APT37 Deploys NarwhalRAT via Fake Microsoft Security Alerts
North Korean hackers impersonate Microsoft Account security notifications to deliver NarwhalRAT, a Python-based RAT with keylogging, screen capture, and cloud-based C2.
China-linked FishMonger APT expands its Linux-only SprySOCKS backdoor to Windows with WIN_DRV and WIN_PLUS variants featuring kernel drivers and Print Spooler abuse.
Socket researchers expose a coordinated network of 152 Chrome 'live wallpaper' extensions stealing user data and generating fake Google organic search traffic.
Cybercriminals are using TikTok and Instagram Reels videos to distribute Vidar malware through fake software tutorials. One campaign accumulated over 100,000 views promoting 'free Spotify Premium' hacks.
Qilin's affiliate network hit healthcare, manufacturing, and critical infrastructure across nine countries in early June. The gang maintains 12-month dominance.
Attackers adopted orphaned AUR packages to push credential-stealing malware with kernel-level rootkit capabilities. Here's what Arch users need to do now.
BlackFog researchers detail OnyxC2 MaaS stealer pricing at $250/month. Targets browsers, crypto wallets, password managers with DLL sideloading delivery that bypasses VirusTotal detection.
Attackers exploited CVE-2026-26980 SQL injection in Ghost CMS to compromise 700+ websites including Harvard and Oxford, deploying ClickFix social engineering malware through fake CAPTCHA prompts.
Self-replicating Miasma malware compromises 73 Microsoft repositories across Azure, Microsoft, and MicrosoftDocs orgs. GitHub disables access as durabletask package gets reinfected.
GoDaddy researchers uncover campaign infecting 2,000 WordPress sites with malware that extracts commands from invisible Unicode characters in Steam Community comments.
Sophos discovers ransomware framework using Claude Opus 4.5 to automate EDR evasion and Active Directory discovery. Toolkit tested 80+ modules against Sophos, CrowdStrike, and Defender.
Unit 42 uncovers FlutterShell backdoor campaign targeting macOS users through Google-verified shell companies. Malware evades detection via WebView architecture and Apple notarization.
Fortinet exposes C0xmo, a modular Gafgyt variant exploiting CVE-2021-27137 in DD-WRT routers to recruit IoT devices for DDoS attacks while killing rival malware.
Sophos discovered a cryptocurrency miner bundled with Hola Browser for Windows. The malware creates a Windows service, adds Defender exclusions, and mines when idle.
New Magecart campaign stores payment card skimmer payloads in Stripe customer metadata, then exfiltrates stolen cards as fake customer records. CSP rules won't help.
New MaaS stealer ships encrypted browser data to attacker infrastructure for decryption, bypassing endpoint detection. Session hijacking with geo-matched proxies defeats MFA.
Malicious codexui-android npm package stole OpenAI refresh tokens from 29K developers. Mobile apps with 60K installs also compromised—revoke credentials now.
Malware-as-a-service infostealer spreads through malicious Minecraft mods promoted on YouTube. Steals browser credentials, crypto wallets, and Discord tokens.
32+ Red Hat Cloud Services npm packages compromised with Mini Shai-Hulud credential-stealing malware. 80K weekly downloads affected—here's what developers need to know.
New macOS infostealer SHub Reaper impersonates Apple, Microsoft, and Google software to steal passwords, crypto wallets, and iCloud data. Bypasses Tahoe 26.4 mitigations.
A fake Sicoob SDK on NuGet exfiltrated PFX certificates and banking credentials from Brazilian developers, while 14 malicious npm packages harvested AWS keys, Vault tokens, and CI/CD secrets.
Sysdig documents the first AI-agent-driven intrusion: attackers exploited Marimo CVE-2026-39987, then used an LLM agent to pivot through AWS and exfiltrate a PostgreSQL database in under an hour.
Daemon Tools, TanStack, and Nx Console all compromised via supply chain attacks. CVSS scores up to 9.5. CISA mandates federal remediation by June 10.
Attackers weaponize CVE-2026-35616 to deploy EKZ infostealer via FortiClient EMS management features. Fake Fortinet patch harvests browser passwords and cookies.
