Tag

Infostealer

All articles tagged with #infostealer

CrashStealer macOS infostealer fakes Apple’s crash reporter to swipe credentials and crypto wallets
technology1 day ago

CrashStealer macOS infostealer fakes Apple’s crash reporter to swipe credentials and crypto wallets

A new macOS information-stealing malware named CrashStealer disguises itself as Apple’s CrashReporter to harvest Keychain data, browser credentials, and more than 80 crypto wallet extensions. Delivered via a signed, Apple-notarized dropper and launched with a fake system prompt, it exfiltrates encrypted data (AES-256-GCM) to a C2 server after collecting files from user directories. Researchers note its stealthy, self-re-signing persistence and its distinct client-side encryption and native C++ implementation, with the campaign gated behind a PIN and active since May 2026.

Malware hijacks Steam Workshop wallpaper packs via Wallpaper Engine to drop backdoors and miners
technology28 days ago

Malware hijacks Steam Workshop wallpaper packs via Wallpaper Engine to drop backdoors and miners

Kaspersky researchers warn that threat actors have seeded malware-laden wallpaper packages on Steam Workshop, exploiting Wallpaper Engine’s executable wallpapers to auto-run when opened, delivering backdoors, credential-stealing components for Steam accounts, crypto miners, and other malware families (DarkKomet, Lumma, Vidar, RanEngine, ransomware). Steam has removed several malicious apps, but new payloads are likely as attackers continue abusing the platform; users should treat downloaded wallpapers as untrusted and scan Workshop content with up-to-date antivirus.

Arch AUR Breach Hits 400+ Packages with Rootkit and Credential Stealer
technology1 month ago

Arch AUR Breach Hits 400+ Packages with Rootkit and Credential Stealer

Over 400 Arch User Repository packages were compromised after a spoofed maintainer injected malicious post-install steps that install a rogue npm package (atomic-lockfile) containing a Linux ELF with an eBPF rootkit and credential-stealing capabilities. The malware targets developer data and tokens across tools like Slack, Teams, Discord, GitHub, Vault, and SSH, and can exfiltrate data via HTTP. Researchers from IFIN and Sonatype describe two attack methods: hijacking orphaned PKGBUILD files to run npm post-install, and abusing a trusted maintainer identity to push malicious commits. Arch is removing the malicious commits and banning accounts; affected users should review indicators of compromise, rotate credentials, and consider reinstalling Arch if compromised.

Kash Patel's merch site hacked to push malware through a fake Cloudflare check
technology1 month ago

Kash Patel's merch site hacked to push malware through a fake Cloudflare check

A Based Apparel storefront tied to Kash Patel was compromised: visitors encountered a modified Cloudflare verification page and were urged to copy a code into their terminal, which installed a Mac-specific infostealer malware designed to harvest credentials, browser data, crypto extension info, and keychain items, with a suspected payment skimmer also present. The attack leveraged a malicious WordPress plugin, while initial access remains unclear. Patel has distanced himself from the store, and there’s no confirmed FBI involvement at this time.

Fake OpenAI Privacy Filter Repo Delivers Windows Infostealer on Hugging Face
security2 months ago

Fake OpenAI Privacy Filter Repo Delivers Windows Infostealer on Hugging Face

A clone of OpenAI's Privacy Filter on Hugging Face impersonated the legitimate model to distribute a Windows infostealer via a loader that downloads payloads through Base64, JSON Keeper, and PowerShell, then sets up a one-shot scheduled task to run the final malware and exfiltrate data (screenshots, crypto wallets, browser data) to a remote domain while attempting to evade detection by disabling AMSI/ETW; the repo peaked at #1 with about 244,000 downloads before being disabled, and researchers link it to similar loaders and ValleyRAT-related campaigns targeting open-source ecosystems.

Mac malware slips into Claude chats via Google ads
technology2 months ago

Mac malware slips into Claude chats via Google ads

Researchers uncovered a malvertising campaign that abuses Google Ads and Claude.ai shared chats to deliver macOS malware. Sponsored results mislead users to claude.ai while a Claude chat guides them to paste a terminal command that downloads a polymorphic loader and a second-stage payload executed via osascript, enabling remote code execution; some variants also exfiltrate browser data and Keychain contents. The operation uses two separate infrastructures and even performs locale checks to skip certain targets. To stay safe, download Claude apps directly from claude.ai and avoid following terminal commands shown in chats or ads.

