2026-04-24 AI创业新闻
UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware
A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. “As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization,” Google-owned Mandiant said in a report published today. UNC6692 has been attributed to a large email campaign that’s designed to overwhelm a target’s inbox with a flood of spam emails, creating a false sense of urgency. The threat actor then approaches the target over Microsoft Teams by sending a message claiming to be from the IT support team to offer assistance with the email bombing problem.
It’s worth noting that this combination of bombarding a victim’s email inbox followed by Microsoft Teams-based help desk impersonation has been a tactic long embraced by former Black Basta affiliates . Despite the group shutting down its ransomware operations early last year, the playbook has witnessed no signs of slowing down. In a report published last week, ReliaQuest revealed that the approach is being used to target executives and senior-level employees for initial access into corporate networks for potential data theft, lateral movement, ransomware deployment, and extortion. In some cases, chats were initiated just 29 seconds apart.
The goal of the conversation is to trick victims into installing legitimate remote monitoring and management (RMM) tools like Quick Assist or Supremo Remote Desktop to enable hands-on access, and then weaponize it to drop additional payloads. “From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026,” ReliaQuest researchers John Dilgen and Alexa Feminella said . “This activity demonstrates that a threat group’s most effective tactics can long outlive the group itself.” The attack chain detailed by Mandiant, on the other hand, deviates from this approach as the victim is instructed to click on a phishing link shared via Teams chat to install a local patch to remediate the spam issue. Once it’s clicked, it leads to the download of an AutoHotkey script from a threat actor-controlled AWS S3 bucket.
The phishing page is named “Mailbox Repair and Sync Utility v2.1.5.” The script is designed to perform initial reconnaissance, and then install SNOWBELT, a malicious Chromium-based browser extension, on the Edge browser by launching it in headless mode along with the “–load-extension” command line switch . “The attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes,” Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair said. “The script also checks the victim’s browser. If the user is not using Microsoft Edge, the page displays a persistent overlay warning.
Using the SNOWBELT extension, UNC6692 downloaded additional files including SNOWGLAZE, SNOWBASIN, AutoHotkey scripts, and a ZIP archive containing a portable Python executable and required libraries.” The phishing page is also designed to serve a Configuration Management Panel with a prominent “Health Check” button that, when clicked, prompts users to enter their mailbox credentials for ostensibly authentication purposes, but, in reality, is used to harvest and exfiltrate the data to another Amazon S3 bucket. The SNOW malware ecosystem is a modular toolkit that works together to facilitate the attacker’s goals. While SNOWBELT is a JavaScript-based backdoor that receives commands and relays them to SNOWBASIN for execution, SNOWGLAZE is a Python-based tunneler to create a secure, authenticated WebSocket tunnel between the victim’s internal network and the attacker’s command-and-control (C2) server. The third component is SNOWBASIN, which operates as a persistent backdoor to enable remote command execution via “cmd.exe” or “powershell.exe,” screenshot capture, file upload/download, and self-termination.
It runs as a local HTTP server on ports 8000, 8001, or 8002. Some of the other post-exploitation actions carried out by UNC6692 after gaining initial access are as follows - Use a Python script to scan the local network for ports 135, 445, and 3389 for lateral movement, establish a PsExec session to the victim’s system via the SNOWGLAZE tunneling utility, and initiate an RDP session via the SNOWGLAZE tunnel from the victim system to a backup server. Utilize a local administrator account to extract the system’s LSASS process memory with Windows Task Manager for privilege escalation. Use the Pass-The-Hash technique to move laterally to the network’s domain controllers using the password hashes of elevated users, download and run FTK Imager to capture sensitive data (e.g., Active Directory database file) and write it to the \Downloads folder, and exfiltrate it using the LimeWire file upload tool.
“The UNC6692 campaign demonstrates an interesting evolution in tactics, particularly the use of social engineering, custom malware, and a malicious browser extension, playing on the victim’s inherent trust in several different enterprise software providers,” the tech giant said. “A critical element of this strategy is the systematic abuse of legitimate cloud services for payload delivery and exfiltration, and for command-and-control (C2) infrastructure. By hosting malicious components on trusted cloud platforms, attackers can often bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.” The disclosure comes as Cato Networks detailed a voice phishing-based campaign that leverages similar help desk impersonation on Microsoft Teams to guide victims into executing a WebSocket-based trojan dubbed PhantomBackdoor via an obfuscated PowerShell script retrieved from an external server. “This incident shows how help desk impersonation delivered through a Microsoft Teams meeting can replace traditional phishing and still lead to the same outcome: staged PowerShell execution followed by a WebSocket backdoor,” the cybersecurity company said .
“Defenders should treat collaboration tools as first-class attack surfaces by enforcing help desk verification workflows, tightening external Teams and screen-sharing controls, and hardening PowerShell.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Bitwarden CLI has been compromised as part of the newly discovered and ongoing Checkmarx supply chain campaign , according to new findings from JFrog and Socket. “The affected package version appears to be @bitwarden/cli@2026.4.0 , and the malicious code was published in ‘bw1.js,’ a file included in the package contents,” the application security company said . “The attack appears to have leveraged a compromised GitHub Action in Bitwarden’s CI/CD pipeline, consistent with the pattern seen across other affected repositories in this campaign.” In a post on X, JFrog said the rogue version of the package “steals GitHub/npm tokens, .ssh, .env, shell history, GitHub Actions and cloud secrets, then exfiltrates the data to private domains and as GitHub commits.” Specifically, the malicious code is executed by means of a preinstall hook, resulting in the theft of local, CI, GitHub, and cloud secrets. The data is exfiltrated to the domain “audit.checkmarx[.]cx” and to a GitHub repository as a fallback if the primary method fails.
The entire series of actions is listed below - It launches a credential stealer that targets developer secrets, GitHub Actions environments, and artificial intelligence (AI) coding tool configurations, including Claude, Kiro, Cursor, Codex CLI, and Aider. The stolen data is encrypted with AES-256-GCM and exfiltrated to audit.checkmarx[.]cx, a domain impersonating Checkmarx. If GitHub tokens are found, the malware weaponizes them to inject malicious Actions workflows into repositories and extract CI/CD secrets. “A single developer with @bitwarden/cli@2026.4.0 installed can become the entry point for a broader supply chain compromise, with the attacker gaining persistent workflow injection access to every CI/CD pipeline the developer’s token can reach,” StepSecurity said .
While the malicious version is no longer available for download from npm, Socket said the compromise follows the same GitHub Actions supply chain vector identified in the Checkmarx campaign. As part of the effort, threat actors have been found abusing stolen GitHub tokens to inject a new GitHub Actions workflow that captures secrets available to the workflow run, and uses harvested npm credentials to push malicious versions of the package to read the malware to downstream users. According to security researcher Adnan Khan, the threat actor is said to have used a malicious workflow to publish the malicious bitwarden CLI. “I believe this is the first time a package using NPM trusted publishing has been compromised,” Khan added .
Bitwarden CLI Attack Chain | Source: OX Security It’s suspected that the threat actor known as TeamPCP is behind the latest attack aimed at Checkmarx. As of writing, TeamPCP’s X account has been suspended for violating the platform’s rules. OX Security, in a breakdown of the attack, said it identified the string “Shai-Hulud: The Third Coming” in the package, suggesting this could likely be the next phase of the supply chain attack campaign that came to light last year. Reference to the “Shai-Hulud: The Third Coming” “The latest Shai Hulud incident is just the latest in a long chain of threats targeting developers around the world.
User data is being publicly exfiltrated to GitHub, often going undetected because security tools typically don’t flag data being sent there,” Moshe Siman Tov Bustan, Security Research Team Lead at OX Security, said. “This makes the risk significantly more dangerous: anyone searching GitHub can potentially find and access those credentials. At that point, sensitive data is no longer in the hands of a single threat actor – it’s exposed to anyone.”
