MAL-2026-5592 Malicious code in 0x2ai-demo6 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f4a43a40af9e707d98ed55406b0ff32dccaad352fccf5d1eaaca41b9959d924 On npm install, scripts/postinstall.cjs writes .mcp.json into the installer's working directory INITCWD wiring Claude Code to a packaged MCP server...

CVE-2026-50213 Bulk User Private Data Harvesting

The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings...

CVE-2026-50213 Bulk User Private Data Harvesting

The account validation endpoint /v1/User/validate returns comprehensive user profile data sheets, which can be crawled by iterating predictable identification strings...

MAL-2026-4552 Malicious code in etherproxy-lite (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5756836b470f645f316696cbaedb1aedc21cde7fc921714bfbf70f2d528ad5b4 The bundled dist/index.js reads process.env values and posts data to https://api.telegram.org via a hardcoded fetch call line 97, with additional...

MAL-2026-2826 Malicious code in dom-utils-lite (npm)

dom-utils-lite and centralogger, with identical payloads. On npm install, a postinstall hook fetches the attacker’s SSH public key from a Supabase storage bucket, appends it to /.ssh/authorizedkeys, harvests the victim’s IP, username, and hostname, then uploads that metadata to the same Supabase...

Citizen Lab: Law Enforcement Used Webloc to Track 500 Million Devices via Ad Data

Hungarian domestic intelligence, the national police in El Salvador, and several U.S. law enforcement and police departments have been attributed to the use of an advertising-based global geolocation surveillance system called Webloc. The tool was developed by Israeli company Cobwebs Technologies...

Fake ChatGPT Ad Blocker Chrome Extension Caught Spying on Users

A fake Chrome browser extension called 'ChatGPT Ad Blocker' was harvesting conversations of ChatGPT users in the name of offering an ad-free experience...

Keenadu Firmware Backdoor Infects Android Tablets via Signed OTA Updates

A new Android backdoor that's embedded deep into the device firmware can silently harvest data and remotely control its behavior, according to new findings from Kaspersky. The Russian cybersecurity vendor said it discovered the backdoor, dubbed Keenadu , in the firmware of devices associated with...

Following the digital trail: what happens to data stolen in a phishing attack

Introduction A typical phishing attack involves a user clicking a fraudulent link and entering their credentials on a scam website. However, the attack is far from over at that point. The moment the confidential information falls into the hands of cybercriminals, it immediately transforms into a...

Malicious code in nspacercesolve (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 8a8c6f18d1f22d3d0f0b9902a176d91fdfe33270faea47c835a0078955b85914 During installation, the package looks for a flag file and exfiltrates it. Similar content is in the main file. There is no other purpose of the package ---...

Watch out for Walmart gift card scams

You’ve probably seen it before—a bright, urgent message claiming you’ve qualified for a $750 or $1000 Walmart gift card. All you have to do is answer a few questions. It looks harmless enough. But once you click, you find yourself in a maze of surveys, redirects, and "partner offers"—without ever...

Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data

Cybersecurity researchers have shed light on two different Android trojans calledBankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices. According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to...

Nation-State Hackers Deploy New Airstalk Malware in Suspected Supply Chain Attack

A suspected nation-state threat actor has been linked to the distribution of a new malware called Airstalk as part of a likely supply chain attack. Palo Alto Networks Unit 42 said it's tracking the cluster under the moniker CL-STA-1009 , where "CL" stands for cluster and "STA" refers to...

Aisuru Botnet Shifts from DDoS to Residential Proxies

Aisuru , the botnet responsible for a series of record-smashing distributed denial-of-service DDoS attacks this year, recently was overhauled to support a more low-key, lucrative and sustainable business: Renting hundreds of thousands of infected Internet of Things IoT devices to proxy services...

A week in security (September 29 – October 5)

Last week on Malwarebytes Labs: From threats to apology, hackers pull child data offline after public backlash Your Meta AI conversations may come back as ads in your feed Scam Facebook groups send malicious Android malware to seniors Sendit tricked kids, harvested their data, and faked messages,...

Threat Exposure as a Narrative: If Attackers Tell a Story, Why Don’t We?

Running short on time but still want to stay in the know? Well, we’ve got you covered! We’ve condensed all the key takeaways into a handy audio summary. Our AI-driven podcasts are fit for on the go. Security teams are losing the communication battle to cybercriminals who intuitively understand...

Combining Threat Intelligence with IoT Scanning to Predict Cyber Attack

While the Web has become a global platform for communication, malicious actors, including hackers and hacktivist groups, often disseminate ideological content and coordinate activities through the "Dark Web", an obscure counterpart of the conventional web. Presently, challenges such as informatio...

Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data

The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. Paragon, founded in 2019 by Ehud Barak and Ehud Schneorson, is the maker of a surveillance...

MAL-2025-617 Malicious code in outlookapi (npm)

The package contains several malicious PowerShell and VBS scripts used to harvest browser data, take screenshots, log keystrokes, and establish startup persistence. It also bundles a password stealer and exfiltrates stolen data via Slack and Discord webhooks. --- -= Per source details. Do not edi...

Malicious code in outlookapi (npm)

The package contains several malicious PowerShell and VBS scripts used to harvest browser data, take screenshots, log keystrokes, and establish startup persistence. It also bundles a password stealer and exfiltrates stolen data via Slack and Discord webhooks. --- -= Per source details. Do not edi...