A new backdoor called PamDOORa has emerged as a serious and growing threat to Linux systems, targeting one of the most trusted components of the operating system to silently steal SSH credentials.

The malware was advertised for sale on a Russian-speaking cybercrime forum called Rehub, with its complete source code initially listed at $1,600 before the seller slashed the price to $900. That sudden drop raised red flags among researchers, suggesting either limited buyer interest or a deliberate rush to offload the tool quickly.

PamDOORa works by hijacking the Pluggable Authentication Module, or PAM, framework that Linux systems use to handle user logins and identity verification.

Unlike traditional malware that plants itself as a visible running process, this backdoor injects a malicious module directly into the authentication layer, where it waits silently for login attempts and harvests credentials before they can be logged. This makes it especially dangerous because the attack happens at a level most monitoring tools do not watch closely.

Researchers from Group-IB identified the technique being used in this backdoor and noted that it exploits pam_exec, a standard PAM module designed to run external commands during authentication events.

The Group-IB DFIR team found that this specific abuse method had not yet been included in the MITRE ATT&CK framework, making it a novel technique that many security teams may not be actively defending against.

How PamDOORa Operates on Linux Systems

The threat actor behind PamDOORa operates under the alias “darkworm” on the Rehub forum and demonstrates notable technical knowledge of Linux internals. Analysis of code snippets shared in the advertisement showed realistic and credible techniques that align with known PAM exploitation methods. The seller was assessed as more technically capable and serious compared to other individuals reusing the same alias on lower-tier forums.

What makes PamDOORa especially concerning is not just what it does, but how well it hides. The backdoor is built to manipulate authentication log files including lastlog, btmp, utmp, and wtmp, wiping away any trace that an attacker connected to the server. This means incident response teams called in to investigate a breach may unknowingly have their own credentials stolen the moment they SSH into the compromised machine.

PamDOORa is designed as a post-exploitation tool, meaning the attacker must already have root access before deploying it. Once installed, the backdoor injects a malicious PAM module that produces a file called pam_linux.so, loaded into the authentication stack alongside legitimate system modules.

This design allows it to blend in with normal system files rather than replacing them, making detection significantly harder.

The backdoor grants persistent SSH access through a combination of a specific TCP port and a secret “magic password” that only the attacker knows. A special routine scans open connections and applies conditional logic to identify when the attacker is connecting, granting silent access while normal users see nothing unusual.

Credentials submitted by legitimate users during login are intercepted within the PAM stack, encrypted using XOR with a runtime-generated key, and written to /tmp with randomly generated filenames and timestamps.

Anti-Forensics and the Challenge of Detection

What sets PamDOORa apart from simpler backdoors is its built-in anti-forensic capability. The tool actively erases attacker login traces from system logs, leaving behind only failed login entries that investigators are likely to dismiss as noise.

Since credential theft happens inside the PAM layer, application-level logging tools never capture the stolen data, and detection methods focused on user-space processes will miss it entirely.

Security teams are advised to treat any compromised Linux server as having fully exposed credentials, regardless of how limited the breach appears.

Researchers recommend enabling SELinux and AppArmor for stronger process isolation, installing Auditd with DISA-STIG recommended rules to monitor changes to system files, and deploying rkhunter to detect rootkits and unauthorized software. Disabling root login over SSH, locking the root account, and restricting sudo access to authorized users only are essential steps in reducing the attack surface that PamDOORa relies on.

Indicators of Compromise (IoCs):-

Based on information disclosed in the source material, the following indicators were identified from the malicious script executed during SSH authentication:-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PamDOORa Backdoor Attacking Linux Systems to Steal SSH Credentials appeared first on Cyber Security News.

A newly identified malware campaign is targeting senior executives and government investigators across Southeast Asia, using a modular Remote Access Trojan capable of stealing credentials, capturing screenshots, and maintaining deep persistence on infected systems.

The operation, dubbed Operation GriefLure, is running two simultaneous campaigns hitting Vietnam’s military-linked telecom sector and the Philippine healthcare industry.

What makes this threat especially alarming is how it reaches victims. Attackers are not guessing or fabricating stories. In one case, they harvested real legal documents from an ongoing data breach lawsuit, including signed police reports, corporate admission letters, and personal medical records.

Victims who opened the archive received a completely authentic document on screen, with no sign that anything had gone wrong behind the scenes.

Researchers at Seqrite Labs identified and named the campaign, noting that the entire system compromise completes in under 10 seconds with zero visible indicators to the victim. The malware arrives inside a nested compressed archive delivered through a targeted spear phishing email, and its infection chain is engineered to bypass most conventional security tools.

The operation targets two groups simultaneously. The first campaign focuses on senior executives at Viettel Group, Vietnam’s largest telecom operator running under the Ministry of National Defence, as well as cybercrime investigators from Thanh Hoa Provincial Police.

The second targets compliance and audit staff at St. Luke’s Medical Center in the Philippines, using a fabricated whistleblower complaint that invokes alleged financial fraud and accreditation violations worth over PHP 1.5 million.

Both campaigns use the same underlying infrastructure and payload, confirming a single threat actor running a coordinated, modular attack operation across two countries at the same time.

Modular RAT With Credential Theft and Screenshot Capture

At the technical core of this campaign sits a sophisticated modular RAT acting as a multi-purpose implant. Once loaded into memory through a layered execution chain, it harvests credentials from web browsers including Chrome’s stored login data, cookies, and history. It also targets FTP client configurations, remote access tools like Sunlogin and ToDesk, and SSH session files from Xshell, making it a serious threat to anyone who manages privileged system access.

The screenshot capture module retrieves full screen dimensions, accounts for multi-monitor setups, and dynamically adjusts image resolution based on network conditions before transmitting a reconstructed BMP image to the attacker’s command-and-control server. The malware also scans all running processes to build a profile of installed security products, then adjusts its behavior accordingly to reduce detection.

The payload is never stored as a complete file inside the archive. Binary chunks disguised as ordinary document files are assembled at runtime using Windows’ native copy command, and a time-based mechanism randomizes the payload hash on every execution to defeat signature-based scanning. The final executable is then injected into a trusted Windows process, making it appear as normal system activity to most forensic tools.

Infrastructure, Attribution, and Defensive Measures

The malware communicates with a hardcoded command-and-control domain, whatsappcenter[.]com, hosted on IP address 38[.]54[.]122[.]188. This server sits within KAOPU-HK, a Hong Kong-based network with a documented history of providing abuse-resistant hosting to threat actors across Asia-Pacific. Passive intelligence tags the host as bulletproof infrastructure, a strong indicator of deliberate operational security.

Seqrite researchers assess with moderate-to-high confidence that this campaign is linked to a China-nexus threat cluster. Supporting indicators include the use of bulletproof Chinese hosting, an embedded security detection list that enumerates vendors such as 360Safe, Qianxin, and Sangfor, direct targeting of WeChat data within the credential harvesting module, and a broader Southeast Asian footprint spanning military telecom and healthcare.

Organizations in telecom, government, and healthcare across Southeast Asia should treat this as an active and evolving threat. Security teams are advised to block the known C2 domain and IP, monitor for LNK file executions that invoke ftp.exe, flag any process dropping chunked doc files into the Public directory, and audit systems for signs of explorer.exe being respawned under a restricted security context. Because this attack weaponizes genuine legal documents and trusted system binaries, standard user awareness training alone will not stop it.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Deploy Modular RAT With Credential Theft and Screenshot Capture Capabilities appeared first on Cyber Security News.

A dangerous new infostealer campaign is targeting some of the most sensitive data people store on their computers. Disguised as a legitimate installer for OpenClaw, a popular open-source personal AI assistant, the malware silently takes over systems and goes after over 250 browser extensions tied to crypto wallets and password managers. The campaign has been active since at least February 2026.

The attack begins at a convincing fake website, openclaw-installer.com, registered on March 9, 2026, which leads visitors to a file called OpenClaw_x64[.]7z. That archive contains a 130MB Rust-based executable padded with fake documentation to pass security scans. The size was deliberate. It clears antivirus file-size thresholds and breaks automated sandbox upload limits in a single move.

Researchers at Netskope Threat Labs uncovered the campaign and documented what they call the “Hologram” wave, a second and significantly more advanced iteration of the operation.

The dropper’s own manifest makes no attempt to hide its purpose, openly naming itself “Hologram” with the description “Decoy entity generator for tactical misdirection.”

Once the fake installer runs, it checks for signs that it is inside a virtual machine or sandbox. It scans for BIOS strings tied to virtual machines, suspicious software libraries, and hardware profiles that do not match real systems.

Hackers Use Fake OpenClaw Installer

If those checks pass, it waits for actual mouse movement before doing anything else. Automated sandboxes do not move the mouse, so the malware sits still and never gets flagged.

After confirming it is on a real machine, the dropper disables Windows Defender, opens firewall ports, and downloads six modular components that work together. The attacker receives a confirmation in their private Telegram channel once all six modules load successfully.

The credential theft component of this campaign is broad and organized. The malware fetches a targeting list from an attacker-controlled Azure DevOps organization, covering 250 browser extensions.

That list includes 201 crypto wallets such as MetaMask, Phantom, Coinbase, OKX, Rabby, and Ronin, plus 49 password managers and authenticator apps including Bitwarden, LastPass, 1Password, NordPass, KeePass, and Google Authenticator.