Like in the case of the Checkmarx incident, the stolen data is exfiltrated to public repositories created under victim accounts using a Dune-themed naming scheme in the same format “
“The shared tooling strongly suggests a connection to the same malware ecosystem, but the operational signatures differ in ways that complicate attribution,” Socket said. “This suggests either a different operator using shared infrastructure, a splinter group with stronger ideological motivations, or an evolution in the campaign’s public posture.” When reached for comment, Bitwarden confirmed the incident and said it stemmed from the compromise of its npm distribution mechanism following the Checkmarx supply chain attack, but emphasized that no end-user data was accessed as part of the attack. The entire statement shared with The Hacker News is reproduced verbatim below - The Bitwarden security team identified and contained a malicious package that was briefly distributed through the npm delivery path for @bitwarden/cli@2026.4.0 between 5:57 PM and 7:30 PM (ET) on April 22, 2026, in connection with a broader Checkmarx supply chain incident. The investigation found no evidence that end user vault data was accessed or at risk, or that production data or production systems were compromised.
Once the issue was detected, compromised access was revoked, the malicious npm release was deprecated, and remediation steps were initiated immediately. The issue affected the npm distribution mechanism for the CLI during that limited window, not the integrity of the legitimate Bitwarden CLI codebase or stored vault data. Users who did not download the package from npm during that window were not affected. Bitwarden has completed a review of internal environments, release paths, and related systems, and no additional impacted products or environments have been identified at this time.
A CVE for Bitwarden CLI version 2026.4.0 is being issued in connection with this incident. (This is a developing story. Please check for more details.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories
You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes. The supply chain is messy.
Packages you did not check are stealing data, adding backdoors, and spreading. Attacking the systems behind apps is easier than breaking the apps themselves. The exploits are simple but still work, giving attackers easy access. AI tools are also part of the problem now.
They trust bad input and take real actions, which makes the damage bigger. Then there are quieter issues. Apps take data they should not. Devices behave in strange ways.
Attackers keep testing what they can get away with. No noise. Just ongoing damage. Here is the list for this week’s ThreatsDay Bulletin.
State-backed crypto heist North Korea Likely Behind KelpDAP $290M Crypto Heist Inter-blockchain communication protocol LayerZero has revealed that North Korean threat actors tracked TraderTraitor may have been behind the recent hack of decentralized finance (DeFi) project KelpDAO, resulting in the theft of $290 million. “The attack was specifically engineered to manipulate or poison downstream RPC infrastructure by compromising a quorum of the RPCs the LayerZero Labs DVN relied upon to verify transactions,” LayerZero said. KelpDAO, in a post on X, said, “Two RPC nodes hosted by LayerZero were compromised. A simultaneous DDoS attack was launched against the third RPC node.
- This was an attack on LayerZero’s infrastructure. Kelp’s own systems were not involved in building or operating that infrastructure.” Meanwhile, the Arbitrum Security Council has
- temporarily frozen
- the 30,766 ETH being held in the address on Arbitrum One that is connected to the KelpDAO exploit. In an analysis published today, Chainalysis
- said
- “Crucially, this was not a smart contract hack, but a sophisticated attack on off-chain infrastructure. The attackers compromised internal RPC nodes and DDoS’d external nodes to feed false data to a single-point-of-failure verification network (a 1-of-1 DVN setup).
This tricked the Ethereum contract into releasing funds based on a phantom token ‘burn’ on the source chain.” It’s worth noting that TraderTraiter was attributed to the mega Bybit hack in early 2025 that led to the theft of $1.5 billion in digital assets. Recently, Lazarus Group was also linked to the $285 million theft from the Drift Protocol. Active RCE exploits MajorDoMo Flaws Come Under Exploitation Separately, VulnCheck has warned of attacks attempting to exploit two flaws in MajorDoMo, a smart home automation platform. While CVE-2026-27175 is a critical command injection vulnerability that started seeing exploitation on April 13, CVE-2026-27174 allows unauthenticated remote code execution via the PHP console in the admin panel and was first detected on April 18.
“CVE-2026-27175 was exploited to drop a PHP webshell that delivers persistent backdoor access,” VulnCheck said . “CVE-2026-27174 saw exploitation that ended in a Metasploit php/meterpreter/reverse_tcp staged payload.” Other vulnerabilities that have witnessed exploitation efforts include CVE-2025-22952 , an SSRF in Elestio Memos, and CVE-2024-57046 , an authentication bypass in NETGEAR DGN2200 routers. Supply chain malware surge New Malicious Packages Discovered A number of malicious packages have been discovered in the npm registry: ixpresso-core , forge-jsx , @genoma-ui/components, @needl-ai/common, rrweb-v1 , cjs-biginteger, sjs-biginteger, bjs-biginteger , @fairwords/websocket, @fairwords/loopback-connector-es, @fairwords/encryption , js-logger-pack , and @kindo/selfbot . These packages come with features to steal sensitive data from compromised hosts, perform system reconnaissance, andimplant an SSH backdoor by injecting the attacker’s public key into ~/.ssh/authorized_keys, deliver an information stealer, and spread the XWorm remote access trojan (RAT).
The packages published under the “@fairwords” scope have also been found to self-propagate to all npm packages using the victim’s token and attempt cross-ecosystem propagation to PyPI via .pth file injection. New versions of js-logger-pack have since been found to leverage the Hugging Face repository to poll for updates and use it as a data-theft destination. Also detected was the compromise of @velora-dex/sdk (version 9.4.1) to decode and execute a Base64 payload that fetches a shell script from a remote server that, in turn, downloads and persists a Go-based remote access trojan called minirat on macOS systems. Another legitimate package to be compromised was mgc (versions 1.2.1 through 1.2.4), which was injected with a dropper that detects the operating system and fetches a platform-specific RAT from a GitHub Gist to exfiltrate valuable data.
AI prompt injection surge 10 Indirect Prompt Injection Payloads Flagged Forcepoint has detected 10 new indirect prompt injection (IPI) payloads targeting artificial intelligence (AI) agents with malicious instructions designed to achieve financial fraud, data destruction, API key theft, and AI denial-of-service attacks. “Regardless of the specific payload technique or attacker intent, every case follows the same fundamental sequence: the attacker poisons web content, hides the payload from human view, waits for an AI agent to ingest the page, exploits the LLM’s inability to distinguish trusted instructions from attacker-controlled content, and triggers a real-world action with a covert exfiltration return channel back to the attacker,” the company said . Covert browser data access Claude Desktop Grants Additional Permissions to Itself The Claude desktop app has been found granting itself permission to access web browser data, even if some browsers haven’t even been installed on a user’s computer, web privacy expert Alexander Hanff said. The app has been spotted placing configuration files in preset locations for Chromium-based browsers like Brave, Google Chrome, Microsoft Edge, and Vivaldi.
The Native Messaging manifest files pre-authorize Claude to interact with the browser even before the user installs it. The issue has been described as a case of dark pattern that violates privacy laws in the E.U. Hardware display protection U.K. NCSC Unveils SilentGlass The U.K.
National Cyber Security Centre (NCSC) has unveiled a new technology called SilentGlass that’s designed to protect video connections from cyber attacks. “SilentGlass, a plug-and-play device, actively blocks anything unexpected or malicious between HDMI and Display Port connections and screens,” NCSC said . “Already successfully deployed on Government estates, SilentGlass is now available for anyone to buy and use. It has been approved for use in the most high-threat environments.” Passkeys replace passwords NCSC Endorses Passkeys In a related development, the NCSC also endorsed passkeys as the default authentication standard and the “first choice of login” for access to all digital services.
“Passkeys are a newer method for logging into online accounts, which do much of the heavy lifting for users, only requiring user approval rather than needing to input a password,” NCSC said . “This makes passkeys quicker and easier to use and harder for cyber attackers to compromise.” It also said the majority of cyber harms to individuals begin with criminals stealing or compromising login details, which makes passkey adoption a “huge leap” in boosting resilience to phishing attacks. More than 50% of active Google services users in the U.K. are said to be already using passkeys.
