Tag: malicious
-
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer’s cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it.Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon’s AI coding assistant handled…
-
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem.”The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse,…
-
Third-Party Breach at Polymarket Leads to $2.94M Crypto Theft
Polymarket confirmed hackers stole funds from some users after attackers injected malicious code through a compromised third-party vendor. Polymarket confirmed that a security breach at a third-party vendor allowed attackers to inject malicious code into its website, leading to the theft of funds from an undisclosed number of users. The company said it has contained…
-
Hackers Use Malicious Minecraft Fabric Mods to Deploy LoaderClient and WeedHack Stealer
Hackers are weaponizing malicious Minecraft Fabric mods to deliver LoaderClient. This stage-one malware loader steals session data and hands it off to the WeedHack stealer through a fileless, blockchain-backed execution chain. The campaign stands out for its use of EtherHiding, where the command-and-control URL is pulled from an Ethereum smart contract instead of a conventional…
-
Malicious hackers exploit Cisco zero-day for highest access level at communications service provider
Mandiant detailed the incident in a blog post Wednesday, but it’s unclear who was behind it or if they managed to get broad visibility into the victim’s internal traffic. First seen on cyberscoop.com Jump to article: cyberscoop.com/cisco-sd-wan-zero-day-exploit-communications-provider/
-
Malicious Edge extension abuses Native Messaging as bridge to malware
A malicious Microsoft Edge extension dubbed ‘Edgecution’ has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware/
-
Shai-Hulud Hades Payload Hits 20 Leo/RStreams npm Packages in Fresh Supply Chain Attack
A fresh supply-chain wave by the Shai-Hulud/Hades family that infected 20 npm packages in the Leo/RStreams ecosystem, an AWS-native event streaming SDK widely used for Kinesis, Firehose, Lambda and S3-based pipelines. The malicious releases were detected shortly after publication and, while not a dramatic redesign of prior Hades/Miasma variants, demonstrate the malware family’s continued operational…
-
More Malicious OpenClaw Skills Threaten AI Supply Chain
OpenClaw removed five packages from ClawHub, its skills marketplace, that bypassed security checks even though they included infostealers and other threats. First seen on darkreading.com Jump to article: www.darkreading.com/cyber-risk/malicious-openclaw-skills-clawhub-threaten-ai-supply-chain
-
Fake npm Packages Impersonate PostCSS Tool to Steal Chrome Passwords
JFrog warns of malicious npm packages that mimic PostCSS tooling, drop a Windows RAT, and target Chrome-stored passwords through a staged infection setup route. First seen on hackread.com Jump to article: hackread.com/fake-npm-packages-postcss-tool-steal-chrome-password/
-
Android Malware Campaign Uses Fake Document Reader App with 100K Google Play Downloads
Android Malware Campaign Uses Fake Document Reader App with 100K Google Play Downloads tracks a fresh Anatsa campaign that abused trust in a seemingly useful document-reader app to reach a large install base before its payload was activated. The malicious app was published as a document reader and file utility, a category that normally attracts…
-
Payouts King Initial Access Broker Deploys Edgecution Malware Through Malicious Edge Extension
A concerted campaign by an initial access broker with ties to the Payouts King ransomware ecosystem that leverages a novel browser-based delivery technique to establish persistent host-level control. The actor deploys a malicious Microsoft Edge extension dubbed >>Edgecution<< which abuses the Chrome native messaging protocol to reach a Python backdoor running on the endpoint, effectively…
-
Amazon Prime Day fuels surge in malicious domains, researchers warn
Tags: maliciousFirst seen on scworld.com Jump to article: www.scworld.com/brief/amazon-prime-day-fuels-surge-in-malicious-domains-researchers-warn
-
‘Cordyceps’: Mushrooming Malicious Pull Requests Threaten Developer Workflows
The CI/CD workflow weakness affects Microsoft’s Azure Sentinel, Google’s AI Agent Development Kit, Apache’s Doris analytics database, Cloudflare’s Workers SDK, and Python Software Foundation’s Black. First seen on darkreading.com Jump to article: www.darkreading.com/application-security/cordyceps-malicious-pull-requests-developer-workflows
-
New macOS ClickFix attack silently mounts DMGs to push infostealer
A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/new-macos-clickfix-attack-silently-mounts-dmgs-to-push-infostealer/
-
GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns
GitHub is moving to strengthen software supply chain security by updating “actions/checkout” to block pwn request attacks that exploit the risky use of the “pull_request_target workflow” trigger to run malicious code with the workflow’s full privileges.Effective June 18, 2026, the latest version of “actions/checkout,” the official GitHub action for checking out a repository into the…
-
SocGholish Takedown Highlights Malicious TDS Threats
SocGholish uses traffic distribution systems (TDSs) to provide initial access into victims’ networks for cybercrime groups such as the notorious Evil Corp. First seen on darkreading.com Jump to article: www.darkreading.com/cyber-risk/socgholish-takedown-malicious-tds-threats
-
Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT
Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT).The list of identified packages, is below – aes-decode-runner-pro (145 downloads) postcss-minify-selector (256 downloads) postcss-minify-selector-parser (615 downloads)All the packages were published over the past month by an npm user named First seen on thehackernews.com Jump…
-
Cybercriminals Abuse TDS Infrastructure to Bypass Firewalls and Hide Malicious Destinations
Cybercriminals are increasingly abusing traffic distribution systems (TDSs) to evade defenses, conceal malicious destinations, and funnel victims into phishing, fraud, and malware campaigns. Once considered a legitimate marketing tool to route visitors to different content or offers, TDS infrastructure is now being repurposed as a stealthy redirection layer that complicates detection and response for network…
-
Critical FFmpeg Vulnerability Lets Hackers Execute Remote Code via Malicious Media Files
A critical memory corruption vulnerability in FFmpeg has been disclosed, allowing for remote code execution through specially crafted media files. This flaw, tracked as CVE-2026-8461 and named “PixelSmash,” affects the MagicYUV decoder within FFmpeg’s libavcodec library and has a CVSS score of 8.8. Discovered by JFrog Security Research, the vulnerability arises from a heap out-of-bounds…
-
WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool
Direct messages sent via WhatsApp are being used to distribute malicious Visual Basic Script (VBScript) files that lead to the installation of legitimate Remote Monitoring and Management (RMM) software.Per findings from Kaspersky, the active campaign is targeting users of WhatsApp Desktop and WhatsApp Web across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia,…
-
CalPhishing Campaigns Use Outlook Calendar Invites to Deliver Persistent Phishing Lures
A growing trend in which attackers weaponize Microsoft 365 collaboration features to deliver persistent phishing lures via Outlook calendar invites. By abusing Microsoft 365 Groups and Outlook calendar functionality, threat actors move malicious intent out of a single suspicious message and into routine productivity workflows, increasing the chance that targets will treat the interaction as…
-
CalPhishing Campaigns Use Outlook Calendar Invites to Deliver Persistent Phishing Lures
A growing trend in which attackers weaponize Microsoft 365 collaboration features to deliver persistent phishing lures via Outlook calendar invites. By abusing Microsoft 365 Groups and Outlook calendar functionality, threat actors move malicious intent out of a single suspicious message and into routine productivity workflows, increasing the chance that targets will treat the interaction as…
-
North Korean Hackers Poison Mastra AI Framework
Tags: ai, attack, backdoor, credentials, framework, hacker, malicious, microsoft, north-korea, software, supply-chain, theft, toolMore Than 140 npm Packages Carried Credential-Stealing Code. Microsoft says North Korean-linked BlueNoroff compromised a Mastra npm maintainer account and published more than 140 malicious packages, using a software supply-chain attack to distribute infostealers, backdoors and credential theft tools through AI development environments. First seen on govinfosecurity.com Jump to article: www.govinfosecurity.com/north-korean-hackers-poison-mastra-ai-framework-a-32042
-
Microsoft fixes AutoGen Studio flaw that enabled code execution
A vulnerability chain dubbed AutoJack in Microsoft’s AutoGen Studio interface for prototyping AI agents could let attackers manipulate an agent into executing arbitrary commands on its host system simply by visiting a malicious webpage. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/microsoft-fixes-autogen-studio-flaw-that-enabled-code-execution/
-
New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer
Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER.According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the…
-
New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer
Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER.According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the…
-
Malicious npm Package Masquerades as PostCSS Utility to Deliver PowerShell Downloader
A malicious npm package, postcss-minify-selector-parser, has been discovered masquerading as a benign PostCSS utility and delivering a multi-stage Windows remote access trojan (RAT). The imposter deliberately mimics the widely used postcss-selector-parser a legitimate library with more than 150 million weekly downloads by reusing the same keyword space (postcss, selector, parser, css) and depending on the…
-
GitHub Actions Checkout Adds Protection Against Malicious pull_request_target Workflows
GitHub has implemented a major security enhancement in its Actions ecosystem with the release of actions/checkout v7, which aims to address a long-standing class of vulnerabilities known as “pwn requests.” This update was announced on June 18, 2026, and introduces safer defaults for workflows triggered by the pull_request_target event. This event is one of the…
-
OXLOADER Uses MBA Obfuscation and Control-Flow Flattening to Bypass Static Detection
A previously undocumented Windows loader, tracked as OXLOADER, that combines sophisticated obfuscation and unconventional staging to evade static detection and sandbox analysis while delivering the new CASTLESTEALER infostealer via malvertising. The campaign leveraged malicious Google Ads impersonating Node.js and API Monitor, redirecting victims through intermediary domains to Storj-hosted batch scripts that download and execute OXLOADER…