Because the list lives in a remote Git repository rather than hardcoded in any binary, the attacker can update targets without rewriting the malware. The list of apps being targeted can quietly grow without triggering new detections. Separately, the malware also accesses Ledger Live data on the filesystem, giving the attacker two independent theft paths.

The six stage-2 modules each carry a specific role. One collects hardware fingerprints to decide whether the victim is worth a full attack. Another opens a persistent connection to the attacker’s server.

A third loads a hidden .NET assembly entirely in memory using a Rust component called clroxide, a technique never before documented in a crimeware campaign. Persistence is layered across registry autoruns, a Windows logon hijack, a scheduled task, and Telegram-based droppers that survive even if the main implant is removed.

A Rapidly Evolving Threat With Rotating Infrastructure

What makes this campaign so hard to shut down is how the attacker handles their infrastructure. The command server address is never hardcoded in the malware. Instead, the implant reads it from a Telegram channel description, so if a domain gets blocked, it pulls a new one on the next check-in. During active analysis, the attacker rotated every layer before findings were published.

All victim data, including usernames, IP addresses, and timestamps, is routed through Hookdeck, a legitimate webhook relay service. This keeps the attacker’s Telegram bot token out of network traffic entirely, making it very difficult to trace the real command backend.

Security teams should watch for behavioral signals that survive domain rotation. These include unusually large installer files, PowerShell launched from dropped binaries with fragmented command names, outbound traffic to webhook relay domains, Azure DevOps connections from non-development processes, and firewall rules being opened programmatically on ports 56001 through 57002. Blocking individual domains alone is not enough. Application-level inspection and behavioral detection are necessary to catch what this campaign is doing inside trusted services.

Indicators of Compromise (IoCs):-

File Hashes

Domains

IP Addresses

Dead-drop and Staging URLs

Mutexes

Registry Keys

Files and Paths

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials appeared first on Cyber Security News.

A newly discovered malware called ZiChatBot has been found quietly using the REST APIs of a legitimate team chat application called Zulip to receive and carry out commands from its operators.

This approach is unusual because the malware never communicates with a private server that security tools could flag or block, making it harder to detect through standard network monitoring.

The threat was uncovered after a series of malicious Python packages were found on PyPI, the widely used Python Package Index, starting in July 2025. The attacker uploaded packages designed to look like common development libraries, tricking Python developers into installing them.

Once installed, these packages silently dropped the ZiChatBot payload onto the victim’s system without raising obvious alerts.

Analysts at Securelist identified and named the malware after analyzing samples through their threat analysis pipeline. Their research confirmed ZiChatBot targets both Windows and Linux systems, making it a cross-platform threat capable of reaching a wide range of developers and machines.

The Kaspersky Threat Attribution Engine flagged a 64% code similarity between the ZiChatBot dropper and a dropper previously linked to the OceanLotus APT group.

OceanLotus, also known as APT32, is a well-established threat group that has historically focused on targets in the Asia-Pacific region. However, recent activity shows the group pushing beyond its traditional boundaries, including campaigns in the Middle East and now a global supply chain attack through PyPI. This shift reflects a clear effort by the group to broaden its reach by targeting trusted public platforms that developers rely on daily.

ZiChatBot Malware Uses Zulip REST APIs as Its Command Channel

The malicious packages have since been removed from PyPI, and the Zulip organization used by the attackers has been officially deactivated. Still, researchers warn that already-infected systems may still attempt to contact the deactivated Zulip endpoint, meaning cleanup on compromised machines remains critical.

ZiChatBot takes an inventive but dangerous approach to command and control by routing all activity through Zulip’s public REST API. Rather than contacting a suspicious external server, the malware sends HTTP requests to a legitimate service, letting its traffic blend in with normal developer communication. Authentication is handled through an API token embedded within each HTTP request header.

The malware operates through two separate channel-topic pairs within the Zulip platform. One pair sends basic system information about the infected machine back to the attacker. The other retrieves messages containing shellcode, which ZiChatBot executes in a new thread. Once a command runs, the malware replies with a heart emoji in the chat to signal completion, showing how carefully attackers disguised operations as routine activity.

The Windows version of ZiChatBot is a DLL file named libcef.dll, loaded through a legitimate executable called vcpktsvr.exe. It establishes persistence by writing a registry auto-run entry, ensuring it restarts when the user logs in. On Linux, the payload sits at /tmp/obsHub/obs-check-update and uses a crontab entry to keep access alive on the infected system.

PyPI Supply Chain Attack Used to Deliver the Payload

The attack started with three fake Python libraries uploaded to PyPI, each named to closely resemble tools that developers use in everyday projects. The packages, uuid32-utils, colorinal, and termncolor, appeared harmless based on their listed descriptions. In reality, each carried a dropper that silently extracted and installed ZiChatBot during the normal library import process.

The termncolor package was especially deceptive since it contained no obviously malicious code on its own. Instead, it listed the malicious colorinal package as a dependency, so anyone who installed termncolor would unknowingly trigger the full infection chain. This layered method made the attack far less visible to automated tools that only scan surface-level code.

The dropper used AES encryption in CBC mode to hide sensitive strings and embedded payloads. After deploying ZiChatBot, it used shellcode to self-delete, wiping traces of the initial infection. Researchers advise adding helper.zulipchat.com to network denylists to identify any machines still reaching out to the now-deactivated attacker infrastructure.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server appeared first on Cyber Security News.

A new banking trojan known as TCLBANKER has been quietly making rounds, and its delivery method is as clever as it is concerning. Attackers are using a trojanized version of a legitimate, digitally signed installer to slip malware onto victims’ machines without raising immediate suspicion.

The campaign, tracked as REF3076, bundles a malicious MSI installer inside a ZIP file and exploits the trust people place in recognizable software names.

The infection begins when a victim runs what appears to be a legitimate Logitech application installer. Inside the package, threat actors have weaponized the Logi AI Prompt Builder, abusing a technique called DLL sideloading to sneak a malicious file into the process. Once the application starts, it automatically loads the harmful DLL without the user ever knowing anything went wrong.

Analysts at Elastic Security Labs identified this new Brazilian banking trojan, assessing it to be a significant evolution of an older malware family known as MAVERICK and SORVEPOTEL. The campaign appears to be in its early stages, with developer artifacts and an incomplete phishing page suggesting the attackers are still actively building out their infrastructure.

TCLBANKER primarily targets users in Brazil, specifically those who visit banking, fintech, and cryptocurrency websites. The trojan monitors the victim’s browser in real time, watching for visits to any of 59 targeted financial domains.

Hackers Abuse Signed Logitech Installer

When a match is found, it opens a live connection to the attacker’s command server and puts the operator in full control.

The scope of potential damage goes well beyond simple credential theft. The malware can display fake full-screen overlays that look like real banking interfaces, freeze the apparent desktop to confuse victims, and kill the Task Manager to prevent users from ending the malicious process. It is a coordinated operation designed to make fraud feel seamless from the attacker’s side.

The attackers took care to make the infection chain look as normal as possible. The malicious ZIP file contains an MSI installer that mimics the legitimate Logi AI Prompt Builder, a real Flutter-based application.

When installed, the trojanized package drops a fake DLL called screen_retriever_plugin.dll, which masquerades as a genuine Flutter plugin and gets loaded automatically at startup.

The loader inside this DLL is packed with tricks to avoid detection. It checks whether the system is running inside a sandbox or virtual machine, verifies that the user’s default language is Brazilian Portuguese, and even measures timing to catch emulation frameworks that speed up sleep calls.

If anything seems off, the malware simply stops running without leaving obvious traces. This environment-gating approach means the payload only decrypts itself on real, qualifying machines.

Self-Spreading Worm Modules Amplify the Threat

What makes TCLBANKER particularly dangerous is not just what it does on a single machine, but how far it can spread from there. The malware comes with two worm modules designed to send itself to the victim’s contacts using channels those contacts already trust.

The first hijacks the victim’s active WhatsApp Web session in the browser, silently messaging Brazilian contacts with a link to download the malware. The second abuses Microsoft Outlook through automation, sending phishing emails directly from the victim’s own email account.

Because these messages come from real, known senders, they are far harder for security filters to catch. The Outlook bot first harvests the victim’s contact list, then sends targeted emails that look completely authentic.

Elastic researchers noted that all command and file-serving infrastructure runs on Cloudflare Workers under a single account, making it easy for operators to rotate infrastructure quickly when needed.

Organizations and individuals can take several steps to reduce exposure. Keeping security software updated ensures the latest detection signatures are in place.

Being cautious about ZIP files or MSI installers received through messaging apps or email, even from known contacts, is critical given this trojan’s self-spreading behavior. Monitoring for unusual scheduled tasks, unexpected DLL loads alongside legitimate software, and suspicious outbound connections can also help flag infections early.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Abuse Signed Logitech Installer to Deploy TCLBANKER Banking Trojan appeared first on Cyber Security News.

A sophisticated new malware framework called PCPJack has been found actively targeting cloud environments across the internet, hunting for exposed services and stripping away credentials at scale.