Backdoor sabotage claims Iran Claims U.S. Used Backdoors to Disable Networking Equipment During War Reports from Iranian media have claimed that hardware made by Cisco, Juniper, Fortinet, and MikroTik either rebooted or disconnected during recent attacks on Iran, despite the country being cut off from the global internet. “The most striking and suspicious aspect of this incident is its precise timing and the lack of access to the international internet at that moment,” Iranian news website Entekhab said . “This disruption occurred at a time when international gateways were effectively blocked or inaccessible; therefore, attributing this chain collapse to ‘a simple cyber attack from beyond the borders’ is not only unconvincing but also reveals the traces of deep-seated sabotage embedded within the equipment.” The report hypothesizes the presence of hidden firmware backdoors or rogue implants within compromised devices, creating a dormant botnet that’s activated when a certain event occurs without the need for internet access.
The other possibility is a supply chain compromise. “If the chips or installation files of Cisco and Juniper products are compromised before entering the country, even replacing the operating system will not solve the problem, because the root of the problem is embedded in the hardware and read-only memory (ROM),” the report said. These arguments have found purchase in China, whose state media agency Xinhua called U.S.-made equipment the “real trojan horse.” The disclosure comes as DomainTools revealed that the various hacktivist personas adopted by Iran, such as Homeland Justice, Karma, and Handala , “constitute a coordinated, MOIS-aligned cyber influence ecosystem operating under multiple branded identities that serve distinct but complementary operational roles.” Ransomware infighting escalates Krybit Ransomware Hacks 0APT Site The Krybit ransomware group has hacked the website of rival ransom group 0APT after the latter threatened to dox Krybit’s members. According to security firm Barricade , 0APT leaked the complete database of the Krybit ransomware operation, including victim records, plaintext credentials, Bitcoin wallets, encryption tokens, and a 56MB exfiltration file inventory.
In return, Krybit has hit back by compromising 0APT’s server within 48 hours, defacing their data leak site, and publishing source code, bash history, Nginx logs, and system files. To rub salt into the wound, the group listed 0APT as victim #1 on their own leak site. Stealth malware-as-a-service New FUD Crypt Cryptor Service There is a new cryptor-as-a-service platform called FUD Crypt (fudcrypt[.]net). “For $800 to $2,000 per month, subscribers upload an arbitrary Windows executable and receive a multi-stage deployment package that attempts automatic DLL sideloading, in-memory AMSI and ETW interference, silent UAC elevation via CMSTPLUA, and Windows Defender tamper via Group Policy on Enterprise builds,” Ctrl-Alt-Intel said .
Formbook phishing surge Phishing Campaigns Deliver Formbook Malware Two different phishing campaigns targeting Greek, Spanish, Slovenian, Bosnian, Latin, and Central American companies are using different techniques to deliver Formbook malware. “FormBook is a data-stealing malware that targets Windows systems, primarily distributed through phishing emails with malicious attachments,” WatchGuard said . “It collects sensitive information like login credentials, browser data, and screenshots, using advanced evasion techniques to avoid detection.” Stealth .NET execution abuse Operation PhantomCLR Targets Middle East and EMEA A highly sophisticated, multi-stage post-exploitation framework has been observed targeting organizations in the Middle East and EMEA financial sectors. “The threat actor leverages a legitimate, digitally signed Intel utility (IAStorHelp.exe) by abusing the .NET AppDomainManager mechanism, effectively turning a trusted binary into a stealthy execution container,” CYFIRMA said .
“This approach allows malicious code to be executed within a trusted environment. It bypasses conventional security controls without modifying the original signed binary.” Because AppDomainManager hijacking enables stealth execution within a trusted signed binary, it allows malicious code to run without modifying the original executable, effectively bypassing code-signing trust controls. The attack begins with a phishing email containing a ZIP archive, which contains an LNK file masquerading as a PDF document to execute “IAStorHelp.exe.” It’s currently not known who is behind the campaign, but the level of sophistication, modular design, and operational discipline suggest capabilities consistent with advanced threat actors. RAT plus adware bundle New Campaign Distributes RAT and Adware A new malware campaign is spreading both a remote access trojan and adware together, allowing attackers to establish persistent access and make financial profits.
The attack has been found to leverage a loader to deliver Gh0st RAT trojan and CloverPlus adware, an unwanted software designed to install advertising components and change browser behavior, such as startup pages and pop-up ads, per Splunk . macOS stealth execution abuse Living-off-the-Land in macOS In a new analysis, Cisco Talos revealed that bad actors can bypass security controls in Apple macOS by repurposing native features like Remote Application Scripting (RAS) for remote execution and abusing Spotlight metadata (Finder comments) to stage payloads in a way that evades static file analysis. “Because Finder is scriptable over RAE, the comment of a file on a remote machine can be set via the “eppc://” protocol. By Base64 encoding a payload locally, a multi-line script can be stored within this single string field.
The make new file command handles the creation of the target file, ensuring that no pre-existing file is required,” Talos said . “The payload resides entirely within the Spotlight metadata, a location that remains largely unexamined by standard endpoint detection and response (EDR) solutions. This creates a stealthy staging area where malicious code can persist on the disk without triggering alerts associated with suspicious file contents.” In addition, attackers can move toolkits and establish persistence using built-in protocols such as SMB, Netcat, Git, TFTP, and SNMP operating entirely outside the visibility of standard SSH-based telemetry. In some cases, adversaries can also bypass built-in restrictions by using Terminal as a proxy for execution, encoding payloads in Base64 and deploying them in stages.
LLM agent testing framework Terrarium Framework for Evaluating Multi-Agent Systems A group of academics has released a hackable, modular, and configurable open-source framework called Terrarium for studying and evaluating decentralized LLM-based multi-agent systems (MAS). “As the capabilities of agents progress (e.g., tool calling) and their state space expands (e.g., the internet), multi-agent systems will naturally arise in unique and unexpected scenarios,” the researchers said , adding it acts as “an isolated playground for studying agent behavior, vulnerabilities, and safety. It enables full customization of the communication protocol, communication proxy, environment, tool usage, and agents.” AI data privacy purge Clarifai Deletes OkCupid Data According to Reuters , AI company Clarifai said it has deleted 3 million profile photos taken from dating site OkCupid in 2014. It follows a settlement reached last month between the U.S.
Federal Trade Commission (FTC) and Match Group, OkCupid’s owner. Clarifai is said to have certified the data deletion to the FTC on April 7, 2026, and deleted any models that trained on the data. The company also emphasized that it hadn’t shared the data with third parties. The FTC opened the investigation in 2019, after The New York Times reported that Clarifai had built a training database using OkCupid dating profile photos.
The behavior was a direct violation of OkCupid’s privacy policy, although Clarifai was not accused of wrongdoing. Zero-credential RCE chain Active Exploitation of CVE-2026-34197 VulnCheck said it’s seeing active exploitation of the Apache ActiveMQ Jolokia remote code execution chain that strings together CVE-2026-34197 and CVE-2024-32114 . “CVE-2024-32114 removes authentication from the Jolokia endpoint entirely on ActiveMQ versions 6.0.0 through 6.1.1,” VulnCheck’s Jacob Baines said . “Combined with CVE-2026-34197, that is zero-credential RCE.” Stealth phishing lure Spike in Phishing Using Empty Email Subject Lines There has been a surge in phishing emails utilizing empty subject lines as a way to lure users to actually click and open the email without the usual warning cues.
Known as silent subject or null subject phishing, the technique is designed to exploit blind spots in email defenses, as it allows such emails to bypass security filters that rely on analyzing the subject lines for specific keywords that may indicate potential phishing or scam. “Emails with empty subject lines evade user suspicion by exploiting human curiosity,” CyberProof said . “The primary objective of a silent subject campaign is to gain initial access through social engineering, leading to credential compromise, unauthorized access, and potential lateral movement within targeted environments, especially focusing on high-value or VIP users.” Industrial-scale SIM farms ProxySmart as a SIM Farm-as-a-Service A Belarus-based turnkey solution is assisting SIM farm operators in supporting cybercrime on an industrial scale. Infrawatch said that it identified 87 instances of ProxySmart control panels in 17 countries that are linked to at least 24 commercial proxy providers and 35 cellular providers.
The footprint spans 94 phone farm locations, distributed across 19 U.S. states, as well as countries in Europe and South America. ProxySmart provides an end-to-end platform for operating and monetizing mobile proxy infrastructure, including farm management, device control, customer provisioning, retail proxy sales, and payment handling. It’s accessible via a web-based control panel that’s self-hosted by the farm operator.
