1498 matches found
HelloNet campaign — new malicious modules launched through the ViPNet update system
UPD 16.07.2026: Added rules to protect companies using our SIEM system Kaspersky SIEM, and listed events for developing custom detection rules or conducting Threat hunting. UPD 16.07.2026: Added detection of the malicious activity using Kaspersky Managed Detection and Response. UPD 16.07.2026:...
Malicious code in nottuff16 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 570cc848bb0e31176fc13945f1cfbd39b64a671de7e2d1913b6951513c0b21b8 The tarball ships auto-publish.sh, a script that republishes the same payload under 100 distinct npm names ishowfeet1-ishowfeet20, nottuff1-nottuff30...
MAL-2026-6925 Malicious code in typescript-base58 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b860a9c4960f55c236ca5e14781f5dcfb60752d4367cb9aeb30762d3b023004e [email protected] is a one-line re-export of the 'base58-core' package. The README advertises 'Zero dependencies' while package.json declares a...
Malicious code in autotel-eventcatalog (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21a008fc4c3a9bff3d0c920364ff6e56ab62ff607408a040e7e959ad3cb461d9 No concrete installer-harm evidence was identified for this package version. No lifecycle-script droppers, credential reads, hardcoded exfiltration...
MAL-2026-5218 Malicious code in autotel-devtools (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e1bce8c001a8e85b493ccdd8af1e3e57f3578d1026e6d5d147374b0a68467313 autotel-devtools ships bundled CommonJS and ESM artifacts dist/cli.cjs, dist/cli.js, dist/index.cjs, dist/index.js, dist/server/index.cjs,...
MAL-2026-5264 Malicious code in node-env-resolver-dotenvx (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1935de81fae9e35f6c7373f982092558f30d269b205a6edf0d847fb86d0bf3b5 The package was found to contain malicious code or consuming dependency that contains malicious code Source: google-open-source-security...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that hides inside binary executable files triggered by a postinstall script. IronWorm is a sophisticated, Rust-based infostealer that functions as a self-replicating supply-chain attack. Its primary characteristi...
China-Aligned Groups Ramp Up Attacks: Dragon Weave Hits Czech Republic & Taiwan
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial...
Fake software on GitHub and SourceForge distribute Deno RAT
During our threat hunting activities, we found fake installers and plugins impersonating popular software including ChatGPT, Claude, AutoTune, and Kontakt on GitHub and SourceForge distributing a Deno backdoor known as DinDoor. Attackers are using compromised YouTube channels to distribute links ...
How a Webmail Log File Became a Root-Level Backdoor
THREAT ANALYSIS May 2026 · Forensic Case Study A forensic breakdown of how an attacker turned CyberPanel's SnappyMail logging into a persistent webshell that survived every WordPress cleanup attempt. A WordPress site owner reported redirect malware on their site. They found that clicking anywhere...
Malicious code in @antv/g6-wx (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-3995 Malicious code in @antv/g6-react-node (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...
Embedded Malicious Code
Overview durabletask is an A Durable Task Client SDK for Python Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a malicious payload. A malicious actor linked to the @antv appears to have compromised the GitHub account associated with the package and dumpe...
Malicious code in async-http-tools (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 85e8a68bad6595a817f1dabed757662e2a04cfec7b45a86d9bfd61a7a78d14d1 During installation, package exfiltrates some basic info to a GitHub issue comment, and then attempt to set up a persistent infostealer focused on exfiltrating...
Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do
More than 610,000 Roblox accounts were reportedly stolen. Was yours or your child's among them? Ukrainian police arrested three individuals in Lviv who allegedly orchestrated one of the largest Roblox account theft operations to date. Between October 2025 and January 2026, the hacking group is sa...
Malicious code in getcardslib (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 88c984b34b3bacb405ca57d999a20be2a2c4c1b3ad75fa7e60f8d6e814b30ab5 The package getcardslib was found to contain malicious code. Source: ghsa-malware ce7e3143ce06f31e15162fef48924c625caddc3e6cc75c9640b053c38ad2665c An...
Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka
A previously undocumented macOS infostealer has surfaced during our routine threat hunting. We initially tracked it as NukeChain , but shortly before publication, the malware’s operator panel became publicly visible, revealing its real name: Infiniti Stealer. This malware is designed to steal...
That “job brief” on Google Forms could infect your device
We've identified a campaign using business-related lures, such as job interviews, project briefs, and financial document, to distribute malware, including the PureHVNC Remote Access Trojan RAT. It's not the malware that's new, but how the attack starts. Instead of the usual phishing email or fake...
Speagle Malware Hijacks Cobra DocGuard to Steal Data via Compromised Servers
Cybersecurity researchers have flagged a new malware dubbed Speagle that hijacks the functionality and infrastructure of a legitimate program called Cobra DocGuard. "Speagle is designed to surreptitiously harvest sensitive information from infected computers and transmit it to a Cobra DocGuard...