The worm zeroes in on Docker, Kubernetes, Redis, and MongoDB deployments, turning misconfigured or vulnerable systems into footholds for credential theft and financial fraud. What sets it apart from most cloud-targeting malware is its unusual decision to skip cryptocurrency mining entirely, suggesting the operators are focused on a different kind of profit.

PCPJack starts its infection chain with a shell script called bootstrap.sh, which runs quietly on Linux-based cloud systems. That script prepares the environment, installs Python, downloads six specialized modules, sets up persistence, and launches the main orchestrator.

One of its first actions is to scan for and actively remove all traces of a rival threat group called TeamPCP, essentially taking over compromised machines that someone else had already infected, making it unusually competitive among cloud threat actors.

Researchers at SentinelOne identified PCPJack as a credential theft framework with worm-like spreading capabilities. According to SentinelOne security researcher Alex Delamotte, the toolset “harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts.”

The research team believes the actor behind PCPJack may be a former TeamPCP member who left the group and started their own separate operation, given the technical overlap found between both campaigns.

The malware collects an unusually wide range of secrets, including SSH keys, Slack tokens, WordPress database credentials, OpenAI and Anthropic API keys, cloud provider tokens, and cryptocurrency wallet files.

It then encrypts all stolen data using X25519 ECDH and ChaCha20-Poly1305 before sending it to a Telegram channel, broken into small chunks to comply with message size limits. The attacker even tracks whether their cleanup of TeamPCP infections was successful, signaling deliberate and targeted competitive intent rather than opportunistic attack behavior.

PCPJack’s Worm-Like Propagation and CVE Exploitation

PCPJack spreads by actively scanning external cloud infrastructure for exposed services including Docker, Kubernetes, Redis, MongoDB, and RayML. The worm downloads hostname data from Common Crawl parquet files and uses them as scanning targets, letting it discover new victims without hardcoding any addresses directly into the code.

This design allows the attacker to cover up to 104 million potential entries during each cycle without requiring centralised coordination.

The worm exploits five publicly known vulnerabilities to break into new systems. These include CVE-2025-29927, an authentication bypass in Next.js middleware; CVE-2025-55182, a server-side deserialization flaw in React and Next.js known as “React2Shell”; CVE-2026-1357, an unauthenticated file upload vulnerability in WPVivid Backup; CVE-2025-9501, a PHP injection flaw in W3 Total Cache; and CVE-2025-48703, a shell injection issue in CentOS Web Panel.

Once inside, the worm harvests SSH keys and moves laterally by enumerating Kubernetes clusters and Docker daemons, then replicating itself to every reachable host.

Sliver Backdoor and Enterprise-Wide Credential Targeting

SentinelOne’s analysis also uncovered a Sliver-based backdoor on the attacker’s staging server, compiled in three variants to support x86_64, x86, and ARM system architectures. This backdoor grants the operator persistent remote access even after initial exploitation ends.

The binaries are saved locally as update.bin, update-386.bin, and update-arm.bin, designed to blend in with legitimate system maintenance file names to avoid immediately raising suspicion.

Beyond cloud infrastructure, PCPJack also targets messaging platforms, financial services, and enterprise productivity tools. The malware scans for credentials tied to services like Discord, DigitalOcean, Grafana Cloud, Google API, HashiCorp Vault, and 1Password, expanding potential damage far beyond a single environment. This wide reach points toward extortion, spam campaigns, and credential resale as the most likely endgame.

To reduce exposure, security teams should enforce multi-factor authentication across all cloud accounts and services. Using IMDSv2 in AWS environments is recommended to prevent metadata theft, and proper authentication must be enforced for Docker and Kubernetes API endpoints.

Organisations should follow least-privilege principles, avoid storing secrets in plaintext, and regularly audit environment variables and configuration files for sensitive data.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New PCPJack Worm Targets Docker, Kubernetes, Redis, and MongoDB for Credential Theft appeared first on Cyber Security News.

A new and evolving threat has caught the attention of cybersecurity researchers worldwide. A Windows-based information stealer known as NWHStealer has resurfaced with a more sophisticated delivery chain, now using the Bun JavaScript runtime as part of its infection process.

This shift makes it clear that the attackers behind this campaign are actively experimenting with lesser-known tools to stay ahead of security defenses.

NWHStealer is a Rust-based malware capable of stealing sensitive data from infected Windows systems. It spreads through Node.js scripts, MSI installers, and fake software downloads hosted on trusted platforms such as GitHub, GitLab, SourceForge, and Itch.io. Since it blends into legitimate-looking software packages, many users unknowingly download and run it without any suspicion.

Analysts at Malwarebytes identified the new delivery method during routine threat hunting activities.

Researcher Gabriele Orini noted that attackers have now incorporated Bun, a modern JavaScript toolkit built as a high-performance alternative to Node.js, into the malware’s delivery chain. Its relative newness in security circles makes it particularly appealing to attackers trying to slip past detection.

Once inside a system, NWHStealer is highly capable. It collects system information, steals saved browser data and passwords, drains cryptocurrency wallets, and targets applications like Discord, Steam, and FTP clients such as FileZilla.

It can also inject malicious code into browser processes, bypass Windows User Account Control, persist through scheduled tasks, and pull new command-and-control addresses from Telegram to keep the operation alive after partial takedowns.

The scale of this campaign is notable. Attackers continue to create fresh profiles on legitimate platforms to push new lures, making it difficult for moderators to respond quickly. The combination of data theft, persistence, and self-updating infrastructure makes NWHStealer a serious threat to both everyday users and organizations.

Bun Loader, Anti-VM Checks, and Encrypted C2

The infection begins with a ZIP archive disguised as a game trainer, software crack, or utility tool. Detected archive names include MOUSE_PI_Trainer_v1.0.zip, FiveM Mod.zip, TradingView-Activation-Script-0.9.zip, and AutoTune 2026.zip.

Inside sits Installer.exe, which carries JavaScript code bundled with the Bun runtime hidden within its .bun section.

The malicious JavaScript is divided into two key files. The first, sysreq.js, runs PowerShell and WMI commands to check whether the system is a real machine or a virtual one. It inspects CPU count, disk space, screen resolution, hardware manufacturers, and even the username, using a scoring system to decide whether to proceed with infection or stop entirely. This anti-VM layer is designed to avoid detection in automated security analysis environments.

The second file, memload.js, handles communication with the attacker’s command-and-control server. Strings and configurations are encrypted using XOR combined with base64 encoding, making static analysis much harder. The loader sends a report containing the victim’s public IP, system details, and a screenshot to the C2, then fetches an AES-encrypted payload and deploys NWHStealer directly into memory with minimal traces on disk.

Some analyzed ZIP files also include a secondary loader called dw.exe inside a folder labeled “DW.” A Readme.txt inside the archive tells users to run dw.exe manually if the main installer fails, giving attackers a fallback option if the primary C2 server goes offline. This dual-loader setup reflects a deliberate backup plan to ensure delivery regardless of temporary disruptions.

Staying Safe From NWHStealer

Given how widely this stealer is distributed, users should take practical steps to protect themselves. Only download software from official, verified sources and avoid file-sharing platforms unless the publisher’s identity and reputation are clearly established.

Always check a file’s digital signature before running it, as legitimate software will carry consistent, verifiable signing details.

It is also worth inspecting any downloaded archive before opening it. Malicious archives often have unusual file structures, mismatched content, or naming patterns that do not match what was advertised.

Staying cautious with downloads that seem too good to be true, whether a game cheat, a software activator, or a free tool, remains one of the most effective defenses against threats like NWHStealer.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New NWHStealer Delivery Chain Uses Bun Loader, Anti-VM Checks, and Encrypted C2 appeared first on Cyber Security News.

Hackers are using convincing fake pages for Claude AI to trick users into running malware on their own systems. The campaign, known as “InstallFix” or the Fake Claude Installer threat, marks a sharp shift in how cybercriminals exploit the trust people place in artificial intelligence tools.

Instead of targeting software vulnerabilities, these attackers are targeting human behavior, knowing that users will follow installation steps without question.

The method is simple and effective. Attackers set up fake Claude AI installation pages and use paid Google Ads to push those pages to the top of search results.

When someone searches for “Claude Code” or “Claude Code install,” a sponsored link appears first, looking exactly like a trusted result. One click leads to a fraudulent site that provides step-by-step instructions with commands tailored to the user’s operating system, either Windows or macOS.

Researchers at Trend Micro identified and documented the campaign, noting that the malware is not a simple infection. It is a multi-stage attack chain that collects system information, disables security features, creates scheduled tasks to survive reboots, and connects to attacker-controlled servers for further instructions.

Confirmed attacks span the United States, Malaysia, the Netherlands, and Thailand, hitting industries from government and education to electronics and food and beverage.

How the Fake Installer Attack Works

What makes this campaign especially dangerous is that it targets both technical and non-technical users. Developers who work with command-line tools are often comfortable copying setup commands from documentation pages, and non-technical users are equally likely to follow on-screen steps that look official. The attackers crafted these fake pages to closely resemble a real Claude installation guide, making the deception very hard to spot.

The threat goes beyond a single download. After the user runs the malicious command, the infection unfolds across multiple stages, each designed to evade detection and remain hidden. Trend Micro’s telemetry confirmed outbound network connections to attacker-controlled servers, and the indicators found align closely with those tied to RedLine Stealer campaigns from 2023.