Devices in the farms are either physical Android phones or USB 4G/5G modems. The phones are enrolled via an unsigned Android APK package downloaded from the ProxySmart website, with SMS send and receive capability included. Modems are managed through ModemManager, an open-source USB dongle management tool. The ProxySmart service is written in Python and obfuscated using PyArmour.
“ProxySmart is publicly associated with a Belarus-based vendor footprint and offers an end-to-end stack for operating and monetizing a physical farm, including device management, automated IP rotation, customer provisioning, plan enforcement, and anti-bot countermeasures,” the company said . “Technical analysis indicates operator capabilities consistent with large-scale evasion enablement, including automated IP rotation, remote device control, and network fingerprint spoofing.” SIM farms enable a range of cybercrime activity such as smishing, premium-rate number fraud, bot sign-ups, and one-time password interception. In response to the findings, ProxySmart disputed its characterization as a SIM farm, stating it’s a “data-path proxy management platform” and that its mobile proxy infrastructure “underpins a wide range of legitimate commercial and research activity” including advertising verification, brand protection, price monitoring, and anti-fraud model training, among others. Telegram under CSAM probe Ofcom Probes Telegram for CSAM Ofcom, the U.K.’s independent communications regulator, has launched an investigation into Telegram under the country’s Online Safety Act to examine whether the platform is being used to share child sexual abuse material (CSAM) and is doing enough to combat the threat.
“We received evidence from the Canadian Centre for Child Protection regarding the alleged presence and sharing of child sexual abuse material on Telegram, and carried out our own assessment of the platform,” Ofcom said . “In light of this, we have decided to open an investigation to examine whether Telegram has failed, or is failing, to comply with its duties in relation to illegal content.” In a statement shared with The Record, Telegram said it “categorically denies Ofcom’s accusations,” adding it has “virtually eliminated the public spread of CSAM on its platform through world-class detection algorithms and cooperation with NGOs.” Earlier this year, Ofcom also commenced a probe into X to determine whether the service is taking necessary steps to take down illegal content, including non-consensual intimate images and CSAM. EU cracks disinfo ops E.U. Sanctions Pro-Russian Organizations for Disinformation The European Union imposed sanctions on two pro-Russian organizations accused of spreading disinformation and supporting the Kremlin’s hybrid influence operations against Europe and Ukraine.
The measures target Euromore and the Foundation for the Support and Protection of the Rights of Compatriots Living Abroad (Pravfond). The move is part of the E.U.’s broader effort to counter Russian information and influence operations targeting Europe since the start of Moscow’s full-scale invasion of Ukraine in 2022. The E.U. has imposed sanctions on 69 individuals and 19 entities linked to Russian hybrid warfare.
Bot farm dismantled Ukraine Dismantles Bot Farm Ukrainian authorities have dismantled a bot farm that’s alleged to have supplied thousands of fake social media accounts to Russian intelligence services for use in disinformation campaigns against Ukraine. The suspected organizer of the network has been detained in the northern city of Zhytomyr, and nearly 20,000 fraudulent online profiles that were used in information operations have been blocked. The suspect is believed to have sold more than 3,000 fake Telegram accounts each month to Russian clients. The accounts were created using Ukrainian mobile phone numbers and then advertised on online platforms used by pro-Russian actors.
If convicted, the suspect faces up to six years in prison. Malicious extensions surge StealTok Campaign Steals User Data More than 130,000 users have downloaded and installed malicious Chrome and Edge extensions that, while offering the promised functionality, also implement covert tracking, remote configuration capabilities, and data collection mechanisms.The 12 extensions posed as tools to download TikTok videos and were available through the official Chrome and Edge stores. The activity has been codenamed StealTok. The extensions have been found to use remote configuration to bypass store review.
“Beyond privacy concerns, the use of remote configuration endpoints introduces a significant security risk, enabling post-installation behavior changes that bypass marketplace review mechanisms,” LayerX said . Joomla SEO spam backdoor PHP Backdoor Targets Joomla Sites to Inject SEO Spam In a new campaign spotted by Sucuri, threat actors are planting a new PHP-based backdoor on Joomla sites to inject SEO spam. The injected script acts as a remote loader to send information about the infected website and awaits further instructions from an attacker-controlled server. “Attackers inject malicious code that silently serves spam content to visitors and search engines, all without the site owner knowing,” Sucuri said .
“The goal is simple: abuse the site’s reputation to push traffic towards products the attacker wants to promote.” Post-exfiltration data trade Criminal Platform Leak Bazaar Peddles Stolen Data with a Twist A new service called Leak Bazaar has been promoted on the Russian-speaking TierOne forum that claims to process data stolen from extortion and ransomware attacks and turn it into “something more legible, more selective and precise, and making it marketable for the general population to ingest.” It’s advertised by a user named Snow, who joined the forum on March 3, 2026. “What Leak Bazaar is really offering is not a DLS or Data or Dedicated Leak Site in the conventional sense, but a post-exfiltration service layer,” Flare said . “It is trying to reassure both suppliers and buyers that the platform can solve the most frustrating part of data theft, which is that a large percentage of exfiltrated material is too noisy, too unstructured, or too cumbersome to use without additional labor.” RDP scanning concentration Just 21 IP Addresses Behind About 50% of All RDP Scanning GreyNoise has disclosed that a small cluster of 21 IP addresses is now responsible for generating nearly half of all the RDP scanning traffic on the public internet. The addresses are registered to ColocaTel (AS213438), a company based in the Seychelles.
According to the threat intelligence firm, mass internet scanning activity is now preceding vendor vulnerability disclosures more frequently than before, with 49% of surges arriving within 10 days of disclosure and 78% within 21 days.In a related development, security researcher Morgan Robertson revealed that almost three-quarters of Perforce P4 source code management servers connected to the internet are misconfigured and leaking source code and sensitive files. “The default Perforce settings allow unauthenticated users to create accounts, list existing users, access passwordless accounts, and, until version 2025.1, allowed syncing repositories remotely; potentially exposing intellectual property across more than a dozen sectors, including gaming, healthcare, automotive, finance, and government,” Robertson said . “Action is recommended for all Perforce administrators to ensure security hardening, including setting stronger authentication requirements, disabling automatic account creation, and raising security levels.” Emerging threat groups surge New Threat Actors in the Wild Various new hacktivist, data extortion, and ransomware crews have been spottedin the wild. These include Harakat Ashab al-Yamin al-Islamia , World Leaks , Lamashtu , Payouts King , BravoX , Black Shrantac , NBLOCK , Ndm448 , Chip , Ransoomed , and Zollo .
None of this is new. That is the problem. Old paths still open, basic checks still skipped, and trust still given where it should not be. Attackers are not doing anything magical, they are just faster and less careful because they do not need to be.
The fixes are known but ignored. Patch early, check what you install, limit access, and stop trusting inputs by default. Most of the damage comes from things that were easy to prevent. Same story next week.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
[Webinar] Mythos Reality Check: Beating Automated Exploitation at AI Speed
Imagine a world where hackers don’t sleep, don’t take breaks, and find weak spots in your systems instantly. Well, that world is already here. Thanks to AI, attackers are now launching automated, large-scale exploits faster than ever before. The time you have to fix a vulnerability before it gets attacked is shrinking to zero.
We call this the Collapsing Exploit Window , and it means your standard patching routine is officially too slow. If you are fighting AI-speed attacks with manual-speed defenses, your systems are at a breaking point. It’s time to rethink everything. Join our highly anticipated webinar featuring expert guest Ofer Gayer, Vice President of Product at Miggo Security, and learn how to beat the bots at their own game: Mythos and the Collapsing Exploit Window: Rethink Vulnerability Prioritization at AI Speed .
Here is exactly what you will walk away with: The Truth About Mythos: We are cutting through the hype. Learn what Mythos actually represents and why it matters to your daily security. The AI Attack Wave: See exactly how AI is helping attackers discover and exploit vulnerabilities at lightning speed. The Deadly Patch Gap: Understand why the gap between a new threat and your patch is widening, and why the old way of fixing things is broken forever.
