Malicious code in typelimagic (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7fcef0c386cca43024460aa4a1b47a99109e4ba02159a8fbe426c12f9884a83e Clone of a legitimate library. The added code scans system for sensitive files, with the focus on crypto currency wallets, and exfiltrate them. Previous versio...

MAL-2026-2963 Malicious code in typelimagic (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 7fcef0c386cca43024460aa4a1b47a99109e4ba02159a8fbe426c12f9884a83e Clone of a legitimate library. The added code scans system for sensitive files, with the focus on crypto currency wallets, and exfiltrate them. Previous versio...

FakeWallet crypto stealer spreading through iOS apps in the App Store

In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected ap...

FakeWallet crypto stealer spreading through iOS apps in the App Store

In March 2026, we uncovered more than twenty phishing apps in the Apple App Store masquerading as popular crypto wallets. Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distributing trojanized versions of legitimate wallets. The infected ap...

New CGrabber and Direct-Sys Malware Spread Through GitHub ZIP Files

Hackers spread CGrabber and Direct-Sys malware through GitHub ZIP files, bypassing security tools to steal passwords, crypto wallets, and user data...

CVE-2025-69893

A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant...

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

We’ve uncovered multiple campaigns distributing an infostealer we track as NWHStealer , using everything from fake VPN downloads to hardware utilities and gaming mods. What makes this campaign stand out isn’t just the malware, but how widely and convincingly it’s being spread. Once installed, it...

MAL-2026-2827 Malicious code in js-logger-pack (npm)

js-logger-pack is a fake npm logger that the attacker developed openly on the registry over 23 versions across two weeks 2026-04-01 to 2026-04-15. Version 1.1.20, published hours after initial detection, is a re-obfuscation of the same payload with a new hash — same C2, same capabilities. Early...

EUVD-2025-209448

A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant...

CVE-2025-69893

A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant...

Omnistealer uses the blockchain to steal everything it can

A new infostealer dubbed Omnistealer is turning the blockchain into a permanent malware hosting platform, which is bad news for both companies and everyday users. It’s pretty common for malware to store its payload on a public platform, ideally one that adds some trustworthiness to the download...

CVE-2025-69893

A side-channel vulnerability exists in the implementation of BIP-39 mnemonic processing, as observed in Trezor One v1.13.0 to v1.14.0, Trezor T v1.13.0 to v1.14.0, and Trezor Safe v1.13.0 to v1.14.0 hardware wallets. This originates from the BIP-39 standard guidelines, which induce non-constant...

CVE-2025-69893

CVE-2025-69893 describes a side-channel vulnerability in BIP-39 mnemonic processing observed in Trezor hardware wallets (One v1.13.0–v1.14.0, T v1.13.0–v1.14.0, Safe v1.13.0–v1.14.0). The root cause is non-constant time execution and specific branch patterns during word search dictated by the BIP...

EngageLab SDK Flaw Exposed 50M Android Users, Including 30M Crypto Wallet Installs

Details have emerged about a now-patched security vulnerability in a widely used third-party Android software development kit SDK called EngageLab SDK that could have put millions of cryptocurrency wallet users at risk. "This flaw allows apps on the same device to bypass Android security sandbox...

Intent redirection vulnerability in third-party SDK exposed millions of Android wallets to potential risk

In this article 1. Technical details 2. Disclosure timeline 3. Mitigation and protection guidance 4. References 5. Learn more During routine security research, we identified a severe intent redirection vulnerability in a widely used third-party Android SDK called EngageSDK. This flaw allows apps ...

New macOS Malware notnullOSX Targets Crypto Wallets Over $10K

macOS Malware notnullOSX targets crypto wallets over $10K, using fake apps, Terminal tricks, and backdoors to steal funds and sensitive data...

New ClickFix Attack Uses Node.js Malware via Tor to Steal Crypto

Netskope Threat Labs report a new ClickFix attack using fake CAPTCHAs to deploy Tor-backed NodeJS malware and drain crypto wallets on Windows...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that mirrors the TeamPCP LiteLLM technique. What the postinstall payload does: - Harvests environment variables matching 40+ patterns AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc. - Reads SSH keys, .npmrc,...

Embedded Malicious Code

Overview @fairwords/websocket is a WebSocket Client & Server Implementation for Node. Affected versions of this package are vulnerable to Embedded Malicious Code that mirrors the TeamPCP LiteLLM technique. What the postinstall payload does: - Harvests environment variables matching 40+ patterns...

Embedded Malicious Code

Overview @fairwords/loopback-connector-es is a Basic Elasticsearch datasource connector for Loopback. Affected versions of this package are vulnerable to Embedded Malicious Code that mirrors the TeamPCP LiteLLM technique. What the postinstall payload does: - Harvests environment variables matchin...