The attack begins with a Google Ads placement that intercepts users searching for Claude Code. The fake landing page uses a technique called ClickFix, presenting an OS-specific command framed as a required installation step. On Windows, running the command triggers a hidden chain beginning with mshta.exe, a legitimate Windows tool that attackers commonly abuse to execute remote payloads.

The downloaded file, named claude.msixbundle, appears to be a genuine Microsoft package with valid Marketplace signatures, allowing it to pass basic security checks. Embedded inside is an HTA payload that silently executes a VBScript, with the window resized to zero pixels so nothing appears on screen.

That script launches obfuscated PowerShell commands through the SysWOW64 subsystem, bypassing detection by reconstructing the word “powershell” at runtime using split variables.

The stager generates a unique ID for the victim machine by hashing the computer name and username together. It uses this hash to build a custom command-and-control URL for each victim, fetching the final payload from a subdomain on oakenfjrod[.]ru. This per-victim URL approach makes bulk network-level blocking extremely difficult to execute.

Persistence, Data Theft, and RedLine Stealer Connections

Once the shellcode runs in memory, the malware establishes persistence by creating scheduled tasks, allowing it to survive reboots and keep running silently. Dynamic analysis showed the malware reaching out to external IP addresses, collecting browser data, and targeting e-wallet applications installed on the infected machine.

The indicators tied to this campaign match techniques and infrastructure previously linked to RedLine Stealer.

To reduce risk, organizations should block known malicious domains and IP addresses at the firewall and use DNS filtering to prevent users from reaching suspicious or newly registered domains. Legacy scripting tools like mshta.exe should be restricted wherever possible.

Users should also be trained to avoid running commands from sites reached through sponsored search results, to verify download pages against official vendor websites, and to rely on trusted package managers like npm, pip, brew, or winget rather than manual scripts from unknown sources.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Using Fake Claude AI Installer Pages to Trick Users Into Running Malware on Their Systems appeared first on Cyber Security News.

Phone-based scams are evolving faster than most security filters can keep up with. Attackers are now leaning heavily on Voice over Internet Protocol (VoIP) numbers that disappear before detection systems can flag them, leaving users exposed and defenders scrambling.

These scam campaigns arrive through email, where attackers embed phone numbers directly into message bodies, subject lines, and file attachments.

The goal is simple: get the recipient to call a fraudulent number and hand over sensitive personal or financial details. By keeping victims on a live call, scammers can manipulate targets far more effectively than a link or attachment alone ever could.

Researchers at Cisco Talos identified that this shift toward phone-oriented attack delivery, known as telephone-oriented attack delivery (TOAD), has become one of the leading tactics in modern email threats.

Their analysis, covering a study window from late February to late March 2025, found that the largest scam campaigns all relied on VoIP infrastructure to operate at scale with minimal cost.

Scammers Game the System With VoIP Numbers

What makes VoIP so appealing to scammers is how easily numbers can be obtained and discarded in bulk. With API-driven provisioning available from a small number of providers, threat actors spin up hundreds of numbers quickly, use them briefly, and abandon them before reputation systems catch on. The median phone number lifespan observed during the study was roughly 14 days.

The impact goes well beyond individual users. Organized scam call centers are running campaigns that impersonate major brands like PayPal, Geek Squad, McAfee, and Norton LifeLock, all while directing victims to the same centralized fraudulent operation.

This infrastructure is deliberately built to resist tracing, blending seamlessly into legitimate telecom networks worldwide.

Scammers are not randomly picking phone numbers. They deliberately acquire large sequential blocks of numbers, often by purchasing Direct Inward Dialing (DID) blocks from providers.

When one number gets flagged, they simply rotate to the next in the sequence, a tactic known as sequential number grouping that keeps operations running without interruption.

Cisco Talos found that six of the ten largest campaigns detected during the study period relied entirely on VoIP infrastructure. Sinch was identified as the most commonly abused CPaaS provider, referring to communications-platform-as-a-service companies offering programmable APIs for voice and messaging. These platforms are built for automation and high call volumes, which makes them attractive and widely exploited tools for large-scale scam operations.

The reuse patterns are equally calculated. Of 1,962 unique phone numbers analyzed, 68 were reused across multiple consecutive days. Scammers often apply a cool-down period, pausing a number for several days before bringing it back into a new campaign. This timing is designed to outlast update cycles of third-party reputation services, which can take days to distribute fresh intelligence.

Recycling Lures to Stay Under the Radar

One of the most telling tactics Cisco Talos documented is the recycling of the same phone number across completely unrelated lures. A single number might appear in emails posing as an order confirmation, a subscription renewal, and a financial alert all within a short span. This deliberate variation in lure type helps attackers avoid patterns that automated filters would otherwise quickly detect.

In one campaign, the same number was embedded in both HEIC and PDF attachment formats, showing how attackers avoid relying on a single delivery method. HEIC files, commonly associated with iPhone photos, were used to bypass traditional file-type detection while maintaining high image quality. Talos confirmed seeing campaigns with even broader attachment variety, underscoring just how adaptable these threat actors have become.

Security and telecom teams are advised to move beyond email sender filtering, which grows less effective as senders cycle rapidly through disposable domains. Talos recommends treating phone numbers as primary indicators of compromise and applying clustering techniques to connect seemingly unrelated campaigns that share the same phone infrastructure. Real-time reputation monitoring across communication channels and active collaboration between telecom providers are among the most effective steps toward stopping these organized scam networks.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Scammers Use Short-Lived VoIP Numbers and Reuse Windows to Defeat Reputation-Based Blocking appeared first on Cyber Security News.

A sophisticated China-linked hacker group known as UAT-8302 has been quietly targeting government agencies across South America and southeastern Europe, using a mix of custom malware and widely available open-source tools to steal sensitive data.

The group has been active since at least late 2024 and stepped up its operations against government bodies in southeastern Europe through 2025. Their goal is clear: get in, stay hidden, and walk out with as much information as possible.

What makes UAT-8302 particularly dangerous is its ability to blend in. By pairing legitimate cloud services and open-source tools with custom-built malware, the group makes it harder for defenders to separate genuine network activity from a hostile intrusion.

The attackers display a high level of patience, conducting deep and methodical reconnaissance on every endpoint they can reach before pushing further into the target environment. This careful, deliberate approach is widely recognized as a hallmark of state-sponsored threat operations targeting high-value government infrastructure.

Researchers at Cisco Talos identified UAT-8302 as a China-nexus advanced persistent threat group tasked primarily with gaining and maintaining long-term access to government and related entities around the world.

Talos analysts assessed with high confidence that the group shares tooling with several previously disclosed China-nexus clusters, including a threat cluster they track as LongNosedGoblin. The overlap in tools and techniques points to a close operational relationship between these groups.

UAT-8302’s Custom Malware Arsenal

The post-compromise activity follows a familiar and thorough playbook. Once inside a network, the group collects credentials, gathers Active Directory information, and maps out the entire environment before deploying additional malware.

Tools like Impacket, custom PowerShell scripts, and open-source scanning engines are used to discover every reachable endpoint. This approach ensures that attackers fully understand the scope of the environment they now control before deciding on their next move.

The variety of malware families deployed by UAT-8302 shows the group has access to a well-stocked toolkit. The group deploys NetDraft, a .NET-based backdoor linked to the FinDraft and SquidDoor family, alongside an updated version of the CloudSorcerer backdoor and the VSHELL implant. In one documented intrusion, the group also deployed SNAPPYBEE and ZingDoor together, a tactic independently highlighted by Trend Micro in 2024 reporting on similar China-linked activity.

NetDraft is one of the most notable tools in UAT-8302’s arsenal. It is delivered through a DLL side-loading technique where a benign executable loads a malicious DLL-based loader, which then decodes and runs NetDraft within an existing process on the compromised system.

The malware uses the Microsoft Graph API to communicate with its OneDrive-based command-and-control server, allowing it to blend into normal cloud traffic and avoid detection. Talos tracks the embedded helper library used by NetDraft as “FringePorch.”

CloudSorcerer version 3 behaves differently depending on which process it runs inside. If injected into “dnapimg.exe,” it collects system details and pivots into explorer.exe to receive commands through a named pipe channel.

If running inside “spoolsv.exe,” it contacts a GitHub repository to pull down command-and-control information. This shape-shifting behavior makes detection harder for conventional security tools. Talos also noted the use of SNOWRUST, a Rust-based variant of the SNOWLIGHT stager seen in intrusions attributed to other China-nexus clusters.

Open-Source Tools and Lateral Movement

UAT-8302 relies heavily on open-source tools when moving through compromised networks. After gaining initial access, the group runs scanning tools including gogo, naabu, httpx, and PortQry to map services across internal networks and discover new systems to pivot toward.

Credentials are harvested from MobaXterm sessions and Active Directory using tools like adconnectdump.py and SharpGetUserLoginRDP.

To maintain persistent backdoor access, the group deploys Stowaway, a proxy tunneling tool written in Simplified Chinese, routing outside traffic into infected hosts within the enterprise. SoftEther VPN clients were also observed in use.