Your New AppSec Blueprint: Stop guessing. Get real, practical steps to prioritize real-world risks, including expert secrets on virtual patching. 👤 Who needs to be there? CISOs, AppSec Leaders, and Security Architects.
If you are in charge of keeping the gates locked and you know legacy vulnerability management isn’t cutting it anymore—this is for you. Stop letting automated exploits outpace your team. Learn how to secure your organization in the age of AI. 📅 Claim your spot right now before it’s too late.
Register now. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Project Glasswing Proved AI Can Find the Bugs. Who’s Going to Fix Them?
Last week, Anthropic announced Project Glasswing, an AI model so effective at discovering software vulnerabilities that they took the extraordinary step of postponing its public release. Instead, the company has given access to Apple, Microsoft, Google, Amazon, and a coalition of others to find and patch bugs before adversaries can . Mythos Preview, the model that led to Project Glasswing, found vulnerabilities across every major operating system and browser. Some of these bugs had survived decades of human audits, aggressive fuzzing, and open-source scrutiny.
One had been sitting for 27 years in OpenBSD, generally considered to be one of the world’s most secure operating systems. It’s tempting to file this under “ AI lab says their AI is too dangerous, “ the same playbook OpenAI ran with GPT-2. Not so fast; there’s a material difference this time. Mythos didn’t just find individual CVEs.
It chained four independent bugs into an exploit sequence that bypassed both the browser renderer and the OS sandboxing It performed local privilege escalation in Linux through race conditions It built a 20-gadget ROP chain targeting FreeBSD’s NFS server, distributed across packets. Claude Opus 4.6, Anthropic’s previous frontier model, failed at autonomous exploit development almost entirely. Mythos hit a 72.4% success rate in the Firefox JS shell . This isn’t theoretical, nor some new three-to-five-year prediction.
This is about to be a real-world engineering reality. Why Project Glasswing Exposes the Real Cybersecurity Gap Here’s the number that should keep security leaders awake at night: fewer than 1% of the vulnerabilities found by Mythos were patched . Let that sink in for a moment. The most powerful vulnerability discovery engine ever built ran against the world’s most critical software, and the ecosystem couldn’t absorb the output.
Glasswing solved the finding problem. Nobody solved the problem of fixing. Why Defenders Can’t Keep Up: Calendar Speed vs. Machine Speed This is the structural issue the cybersecurity industry has been circling for years.
AI just made it impossible to ignore. Defenders operate on calendar speed . They: Gather intelligence Build a campaign Simulate the threats Mitigate Repeat That cycle takes about four days on a good day . Attackers, especially those now leveraging LLMs at every stage of their operation, are moving at machine speed .
For an up-to-the-minute take, David B. Cross, CISO at Atlassian, will be speaking at the Autonomous Validation Summit on May 12 about what this looks like from the inside, why periodic testing can’t keep pace with adversaries that operate autonomously, and what defenders should be doing instead. AI-Powered Attacks Are Already Autonomous Earlier this year, a threat actor deployed a custom MCP server hosting an LLM as part of their attack chain against FortiGate appliances. The AI handled everything: Automated backdoor creation Internal infrastructure mapping fed directly to the model Autonomous vulnerability assessment, and AI-prioritized execution of offensive tools for domain admin access.
The result? 2,516 organizations across 106 countries were compromised in parallel. The entire chain, from initial access through credential dumping to data exfiltration, was autonomous. The only human involvement was reviewing the results afterward.
AI-based Vulnerability Discovery Is Outpacing Remediation The gap between attacker speed and defender speed isn’t new. What’s new is that a small but worrisome gap just became a canyon. Autonomous systems like AISLE discovered 13 out of 14 OpenSSL CVEs in recent coordinated releases, bugs that had survived years of human review. XBOW became the top-ranked hacker on HackerOne in 2025, surpassing all human participants.
The median time from disclosure to weaponized exploit dropped from 771 days in 2018 to single-digit hours by 2024. By 2025, the majority of exploits will be weaponized before being publicly disclosed. Now add Mythos-class discovery to this picture. You don’t get a safer world automatically.
You get a tsunami of legitimate findings that still require human verification , organizational process, business continuity considerations, and patch cycles that haven’t fundamentally changed in a decade. How to Build a Mythos-Ready Security Program The instinct after Glasswing is to ask: “How do we find more bugs?” That’s actually the wrong question. The right one is: “When thousands of exploitable vulnerabilities land on your desk tomorrow morning, can your program actually process them? “ For most organizations, the honest answer is no.
And the reason isn’t a lack of tools or talent; it’s a structural dependency on periodic , human-initiated processes that were designed for a world where vulnerabilities trickled in, not one where they arrived in a tsunami. We can’t fix every vulnerability. We can’t apply every hardening option. That’s not defeatism , that’s the pragmatic starting point for any security program that actually works.
The question that matters isn’t “is this CVE critical?” but “ is this vulnerability exploitable in my environment, right now, given what I have deployed? “ A Mythos-ready security program needs three fundamental pieces. First: Signal-Driven Validation Over Scheduled Testing When a new threat emerges, when an asset changes, or when a configuration drifts, defenses need to be tested against that specific change in that moment. Not during the next quarterly pentest.
Not when someone can find an open calendar slot. The entire concept of “scheduled validation” assumes a stable threat landscape, and today, that assumption is dead on arrival . Second: Environment-Specific Context Over Generic CVSS Scores Glasswing will produce an avalanche of CVEs. Yet most vulnerability management programs are still prioritized by CVSS scores.
This context-free metric tells you how bad a bug could be in theory , not whether it’s exploitable in your specific infrastructure , given your controls and business risk. When the volume of findings suddenly goes from hundreds to thousands , context-free prioritization won’t just slow you down; it’ll break your process entirely . Third: Closed-Loop Remediation Without a Manual Handoff The current model can’t survive in a world where adversaries exploit CVEs within hours of disclosure. You know the drill: Scanner finds a bug Analyst triages it The ticket goes to a different team Someone patches it weeks later Nobody re-validates That chain of manual handoffs is exactly where the system disintegrates.
- If the cycle from finding to fix to re-validation can’t run without humans shuttling tickets between queues, it clearly isn’t running anywhere near machine speed. This isn’t about buying more tools. It’s about defenders leveraging their
- one asymmetric advantage
- you know your organization’s topology, attackers don’t . That’s a significant advantage, but only if you can act on it at machine speed.
How Autonomous Exposure Validation Closes the Gap — and Where Picus Comes in This is the part where I’m going to be really transparent about who’s writing this. At Picus Security, we build a platform for Autonomous Exposure Validation . So, full disclosure, I have a perspective here that comes with an inherent bias. Take it accordingly.
What Glasswing crystallized for us, and for a lot of the CISOs we’ve been speaking with, is that the validation step within any exposure management program just became the most critical bottleneck. Finding vulnerabilities is about to get radically easier and more efficient Patching them is going to remain painfully slow. The only lever you can pull in between is knowing which ones actually matter to your environment. That’s validation.
From Four Days to Three Minutes: How Agentic Workflows Change the Cycle We built Picus Swarm, the AI team powering autonomous, real-time validation, to compress the traditional four-day cycle into minutes. It’s a set of AI agents that work together to do what used to require handoffs between four separate teams: A researcher agent ingests and vets threat intelligence. A red teamer agent maps it against your environment to generate a safety-checked attacker playbook. A simulator agent executes across your actual endpoints and cloud, gathering telemetry and proof data.
A coordinator agent bridges findings to remediation, opening tickets, triggering SOAR playbooks, pushing indicators of attack to your EDR, and re-validating after fixes land. Every action is traceable and auditable, andevery agent operates within guardrails you define. The whole chain, from a new CISA alert to validated, remediation-ready findings, runs in about three minutes. When a Mythos-class model drops thousands of findings on your organization, you need something that can immediately tell you which of these are exploitable in your environment.
Which controls would hold, which would fail, and what’s the vendor-specific fix? The Uncomfortable Truth Project Glasswing is going to be measured by one metric: how many vulnerabilities get patched before they get exploited. Not how many are found, not how impressive the exploit chains are, but whether the ecosystem can digest what AI is about to produce. Visibility alone has never been enough, 83% of cybersecurity programs still show no measurable results.
