Tag: malicious
-
NDSS 2025 Try to Poison My Deep Learning Data? Nowhere To Hide Your Trajectory Spectrum!
Session 12D: ML Backdoors Authors, Creators & Presenters: Yansong Gao (The University of Western Australia), Huaibing Peng (Nanjing University of Science and Technology), Hua Ma (CSIRO’s Data61), Zhi Zhang (The University of Western Australia), Shuo Wang (Shanghai Jiao Tong University), Rayne Holland (CSIRO’s Data61), Anmin Fu (Nanjing University of Science and Technology), Minhui Xue (CSIRO’s…
-
Flaws in four popular VS Code extensions left 128 million installs open to attack
Tags: access, api, attack, cloud, credentials, cve, flaw, infrastructure, malicious, microsoft, risk, supply-chain, tool, update, vulnerability, xssMicrosoft quietly patched its own extension: The fourth vulnerability played out differently. Microsoft’s Live Preview extension, with 11 million downloads, contained a cross-site scripting flaw that, according to OX Security, let a malicious web page enumerate files in the root of a developer’s machine and exfiltrate credentials, access keys, and other secrets.The researchers reported the…
-
ClawHavoc Infects OpenClaw’s ClawHub with 1,184 Malicious Skills, Exposing Data Theft Risks
A large-scale supply chain poisoning campaign dubbed ClawHavoc has hit OpenClaw’s official skill marketplace, ClawHub, with at least 1,184 malicious “Skills” historically published on the platform. The incident highlights how fast-growing AI agent ecosystems can become high-value malware distribution channels when plugins are easy to publish and users routinely grant agents broad system access. OpenClaw (previously known…
-
Foxveil Malware Loader Uses Cloudflare, Netlify, and Discord to Bypass Detection
A new malware loader, dubbed Foxveil, that abuses trusted platforms such as Cloudflare Pages, Netlify, and Discord to stage and deliver malicious payloads while evading traditional detection methods. Active since at least August 2025, the loader is used as an initial-stage component, establishing a foothold on victim machines, executing shellcode in memory, and preparing the…
-
OpenClaw AI ‘Log Poisoning’ Flaw Enables Malicious Content Injection
A severe >>log poisoning<< vulnerability has been discovered in the popular OpenClaw AI assistant, potentially allowing attackers to manipulate the agent's behaviour through indirect prompt injection. OpenClaw, an open-source autonomous agent known for its deep system integrations and ability to manage complex tasks, has recently seen massive adoption. However, its ability to self-debug and read…
-
Update Chrome now: Zero-day bug allows code execution via malicious webpages
Google has released an emergency update to patch an actively exploited zero-day”, the first Chrome zero-day of the year. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/02/update-chrome-now-zero-day-bug-allows-code-execution-via-malicious-webpages/
-
New ‘ClickFix’ Malware Payload Targets Browser Cache, Warns Cybersecurity Experts
Threat actors on underground forums are now promoting a new “ClickFix” payload-delivery technique that hides malware in the browser cache to evade endpoint detection and response (EDR) tools. The seller pitches the method as an evolution of existing ClickFix/FileFix social”‘engineering chains, claiming it can execute malicious code via Windows File Explorer without generating obvious network…
-
Malicious Fork of Legitimate Triton App Discovered on GitHub, Exposing New Malware Threat
Attackers have weaponized a malicious fork of the legitimate Triton macOS client for omg.lol, turning a trusted open-source project into a delivery channel for Windows malware hosted on GitHub. The campaign abuses GitHub’s forking model, misleading README content, and obscure asset paths to trick users into downloading a trojanized archive named Software_3.1.zip. The malicious actor…
-
Malicious Fork of Legitimate Triton App Discovered on GitHub, Exposing New Malware Threat
Attackers have weaponized a malicious fork of the legitimate Triton macOS client for omg.lol, turning a trusted open-source project into a delivery channel for Windows malware hosted on GitHub. The campaign abuses GitHub’s forking model, misleading README content, and obscure asset paths to trick users into downloading a trojanized archive named Software_3.1.zip. The malicious actor…
-
Malicious Chrome Extension Exposes Facebook Business Manager Accounts to 2FA and Analytics Theft
A malicious Google Chrome extension, CL Suite by @CLMasters, which masquerades as a productivity tool for Meta Business Suite while silently stealing sensitive authentication data. Although the extension markets itself as a solution to >>remove verification popups<>generate 2FA codes,<< its actual function is to exfiltrate Two-Factor Authentication (2FA) seeds, one-time codes, and detailed business […] The…
-
QR Codes Exploited for Phishing Attacks and Malware Spread on Mobile Devices
QR code abuse has become a significant mobile threat vector, with attackers using it to deliver phishing pages, trigger in”‘app account takeovers, and distribute malicious applications outside official app stores. Because people routinely scan QR codes for payments, menus and app downloads, these attacks often bypass enterprise protections by shifting the interaction onto less”‘protected personal…
-
Exploitable Flaws Found in Cloud-Based Password Managers
‘Malicious Server Threat Model’ Threatens ‘Zero Knowledge Encryption’ Guarantees. Claims by leading stand-alone password managers that their implementation of zero knowledge encryption means stored passwords can withstand the worst of hacker assaults are vastly overblown, say academic security researchers. They said vendors are in the process of patching the flaws they found. First seen on…
-
Over 500,000 VKontakte accounts hijacked through malicious Chrome extensions
Researchers said they identified a network of five Chrome extensions, marketed as tools to change themes and enhance the VK user experience, that took control of infected accounts and manipulated settings without users’ consent. First seen on therecord.media Jump to article: therecord.media/500000-vkontakte-accounts-hijacked-chrome-extensions
-
OpenAI Snags OpenClaw Creator for Agent Push