Government agencies should keep endpoint detection tools updated to flag these threat signatures, monitor outbound traffic to cloud platforms like OneDrive and GitHub for unusual patterns, and regularly audit scheduled tasks and DLL side-loading behavior across all managed endpoints.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post UAT-8302 Uses Custom Malware and Open-Source Tools to Steal Data From Government Agencies appeared first on Cyber Security News.

Hackers are using fake Google ads to steal login credentials from ManageWP users, GoDaddy’s popular platform for managing WordPress websites from a single dashboard. The campaign, which researchers have dubbed “WrongPress,” plants a fraudulent sponsored search result directly above the real ManageWP listing, trapping users before they even realize something is wrong.

ManageWP is widely used by web developers, digital agencies, and enterprises who need to oversee dozens or even hundreds of client websites at once. Because a single account can control that many sites, stealing one set of credentials gives an attacker a massive foothold into an entire web portfolio.

According to WordPress.org, the ManageWP Worker plugin is active on more than one million websites, making the stakes extraordinarily high.

The attack begins the moment a user types “managewp” into Google. The malicious sponsored result appears at the very top of the page, sitting right above the legitimate one.

Researchers at Guardio Labs were the first to identify this campaign and raise the alarm, warning that even cautious users could fall for the trap simply because the fake result appears so convincingly placed.

What makes this campaign especially difficult to spot is that the fake login page is a near-perfect copy of the real ManageWP screen. There are no obvious red flags for the average user. By the time a victim types their username and password, those credentials have already been silently sent to an attacker-controlled Telegram channel.

Hackers Abuse Google Ads

Guardio Labs confirmed at least 200 unique victims at the time of writing and has been actively reaching out to alert those affected. The research team also managed to infiltrate the attacker’s command-and-control infrastructure, giving them a rare look at the full scale of how this operation runs in real time.

The infection chain is built to dodge Google’s ad review systems and the suspicion of real users alike. When a victim clicks the malicious ad, they first pass through a cloaker, a tool that filters out automated inspectors while letting genuine users through. This step helps the attackers conceal who actually authorized the sponsored result and avoid triggering Google’s ad inspection mechanisms.

Once the cloaker approves a genuine visitor, they are redirected to a fake ManageWP login page where the adversary-in-the-middle, or AiTM, technique takes over. The attacker’s server acts as a live go-between, forwarding stolen credentials to the real ManageWP platform in real time.

The victim is then shown a fake prompt asking for their two-factor authentication code, which the attacker uses simultaneously to complete the actual login, rendering 2FA completely useless.

The operation is managed through a command-and-control server that gives the attacker a live dashboard for steering ongoing phishing sessions. Guardio Labs noted the kit appears to be a private framework rather than a commodity tool sold on underground forums. Embedded in the code was also a Russian-language disclaimer in which the author denies responsibility for illegal activity and prohibits targeting systems based in Russia.

The Broader Risk to WordPress Site Owners

The danger here extends far beyond a single stolen password. Because ManageWP is a centralized hub, one compromised account can hand an attacker control over hundreds of websites simultaneously. Guardio Labs head researcher Nati Tal confirmed that each account typically hosts hundreds of sites, meaning attackers could inject malware, redirect traffic, or harvest visitor data at a sweeping scale.

Security experts advise avoiding sponsored search results when navigating to login pages for services you use regularly. Bookmarking the official URL or typing it directly into the browser address bar is a far safer habit. Users should also monitor their accounts for unexpected logins and consider adopting phishing-resistant authentication methods, such as hardware security keys, where supported.

The WrongPress campaign is a reminder that even routine actions like Googling a login page can carry serious risk. As attackers grow more creative with search advertising abuse, verifying where a link actually leads before clicking has never mattered more.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Abuse Google Ads to Steal Users GoDaddy ManageWP login Credentials appeared first on Cyber Security News.

A new wave of fraudulent Android apps quietly racked up millions of downloads on Google Play before being taken down. These apps, now tracked under the name CallPhantom, promised users something irresistible: the ability to look up the call history of any phone number. What they actually delivered was nothing more than fake data and a very real financial loss.

The scheme worked by exploiting a simple but powerful hook. People are naturally curious about who has called a specific number, and these apps claimed to deliver that information instantly.

Users were shown what looked like partial results and then prompted to pay to unlock the full call history. That history was entirely fabricated right from the start.

Researchers at WeLiveSecurity identified and reported 28 such fraudulent applications on the Google Play Store.

Their analysis found the apps had been cumulatively downloaded over 7.3 million times before Google removed them following ESET’s disclosure in December 2025.

The apps primarily targeted Android users in India and the broader Asia-Pacific region. Many came with India’s country code pre-selected and supported UPI, a payment system widely used across India. A screenshot of the fabricated call history data was even included in the app’s Play Store listing, presented as proof the app actually worked.

Fake Call History Apps on Google Play

Despite looking different on the surface, all 28 apps shared the same core purpose: generate fake communication data and charge victims for access. Subscription packages ranged from weekly to yearly, with the highest price reaching up to $80.

The CallPhantom apps fell into two main clusters. The first group had hardcoded names, country codes, and call log templates embedded directly in their code. These were combined with randomly generated phone numbers and shown to users as partial results, pushing them to pay to see more.

The second cluster asked users to enter an email address, claiming the retrieved call history would be delivered there. No data was generated until after payment, and even then, nothing real was ever sent. The apps had no actual capability to access call logs, SMS records, or WhatsApp data from any device.

This shows how deeply the deception was built into the code, with fixed names and timestamps baked in before the app ever reached a user’s phone.

Three payment methods appeared across the apps. Some used Google Play’s official billing system. Others redirected users to third-party UPI apps, with payment details either hardcoded or fetched dynamically from a Firebase real-time database, letting operators swap receiving accounts at will.

A third method embedded payment card checkout forms directly inside the app, violating Google Play’s payments policy and making refunds significantly harder.

Bypassing Refunds and Staying Under the Radar

One of the most deliberate tactics used by CallPhantom was steering users toward payment channels Google could not reverse. When payments went through third-party UPI apps or direct card entry inside the app, Google had no ability to cancel transactions or issue refunds. Victims were left fully dependent on external payment providers or the scam developers themselves.

In at least one case, the app sent deceptive notifications styled as email alerts, falsely claiming call history results had arrived. Tapping the notification led straight to a subscription screen, keeping the pressure on even after users had exited without paying.

Anyone who subscribed through Google Play’s official billing system may be eligible for a refund, as existing subscriptions were canceled when the apps were removed. Requests must fall within Google’s allowed refund window. For purchases made outside Google Play, contacting the payment provider or card issuer directly to dispute the charge is the recommended step.

The most practical protection is verification before downloading. Checking developer credibility, reading user reviews carefully, and staying skeptical of apps claiming to access private data belonging to other people are all steps that help avoid traps like these.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post 28 Fake Call History Apps on Google Play with 7.3M+ Downloads Trick Users to Steal Payments appeared first on Cyber Security News.

A fresh wave of malicious packages has been quietly spreading through the NuGet ecosystem, one of the most widely used registries in the .NET developer world. Five rogue packages have been discovered posing as legitimate Chinese software libraries, secretly stealing browser credentials, SSH private keys, and cryptocurrency wallet data.

The attack takes a clever approach. Instead of creating obviously suspicious packages, the threat actor built each malicious library on top of real, functional code that developers in Chinese enterprise environments would recognize.

By mimicking trusted tools like AntdUI, a popular WinForms component library, the packages appear legitimate enough to pass casual inspection.

Researchers at Socket.dev identified all five packages, published under a single NuGet account named bmrxntfj. The packages accumulated approximately 64,784 downloads across all versions, placing tens of thousands of developer machines and CI/CD build systems at risk. The campaign traces back to at least September 2025, with all five packages still live at the time of writing.

What makes this campaign persistent is the version rotation technique the operator used. Out of 224 total versions published, 219 were deliberately hidden from public search. By keeping only one version visible while regularly swapping in fresh ones, the attacker invalidated hash-based detection and forced security teams to constantly update their blocklists.

Any developer workstation or build server that ran a package restore referencing these five IDs has potentially been exposed since late 2025. That long lifespan and high download count make this one of the more quietly damaging supply chain threats discovered this year.

Malicious NuGet Packages

The payload fires through a .NET module initializer, which the runtime calls automatically when a matching assembly loads. No user interaction is needed beyond a routine package restore. Once triggered, the malware uses JIT hooking to replace the compiler’s dispatch pointer, gaining control over every method compiled afterward.

A second-stage infostealer named we4ftg.exe then executes. It targets saved credentials across 12 Chromium-based browsers including Chrome, Edge, Brave, Firefox, and Opera, collecting passwords, autofill data, session cookies, and payment cards. It handles both legacy and AppBound Chrome encryption formats, confirming the payload has been recently maintained.

Cryptocurrency assets are a major focus. Browser extension wallets including MetaMask, TronLink, Phantom, Trust Wallet, and Coinbase Wallet are targeted, along with desktop applications like Exodus, Electrum, Atomic, Guarda, Ledger, and Binance. SSH private keys, Outlook profiles, Steam credentials, and files from Documents, Desktop, and Downloads are also collected.

All harvested data is staged under a folder path mimicking a legitimate Microsoft OneDrive directory. Legitimate OneDrive never creates a file by that specific name, making its presence a clear detection signal. Data is then sent to a command-and-control server registered 33 days before the NuGet publishing burst began.

