45 matches found
Malicious code in ts-bn-proto (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address data-stream.space, executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet...
Malicious code in polymarket-clob-maths (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-clob-maths uses a dropper technique: a postinstall hook fetches a remote bundle from trabalhos-flax.vercel.app and executes a syncSession function that runs a...
Malicious code in decimal-format-core (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. decimal-format-core uses a dropper technique: a postinstall hook executes scripts/install-check.cjs at install time, which fetches a second-stage infostealer payload from the C2 domain logstream-api.online...
MAL-2026-6688 Malicious code in console-fmt-cli (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. console-fmt-cli uses a side-loader technique: it declares decimal-format-core =3.0 as a dependency, which contains a dropper that executes at install time via a postinstall hook. The dropper fetches a...
MAL-2026-6692 Malicious code in polymarket-trading-developer-tools (npm)
Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign targeting Polymarket developers. polymarket-trading-developer-tools uses a dropper technique: a postinstall hook downloads configuration from pm-trading-dev-tools-be.vercel.app and exfiltrates data to the...
Fake Anthropic Sites Deliver Fileless Infostealer to Claude Code Users
Fake Anthropic websites are being used to target Claude Code users with a fileless infostealer campaign that steals browser credentials and evades detection...
Malicious code in eo-terminal (npm)
Part of a multi-package malicious campaign by npm author toskypi, eo-terminal is a fully-featured infostealer and remote access trojan RAT disguised as "terminal changelog logger utilities." The package README describes a completely different package terminal-logger-utils, indicating a...
MAL-2026-4345 Malicious code in eo-terminal (npm)
Part of a multi-package malicious campaign by npm author toskypi, eo-terminal is a fully-featured infostealer and remote access trojan RAT disguised as "terminal changelog logger utilities." The package README describes a completely different package terminal-logger-utils, indicating a...
Fake Claude Code Installer Targets Developers With Browser Credential Stealer
Researchers at Ontinue have discovered an undocumented malware campaign targeting developers with fake Claude Code installers to steal browser passwords and cookies...
ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories
Bad week. Turns out the easiest way to get hacked in 2026 is still the same old garbage: shady packages, fake apps, forgotten DNS junk, scam ads, and stolen logins getting dumped into Discord channels like it’s normal. Some of these attack chains don’t even feel sophisticated anymore. More like...
CVE-2026-43575 OpenClaw 2026.2.21 < 2026.4.10 - Authentication Bypass in Sandbox noVNC Helper Route
OpenClaw versions 2026.2.21 before 2026.4.10 contain an authentication bypass vulnerability in the sandbox noVNC helper route that exposes interactive browser session credentials. Attackers can access the noVNC helper route without bridge authentication to gain unauthorized access to the...
OpenClaw 安全漏洞
OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw from 2026.2.21 to 2026.4.10 contained security vulnerabilities. These vulnerabilities were due to a sandbox noVNC auxiliary routing mechanism that allowed authentication bypass, potentially...
PT-2026-38230
Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.2.21 through 2026.4.9 Description An authentication bypass exists in the sandbox noVNC helper route, which exposes interactive browser session credentials. This allows attackers to access the noVNC helper route without...
New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials
Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEPDOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. "The intrusion chain begins with execution of a batc...
Missing Authentication for Critical Function
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the sandbox noVNC helper route. An attacker can gain unauthorized access to interactive browser session credentials by bypassing bridge...
CVE-2026-20170
A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This...
DeepLoad Malware Uses ClickFix and WMI Persistence to Steal Browser Credentials
A new campaign has leveraged the ClickFix social engineering tactic as a way to distribute a previously undocumented malware loader referred to as DeepLoad. "It likely uses AI-assisted obfuscation and process injection to evade static scanning, while credential theft starts immediately and captur...
Malicious code in pyclogger (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 b43b78466684583bb9a90ced072406566a033523e3b0d2b9032a4dae763ac84c Package contains an infostealer exfiltrating Discord tokens and saved browser credentials to a hardcoded location. --- Category: MALICIOUS - The campaign has...
MAL-2026-1099 Malicious code in pyclogger (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 b43b78466684583bb9a90ced072406566a033523e3b0d2b9032a4dae763ac84c Package contains an infostealer exfiltrating Discord tokens and saved browser credentials to a hardcoded location. --- Category: MALICIOUS - The campaign has...
EUVD-2020-29871
Malware in sbrugna...