Steinberger to Lead AI Giant’s Multi-Agent Development Team. Peter Steinberger is joining OpenAI to lead development of personal agents, culminating weeks of viral attention paid to his OpenClaw open-source artificial intelligence assistant project. Security experts dubbed it a dumpster fire after hackers were quick to add malicious functions. First seen on govinfosecurity.com Jump to article:…
-
The Promptware Kill Chain
Attacks against modern generative artificial intelligence (AI) large language models (LLMs) pose a real threat. Yet discussions around these attacks and their potential defenses are dangerously myopic. The dominant narrative focuses on “prompt injection,” a set of techniques to embed instructions into inputs to LLM intended to perform malicious activity. This term suggests a simple,…
-
Microsoft alerts on DNS-based ClickFix variant delivering malware via nslookup
Microsoft warns of a new ClickFix variant that tricks users into running DNS commands to fetch malware via nslookup. Microsoft has revealed a new ClickFix variant that deceives users into running a malicious nslookup command through the Windows Run dialog to retrieve a second-stage payload via DNS. ClickFix typically uses fake CAPTCHA or error messages…
-
Noodlophile Malware Authors Use Fake Job Ads and Phishing Schemes to Evolve Tactics
Hey folks in the threat”‘hunting world looks like our coverage of the Noodlophile infostealer has struck a nerve with its creators. The operators used inflated engagement metrics and fake popularity scores to lure victims into downloading malicious ZIP archives. Once executed, these payloads quietly harvested user credentials, crypto”‘wallet data, browser information, and more all exfiltrated through Telegram…
-
Leaky Chrome extensions with 37M installs caught divulging your browsing history
Encrypted exfiltration made detection difficult: The researcher said in a blog post that several of these extensions attempted to hide the nature of transmitted data. Outbound payloads were frequently encrypted or encoded before transmission, preventing automated inspection.”Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ-String compression, and full AES-256…
-
Leaky Chrome extensions with 37M installs caught shipping your browsing history
Encrypted exfiltration made detection difficult: The researcher said in a blog post that several of these extensions attempted to hide the nature of transmitted data. Outbound payloads were frequently encrypted or encoded before transmission, preventing automated inspection.”Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ-String compression, and full AES-256…
-
Hackers Exploit ‘Summarize with AI’ Feature to Inject Malicious Prompts into AI Recommendations
Hackers and marketers are increasingly abusing “Summarize with AI” buttons and AI-share links to quietly plant persistent instructions in AI assistants’ memory, a growing attack trend Microsoft calls AI Recommendation Poisoning. By silently biasing what assistants “remember” as trusted or preferred sources, these attacks can warp recommendations on high”‘impact topics like health, finance, and security without…
-
Malicious npm and PyPI packages linked to Lazarus APT fake recruiter campaign
Researchers found malicious npm and PyPI packages tied to a fake recruitment campaign linked to North Korea’s Lazarus Group. ReversingLabs researcher uncovered new malicious packages on npm and PyPI connected to a fake job recruitment campaign attributed to the North Korea-linked Lazarus Group. The campaign uses deceptive hiring themes to trick developers into downloading infected…
-
CTM360: Lumma Stealer and Ninja Browser malware campaign abusing Google Groups
CTM360 reports 4,000+ malicious Google Groups and 3,500+ Google-hosted URLs used to spread the Lumma Stealer infostealing malware and a trojanized “Ninja Browser.” The report details how attackers abuse trusted Google services to steal credentials and maintain persistence across Windows and Linux systems. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/ctm360-lumma-stealer-and-ninja-browser-malware-campaign-abusing-google-groups/
-
Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps
Threat actors are abusing Pastebin comments to distribute a new ClickFix-style attack that tricks cryptocurrency users into executing malicious JavaScript in their browser, allowing attackers to hijack Bitcoin swap transactions and redirect funds to attacker-controlled wallets. First seen on bleepingcomputer.com Jump to article: www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/
-
NDSS 2025 Automated Mass Malware Factory
Session 12B: Malware Authors, Creators & Presenters: Heng Li (Huazhong University of Science and Technology), Zhiyuan Yao (Huazhong University of Science and Technology), Bang Wu (Huazhong University of Science and Technology), Cuiying Gao (Huazhong University of Science and Technology), Teng Xu (Huazhong University of Science and Technology), Wei Yuan (Huazhong University of Science and Technology),…
-
Malicious Chrome Extensions Hijack 500,000 VK Accounts in Stealth Campaign
Malicious Chrome extensions hijacked over 500K VK accounts using multi-stage payloads and stealthy persistence techniques. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/threats/malicious-chrome-extensions-hijack-500000-vk-accounts-in-stealth-campaign/
-
Four new reasons why Windows LNK files cannot be trusted
Hidden command-line arguments: Beyond target spoofing, Beukema demonstrated a technique for hiding malicious command-line instructions behind legitimate executables. LNK files can launch trusted Windows binaries while passing attacker-controlled instructions through embedded arguments, enabling “living-off-the-land” (LOLBINs) execution without pointing directly to malware.According to the researcher, this can be done by manipulating the input passed into certain…
-
How to find and remove credential-stealing Chrome extensions
Researchers have uncovered 30 Chrome extensions stealing user data. Here’s how to check your browser and remove any malicious extensions step by step. First seen on securityboulevard.com Jump to article: securityboulevard.com/2026/02/how-to-find-and-remove-credential-stealing-chrome-extensions/