C2 Infrastructure and Attribution

The primary C2 domain resolves to a server in Amsterdam operated through a virtual hosting provider. Its nameservers run through Njalla, a privacy registrar frequently used by threat actors to obstruct takedown requests. The domain was engineered to resemble a legitimate DNS provider so it would blend into routine firewall logs.

A secondary domain linked to an Alibaba Cloud server in Shanghai appears to host the attacker’s development environment. It produced no hits in public malware databases and was not observed receiving stolen data.

Attribution was confirmed through a unique RSA-1024 key embedded in every .NET Reactor-protected package. That same key appeared in four other malicious files on VirusTotal, including memory dumps predating the NuGet campaign by weeks. Labels on those files point to known malware families including Lumma, Quantum, AgentRacoon, and ArrowRAT.

Developers should immediately check project and lock files for any reference to IR.DantUI, IR.Infrastructure.Core, IR.Infrastructure.DataService.Core, IR.iplus32, or IR.OscarUI. Any machine that restored these packages should be treated as compromised, with all credentials, API keys, SSH keys, and wallet seeds rotated. Security teams should configure alerts for connections to the known C2 domain and watch for unexpected file creation at the OneDrive staging path.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Malicious NuGet Packages Target Browser Credentials, SSH Keys, and Crypto Wallets appeared first on Cyber Security News.

A dangerous new piece of malware called Remus has surfaced, quietly picking up where one of the most feared information stealers left off.

Designed to steal browser passwords, cookies, and cryptocurrency wallets, Remus carries the DNA of Lumma Stealer, one of the most technically advanced stealers-as-a-service seen in recent history.

Remus first appeared in the wild around January and February 2026, arriving shortly after Lumma Stealer suffered a major disruption. Between late August and October 2025, alleged core members behind Lumma were exposed through a doxxing campaign that rattled the group’s operations.

Researchers believe some of Lumma’s authors split off or chose to rebuild under a new name, and Remus appears to be the result.

Analysts at Gen Threat Labs identified this new threat, tracing its roots to test builds labeled as Tenzor. Dated September 16, 2025, those builds served as a bridge between Lumma and what would become Remus.

Researchers Vojtech Krejsa and Jan Rubin attributed Remus as a new 64-bit variant of the Lumma family, noting that Lumma was originally a 32-bit operation.

What makes Remus especially concerning is how closely it mirrors Lumma in design and behavior. The two share the same string obfuscation method, anti-virtual machine checks, nearly identical code structure, and a browser encryption bypass that researchers had only ever seen Lumma use. This level of overlap points strongly to a shared origin.

While Lumma campaigns continue globally, Remus is not a direct replacement. It is more of a natural evolution, upgrading the architecture to 64-bit and adding newer evasion techniques. Both threats represent a widening footprint for an actor that has already proven very hard to stop.

Lumma-Style Browser Key Theft

One of Remus’s most alarming inherited capabilities is its method for breaking into browser-protected data. It targets Application-Bound Encryption, a security layer Chromium browsers use to protect sensitive keys stored on disk.

Rather than reading the key off disk, Remus injects a small shellcode into the live browser process to locate and decrypt the master key from inside the browser’s own memory.

This technique had previously only been observed in Lumma Stealer. Remus searches for a specific byte pattern inside the browser’s code, locates the encrypted key in memory, and uses the browser’s own decryption functions to unlock it.

The shellcode Remus injects is more compact at 51 bytes versus Lumma’s 62, suggesting active refinement.

If injection into an existing browser process fails, Remus launches a hidden browser on a separate desktop, invisible to the user.

Unlike Lumma, which used a hardcoded desktop name, Remus generates a random 16-character string each time. This makes detection harder for tools that rely on fixed naming patterns.

EtherHiding and Anti-Analysis Evasion

Beyond encryption bypass, Remus introduces a key upgrade in how it contacts its command-and-control servers. Lumma relied on platforms like Steam and Telegram to store server addresses.

Remus replaces this with EtherHiding, embedding the server address inside an Ethereum blockchain smart contract, making its infrastructure far harder to disrupt.

Because blockchain data is decentralized and cannot be removed by any platform operator, there is no single point of failure for defenders to target.

Remus queries the smart contract at runtime over a public endpoint and pulls the current server address, removing a defensive lever that had worked against Lumma.

Remus also adds checks to detect analysis tools and sandbox environments before executing. It scans for DLLs linked to known analysis platforms and checks for a specific honeypot file on disk.

If either check triggers, the malware exits silently. These capabilities make Remus a stealthier and more sophisticated threat that security teams need to address without delay.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Remus Infostealer Uses Lumma-Style Browser Key Theft and Application-Bound Encryption Bypass appeared first on Cyber Security News.

The aviation and aerospace sector has become one of the most actively targeted industries by ransomware operators and data extortion groups in 2025 and 2026.

From passenger-processing platforms to satellite-dependent navigation systems, attackers are finding that disrupting even a single vendor in the tightly connected aviation ecosystem can produce cascading effects across airlines, airports, and ground operations worldwide.

The risk profile of the aviation sector makes it a particularly attractive target for cybercriminals. Airlines, airports, aerospace manufacturers, ground handlers, reservation platforms, and maintenance providers all operate as an interconnected ecosystem.

An attack on any one node within this system can cause disruption far beyond the entity that was initially compromised, often resulting in delays, manual operations, and cascading impacts on passengers.

The September 2025 cyberattack on Collins Aerospace’s MUSE passenger-processing platform demonstrated this risk clearly, with confirmed disruptions at major European hubs including Heathrow, Brussels, Berlin, and Dublin.

It was later disclosed that the incident involved ransomware, requiring manual recovery operations at multiple airports.

Ransomware Attacks Targeting Aviation

The threat landscape has not slowed in 2026. In April 2026, travel-sector sources reported a separate wave of cyber-related IT disruptions affecting European airports between April 4 and April 6, with impacts to check-in, boarding, baggage handling, and flight schedules.

While technical attribution in the public record remains limited for this event, the reported disruptions highlight that aviation IT environments continue to be under active pressure.

Earlier in January 2026, Tulsa Airports Improvement Trust confirmed that an unauthorized third party accessed and acquired files from its systems between January 17 and January 20.

Ransomware tracking and media reporting later linked this incident to the Qilin ransomware group, which allegedly posted stolen documents on its leak site.

PolySwarm analysts identified multiple malware families and threat actor groups that are actively targeting the aviation and aerospace sector.

These include ransomware families such as Qilin, LockBit, and Cl0p, as well as threat actor groups including Scattered Spider, Refined Kitten, Wicked Panda, and Fancy Bear, each presenting distinct risk profiles and attack motivations.

The analysts noted that shared IT platforms, identity-based intrusion, and supply chain dependencies are among the most concerning attack vectors across this sector in 2026.

Beyond ransomware, the sector also faces growing exposure from satellite-dependent systems and GNSS spoofing. Aerospace and aviation rely on satellite-enabled navigation, communications, weather data, and tracking systems.

Interference with ground stations, satellite communications links, or signal reliability can create upstream disruption, particularly for military aviation, remote routes, and regions affected by geopolitical conflict.

Scattered Spider and Identity-Based Intrusion

One of the most concerning attack vectors currently affecting the aviation sector is identity-based intrusion, largely associated with the threat actor known as Scattered Spider.

The FBI warned in 2025 that Scattered Spider had expanded its targeting to include the airline sector.

The group operates through help-desk social engineering, MFA manipulation, SIM swapping, and impersonation of employees or contractors, which are particularly effective in aviation environments because airlines and airports rely on distributed workforces, third-party IT providers, and shared identity workflows.

What makes Scattered Spider especially dangerous in this context is the scale of potential damage from a single identity compromise.

If an attacker gains access to a shared service provider or identity layer, the compromise can cascade across multiple organizations simultaneously.

For aviation environments, this means that a single successful social engineering attempt targeting a help desk contractor could potentially grant access to systems spanning multiple airlines or airport operators.

Organizations in aviation and aerospace should take several protective steps to reduce their exposure. Shared airport IT platforms must be treated as high-priority single points of failure, and contingency planning for manual operations should be regularly tested and updated.

Identity verification processes, particularly those involving help desks and contractors, need to go beyond standard MFA to resist social engineering and SIM-swapping tactics.

Aviation supply chain partners and third-party vendors should be assessed regularly for security maturity, especially smaller regional providers that may lack dedicated internal security teams.

GNSS interference and satellite dependency risks should be incorporated into operational resilience planning, particularly for routes and operations in geopolitically sensitive regions.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Ransomware and Data Extortion Groups Intensify Targeting of Aviation and Aerospace Sector appeared first on Cyber Security News.

A large-scale phishing campaign has been caught using fake “code of conduct” emails to trick employees into giving up their account credentials.

The attackers did not just steal passwords. They went a step further by hijacking active authentication sessions through an adversary-in-the-middle (AiTM) technique, making standard multi-factor authentication (MFA) protection largely ineffective.

The campaign ran between April 14 and 16, 2026, hitting more than 35,000 users across over 13,000 organizations in 26 countries.

The United States was the primary target, accounting for 92% of all affected users. Industries such as healthcare and life sciences (19%), financial services (18%), professional services (11%), and technology and software (11%) were among the most impacted.