What’s changing the equation is closing the gap between seeing and proving: knowing whether a potential vulnerability would actually compromise your environment. That’s validation. And in a post-Glasswing world, it’s the only thing standing between a flood of discoveries and a flood of breaches. We’re hosting the Autonomous Validation Summit on May 12 & 14 with Frost & Sullivan, featuring practitioners from Kraft Heinz and Glow Financial Services, along with our CTO, Volkan Erturk.
Together, we’ll be taking a deeper dive into this specific problem. » Register here. Note: This article was written by Sıla Özeren Hacıoğlu , Security Research Engineer at Picus Security. Found this article interesting?
This article is a contributed piece from one of our valued partners. Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors
Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper . “The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal,” Slovakian cybersecurity company ESET said in a report shared with The Hacker News. “GopherWhisper abuses legitimate services, notably Discord, Slack, Microsoft 365 Outlook, and file.io for command-and-control (C&C) communication and exfiltration.” The group was first discovered in January 2025 following the discovery of a never-before-seen backdoor codenamed LaxGopher on a system belonging to a Mongolian governmental entity. GopherWhisper is assessed to be active at least since November 2023.
Besides LaxGopher, some of the other malware families part of the threat actor’s arsenal are Golang-based tools to receive instructions from the C&C server, execute them, and send the results back. Also used by the threat actor is a file collection tool to gather files of interest and exfiltrate them in compressed format to the file[.]io file sharing service and a C++ backdoor that offers remote control over compromised hosts. Telemetry data from ESET shows that about 12 systems associated with the Mongolian governmental institution were infected by the backdoors, with C&C traffic from the attacker-controlled Discord and Slack servers indicating dozens of other victims. Exactly how GopherWhisper obtains initial access to the target networks is currently not known.
But a successful foothold is followed by attempts to deploy a wide range of tools and implants - JabGopher , an injector that executes the LaxGopher (“whisper.dll”) backdoor. LaxGopher , a Go-based backdoor that uses Slack for C2 to execute commands via “cmd.exe” and publish the results back to the Slack channel, as well as download additional malware. CompactGopher , a Go-based file collection utility dropped by LaxGopher to filter files of interest by extensions (.doc, .docx, .jpg, .xls, .xlsx, .txt, .pdf, .ppt, and .pptx.), compress them into ZIP files, encrypt the archives using AES-CFB-128, and exfiltrate them to file[.]io. RatGopher , a Go-based backdoor that uses a private Discord server to receive C&C messages, execute commands, and publish the results back to the configured Discord channel, as well as upload and download files from file[.]io.
SSLORDoor , a C++-based backdoor that uses OpenSSL BIO for communication via raw sockets on port 443 to enumerate drives, perform file operations, and run commands based on C&C input via “cmd.exe.” FriendDelivery , a malicious DLL that serves as a loader and injector for BoxOfFriends. BoxOfFriends , a Go-based backdoor that uses the Microsoft Graph API to craft draft emails for C2 using hard-coded credentials, with the earliest Outlook account created for this purpose (“barrantaya.1010@outlook[.]com”) created on July 11, 2024. “Timestamp inspection of the Slack and Discord messages showed us that the bulk of them were being sent during working hours, i.e., between 8 a.m. and 5 p.m., which aligns with China Standard Time,” ESET researcher Eric Howard said.
“Furthermore, the locale for the configured user in Slack metadata was also set to this time zone. We therefore believe that GopherWhisper is a China-aligned group.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled unauthorized access to its internal systems. The company said it made the discovery after expanding its investigation to include an extra set of compromise indicators, alongside a review of requests to the Vercel network and environment variable read events in its logs. “Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods,” the company said in an update. In both cases, Vercel said it notified affected parties.
It did not disclose the exact number of customers who were impacted. The development comes after the company that created the Next.js framework acknowledged the breach originated with a compromise of Context.ai after it was used by a Vercel employee, enabling the attacker to seize control of their Google Workspace account and then use it to gain access to their Vercel account. “From there, they were able to pivot into a Vercel environment, and subsequently maneuvered through systems to enumerate and decrypt non-sensitive environment variables,” Vercel noted. Further investigation by Hudson Rock has revealed that one of Context.ai employees was infected with Lumma Stealer in February 2026 after searching for Roblox auto-farm scripts and game exploit executors, indicating that this event may have been the “patient zero” that triggered the whole chain of malicious actions.
“We now understand that the threat actor has been active beyond that startup’s [referring to Context.ai] compromise,” Vercel CEO Guillermo Rauch said in an X post. “Threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers.” It’s unclear if Vercel employees’ use of the Context AI Office Suite was sanctioned or an instance of shadow AI , which refers to the unauthorized use of artificial intelligence (AI) tools within SaaS apps without formal IT review or vetting, exposing organizations to unintended risks. The AI Office Suite has since been deprecated by Context.ai. “OAuth integrations are useful because they reduce friction,” Tanium said.
“They’re also dangerous because they can inherit trust from the user and the organization. When attackers abuse an approved integration, they may avoid some of the controls teams rely on for direct account compromise.” “What stands out operationally is less the volume of data exposed and more the attackers’ velocity and ability to enumerate internal environments before detection. That changes the job for defenders. The challenge shifts from prevention to rapid scoping and blast-radius reduction.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages
Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the device. The vulnerability, tracked as CVE-2026-28950 (CVSS score: N/A), has been described as a logging issue that has been addressed with improved data redaction. “Notifications marked for deletion could be unexpectedly retained on the device,” Apple said in an advisory. The shortcoming affects the following devices - iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later - Fixed in iOS 26.4.2 and iPadOS 26.4.2 iPhone XR, iPhone XS, iPhone XS Max, iPhone 11 (all models), iPhone SE (2nd generation), iPhone 12 (all models), iPhone 13 (all models), iPhone SE (3rd generation), iPhone 14 (all models), iPhone 15 (all models), iPhone 16 (all models), iPhone 16e, iPad mini (5th generation - A17 Pro), iPad (7th generation - A16), iPad Air (3rd - 5th generation), iPad Air 11-inch (M2 - M3), iPad Air 13-inch (M2 - M3), iPad Pro 11-inch (1st generation - M4), iPad Pro 12.9-inch (3rd - 6th generation), and iPad Pro 13-inch (M4) - Fixed in iOS 18.7.8 and iPadOS 18.7.8 The update comes weeks after a report from 404 Media that the U.S.
Federal Bureau of Investigation (FBI) managed to forensically extract copies of incoming Signal messages from a defendant’s iPhone in connection with an attack on the Prairieland ICE detention center facility , even after the app was deleted, by taking advantage of the fact that copies of the content were saved in the device’s push notification database. It’s not known why the notifications’ content was logged in the device to begin with, but the latest update suggests it was a bug. That said, it’s unclear when this issue was introduced, and if there have been prior cases where such data may have been captured by authorities using forensic tools. While Signal already has an option to prevent the content of incoming messages from being displayed in notifications, the development highlighted how physical access to a device can facilitate the extraction of sensitive data from at-risk users.
“For most app notifications, there’s no simple way to easily figure out what metadata might be gleaned from a notification, or if the notification is unencrypted or not,” the Electronic Frontier Foundation (EFF) said . “It’s also good to reconsider whether any app should be sending you notifications to begin with.” To prevent the message content from showing in notifications, users can navigate to their profile > Notifications > Show, and select one of the following: “Name only” or “No name or message.” “Note that no action is needed for this fix to protect Signal users on iOS,” Signal said in a post on X. “Once you install the patch, all inadvertently-preserved notifications will be deleted, and no forthcoming notifications will be preserved for deleted applications.” “We’re grateful to Apple for the quick action here, and for understanding and acting on the stakes of this kind of issue. It takes an ecosystem to preserve the fundamental human right to private communication.” Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain
Cybersecurity researchers have warned of malicious images pushed to the official “ checkmarx/kics “ Docker Hub repository. In an alert published today, software supply chain security company Socket revealed that unknown threat actors managed to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to an official release. The Docker repository has been archived as of writing. “Analysis of the poisoned image indicates that the bundled KICS binary was modified to include data collection and exfiltration capabilities not present in the legitimate version,” Socket said.
