Infostealer

Five NuGet packages typosquatting popular Chinese .NET libraries have racked up 65,000 downloads while stealing browser credentials, crypto wallets, and SSH keys from developer machines.

Malvertising campaign abuses Google Ads and Claude.ai shared chats to deliver MacSync infostealer. Victims searching for Claude downloads get tricked into running malicious terminal commands.

A typosquatted OpenAI repository on Hugging Face delivered Rust-based infostealer malware to Windows users, racking up 244K downloads before removal.

NWHStealer spreads via fake gaming mods and TradingView scripts, using Bun JavaScript runtime and XOR-encrypted C2 to bypass security tools.

New infostealer MicroStealer evades major antivirus while stealing browser credentials, crypto wallets, and Discord tokens from US and German organizations.

Attackers compromised elementary-data version 0.23.3 on PyPI, pushing malicious code to 1.1 million monthly users. The infection extended to Docker images via automated workflows.

Securonix uncovers DEEP#DOOR, a Python-based backdoor that steals browser passwords, AWS/Azure credentials, and SSH keys while evading detection through bore.pub tunneling and extensive anti-analysis.

Malwarebytes uncovers campaign using fake TradingClaw website to distribute Needle Stealer malware. The infostealer hijacks browsers to harvest credentials, crypto wallets, and financial data from traders.

Attackers use SEO poisoning to push malicious Claude Code installers to developers. The two-stage macOS malware steals credentials, crypto wallets, and establishes persistent backdoor access.

Multiple campaigns distribute NWHStealer infostealer through counterfeit Proton VPN installers, gaming modifications, and YouTube-promoted downloads. Targets browser data and 25+ crypto wallets.

Security researchers expose 108 malicious Chrome extensions operating under five fake publishers, stealing Google OAuth tokens, Telegram sessions, and injecting ads. Over 20,000 users affected.

eSentire researchers expose Omnistealer, a North Korean infostealer storing payloads in blockchain transactions. 300,000 credentials compromised across government and defense sectors.

Google's DBSC ties authentication cookies to hardware TPM chips, making stolen sessions worthless. Chrome 146 for Windows now protects against infostealer attacks.

ClickFix attackers bypass macOS 26.4 Terminal paste scanning by using applescript:// URLs to launch Script Editor. Same payload, new delivery vector.

Attackers compromised CPUID's website API for six hours, redirecting CPU-Z and HWMonitor downloads to trojanized installers that steal browser credentials using advanced evasion techniques.

Kaspersky discovers new SparkCat malware variants on Apple App Store and Google Play that use OCR to steal cryptocurrency wallet recovery phrases from photo galleries.

Threat actors weaponized Anthropic's accidental source code leak to distribute Vidar malware through trojanized GitHub repos. Here's how the attack works.

New Storm infostealer bypasses Chrome's App-Bound Encryption by shipping encrypted credentials to attacker infrastructure for decryption. Endpoint tools can't detect it.

Kaspersky exposes CrystalX RAT, a new malware-as-a-service combining stealer, RAT, and prankware. It rotates screens, swaps mouse buttons, and drains crypto via clipboard hijacking.

New research maps the infostealer lifecycle from infection to dark web sale. Microsoft Entra ID appears in 79% of 2.05 million credential logs analyzed in 2026.

Russian-linked AuraStealer infostealer operates 48 C2 domains, steals crypto wallets and 2FA tokens, and spreads through fake software activation videos on TikTok.

TeamPCP compromised the popular telnyx Python SDK on PyPI, hiding credential-stealing malware inside WAV audio files. Versions 4.87.1 and 4.87.2 affected—downgrade immediately.

Malwarebytes researchers detected a Vidar infostealer campaign using fake CAPTCHA pages on compromised WordPress sites. ClickFix technique tricks users into running malicious PowerShell.

A new macOS infostealer combines ClickFix social engineering with Nuitka-compiled Python to evade detection. First documented campaign pairing these techniques.

Armenian national Hambardzum Minasyan extradited to face charges for developing RedLine malware infrastructure. Follows 2024 international takedown operation.

Fake copyright infringement notices target healthcare and government organizations in Germany and Canada with fileless PureLog Stealer malware. Campaign uses language-matched lures.

New Torg Grabber infostealer targets 728 cryptocurrency wallet extensions and 103 password managers. Spreads via ClickFix clipboard hijacking with Cloudflare-based exfiltration.

Hackers infected a contractor's device to steal Okta credentials, then pivoted to Crunchyroll's Zendesk. Support ticket data for 6.8 million subscribers extracted.

VoidStealer v2.0 becomes the first infostealer to extract Chrome's v20_master_key using hardware breakpoints. No injection or privilege escalation required.

New infostealer parasitizes legitimate document security software, exfiltrating data through trusted server infrastructure. Targets include Dongfeng-27 ballistic missile documents.

Multiple threat actors deploy DarkSword, a six-CVE iOS exploit chain stealing crypto wallets, credentials, and messages from millions of vulnerable iPhones.

Three ClickFix campaigns target macOS users with MacSync infostealer disguised as ChatGPT and AI coding tools. Latest variant adds in-memory execution to evade detection.

Russian-linked AuraStealer infostealer uses TikTok videos and 48 C2 domains to steal credentials. ABE bypass defeats Chrome's cookie encryption.

New infostealer MicroStealer uses NSIS, Electron, and Java in a layered delivery chain that bypasses most security tools. Targets browser credentials and crypto wallets.

Malicious GitHub repositories exploiting Bing AI search results to distribute infostealers and GhostSocks proxy malware. Fake OpenClaw installers turn victims into residential proxies.

Attacker leverages infostealer-compromised credentials to extort restaurant POS provider HungerRush, sending threatening emails directly to customers demanding response.

Russian-speaking developers behind AuraStealer infostealer scale infrastructure to 48 command-and-control domains, targeting 110+ browsers and 250+ extensions.

Malicious QuickLens browser add-on combines Google Lens functionality with ClickFix social engineering to drain cryptocurrency wallets through fake CAPTCHA prompts.

Threat actors bypass ClawHub security by hiding Base64 payloads in fake troubleshooting comments. Atomic Stealer delivered to unsuspecting OpenClaw users.

Kaspersky exposes Arkanix Stealer, a Python and C++ infostealer likely built with LLM assistance. After two months of targeting crypto wallets and VPNs, the operation vanished.

Microsoft Defender Experts track expanding infostealer campaigns hitting macOS via ClickFix prompts, malicious DMG installers, and Python-based stealers. DigitStealer, MacSync, and AMOS lead the wave.

Hudson Rock detects Vidar infostealer exfiltrating OpenClaw AI agent files for the first time. Stolen configs include gateway tokens and cryptographic keys.

CTM360 exposes 4,000+ malicious Google Groups delivering Lumma Stealer and Ninja Browser malware. Attackers pose as tech support in forums to bypass network detection.

Researchers expose three Chrome extension campaigns stealing Meta Business Suite exports, VK accounts, and AI chatbot conversations from over 760,000 users.

Flare research finds enterprise identity compromise doubled in 2025, with Microsoft Entra ID appearing in 79% of logs. Session cookies enable MFA bypass at scale.