Credential Theft

Malicious codexui-android npm package stole OpenAI refresh tokens from 29K developers. Mobile apps with 60K installs also compromised—revoke credentials now.

32+ Red Hat Cloud Services npm packages compromised with Mini Shai-Hulud credential-stealing malware. 80K weekly downloads affected—here's what developers need to know.

New macOS infostealer SHub Reaper impersonates Apple, Microsoft, and Google software to steal passwords, crypto wallets, and iCloud data. Bypasses Tahoe 26.4 mitigations.

A fake Sicoob SDK on NuGet exfiltrated PFX certificates and banking credentials from Brazilian developers, while 14 malicious npm packages harvested AWS keys, Vault tokens, and CI/CD secrets.

Attackers weaponize CVE-2026-35616 to deploy EKZ infostealer via FortiClient EMS management features. Fake Fortinet patch harvests browser passwords and cookies.

Supply chain attack deploys 34 malicious packages across npm, PyPI, and Crates.io to steal crypto wallets, SSH keys, and developer credentials. AI assistants weaponized.

Automated Megalodon campaign pushed 5,718 malicious commits to GitHub repos on May 18, injecting CI/CD workflows that exfiltrate cloud credentials, SSH keys, and secrets. SafeDep links it to TeamPCP.

Leaked Shai-Hulud malware source code fuels new npm supply chain attack. Four malicious packages steal credentials and deploy DDoS bot with TCP/UDP flood capabilities.

Attackers published malicious Nx Console 18.95.0 to VS Code Marketplace, stealing developer credentials via triple-channel exfiltration and Sigstore-signed npm package poisoning.

Attackers seized control of node-ipc by re-registering the maintainer's expired email domain. Three malicious versions now harvest AWS, GCP, Azure keys and more.

SOCRadar documents a persistent phishing operation that stole 2,000+ credentials from aviation, energy, and government sectors over four years using GitHub-hosted infrastructure.

SentinelLABS uncovers PCPJack, a credential-stealing worm that removes TeamPCP infections before harvesting API keys from Docker, Kubernetes, and cloud services. Five CVEs enable worm-like spread.

NWHStealer spreads via fake gaming mods and TradingView scripts, using Bun JavaScript runtime and XOR-encrypted C2 to bypass security tools.

Iranian APT MuddyWater hijacked Microsoft Teams to harvest credentials via live screen-sharing, then dropped Chaos ransomware as a false flag to hide espionage. Rapid7 linked the campaign to 36 victims.

New infostealer MicroStealer evades major antivirus while stealing browser credentials, crypto wallets, and Discord tokens from US and German organizations.

Securonix uncovers DEEP#DOOR, a Python-based backdoor that steals browser passwords, AWS/Azure credentials, and SSH keys while evading detection through bore.pub tunneling and extensive anti-analysis.

New ConsentFix v3 attack automates Microsoft Azure OAuth credential theft using Pipedream webhooks and Cloudflare phishing pages. Pre-trusted apps bypass MFA entirely.

A Vietnamese threat actor dubbed AccountDumpling compromised 30,000 Facebook Business accounts using Google AppSheet emails to bypass spam filters.

Four official SAP CAP ecosystem packages compromised on April 29, harvesting developer credentials, cloud secrets, and CI/CD tokens through malicious preinstall scripts.

TeamPCP threat actors backdoored versions 2.6.2 and 2.6.3 of the popular AI framework, harvesting SSH keys, cloud credentials, and GitHub tokens from millions of developers.

CVE-2026-42363 exposes admin credentials in GeoVision GV-IP Device Utility 9.0.5 via UDP broadcast packets. CVSS 9.3 critical flaw lets LAN attackers decrypt device passwords.

A malicious npm package hijacked Bitwarden CLI's publishing pipeline on April 22, harvesting credentials from 334 developers. Here's what happened.

Microsoft tracks Storm-2755 'Payroll Pirate' using poisoned search results and AiTM phishing to hijack Canadian employee direct deposits. HR systems compromised.

Coordinated npm supply chain attack deploys 36 malicious packages masquerading as Strapi CMS plugins. Attackers target cryptocurrency platforms with Redis exploitation, credential harvesting, and persistent backdoors.

New Storm infostealer bypasses Chrome's App-Bound Encryption by shipping encrypted credentials to attacker infrastructure for decryption. Endpoint tools can't detect it.

New research maps the infostealer lifecycle from infection to dark web sale. Microsoft Entra ID appears in 79% of 2.05 million credential logs analyzed in 2026.

New DeepLoad malware combines ClickFix delivery with AI-generated obfuscation to bypass security scanners. WMI persistence survives remediation for days.

Attackers compromised the Axios npm package to deploy a cross-platform RAT targeting Windows, macOS, and Linux. Here's what happened and what you need to do.

Malicious LiteLLM versions 1.82.7 and 1.82.8 deployed credential harvester, Kubernetes lateral movement tools, and persistent backdoor. Package sees 3 million daily downloads.

Attackers exploiting CVE-2025-32975 authentication bypass in Quest KACE to hijack admin accounts and deploy credential harvesters. Patched in May 2025—many remain exposed.

VoidStealer v2.0 becomes the first infostealer to extract Chrome's v20_master_key using hardware breakpoints. No injection or privilege escalation required.

Threat group ShinyHunters exploits misconfigured Salesforce Experience Cloud sites, stealing data from 100+ organizations including 921K records from Aura.com.

Russian-linked AuraStealer infostealer uses TikTok videos and 48 C2 domains to steal credentials. ABE bypass defeats Chrome's cookie encryption.

Attackers compromised 889 Starbucks Partner Central accounts using fake login portals, exposing employee names, Social Security numbers, and bank details.

Microsoft exposes Storm-2561 campaign using SEO manipulation to distribute fake Cisco, Fortinet, and Ivanti VPN clients that steal enterprise credentials.

New infostealer MicroStealer uses NSIS, Electron, and Java in a layered delivery chain that bypasses most security tools. Targets browser credentials and crypto wallets.

Researchers discovered five packages on crates.io masquerading as time utilities while exfiltrating developer credentials and API keys to attacker infrastructure.

CVE-2026-1603 allows unauthenticated attackers to steal credential vaults from Ivanti Endpoint Manager. CISA added it to KEV catalog after exploitation detected.

Active phishing campaign uses spoofed email chains to trick LastPass users into revealing master passwords. Attackers generate thousands of URL variants leading to fake SSO pages.

Russian-speaking developers behind AuraStealer infostealer scale infrastructure to 48 command-and-control domains, targeting 110+ browsers and 250+ extensions.

Hudson Rock detects Vidar infostealer exfiltrating OpenClaw AI agent files for the first time. Stolen configs include gateway tokens and cryptographic keys.

Attackers exploit Google Presentations' publish mode to host phishing pages that bypass Google's own security warnings, targeting Vivaldi Webmail users.

Fake maintenance emails urge users to backup their vaults before a deadline, redirecting victims to credential-harvesting sites. The campaign launched over MLK weekend.

Fancy Bear campaigns from February through September 2025 targeted energy, defense, and policy organizations using fake VPN and email login pages.

A threat actor shared Instagram user data including emails and phone numbers for free. Users report receiving suspicious password reset emails within hours of the leak.