“The malware could generate an uncensored scan report, encrypt it, and send it to an external endpoint, creating a serious risk for teams using KICS to scan infrastructure-as-code files that may contain credentials or other sensitive configuration data.” Further analysis of the incident has uncovered that related Checkmarx developer tooling may also have been affected, such as recent Microsoft Visual Studio Code extension releases that come with malicious code to download and run a remote addon through the Bun runtime. “The behavior appeared in versions 1.17.0 and 1.19.0, was removed in 1.18.0, and relied on a hard-coded GitHub URL to fetch and run additional JavaScript without user confirmation or integrity verification,” Socket added. The list of affected extensions is below - checkmarx/cx-dev-assist@1.17.0 checkmarx/cx-dev-assist@1.19.0 checkmarx/ast-results@2.63.0 checkmarx/ast-results@2.66.0 Specifically, the compromised Checkmarx extensions come with a multi-stage credential theft and propagation component that, upon extension activation, is downloaded from a GitHub URL as “mcpAddon.js.” The file name implies an attempt to masquerade the malware as a hidden Model Context Protocol (MCP) feature. “The attacker began by injecting a backdated commit (68ed490b) into the ‘Checkmarx/ast-vscode-extension’ repository,” Socket said.
“This commit was deliberately crafted to appear legitimate: it was spoofed to look like it was authored in 2022, attached to a real commit as its parent, and given a benign-looking change. However, it introduced a large (~10MB) file, modules/mcpAddon.js.” It comes with capabilities to harvest developer and cloud credentials, compress and encrypt the results, and transmit them to a threat actor-created public GitHub repository created within victim accounts using stolen GitHub access tokens. The list of captured data is as follows - Github Auth tokens Amazon Web Services (AWS) credentials Microsoft Azure authentication tokens Google Cloud credential databases NPM configuration files SSH keys and configuration files Environment variables Claude and other MCP configuration files Besides staging the exfiltration artifacts in public GitHub repositories as JSON files, the attack chain is engineered to send the tokens and secrets to an HTTPS endpoint under the threat actor’s control: “audit.checkmarx[.]cx/v1/telemetry.” As of writing, there are 51 repositories with the distinct phrase “Checkmarx Configuration Storage” in the README files. As for the compromised Docker images, they have been found to bundle an ELF binary written in Golang named “kics” in an attempt to mimic the KICS scanner.
In reality, it contains malicious functionality to gather sensitive data and send it to the same command-and-control server address as “mcpAddon.js.”
Interestingly, the created repository follows a consistent naming pattern: “
“In effect, the operation was designed not just to steal data from infected environments, but to turn compromised developer and CI/CD access into new exfiltration and supply chain propagation paths.” The malware performs repository discovery, targets those that have configured GitHub Actions secrets, and then creates a new branch for each of them, followed by injecting the rogue workflow (“.github/workflows/format-check.yml”) to extract CI/CD secrets when it’s triggered automatically on push events. Once the workflow is run, the branch and the workflow run are deleted to conceal traces of malicious activity. In the final stage, the attack shifts to a worm-like npm ecosystem propagation, abusing the victim’s npm credentials to extract 250 packages maintained by them and republish each of those packages with the malicious payload to further spread the malware. Organizations that may have used the affected KICS image to scan Terraform, CloudFormation, or Kubernetes configurations should treat any secrets or credentials exposed to those scans as likely compromised.
“The evidence suggests this is not an isolated Docker Hub incident, but part of a broader supply chain compromise affecting multiple Checkmarx distribution channels,” the company noted. Evidence suggests that the threat actor known as TeamPCP may be behind the supply chain compromise. “Thank you OSS distribution for another very successful day at PCP inc.,” TeamPCP wrote in an X post shortly after details of the incident became public knowledge. If this is indeed the case, the development marks the second time Checkmarx has been targeted by TeamPCP in as many months.
In March 2026, the group compromised two of Checkmarx’s GitHub Actions workflows (“ast-github-action” and “kics-github-action”) to push a credential stealer. The incident was part of a broader supply chain attack that also hit Trivy, LiteLLM, and Telnyx. It’s currently not known how the Checkmarx compromise occurred, and if the attackers had lingering access to Checkmarx’s environment following last month’s incident. “Technical evidence shows the attacker had write access to Checkmarx repos between March and April, but we cannot determine from artifacts alone whether this was retained access, re-compromise, or unremediated credentials,” Socket told The Hacker News.
“The orphaned commit technique suggests sustained repo access.” To mitigate the threat, developers who have pulled the affected Checkmarx artifacts should assume compromise and take the following steps - Immediately remove the affected extensions, actions, and container images from developer systems and build environments. Rotate any exposed credentials, including GitHub tokens, npm tokens, cloud credentials, SSH keys, and CI/CD secrets. Review GitHub for unauthorized repository creation and suspicious workflows. Audit npm for unauthorized publication of packages.
Review access logs for unusual secret access, token use, and newly issued credentials in cloud environments. In a statement posted on its site, Checkmarx said it’s actively investigating the security incident and that it did not affect customers using versions or SHAs published prior to the affected timeframes. The following artifacts have been identified as potentially affected - Checkmarx/kics (Docker image) - v2.1.20-debian, v2.1.21-debian, debian, v2.1.21, v2.1.20, alpine, v2.1.20, v2.1.21, latest (Safe version: latest, v2.1.20, alpine, debian) Checkmarx/ast-github-action (GitHub Actions workflow) - 2.3.35 (Safe version: 2.3.36) ast-results (VS Code extension) - 2.63, 2.66 (Safe version: 2.64.0) cx-dev-assist (VS Code extension) - 1.17, 1.19 (Safe version: 1.18.0) Checkmarx is also urging customers to block access to the “audit.checkmarx[.]cx” (IP address: 94.154.172[.]43) and “checkmarx[.]cx” (IP address: 91.195.240[.]123) domains, use pinned SHAs, rotate secrets and credentials if a compromise is detected, and use only safe versions of the aforementioned artifacts. “To date, we have removed the malicious artifacts, revoked and rotated exposed credentials, blocked outbound access to attacker-controlled infrastructure, reviewed our environments for any signs of further compromise,” Checkmarx told The Hacker News.
Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens
Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens. The supply chain worm has been detected by both Socket and StepSecurity , with the companies tracking the activity under the name CanisterSprawl owing to the use of an ICP canister to exfiltrate the stolen data, in a tactic reminiscent of TeamPCP’s CanisterWorm to make the infrastructure resilient to takedowns. The list of affected packages is below - @automagik/genie (4.260421.33 - 4.260421.40) @fairwords/loopback-connector-es (1.4.3 - 1.4.4) @fairwords/websocket (1.0.38 - 1.0.39) @openwebconcept/design-tokens (1.0.1 - 1.0.3) @openwebconcept/theme-owc (1.0.1 - 1.0.3) pgserve (1.1.11 - 1.1.14) The malware is triggered during install time via a postinstall hook to steal credentials and secrets from developer environments, and then leverage the stolen npm tokens to push poisoned versions of the packages to the registry with a new malicious postinstall hook so as to expand the reach of the campaign. Captured information includes - .npmrc SSH keys and SSH configurations .git-credentials .netrc cloud credentials for Amazon Web Services, Google Cloud, and Microsoft Azure Kubernetes and Docker configurations Terraform, Pulumi, and Vault material Database password files Local .env* files Shell history files In addition, it attempts to access credentials from Chromium-based web browsers and data associated with cryptocurrency wallet extension apps.
The information is exfiltrated to an HTTPS webhook (“telemetry.api-monitor[.]com”) and an ICP canister (“cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0[.]io”). “It also contains PyPI propagation logic,” Socket said. “The script generates a Python .pth-based payload designed to execute when Python starts, then prepares and uploads malicious Python packages with Twine if the required credentials are present.” “In other words, this is not just a credential stealer. It is designed to turn one compromised developer environment into additional package compromises.” The disclosure comes as JFrog revealed that multiple versions of the legitimate Python package “xinference” (2.6.0, 2.6.1, and 2.6.2) have been compromised to include a Base64-encoded payload that fetches a second-stage collector module responsible for harvesting a wide range of credentials and secrets from the infected host “The decoded payload opens with the comment ‘# hacked by teampcp,’ the same actor marker seen in recent TeamPCP compromises,” the company said .