Malicious repository impersonating OpenAI's Privacy Filter reached 244,000 downloads before removal. Infostealer targeted Windows users via trending Hugging Face page.
Microsoft warns of active campaign using AI chatbot recommendations to distribute GPU mining malware. Attackers target high-end graphics card owners through fake utility downloads.
Malicious npm package mouse5212-super-formatter stole files from Claude AI's working directory. The attacker's own GitHub token was exposed in the code, allowing researchers to trace exfiltration.
New ransomware group Payload uses Babuk-derived code to target Windows and VMware ESXi systems. 12 victims across 7 countries within hours of launching leak site.
Supply chain attack deploys 34 malicious packages across npm, PyPI, and Crates.io to steal crypto wallets, SSH keys, and developer credentials. AI assistants weaponized.
Automated Megalodon campaign pushed 5,718 malicious commits to GitHub repos on May 18, injecting CI/CD workflows that exfiltrate cloud credentials, SSH keys, and secrets. SafeDep links it to TeamPCP.
Attackers compromised 700+ versions of Laravel-Lang PHP packages via tag poisoning, deploying a sophisticated stealer targeting cloud credentials, crypto wallets, and browser data. Packagist pulled affected versions.
Leaked Shai-Hulud malware source code fuels new npm supply chain attack. Four malicious packages steal credentials and deploy DDoS bot with TCP/UDP flood capabilities.
Attackers published malicious Nx Console 18.95.0 to VS Code Marketplace, stealing developer credentials via triple-channel exfiltration and Sigstore-signed npm package poisoning.
REMUS, a 64-bit Lumma Stealer successor, now offers session theft, EtherHiding blockchain C2, and full MaaS infrastructure targeting browser credentials and auth tokens.
SHub Reaper macOS infostealer bypasses Tahoe 26.4 defenses using applescript:// URLs, spoofs Apple, Google, and Microsoft to steal credentials and backdoor systems.
Attackers exploit unauthenticated vulnerability in Funnel Builder plugin to inject payment skimmers on 40,000+ WordPress stores. Patch to 3.15.0.3 immediately.
Attackers seized control of node-ipc by re-registering the maintainer's expired email domain. Three malicious versions now harvest AWS, GCP, Azure keys and more.
RubyGems suspended new account registration after attackers uploaded over 500 malicious packages in a coordinated spam attack targeting the Ruby package ecosystem.
Nitrogen ransomware gang claims 8TB of data including Apple, Nvidia, and Intel files from Foxconn's Wisconsin and Texas facilities. Fourth major ransomware incident for the electronics giant.
Hunt.io uncovers xlabs_v1, a Mirai-based botnet exploiting Android Debug Bridge on port 5555 to conscript IoT devices into a DDoS-for-hire service targeting game servers.
Pharma supplier West Pharmaceutical Services discloses ransomware attack in SEC filing. Attackers exfiltrated data before encrypting systems. Unit 42 investigating.
A new TrickMo variant routes Android trojan traffic through The Open Network, making domain takedowns ineffective. The malware adds SSH tunneling and SOCKS5 proxy capabilities for network pivoting.
TeamPCP compromised 84 versions across 42 TanStack packages on May 11 using GitHub Actions cache poisoning. The malware steals CI/CD credentials and includes a wiper that triggers on token revocation.
Five NuGet packages typosquatting popular Chinese .NET libraries have racked up 65,000 downloads while stealing browser credentials, crypto wallets, and SSH keys from developer machines.
Malvertising campaign abuses Google Ads and Claude.ai shared chats to deliver MacSync infostealer. Victims searching for Claude downloads get tricked into running malicious terminal commands.
Attackers exploited a CMS flaw on JDownloader's website to swap download links with trojanized installers. Windows users got a Python RAT; Linux users got root-persisted ELF binaries.
SentinelLABS uncovers PCPJack, a credential-stealing worm that removes TeamPCP infections before harvesting API keys from Docker, Kubernetes, and cloud services. Five CVEs enable worm-like spread.
A typosquatted OpenAI repository on Hugging Face delivered Rust-based infostealer malware to Windows users, racking up 244K downloads before removal.