CVE: Mini Shai-Hulud Malware
Mini Shai-Hulud malware has compromised hundreds of npm packages, with the threat actor TeamPCP embedding a self-replicating worm that installs persistent backdoors and steals sensitive data.
44 articles
A new SHub macOS infostealer variant, dubbed Reaper, steals sensitive browser data and hijacks crypto wallet apps by spoofing Apple security updates.
The REMUS infostealer has emerged with a focus on session theft, MaaS, and rapid evolution, drawing attention from security researchers.
The 'mini Shai-Hulud' malware campaign has infected hundreds of open-source software packages, embedding credential-stealing code into development tools downloaded millions of times a week.
Hundreds of npm and PyPI packages have been compromised in a Shai-Hulud supply-chain campaign, delivering credential-stealing malware to developers.
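The three summaries above all describe credential-stealing code riding into developer machines inside compromised npm packages. The first thing a practitioner wants after a campaign like this is a quick inventory of which installed packages run code at install time. The script below is an added example, not code from any of the reports summarized here or from the packages involved. It assumes (this is not stated on the page) that install-time lifecycle hooks such as "preinstall", "install" and "postinstall" are the usual vehicle for this class of worm, and it walks an install tree, lists every package that declares one of those hooks, and marks commands that contain download-and-execute idioms. The package names and package.json contents it builds are constructed sample data.

```python
"""Audit an npm install tree for packages that run code at install time.

Added example for this page, not code from the campaigns it summarizes.
Assumption (not stated on the page): worm-style npm compromises commonly
execute via lifecycle hooks that `npm install` runs automatically, so
listing every installed package that declares one is a cheap triage step.
"""
import json
import os
import re
import tempfile

# Hooks npm runs automatically when a dependency is installed.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Idioms in a hook command that deserve a closer look (heuristic, not a verdict).
SUSPICIOUS = re.compile(
    r"curl|wget|base64|eval|child_process|\bnode\s+-e\b|powershell", re.I
)


def audit_node_modules(root):
    """Return (package, hook, command, suspicious) for every package.json
    under `root` that declares an install-time lifecycle hook."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip instead of aborting the scan
        scripts = meta.get("scripts") or {}
        name = meta.get("name") or os.path.relpath(dirpath, root)
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append((name, hook, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


# Constructed sample packages (hypothetical names, not real npm packages).
SAMPLE_PACKAGES = {
    "left-pad-ish": {
        "name": "left-pad-ish", "version": "1.0.0",
        "scripts": {"test": "node test.js"},          # no install hook
    },
    "native-thing": {
        "name": "native-thing", "version": "2.1.0",
        "scripts": {"install": "node-gyp rebuild"},   # legitimate native build
    },
    "totally-fine": {
        "name": "totally-fine", "version": "0.3.7",
        "scripts": {"postinstall":
                    "node -e \"eval(Buffer.from(process.env.X,'base64').toString())\""},
    },
}


def build_sample_tree():
    """Write the constructed packages into a temporary node_modules tree."""
    root = tempfile.mkdtemp()
    for name, meta in SAMPLE_PACKAGES.items():
        pkg_dir = os.path.join(root, "node_modules", name)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for pkg, hook, cmd, flagged in audit_node_modules(target):
        print(f"{'!! ' if flagged else '   '}{pkg}: {hook} -> {cmd}")
```

Run it against a project's directory to get the list of install-time hooks, then review the flagged ones by hand. Two caveats: a hit is only a triage signal (native modules legitimately use "install" to compile), and a package with no hooks at all can still be malicious once it is required at runtime, so this check narrows the review, it does not replace it. Setting `ignore-scripts=true` in npm's config stops these hooks from running at all during installs, at the cost of breaking packages that genuinely need a build step.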
The Australian Cyber Security Centre warns of ongoing ClickFix attacks distributing Vidar Stealer info-stealing malware through compromised WordPress websites.
TCLBanker malware self-spreads over WhatsApp and Outlook, targeting 59 banking, fintech, and cryptocurrency platforms, with capabilities including live screen streaming and keylogging.
Hackers are using Google Ads and Claude.ai shared chats to distribute Mac malware, targeting users searching for 'Claude mac download' with fake installation guides.
The PCPJack worm is stealing credentials from exposed cloud infrastructure and removing TeamPCP infections, with researchers believing it may be the work of a former TeamPCP affiliate.
The PCPJack worm removes TeamPCP infections and steals credentials across multiple cloud environments, targeting services such as AWS, Kubernetes, and GitHub.
The JDownloader website was compromised to distribute malicious Windows and Linux installers, affecting users who downloaded installers between May 6 and May 7, 2026.
A fake Claude AI website is delivering a new Windows malware called Beagle, which provides attackers with remote access to compromised systems.
A sophisticated Linux backdoor, Quasar Linux RAT, has been identified to steal developer credentials across the software supply chain.
A new Linux malware, Quasar Linux, targets software developers with rootkit, backdoor, and credential-stealing capabilities, enabling potential supply-chain attacks.
A fresh wave of the GlassWorm supply chain campaign has seeded 73 'sleeper' extensions into the OpenVSX marketplace, six of which have already been activated to deliver malware while the remainder are considered dormant or suspicious.
A newly tracked threat actor, UNC6692, overwhelms victims with emails then impersonates IT helpdesk staff on Microsoft Teams to trick them into installing a modular malware framework dubbed Snow.
Trigona ransomware operators are using a custom-built command-line exfiltration utility to steal data faster and avoid triggering security solutions that flag publicly available tools like Rclone and MegaSync.
CISA has updated Emergency Directive 25-03 to warn that patching vulnerable Cisco firewall devices does not remove the Firestarter backdoor, which infected at least one US federal agency through zero-day exploitation.
A threat group tracked as UNC6692 is leveraging Microsoft Teams impersonation and email bombing to deliver a sophisticated custom malware suite called 'Snow,' designed for deep network compromise and credential theft.
U.S. and U.K. cybersecurity agencies are warning that a sophisticated backdoor called Firestarter is burrowing into Cisco Firepower and Secure Firewall devices, surviving patches, reboots, and firmware updates through deep hooks into the ASA core process.
SentinelOne has uncovered Fast16, a Lua-based sabotage malware predating Stuxnet that targeted precision engineering software and bears hallmarks of US state-sponsored development, with confirmed use in a 2005 attack.
Industrial cybersecurity firm Dragos has labeled ZionSiphon, a piece of malware reportedly designed to sabotage Israeli water infrastructure, as little more than hype — riddled with logic errors, hallucinated code, and no genuine capability to harm operational technology environments.
A newly identified ransomware operation called Kyber is striking Windows servers and VMware ESXi hosts, with one variant deploying Kyber1024 post-quantum key protection. Rapid7 analyzed two distinct variants in March 2026 during an active incident response engagement.
A Mirai-based botnet campaign is actively exploiting CVE-2025-29635, a high-severity command-injection flaw in D-Link DIR-823X routers, more than a year after the vulnerability was first disclosed. The affected routers reached end of life in November 2024, making a vendor patch unlikely.
Kaspersky researchers uncovered a previously unknown wiper malware called Lotus Wiper that was deployed in destructive attacks against Venezuela's energy and utilities sector, erasing data across physical drives and rendering affected machines unrecoverable.
A newly identified data-wiping malware called Lotus was used in targeted attacks against Venezuelan energy and utility organizations, leaving systems in an unrecoverable state through multi-stage disk destruction.
Kaspersky researchers uncovered 26 malicious apps on the Apple App Store impersonating wallets like MetaMask, Coinbase, Trust Wallet, and OneKey, all linked to a campaign called FakeWallet tied to the ongoing SparkKitty operation.
Darktrace researchers have uncovered ZionSiphon, a developing malware strain designed to sabotage water treatment and desalination facilities in Israel by tampering with chlorine levels and pressure controls via ICS protocols.
The Payouts King ransomware operation is leveraging the QEMU open-source emulator to spin up concealed virtual machines on compromised hosts, creating reverse SSH tunnels that completely bypass host-based security solutions.
A newly discovered malware called ZionSiphon targets water treatment and desalination systems, capable of dangerously spiking chlorine levels and hydraulic pressures. A logic flaw currently prevents execution, but researchers warn a simple fix could make it fully operational.
More than 30 WordPress plugins in the EssentialPlugin package were secretly backdoored in August 2025 following an acquisition, with the malicious code recently activated to generate spam pages, redirects, and fake content.
A newly identified malware family called AgingFly is being deployed against Ukrainian local governments, hospitals, and Defense Forces personnel, stealing credentials from Chromium browsers and WhatsApp. Ukraine's CERT team attributed the campaign to threat cluster UAC-0247.
A newly documented ransomware strain called JanaWare has been targeting Turkish home users and small businesses since 2020, demanding just $200–$400 per victim while deliberately evading international researcher scrutiny.
A new subscription-based infostealer named Storm emerged on underground forums in early 2026, shifting credential theft to server-side decryption to evade endpoint security tools and automate session hijacking against SaaS, cloud, and internal platforms.
The popular CPUID hardware utility website was breached and manipulated to serve malicious versions of CPU-Z, HWMonitor, and PerfMonitor, deploying a newly identified RAT capable of stealing credentials and cryptocurrency wallets.
A fraudulent website impersonating Anthropic's Claude AI platform was found distributing PlugX, a remote access trojan with deep ties to espionage operations, through a cleverly staged installer chain.
A new malware-as-a-service platform called Venom Stealer automates every stage of ClickFix-style social engineering attacks, from initial infection to cryptocurrency wallet draining, for as little as $250 a month.
A cybercrime group called TeamPCP has deployed a self-propagating worm that wipes data on systems configured for Iran's timezone or Farsi language, while also conducting supply chain attacks against cloud security tools Trivy and KICS.
Brazilian threat group Water Saci, also known as Augmented Marauder, is running a wormable email campaign deploying the Casbaneiro banking Trojan against Spanish-speaking targets across Latin America and Spain.
A newly discovered Lua-based malware called LucidRook is being deployed against non-governmental organizations and universities in Taiwan via spear-phishing campaigns. Cisco Talos attributes the threat to a group tracked as UAT-10362.
An elusive hacker who went by the handle "UNKN" and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and...
The Federal Police in Germany (BKA) has identified two Russian nationals as the leaders of GandCrab and REvil ransomware operations between 2019 and 2021. [...]
A newly discovered infostealer dubbed ChromeShade is harvesting saved passwords, session cookies, and cryptocurrency wallets from millions of endpoints through sophisticated phishing and fake update campaigns.
Threat actors are leveraging large language models and deepfake technology to craft highly personalized phishing attacks at unprecedented scale. Traditional detection methods are struggling to keep pace.