The emails were sent in multiple distinct waves, starting at 06:51 UTC on April 14 and concluding at 03:54 UTC on April 16.

The phishing emails were crafted to look like internal compliance or regulatory notices. Display names used in the messages included “Internal Regulatory COC,” “Workforce Communications,” and “Team Conduct Report.”

Subject lines such as “Internal case log issued under conduct policy” warned recipients that a code of conduct review had been opened against them.

Each message instructed users to open a personalized PDF attachment to review their case materials. A green banner at the bottom of the emails falsely stated that the contents had been encrypted using Paubox, a legitimate HIPAA-compliant service, to give the campaign a professional and trustworthy appearance.

Microsoft Defender Research analysts identified and tracked this campaign across multiple organizations, noting that the messages were distributed through a legitimate email delivery service and likely originated from a cloud-hosted Windows virtual machine.

The team noted that attacker-controlled sending domains were used, including addresses such as cocpostmaster@cocinternal.com and nationalintegrity@harteprn.com.

Researchers also noted that the email templates used polished, enterprise-style HTML layouts with preemptive authenticity statements, making them far more convincing than typical phishing messages.

Once a recipient opened the attached PDF, which carried filenames like “Awareness Case Log File – Tuesday 14th, April 2026.pdf” and “Disciplinary Action – Employee Device Handling Case.pdf”, they were directed to click a “Review Case Materials” link.

This link led to attacker-controlled landing pages hosted on domains such as compliance-protectionoutlook[.]de, where a Cloudflare CAPTCHA was presented to filter out automated security tools and sandboxes.

Inside the Multi-Stage Attack Chain

After passing the first CAPTCHA, users landed on an intermediate page that claimed the requested documentation was encrypted and required account verification.

This page prompted users to click a “Review and Sign” button and then enter their email address, followed by a second CAPTCHA involving image selection.

Once these steps were completed, users saw a confirmation message stating that their “case” was being prepared.

The final stage varied depending on whether the user was on a mobile device or a desktop. In both cases, users were told their case materials had been “securely logged” and “time-stamped,” and they were asked to sign in to schedule a discussion.

Clicking “Sign in with Microsoft” launched a real Microsoft authentication page, but the entire session was being proxied in real time by the attacker.

This is the core of an AiTM attack as the attacker sits between the user and the legitimate service, capturing authentication tokens the moment they are issued.

These tokens give direct account access without needing the user’s password again, bypassing standard MFA entirely.

Organizations and users should take the following steps to reduce risk from this type of attack. Reviewing recommended settings for Exchange Online Protection and enabling Zero-hour auto purge (ZAP) in Defender for Office 365 helps quarantine malicious messages after delivery.

Turning on Safe Links and Safe Attachments adds another detection layer for PDF-embedded phishing links. Enabling network protection in Microsoft Defender for Endpoint and encouraging use of browsers that support SmartScreen help block access to attacker-controlled domains.

Organizations should also enable phishing-resistant MFA methods such as FIDO keys, Windows Hello, or the Microsoft Authenticator app, and apply Conditional Access policies to strengthen privileged accounts.

Running user awareness training and phishing simulation exercises helps staff recognize social engineering tactics like this campaign.

Finally, configuring automatic attack disruption in Microsoft Defender XDR can limit the impact of active intrusions while security teams work to contain the threat.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Code of Conduct Phishing Emails Target 35,000 Users in Multi-Stage AiTM Attack appeared first on Cyber Security News.

Threat actors are increasingly turning to Amazon’s own cloud email infrastructure to deliver phishing messages that look completely genuine, passing every standard security check along the way.

Phishing has always been about deception. Attackers craft emails designed to look real, hoping recipients will trust what they see and hand over their credentials or money.

For years, security tools have gotten better at spotting suspicious senders, unknown domains, and failed email authentication checks.

So attackers adapted. Instead of building fake infrastructure, they are now hijacking real, trusted services to do the dirty work.

The latest target of this strategy is Amazon Simple Email Service, widely known as Amazon SES, a cloud-based platform used by businesses around the world to send transactional and marketing emails reliably.

Amazon SES is deeply embedded in the AWS ecosystem, which makes it a trusted name for both users and security filters alike.

Emails sent through this service carry valid SPF, DKIM, and DMARC authentication headers, meaning they pass every technical check that most email security systems run.

The Message-ID headers in these messages almost always include “.amazonses.com,” further reinforcing the appearance of legitimacy.

From a purely technical standpoint, a phishing email sent through Amazon SES looks no different from a legitimate business communication. This is precisely what makes the abuse of this platform so dangerous.

Securelist researchers identified a clear and growing uptick in phishing campaigns abusing Amazon SES in early 2026.

The team noted that attackers are exploiting this platform not because it is vulnerable in the traditional sense, but because it is legitimate.

By routing phishing emails through trusted infrastructure, threat actors effectively sidestep reputation-based blocklists.

Blocking the sender’s IP address is not a viable solution either, because doing so would cut off all legitimate emails sent through Amazon SES for any organization, generating an unmanageable volume of false positives.

The most common lure observed in early 2026 involved fake notifications from electronic signature services, such as emails impersonating Docusign.

Victims received messages asking them to click a link to review and sign a document. The link appeared to point to amazonaws.com, which most users would consider safe.

Clicking it redirected victims to a credential-harvesting form hosted on AWS infrastructure, making the deception even harder to detect.

Beyond credential theft, attackers have also been using Amazon SES to conduct Business Email Compromise (BEC) campaigns, where they impersonate employees and send fabricated invoice threads to finance departments, requesting urgent wire transfers.

The PDF attachments in these BEC emails contained no malicious URLs or QR codes, only forged payment details and supporting documents designed to appear as a legitimate business exchange.

How Attackers Gain Access

The entry point for these campaigns is almost always leaked IAM (AWS Identity and Access Management) access keys.

Developers routinely expose these keys by leaving them in public GitHub repositories, ENV configuration files, Docker images, or unsecured S3 buckets.

Attackers use automated scanning tools, including bots built on the open-source utility TruffleHog, specifically designed to hunt for exposed secrets across public code repositories.

Once a key is found, the attacker verifies its sending permissions and email limits, then begins blasting out phishing messages at scale.

The entire operation takes advantage of someone else’s legitimate account, meaning the sending IP carries a clean reputation and the emails arrive with full authentication stamps intact.

This makes detection at the gateway level extremely difficult, because the email is technically doing everything right.

Securelist researchers recommend that organizations treat IAM access key security as a top priority. Applying the principle of least privilege ensures that keys carry only the permissions required for specific tasks, reducing the damage potential if a key is exposed.

Transitioning from static IAM access keys to AWS IAM roles is a stronger approach, as roles provide scoped, temporary permissions.

Enabling multi-factor authentication, configuring IP-based access restrictions, setting up automated key rotation, and running regular security audits all help reduce exposure.

Using the AWS Key Management Service to manage encryption keys centrally also adds an important layer of control.

On the user side, emails should never be trusted based solely on the sender name or domain.

Unexpected documents should be verified through a separate communication channel before any action is taken, and every link in an email body should be inspected carefully before clicking.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Attackers Abuse Amazon SES to Send Authenticated Phishing Emails That Bypass Security appeared first on Cyber Security News.

Tracking Advanced Persistent Threat (APT) groups has never been a simple task. For years, security organizations have relied on identifying consistent behaviors, tools, and infrastructure to pin activity to a known threat actor.

But that approach is showing serious cracks, as APT groups are not the rigid, predictable entities they were once assumed to be.

The old method of following Tactics, Techniques, and Procedures (TTPs) was practical when threat actors stayed consistent.

The problem today is that adversaries change operators, swap tools, rebuild infrastructure, and reshape objectives, sometimes within a single campaign cycle.

This leaves analysts working with fragmented signals and no reliable thread to connect the dots. The growing gap between how defenders track threats and how those threats actually behave has pushed researchers toward a fundamentally different way of thinking about attribution.

DarkAtlas analysts identified this structural gap and introduced a campaign-based attribution framework designed to address the limitations of traditional group-centric models.

Rather than treating APT groups as fixed identities, the framework focuses on discrete, time-bound clusters of activity called campaigns, where each cluster is defined by its objectives, infrastructure patterns, and operational behavior.

The key insight is that continuity between campaigns does not require identical TTPs. Instead, it is inferred through partial overlaps across multiple independent evidence layers.

The framework draws on what researchers describe as the “Ship of Theseus” problem in attribution. If an adversary group replaces every component of its operation, from personnel to tools to infrastructure, is it still the same group? Traditional attribution models would struggle to answer that question confidently.

The new campaign-linkage approach sidesteps this paradox by measuring relationships between campaigns rather than assuming a stable group identity.

This framework does not eliminate uncertainty. Instead, it introduces a confidence-based attribution model where conclusions are expressed as high, medium, or low confidence depending on how many independent evidence layers converge.

High-confidence attribution requires strong, multi-layered overlap across strategic, operational, technical, infrastructure, and human dimensions.

Medium confidence reflects partial alignment, and low confidence applies when only a single dimension shows similarity or when data is limited.

How the Overlap Model Works in Practice

At the core of the framework is what DarkAtlas researchers call the Overlap Model, a multi-dimensional correlation approach that replaces single-indicator attribution with layered analysis.

