Credential Theft | Breaking Cybersecurity News | The Hacker News

Category — Credential Theft
Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Jul 02, 2026 Malware / Cyber Attack
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. "Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Monitoring (RMM) tooling, credential access, and hands-on-keyboard procedures used for lateral movement," Arctic Wolf said in a report published this week. "Anubis affiliates repeatedly abused legitimate remote access and administration tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity while maintaining control of victim systems." Anubis is a ransomware-as-a-service (RaaS) group that first emerged in late 2024 as a rebrand of Sphinx ransomware. The ransomware operation was formally announced on the Ransomware and Advanced Malware Protection (RAMP) underground forum in Febr...
ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API

Jul 02, 2026 API Security / Cyberespionage
The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API. "In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs," Kaspersky said in a detailed report published this week. "Because the Google API relies on the OAuth 2.0 protocol for authorization, applications can use an OAuth token to access requested email resources." The adversary is said to have developed Umbrij to acquire this token and use it to connect to the browser's management console in headless mode via a remote debugging port. Subsequently, a series of requests was issued to obtain an OAuth authorization code, which was then exchanged for an access token to reach the target resources via the API. The technique has been codenamed Shadow Token via Remote Debug (STRD) b...
FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

Jul 02, 2026 Network Security / Ransomware
The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions. "An operator tied to FortiBleed's infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time," SOCRadar said in a new report published Wednesday. The company said it tracked scanning activity against approximately 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 targets and successful completion of the full attack chain on 354 of them. In all, at least 12 ransomware deployments have resulted from this access, causing hundreds of endpoints to be encrypted across affected organizations. The large-scale credential-harvesting operation, which came to light last month, involved the threat actors sys...
New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos

Jul 02, 2026 Malware / Vulnerability Research
Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine. YesWeHack and Sekoia published their joint findings on July 1 and warned that, as of that report, the malware and its servers were still live, so do not run any of these PoCs. The trick is where the code sits. The visible PoC looks clean. The malware hides in a Python package that the PoC pulls in as a dependency, so it slips past a quick code review.

How the trap works

The bait is time pressure. When a big flaw drops, researchers race to test it and grab community PoCs to move fast. This campaign turns that habit into an infection route. The chain, in plain terms: You clone the repo and r...
Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer

Jun 30, 2026 AI Security / Vulnerability
An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Stealer. The intrusion involves the exploitation of CVE-2026-48558 (CVSS score: 10.0), a critical authentication bypass vulnerability impacting the OpenID Connect (OIDC) flow that an unauthenticated attacker could exploit to obtain a fully authenticated "Technician" session by submitting a forged token containing arbitrary identity claims. "TaskWeaver is a heavily obfuscated Node.js loader, delivered as jquery.js and executed through node.exe, that implements an encrypted, reusable payload delivery channel rather than a fixed set of post exploitation commands," Blackpoint Cyber said in an analysis. "The observed second stage payload, Djinn Stealer, targets Windows, macOS, and Linux systems." Djinn Stealer is designed to harvest credentials associated with cloud...
New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials

Jun 30, 2026 Agent Security / Browser Security
Convince an AI browser that it is playing a game, and it can hand over your login details. That is the finding behind BioShocking, a technique from security firm LayerX that tricked six AI browsers and assistants into copying a user's credentials and sending them to an attacker. The targets included OpenAI's ChatGPT Atlas, Perplexity's Comet, and Anthropic's Claude browser extension. An AI browser is one that can act for you, not just read pages. Switch it to agent mode, and it can click, type, and reach into the sites you are already signed into. That access is the whole point, and it is also the problem. The trick works because of how these agents read. The web page and your own instructions arrive as a single stream of text. That lets a malicious page slip in commands dressed up as ordinary content or game rules, and the agent cannot reliably tell the difference. Researchers call this indirect prompt injection.

