORGIUM, ColdRiver, Callisto, and Star Blizzard) is using the DarkSword exploit kit in targeted spear-phishing campaigns against iOS devices. The attacks rely on malicious emails to compromise iPhones, highlighting a growing threat from…
-
Malicious Browser Extensions Hijack Users’ AI Chats in New “Prompt Poaching” Attack
A new wave of malicious browser extensions is quietly harvesting sensitive user interactions with AI tools, in a growing threat now dubbed “prompt poaching.” The rise of AI assistants in everyday browsing has created a usability gap. Most users interact with AI tools in isolated tabs, manually copying and pasting content for analysis or summarization.…
-
Open VSX Scanner Vulnerability Lets Malicious Extensions Go Live
Open VSX, the extension marketplace used by VS Code forks such as Cursor and Windsurf, recently fixed a critical vulnerability in its newly introduced pre-publish scanning pipeline that could allow malicious extensions to bypass security checks and go live undetected. The issue, dubbed “Open Sesame,” stemmed from a fail-open condition in the scanning workflow. While…
-
Backdoored Telnyx PyPI package pushes malware hidden in WAV audio
TeamPCP hackers compromised the Telnyx package on the Python Package Index today, uploading malicious versions that deliver credential-stealing malware hidden inside a WAV file. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/backdoored-telnyx-pypi-package-pushes-malware-hidden-in-wav-audio/
-
BianLian Ransomware Spreads via Fake Invoice SVG Images in New Attacks
Researchers at WatchGuard have identified a new phishing campaign targeting companies in Venezuela. Using malicious SVG image files… First seen on hackread.com Jump to article: hackread.com/bianlian-ransomware-fake-invoice-svg-images-attacks/
-
U.S. CISA adds an Aquasecurity Trivy flaw to its Known Exploited Vulnerabilities catalog
Tags: cisa, credentials, cve, cybersecurity, exploit, flaw, infrastructure, kev, malicious, vulnerabilityThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an Aquasecurity Trivy flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Aquasecurity Trivy flaw, tracked as CVE-2026-33634 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog. On March 19, 2026, attackers used compromised credentials to release a malicious…
-
CISA Adds Critical Aquasecurity Trivy Scanner Vulnerability to KEV Catalog
Tags: cisa, cve, cyber, cybersecurity, exploit, flaw, infrastructure, kev, malicious, open-source, vulnerabilityThe Cybersecurity and Infrastructure Security Agency (CISA) has urgently added a critical flaw affecting Aquasecurity’s Trivy scanner to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2026-33634, this security weakness involves embedded malicious code that targets continuous integration and continuous deployment (CI/CD) environments. Because Trivy is a widely adopted open-source vulnerability scanner used natively within…
-
TeamPCP Hackers Focus on AI Developers, Planting Malicious Code to Disrupt Projects
Tags: ai, attack, credentials, cyber, exploit, group, hacker, intelligence, malicious, security-incident, supply-chain, threat, toolThe FBI Cyber Division has issued a critical alert following a massive supply chain attack orchestrated by the threat actor group TeamPCP. The hackers successfully compromised two widely used developer tools, creating a cascading security incident for organizations building artificial intelligence software. By exploiting weak credential management and leveraging AI-assisted coding, the group distributed malicious…
-
TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files
TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two malicious versions to steal sensitive data.The two versions, 4.87.1 and 4.87.2, published to the Python Package Index (PyPI) repository on March 27, 2026, concealed their credential harvesting capabilities within a .WAV…
-
Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks
Cybersecurity researchers have disclosed details of a now-patched bug impacting Open VSX’s pre-publish scanning pipeline to cause the tool to allow a malicious Microsoft Visual Studio Code (VS Code) extension to pass the vetting process and go live in the registry.”The pipeline had a single boolean return value that meant both ‘no scanners are configured’…
-
Attackers exploit critical Langflow RCE within hours as CISA sounds alarm
Tags: access, advisory, ai, api, attack, cisa, cloud, credentials, cve, cvss, data, data-breach, detection, endpoint, exploit, flaw, framework, github, infrastructure, injection, kev, malicious, monitoring, nvd, open-source, rce, remote-code-execution, software, supply-chain, threat, update, vulnerability, windowscredentials, was weaponized within 20 hours of the open-source AI-pipeline tool disclosing it.According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.”This is…
-
Attackers exploit critical Langflow RCE within hours as CISA sounds alarm