No single artifact, whether a reused IP address, a shared tool, or a matching technique, is treated as sufficient evidence of continuity. Attribution confidence builds only when multiple dimensions align independently.

The model examines six analytical layers. The strategic layer looks at geopolitical alignment and targeting intent, which tends to remain stable even as tactics evolve.

The operational layer tracks targeting patterns, campaign timing, and victim sequencing. The tactical layer maps procedural execution against frameworks like MITRE ATT&CK, while the technical layer examines custom malware characteristics, encryption routines, and build artifacts.

The infrastructure layer studies domain naming conventions, TLS certificate reuse, and DNS behavior, and the human layer captures operator-specific traits like coding style, language artifacts, and OPSEC habits.

Together, these layers feed into a Campaign Linkage Graph, a structured network where each node represents a distinct campaign and each edge represents a weighted relationship between campaigns.

Strong links indicate substantial overlap across multiple layers, medium links reflect partial alignment, and weak links flag tentative connections that require further validation.

This graph-based approach handles adversary evolution naturally, absorbing tooling changes as new nodes, treating infrastructure rotation as weaker but traceable connections, and capturing group fragmentation as branching paths within the network.

Security teams and threat intelligence practitioners should consider the following based on the framework’s findings:-

• Move away from single-indicator attribution and require multi-layer evidence before drawing conclusions about campaign origin or group identity.
• Treat TTPs as behavioral signals rather than fingerprints, since adversaries routinely modify or share techniques across groups to create false attribution trails.
• Adopt a campaign-centric tracking model where each operation is logged as a discrete unit, making it easier to build relationship graphs over time without depending on group labels.
• Assign confidence tiers to all attribution assessments and revisit earlier conclusions as new campaign data emerges, particularly when infrastructure or tooling patterns resurface.
• Focus additional monitoring resources on stable indicators such as victimology and geopolitical timing, which persist longer than tools or infrastructure.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Attribution Framework Connects APT Campaigns Through Strategic, Operational, and Technical Layers appeared first on Cyber Security News.

A fake website claiming to offer an official macOS version of the popular text editor Notepad++ has been making rounds online, raising serious cybersecurity concerns across the tech community.

The site, operating under the domain notepad-plus-plus-mac.org, falsely presents itself as the official release of Notepad++ for Apple devices, misleading thousands of users who simply want a trusted code editor on their Mac.

What makes this situation more dangerous is that the website has already managed to fool reputable tech media outlets, including MacRumors and AlternativeTo, into reporting it as a legitimate product launch.

Notepad++ has been a Windows-exclusive text editor for over two decades, and its creator Don Ho has never released any version for macOS.

The fake site, however, boldly claimed that “Notepad++ is now natively available for macOS” with “no Wine, no emulation” and marketed itself as “a full native port for Apple Silicon and Intel Macs.”

To make things worse, the site even used Don Ho’s name and biography on its author page without any permission, creating a false sense of official endorsement.

Ho personally reached out to the site owner to address the trademark violation, but as of May 5, 2026, he has received no reply.

Analysts at International Cyber Digest were among the first to publicly flag the threat, pointing out that the website uses the Notepad++ trademark and the founder’s identity without authorization.

Their warning reached nearly 40,000 views within hours of being posted, signaling just how widespread the confusion had become.

Readers on X’s community notes also added context, clarifying that the site represents an unofficial community port and is not affiliated with the original Notepad++ development team in any capacity.

The developer behind the site, Andrey Letov, a software engineer from New York, built his application based on the open-source Notepad++ code.

While forking open-source software is generally acceptable, branding an independent fork with the original product’s name, logo, and founder’s identity crosses a clear legal and ethical line.

Don Ho acknowledged in a public statement that he has nothing against open-source forking itself, but the issue is the deliberate use of his name and trademark, which creates direct confusion among end users and the press alike.

In the worst case, as Ho himself warned, a product carrying the Notepad++ name could be used to distribute malware or a backdoor to unsuspecting users.

This incident also arrives against a backdrop of Notepad++ already having faced a serious supply chain attack between June and December 2025, where state-sponsored Chinese hackers from the Lotus Blossom group compromised the official Notepad++ update infrastructure and delivered a malicious backdoor called Chrysalis to targeted users.

That prior incident makes the community especially sensitive to anything mimicking the Notepad++ brand.

How the Fake Site Could Harm You

The core risk with any unofficial software build marketed under a trusted name is that users have no way to verify what is actually packaged inside the installer.

Threat actors routinely use this technique, known as brand impersonation or typosquatting, to serve malware, infostealers, or remote access trojans under the cover of a well-known application.

In past campaigns, security researchers have documented fake Notepad++ sites delivering payloads through DLL sideloading methods, where a malicious library file is placed alongside a legitimate binary to silently execute malicious code on the victim’s machine.

When a user downloads an installer from an unverified source, the machine can become compromised without any visible signs, making detection difficult until significant damage is done.

Users should only download Notepad++ or any software from its official website at notepad-plus-plus.org.

Avoid installing applications from third-party domains, even if they appear professional or receive media coverage. Always verify the publisher and check for digital signatures before running any installer.

If you have already downloaded the Mac version from notepad-plus-plus-mac.org, scan your device with a trusted security tool immediately.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Beware of Fake ‘Notepad++ for Mac’ Website, Possibly Could Harm your Machine appeared first on Cyber Security News.

The npm ecosystem has long been a target for supply chain attacks, where threat actors exploit the open nature of public package registries to push malicious code into developer environments.

With pnpm 11, the package manager takes a direct step to address this growing risk by enabling key security protections out of the box, making it harder for freshly published malicious packages to silently reach production systems.

For years, every major package manager shipped with an implicit assumption: install whatever is published, no questions asked.

That default behavior has repeatedly allowed attackers to publish a poisoned version of a popular package and watch automated pipelines pull it in within minutes.

Recent supply chain campaigns across the Node.js, Python, and PHP ecosystems have relied on installer-time hooks to download platform-specific payloads, steal credentials, and exfiltrate secrets targeting developers and CI/CD systems.

The attacks used preinstall or postinstall hook mechanisms to download and execute an obfuscated runtime payload, eventually targeting developer and CI/CD secrets.

Researchers at Socket.dev identified and documented how these campaigns move across npm, PyPI, and Packagist registries, noting that most malicious package versions get detected within hours of publication but the damage is done when tools install them the moment they appear.

This pattern, where newly published malicious versions exploit a short window before detection, is exactly what pnpm 11’s new defaults are designed to close.

pnpm 11 arrives as the Go, Rust, and PHP ecosystems were registering responses to a fresh-package supply chain campaign that compromised packages across npm, PyPI, and Packagist.

For GoSvelte target teams, this release showed how much the role of package managers has changed. They are no longer just tools for resolving and installing dependencies, but are increasingly where supply chain security decisions get enforced.

The update introduces three hardened defaults: a Minimum Release Age of 1,440 minutes (24 hours), blocking of exotic subdependencies by default, and a new Allow Builds model for controlling which packages can execute build scripts during installation.

Teams can override these settings when needed, but the default posture now favors security over immediacy.

Supply Chain Protection On by Default

The most impactful change in pnpm 11 is the Minimum Release Age setting, which now defaults to 1,440 minutes.

Newly published package versions are not resolved until they are at least one day old, reducing exposure during the highest-risk window immediately after publication.

Teams can adjust this value using minimumReleaseAge in their configuration, and specific packages can bypass the wait period using minimumReleaseAgeExclude for cases such as critical hotfixes or security patches.

pnpm 11 also turns on Block Exotic Subdeps by default through the blockExoticSubdeps setting. Exotic subdependencies are transitive packages that resolve from non-standard sources, such as Git repositories or direct tarball URLs, rather than the normal registry.

Blocking them reduces the chance that packages can quickly introduce less critical dependency sources into the install graph, narrowing one of the paths attackers use to hide unexpected code in a dependency tree.

Recent supply chain campaigns rarely rely on just one technique, and defaults that reduce unexpected sources make those chains harder to complete.

The new allowBuilds model gives teams a cleaner way to govern which packages are allowed to execute build scripts during installation.

Instead of scattering a build-script allowlist policy across multiple settings, teams now define it from a package name pattern that maps to booleans.

This change is especially timely because lifecycle scripts remain one of the most used execution paths in npm attacks.

The new Allow Builds model does not remove the need for any dependency review, but it gives teams a clearer way to govern which packages are allowed to execute build scripts during installation.

Teams running pnpm 11 with the new defaults should audit their existing pnpm-workspace.yaml for any onlyBuiltDependencies or ignoredBuiltDependencies entries and migrate them to the new allowBuilds map.

Organizations trying to reduce install-time execution risk should treat minimumReleaseAge as a baseline control, keeping an escape path open for emergency updates via minimumReleaseAgeExclude.

For monorepos or environments relying on git-sourced direct dependencies, the blockExoticSubdeps default should be reviewed carefully to avoid breaking resolution for intentional exotic sources in top-level package.json files, since the setting only restricts transitive dependencies from using such sources.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post pnpm 11 Turns On Minimum Release Age by Default to Reduce npm Supply Chain Risk appeared first on Cyber Security News.