Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System TDS and deliver malware families like Remus Stealer, AnimateClipper, and the SessionGate framework. "The sites are...

Malicious code in spaysdata (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 55bfbc1a93fe9a662ed20b5fb651390a850c8f43e4d68d81677b4ffd0ca17bcf The package exfiltrates Roblox cookies from the victim machine. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaig...

Malicious Package

Overview turbo-axios is a malicious package. This package contains malicious code associated with the Epsilon Stealer malware campaign. While this package attempts to impersonate a legitimate performance-enhanced version of the axios HTTP client, there is no connection between the axios project o...

Malicious Package

Overview faster-axios is a malicious package. This package contains malicious code associated with the Epsilon Stealer malware campaign. While this package attempts to impersonate a legitimate performance-enhanced version of the axios HTTP client, there is no connection between the axios project ...

Containers on fire: from container escapes to supply chain attacks

Introduction Modern infrastructures universally rely on containerization to deploy applications, scale services, and build cloud platforms. The use of Docker, Kubernetes, and similar technologies has become the corporate standard for efficient automation. However, as containers grow in popularity...

Malicious code in discord-massban (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 1b535ff4283b14cd5d93b2e31a997d1c8abd7424e2aa48a993c19e5e7f6b2b3b Package steals data from web browsers credentials, credit cards, history, ... --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

MAL-2026-5091 Malicious code in discord-ban (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4e19806a65bf83b5648eb280baedca899972d98e8c3f921080390458e8394413 Package steals data from web browsers credentials, credit cards, history, ... --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

Malicious code in crypto-helper (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 bbb379240ef7e43770f6dab576919fa97bd23ffbb8d3e39b31fd656649335fd7 During installation, the code tamper with security settings and downloads and executes malicious executable. --- Category: MALICIOUS - The campaign has clearly...

Fake ChatGPT download site infects Windows and Mac users with malware

A convincing fake website is impersonating OpenAI’s ChatGPT download page and infecting visitors with malware designed to steal passwords, browser data, cryptocurrency wallets, and other sensitive information. The site, openew.app, closely mimics OpenAI’s real ChatGPT download experience and offe...

Malicious code in test-weavedb-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3bf1d859670570df6b5400c4ae762c8de880ada809bb4c371f32339744b8f9d Package name impersonates the legitimate weavedb-sdk; lib/index.js is a near-verbatim copy of that SDK's Arweave/Warp/EthCrypto class so the package...

MAL-2026-4721 Malicious code in weavedb-node-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d174728fc7469b023ece1980797185c35abd74c56e253bc1dc1b295a46a1dbd2 package.json declares "preinstall": "./tools/setup", unconditionally executing a 976KB UPX-packed, stripped Linux x86 ELF on every npm install. The...

MAL-2026-4272 Malicious code in env-loader-cli (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1749501a0825ad4a98638bbab4bd2bd9550436adcb9bb7781b6552735f7f3eb0 The package advertises itself as a benign.env/JSON/YAML loader but its top-level init.py imports a hidden core module that, on every import envloader...

Malicious code in defi-risk-scanner (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a8385c44127ab4250664e1324009461ae329e3684948d692cc679962d59f818 On first import defiriskscanner, the package's top-level init.py unconditionally runs curl -sL...

Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware

Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections...

Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks

Microsoft on Tuesday said it disrupted a malware-signing-as-a-service MSaaS operation that weaponized the company's Artifact Signing system to deliver malicious code and conduct ransomware and other attacks, compromising thousands of machines and networks across the world. The tech giant attribut...

MAL-2026-4197 Malicious code in pretty-logger-utils (npm)

pretty-logger-utils is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported. The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper...

Malicious code in art-template (npm)

Versions 4.13.3, 4.13.5, and 4.13.6 of art-template were published after an npm account takeover and ship a tampered browser bundle lib/template-web.js that loads remote attacker-controlled JavaScript. The final payload is the Coruna iOS exploit kit, which targets Safari on iPhone and iPad and...

MAL-2026-4183 Malicious code in openclaw-agent (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b89b6a94f589218276e6dabe5accf4a6d6a9b22cd7412cce0a58069bccd76bbb The package is intended to create a backdoor and steal sensitive data, but the analyzed code did not finally exfiltrate the content of sensitive files. ---...

Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code VS Code Marketplace. The extension in question is rwl.angular-console version 18.95.0, a popular user interface and plugin for code editors like VS Code,...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...