MAL-2026-6274 Malicious code in web3-token-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0c826bf782895b60580b94e3a28a2c4562d3742420ce81e9895ad8568da57890 The package advertises itself as a Web3 fee utility but its main export is a dropper. index.js line 140 base64-decodes a platform-specific command...

Malicious code in fastercoding (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c302e448868fcff3110a45d20b53d9d887cfb5aa31bb66df90702f2767246b4 The package exposes a single public function run re-exported from init.py which, on Windows, downloads BackgroundSyncService.exe from...

MAL-2026-6208 Malicious code in fastercoding (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c302e448868fcff3110a45d20b53d9d887cfb5aa31bb66df90702f2767246b4 The package exposes a single public function run re-exported from init.py which, on Windows, downloads BackgroundSyncService.exe from...

Malicious code in fastercode (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14de4534d4cf2290f5f54bc5929fa799b73dff2e6a03aa879ade141dfc6ea054 The package advertises itself as a Python performance helper "Make your Python code run faster" and exposes a single public function run. On Windows,...

Argamal: Malware hidden in hentai games

In April 2026, we discovered a new malware campaign targeting players of "hentai" games. Once launched, the infected games install a previously unknown malicious implant on the user's machine. After a few days, the implant downloads and executes a Trojan, resulting in full system compromise and...

Malicious code in chainutils (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 149995e4a1c4d289fa58be2adcab4095dca7c429097ad6735afef8270e7e4cb3 During import, package triggers malicious code. First, it ensures persistency e.g., through the autostart registry key. Then, based on the encrypted config, an...

Malicious code in pynosist (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 ef7a4db1443361fe93b268c7ad8f38c5c290d5334162b57c2b534c97acbc2b5d The campaign is built from a benign-like package e.g. genosys and the malicious dependency e.g. pynosist. The dependency uses a PTH file to trigger malicious...

Windows Persistence via UserInitMprLogonScript

This module establishes persistence by setting the UserInitMprLogonScript value in HKCU\Environment. During user logon, userinit.exe checks this value and executes the specified command or binary. The module writes a payload executable to disk and points UserInitMprLogonScript to that payload...

PYSEC-2026-3 Two telnyx versions published containing credential harvesting malware

After an API token exposure from an exploited Trivy dependency, two new releases of telnyx were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. Compromised versions execute code during importing the telnyx...

Two telnyx versions published containing credential harvesting malware

After an API token exposure from an exploited Trivy dependency,two new releases of telnyx were uploaded to PyPI containing automatically activated malware,harvesting sensitive credentials and files, and exfiltrating to a remote API.Compromised versions execute code during importing the telnyx...

DRILLAPP Backdoor Targets Ukraine, Abuses Microsoft Edge Debugging for Stealth Espionage

Ukrainian entities have emerged as the target of a new campaign likely orchestrated by threat actors linked to Russia, according to a report from S2 Grupo's LAB52 threat intelligence team. The campaign, observed in February 2026, has been assessed to share overlaps with a prior campaign mounted b...

OPENSUSE-SU-2026:20260-1 Security update for mosquitto

This update for mosquitto fixes the following issues: Changes in mosquitto: - update to 2.0.23 boo1258671 Fix handling of disconnected sessions for perlistenersettings true Check return values of openssl getexdata and setexdata to prevent possible crash. This could occur only in extremely unlikel...

Malicious code in config-toolkit (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f672e0a6f875d710a8851da211ff30828bda3755c9f9aebcb56fd0430b134ae5 During installation, package installs a script that listens for remote commands and executes them. The script is also added to autostart configuration and...

Malicious code in adminbypasser (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 867991d0e6c74f15c2f231c002867172a4e03044a328676cf9b2ec07a7e48f68 Package silently downloads remote code and adds its execution to the autostart. During analysis, the remote domain no longer existed. --- Category: MALICIOUS -...

Google Warns of Active Exploitation of WinRAR Vulnerability CVE-2025-8088

Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads. "Discovered and patched in July 202...

Burp Extension Persistence

This module adds a java based malicious extension to the Burp Suite configuration file. When burp is opened, the extension will be loaded and the payload will be executed. Tested against Burp Suite Community Edition v2024.9.4, on Ubuntu Desktop 24.04. Tested against Burp Suite Community Edition...

Accessibility Features (Sticky Keys) Persistence via Debugger Registry Key

This module makes it possible to apply the 'sticky keys' hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell using UI-level interaction at an RDP login screen or via a UAC confirmation dialog. The module modifies the Debug registry setting for certain...

New VVS Stealer Malware Targets Discord Accounts via Obfuscated Python Code

Cybersecurity researchers have disclosed details of a new Python-based information stealer called VVS Stealer also styled as VVS $tealer that's capable of harvesting Discord credentials and tokens. The stealer is said to have been on sale on Telegram as far back as April 2025, according to a repo...

Exploit for Path Traversal in Rarlab Winrar

CVE-2025-8088 WinRAR path traversal tool ⚠ This tool is...

📄 Notepad++ 8.8.7 DLL Hijacking

Notepad++ version 8.8.7 DLL hijacking proof of concept exploit. ============================================================================================================================================= | Title : Notepad++ 8.8.7 Unsafe Plugin Persistence AutoLoad | | Author : indoushka | |...