Infostealer

Attackers compromised Laravel Lang packages by rewriting GitHub tags, distributing a credential-stealing malware targeting cloud credentials, secrets, keys, browser data, and cryptocurrency wallets across Windows, Linux, and macOS systems.

Nimbus Manticore, an Iranian IRGC-affiliated threat actor, resurfaced during Operation Epic Fury, employing AppDomain Hijacking, SEO poisoning, and a new MiniFast backdoor while targeting the aviation and software sectors.

The SHub Reaper stealer combines credential theft, wallet hijacking, and document exfiltration with persistent backdoor access on macOS, distributed through fake WeChat and Miro installers while spoofing Apple, Google, and Microsoft to evade detection.

A new variant of the 'SHub' macOS infostealer, dubbed Reaper, uses AppleScript to display a fake security update message and install a backdoor, ultimately stealing browser data, financial documents, and cryptocurrency wallet information while bypassing Terminal-based mitigations in macOS.

Hackers injected credential-stealing malware into newly published versions of the node-ipc npm package in a supply chain attack, collecting cloud credentials, SSH keys, CI/CD secrets, and other sensitive data, exfiltrating it through DNS TXT queries.

A steganography-based malware campaign uses PawsRunner to deliver the PureLogs infostealer, highlighting evolving delivery methods.

The Gremlin stealer malware has evolved with advanced obfuscation techniques, crypto clipping, and session hijacking capabilities to steal sensitive information from compromised systems.

The Atomic macOS Stealer (AMOS) is a prevalent malware-as-a-service targeting macOS, distributed via social engineering techniques like ClickFix ruses and fake installers, designed to steal sensitive data such as credentials and cryptocurrency wallets, leading to potential account compromise and further attacks.

Attackers are using Google Ads malvertising and weaponized Claude.ai shared chats to trick macOS users into downloading and executing malware, leading to credential theft and system compromise.

A malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project, distributed information-stealing malware to Windows users by executing a PowerShell command that downloads and runs a Rust-based infostealer, which exfiltrates collected data to a command-and-control server.

The ClickFix campaign targets macOS users with fake utility fixes, tricking them into running malicious Terminal commands to install infostealing malware such as Macsync, Shub Stealer, and AMOS.

The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.

TeamPCP compromised CI/CD pipelines and GitHub accounts of multiple companies by deploying an infostealer to extract credentials from CI environments, .env files, and cloud tokens, impacting projects like Trivy, KICS, and LiteLLM.

SnappyClient is a multi-functional malware delivered via HijackLoader that steals data from browsers, takes screenshots, logs keystrokes, and establishes a remote terminal for attacker command and control.

A new exploit dubbed 'DarkSword' is being actively exploited in infostealer campaigns targeting iPhones, potentially leading to unauthorized data access and device compromise.

A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.

Traccar GPS Tracking System 6.11.1 is vulnerable to Cross-Site WebSocket Hijacking (CSWSH), enabling attackers to steal sensitive GPS data by exploiting a lack of origin validation.