However, in a post shared on X, TeamPCP disputed they were behind the compromise and claimed it was the work of a copycat. Attacks Target npm and PyPI The findings are the latest additions to a long list of attacks that have targeted the open-source ecosystem. This includes two malicious packages, each on npm (kube-health-tools) and PyPI (kube-node-health), that masquerade as Kubernetes utilities, but silently install a Go-based binary to establish a SOCKS5 proxy, a reverse proxy, an SFTP server, and a large language model (LLM) proxy on the victim’s machine. The LLM proxy is an OpenAI-compatible API gateway that accepts requests and routes them to upstream APIs, including Chinese LLM routers like shubiaobiao.
“Beyond providing cheap access to AI, LLM routers like the one deployed here sit on a trust boundary that is easily abused,” Aikido Security researcher Ilyas Makari said . “Because every request passes through the router in plaintext, a malicious operator can […] inject malicious tool calls into responses of coding agents before they reach the client, introducing malicious pip install or curl | bash payloads mid-flight.” Alternatively, the router can be used to exfiltrate secrets from request and response bodies, including API keys, AWS credentials, GitHub tokens, Ethereum private keys, and system prompts. Another sustained npm supply chain attack campaign documented by Panther has impersonated phone insurance provider Asurion and its subsidiaries, publishing malicious npm packages (sbxapps, asurion-hub-web, soluto-home-web, and asurion-core) from April 1 through April 8, 2026, containing a multi-stage credential harvester. The stolen credentials were exfiltrated initially to a Slack webhook and then to an AWS API Gateway endpoint (“pbyi76s0e9.execute-api.us-east-1.amazonaws[.]com”).
By April 7, the AWS exfiltration URL is said to have been obfuscated using XOR encoding. Last but not least, Google-owned cloud security firm Wiz shed light on an artificial intelligence (AI)-powered campaign dubbed prt-scan that has systematically exploited the “ pull_request_target “ GitHub Actions workflow trigger since March 11, 2026, to steal developer secrets. The attacker, operating under the accounts testedbefore, beforetested-boop, 420tb, 69tf420, elzotebo, and ezmtebo, has been found to search for repositories using the trigger, fork those repositories, create a branch with a pre-defined naming convention (i.e., prt-scan-{12-hex-chars}), inject a malicious payload into a file that’s executed during CI, open a pull request, and then steal developer credentials when the workflow is triggered and publish a malicious package version if npm tokens are discovered. “Across over 450 analyzed exploit attempts, we have observed a <10% success rate,” Wiz researchers said.
“In most cases, successful attacks were against small hobbyist projects, and only exposed ephemeral GitHub credentials for the workflow. For the most part, this campaign did not grant the attacker access to production infrastructure, cloud credentials, or persistent API keys, barring minor exceptions.” “The campaign demonstrates that while pull_request_target vulnerabilities remain exploitable at scale, modern CI/CD security practices, particularly contributor approval requirements, are effective at protecting high-profile repositories.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API
The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting entities in South Asia. “The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses,” the Symantec and Carbon Black Threat Hunter Team said in a report shared with The Hacker News. The cybersecurity company said it identified artifacts uploaded to the VirusTotal platform from India and Afghanistan, suggesting that the two countries may be the target of the espionage activity. Harvester was first publicly documented by Symantec in late 2021, linking it to an information-stealing campaign aimed at telecommunications, government, and information technology sectors in South Asia since June 2021, using a bespoke implant called Graphon that used the Microsoft Graph API for C2.
Subsequent activity flagged in August 2024 connected the hacking group to an attack targeting an unnamed media organization in South Asia with a never-before-seen Go-based backdoor called GoGra. The latest findings suggest that the adversary is continuing to expand its toolset beyond Windows and infecting Linux machines with a new variant of the same backdoor. The attacks employ social engineering to trick victims into opening ELF binaries disguised as PDF documents. The dropper then proceeds to display a lure document while stealthily running the backdoor.
Like its Windows counterpart, the Linux version of GoGra abuses Microsoft’s cloud infrastructure to contact a specific Outlook mailbox folder named “Zomato Pizza” every two seconds using Open Data Protocol (OData) queries. The backdoor scans the inbox for incoming email messages with a subject line starting with the word “Input.” Once an email matching the criteria is received, it decrypts the Base64-encoded message body and executes it as shell commands using “/bin/bash.” The results of the execution are sent back to the operator in an email message with the subject line “Output.” After the exfiltration step is complete, the implant wipes the original tasking message to cover up the tracks. “Despite using different deployment architectures and operating systems, the underlying C2 logic remains unchanged,” Symantec and Carbon Black said, adding the teams “also identified several matching, hard-coded spelling errors across both platforms, which points towards the same developer being behind both tools.” “The use of a new Linux backdoor shows that Harvester is continuing to expand its toolset and actively develop new tooling in order to go after a wider range of victims and machines.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack
Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026. Dubbed Lotus Wiper , the novel file wiper has been used in a destructive campaign targeting the energy and utilities sector in Venezuela, per findings from Kaspersky. “Two batch scripts are responsible for initiating the destructive phase of the attack and preparing the environment for executing the final wiper payload,” the Russian cybersecurity vendor said . “These scripts coordinate the start of the operation across the network, weaken system defenses, and disrupt normal operations before retrieving, deobfuscating, and executing a previously unknown wiper.” Once deployed, the wiper erases recovery mechanisms, overwrites the content of physical drives, and systematically deletes files across affected volumes, effectively leaving the system in an inoperable state.
No extortion or payment instructions are baked into the artifact, indicating that the aggressive wiper activity is not motivated by financial gain. It’s worth noting that the wiper was uploaded to a publicly available platform in mid-December 2025 from a machine in Venezuela, weeks before the U.S. military action in the country in early January 2026. The sample was compiled in late September 2025.
It’s currently not known if these two events are related, but Kaspersky noted that the sample was uploaded “during a period of increased public reports of malware activity targeting the same sector and region,” suggesting the wiper attack is extremely targeted in nature. The attack chain begins with a batch script that triggers a multi-stage sequence responsible for dropping the wiper payload. Specifically, it attempts to stop the Windows Interactive Services Detection (UI0Detect) service, which is used to alert users when a background service running in Session 0 attempts to display a graphical interface or interactive dialog. UI0Detect has been removed from modern versions of Windows.
The presence of such a setting indicates that the batch script is designed to operate on machines running versions prior to Windows 10 version 1803, which eliminated the feature. The script then checks for a NETLOGON share and accesses a remote XML file, after which it checks for the presence of a corresponding file with the same name in a local directory defined previously (“C:\lotus” or “%SystemDrive%\lotus”). Irrespective of whether such a local file exists, it proceeds to execute a second batch script. “The local check most likely tries to determine whether the machine is part of an Active Directory domain,” Kaspersky said.
“If the remote file is not found, the script exits. In cases where the NETLOGON share is initially unreachable, the script introduces a randomized delay of up to 20 minutes before retrying the remote check.” The second batch script, if not run already, enumerates local user accounts, disables cached logins, logs off active sessions, deactivates network interfaces, and runs the “diskpart clean all” command to wipe all identified logical drives on the system. It also recursively mirrors folders to overwrite existing contents or delete them using the robocopy command-line utility, and calculates available free space and utilizes fsutil to create a file that fills the entire drive to exhaust storage capacity and impair recovery. Once the compromised environment is prepared for destructive activity, the Lotus Wiper is launched to delete restore points, overwrite physical sectors by writing all zeroes, clear the update sequence numbers (USN) of the volumes’ journals, and erase all the system’s files for each mounted volume.
Organizations and government organizations are advised to monitor for NETLOGON share changes, potential credential dumping or privilege escalation activity, and the use of native Windows utilities like fsutil, robocopy, and diskpart to perform the destructive actions. “Given that the files included certain functionalities targeting older versions of the Windows operating system, the attackers likely had knowledge of the environment and compromised the domain long before the attack occurred,” Kaspersky said. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.