Chrome secures sessions by binding cookies to hardware, thwarting infostealer theft
technology3 months ago

Chrome secures sessions by binding cookies to hardware, thwarting infostealer theft

Google Chrome 146 on Windows adds Device Bound Session Credentials (DBSC), cryptographically linking a user’s session to the device’s hardware (TPM on Windows, Secure Enclave on macOS) so stolen session cookies can’t be exploited. New short-lived cookies require possession of the hardware-bound private key, otherwise they expire quickly. macOS support is planned for a future Chrome release. The DBSC protocol, developed with Microsoft and tested with partners like Okta, aims to reduce cookie theft while preserving privacy, with implementation guidance and W3C specs available for developers.

Trivy hit by TeamPCP supply-chain attack through GitHub Actions
security3 months ago

Trivy hit by TeamPCP supply-chain attack through GitHub Actions

The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors TeamPCP, who backdoored the Trivy GitHub build process and trojanized releases and related GitHub Actions (notably v0.69.4). This allowed an infostealer to harvest credentials and other secrets from GitHub Actions runners, CI configs, and local developer environments, exfiltrating data to a typosquatted C2 server or via a public repo. Attackers gained write access to publish malicious releases and force-push most tags, making detection difficult; Aqua Security linked the breach to an earlier credential exfiltration and noted token rotation wasn't atomic. The incident is connected to a follow-up CanisterWorm npm campaign by the same actor. Remediation includes rotating all secrets, auditing for compromise, and investigating for persistence across environments.

Public Database Leak Exposes 149 Million Logins, Highlighting Infostealer Risk
cybersecurity5 months ago

Public Database Leak Exposes 149 Million Logins, Highlighting Infostealer Risk

A publicly accessible database exposed 149 million account credentials, including 48 million Gmail logins and 17 million Facebook logins, along with government, banking, and education accounts. The researcher who found it suspects infostealing malware collected the data, and the provider took the trove down after being alerted; the leak highlights how unsecured databases can become a goldmine for cybercriminals.

Hacker Injects Malware into Early Access Steam Game
technology11 months ago

Hacker Injects Malware into Early Access Steam Game

A threat actor called EncryptHub compromised the early access Steam game Chemia by injecting malware that steals user data, which remains available on Steam and poses a risk to players. The malware includes HijackLoader and Vidar infostealer, and was added through malicious binaries, with the attack possibly involving insider help. Steam has not issued an official statement, and users are advised to avoid downloading the game until further notice.

Minecraft Players Targeted by Malware Masquerading as Game Mods
technology1 year ago

Minecraft Players Targeted by Malware Masquerading as Game Mods

A malware campaign by Stargazers Ghost Network targets Minecraft players with fake mods and cheats, infecting Windows devices to steal credentials, tokens, and cryptocurrency wallets through malicious Java and .NET payloads distributed via GitHub repositories and Pastebin links, with a focus on evading detection and exfiltrating data to Russian-controlled servers.

"PyPI Malware Threatens Windows and Linux Users with Crypto and Info Theft"
cybersecurity2 years ago

"PyPI Malware Threatens Windows and Linux Users with Crypto and Info Theft"

Malicious packages on the PyPI repository have been found to deliver the WhiteSnake Stealer malware on Windows systems, while also targeting Linux hosts with a Python script. The malware, uploaded by a threat actor named "WS," is capable of stealing information, communicating with a C&C server using the Tor protocol, and exfiltrating sensitive data, particularly crypto wallet information. The packages have been observed to overwrite clipboard content with attacker-owned wallet addresses and steal data from browsers, applications, and crypto services. This discovery highlights the ability of a single malware author to disseminate multiple info-stealing malware packages into the PyPI library over time.

"Realst Malware: Protecting Your macOS Sonoma and Cryptocurrency Wallets"
cybersecurity3 years ago

"Realst Malware: Protecting Your macOS Sonoma and Cryptocurrency Wallets"

Cybercriminals are spreading a new infostealer malware called Realst through fake blockchain games, targeting both Windows and macOS users. Some variants of the malware are already targeting macOS 14 Sonoma, which is set to be released in the fall. Realst silently collects web browser data, including stored passwords, and can empty cryptocurrency wallets. To protect against Realst and other malware, users are advised to be cautious when installing software outside the official Mac App Store, verify links before opening them, use strong passwords and two-step authentication, exercise caution when granting permissions, and keep devices and applications up-to-date.