Tags: access, advisory, ai, api, attack, cisa, cloud, credentials, cve, cvss, data, data-breach, detection, endpoint, exploit, flaw, framework, github, infrastructure, injection, kev, malicious, monitoring, nvd, open-source, rce, remote-code-execution, software, supply-chain, threat, update, vulnerability, windowscredentials, was weaponized within 20 hours of the open-source AI-pipeline tool disclosing it.According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.”This is…
-
LiteLLM Hit in Cascading Supply-Chain Attack
Stolen Credentials From Trivy Breach Let Hackers Push Malware to PyPI. Threat group TeamPCP exploited credentials stolen in the Trivy breach to push malicious versions of LiteLLM to PyPI, exposing developers to credential theft, persistent backdoors and lateral movement tools within hours of publication. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/litellm-hit-in-cascading-supply-chain-attack-a-31210
-
Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka
A new macOS infostealer, NukeChain (now Infiniti Stealer), uses fake CAPTCHA pages to trick users into running malicious commands. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/03/infiniti-stealer-a-new-macos-infostealer-using-clickfix-and-python-nuitka/
-
Xiaomi Phishing Attempt Red Flags You Can’t Afford to Ignore
The blog describes a phishing campaign targeting Xiaomi users, where attackers send realistic emails posing as official communications to trick recipients into clicking malicious links and entering credentials on a fake login page. It highlights how these attacks use convincing branding, urgency, and polished design, often enhanced by AI, to exploit user trust rather than…
-
Xiaomi Phishing Attempt Red Flags You Can’t Afford to Ignore
The blog describes a phishing campaign targeting Xiaomi users, where attackers send realistic emails posing as official communications to trick recipients into clicking malicious links and entering credentials on a fake login page. It highlights how these attacks use convincing branding, urgency, and polished design, often enhanced by AI, to exploit user trust rather than…
-
Xiaomi Phishing Attempt Red Flags You Can’t Afford to Ignore
The blog describes a phishing campaign targeting Xiaomi users, where attackers send realistic emails posing as official communications to trick recipients into clicking malicious links and entering credentials on a fake login page. It highlights how these attacks use convincing branding, urgency, and polished design, often enhanced by AI, to exploit user trust rather than…
-
TikTok for Business accounts targeted in new phishing campaign
Threat actors are targeting TikTok for Business accounts in a phishing campaign that prevents security bots from analyzing malicious pages. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/tiktok-for-business-accounts-targeted-in-new-phishing-campaign/
-
Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
Cybersecurity researchers have disclosed a vulnerability in Anthropic’s Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page.The flaw “allowed any website to silently inject prompts into that assistant as if the user wrote them,” Koi Security researcher Oren Yomtov said in a report shared with…
-
Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
Cybersecurity researchers have disclosed a vulnerability in Anthropic’s Claude Google Chrome Extension that could have been exploited to trigger malicious prompts simply by visiting a web page.The flaw “allowed any website to silently inject prompts into that assistant as if the user wrote them,” Koi Security researcher Oren Yomtov said in a report shared with…
-
GitHub phishers use fake OpenClaw tokens to drain crypto wallets
Smart, obfuscated malware code: According to OX, the malicious phishing and wallet-stealing code is “highly obfuscated” and resides within the “eleven.js” JavaScript file in the repository.The threat actor used “watery-compost[.]today” to host a C2 server to collect information (including wallet address, transaction value, and name) and drain wallets once they were connected. Commands used by…
-
Researchers uncover WebRTC skimmer bypassing traditional defenses
Researchers found a new skimmer using WebRTC to steal and send payment data, bypassing traditional security controls. Sansec researchers discovered a new payment skimmer that uses WebRTC data channels instead of typical web requests to load malicious code and exfiltrate stolen payment data. >>What sets this attack apart is the skimmer itself. Instead of the usual…
-
An Evolving GlassWorm Malware is Making the Rounds of Code Repositories
Threat researchers with various vendors for the past year have been tracking the efforts of a bad actor dubbed GlassWorm known for dropping malicious extensions in code registries like npm, Open VSX, PyPI, and Microsoft’s Visual Studio Marketplace with the aim of stealing secrets and cryptocurrency. This month, threat researchers wrote about a resurgence in..…