How the trick works
Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts

Jun 29, 2026 Browser Security / Ad Fraud
Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021. The extensions were the kind people install without a second thought: ad blockers, VPNs, translators, video downloaders. Each one did its job and earned reviews. The malicious code stayed dormant until the extension cleared a stack of evasion checks, which is how it sat in the store for years. Combined, the 119 extensions had an install base of up to 2.6 million users. Microsoft is clear that this is a ceiling, not a victim count. A multi-day delay, server-side validation, and a 10% execution gate on some variants meant the payload never fired for many installs. How many people were actual...
Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

Jun 29, 2026 Supply Chain Attack / Cryptocurrency
Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts. "This attack avoids the most common npm execution paths through lifecycle scripts, perhaps in an attempt to remain 'compatible' with npm v12's security hardenings," JFrog said in a technical analysis. "The package hides execution inside a VS Code task, configured to run automatically when the project folder is opened in VS Code. From there, the malware retrieves encrypted JavaScript from blockchain transaction data, connects to attacker-controlled infrastructure, launches a socket.io backdoor, and eventually deploys a Python infostealer." The names of the identified npm packages are listed below -
- html-to-gutenberg
- fetch-page-assets (which lists html-to-gutenberg as a dependency)

The two packages were uploaded to npm on May 25, 2026, an...
Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials

Jun 27, 2026 Messaging Security / Cyber Espionage
The Security Service of Ukraine (SSU) said it, together with the U.S. Federal Bureau of Investigation (FBI), uncovered a long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicians, and activists in Ukraine, Europe, and the U.S. The systematic cyber attacks aimed at stealing sensitive information from the victims, the agency added. "The goal of these 'hacks' is to gain access to sensitive military, political, and economic information exchanged by users, as well as to steal their personal data," the agency warned in a post shared on Telegram. To pull off the operation, the attackers send SMS messages that masquerade as the messaging platform's support bot and urge users to disclose their account credentials. The SSU noted that these attacks include not only organizations, officials or public figures, but also personal accounts belonging to Ukrainian nati...
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs

Jun 26, 2026 AI Security / Vulnerability
A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8.5), the bug sat in how Amazon's AI coding assistant handled Model Context Protocol (MCP) servers. Wiz Research, which found and reported it, showed that a single config file dropped in a repo was enough to go from git clone to cloud compromise.

How the attack worked

Amazon Q read an MCP configuration file, .amazonq/mcp.json, from the open workspace and launched the servers it defined. MCP servers are local processes that an AI assistant can spawn to reach databases, APIs, or build tools, so starting one means running commands on the machine. Those processes inherited the developer's full environment. That usually means AWS keys, cloud CLI tokens, API secrets, and SSH agent sockets. ...
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Jun 26, 2026 Supply Chain Attack / Developer Security
Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem. "The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project," Socket said. The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows. The list of affected packages is below -
- hexo-deployer-wrangler@1.0.4
- hexo-shoka-swiper@0.1.10
- leo-auth@4.0.6
- leo-aws@2.0.4
- leo-cache@1.0.2
- leo-cdk-lib@0.0.2
- leo-cli@3.0.3
- leo-config@1.1.1
- leo-connector-elasticsearch@2.0.6
- leo-connector-mongo@3.0.8
- leo-connector-mysql@3.0.3
...
Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

Jun 24, 2026 Cybercrime / Law Enforcement
A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. "The main common goal was to disrupt the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure," Europol said in a statement. The development comes days after authorities from the Netherlands, Canada, Germany, and the U.S. disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. As part of the two-week-long action, cryptocurrency assets of criminal origin valued at more than $47 million have been identified, flagged, and restricted from use. In addition, as many as 27 million stolen login credentials have been recovered, and the malware distribution network has been hindered by dismantling 326 servers and 142 domains...
Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks

Jun 24, 2026 Open Source / Supply Chain Security
Cybersecurity researchers have flagged a new class of CI/CD workflow weakness that allows attackers to hijack workflows and compromise open-source supply chains. The "critical exploitable pattern" has been codenamed Cordyceps by Novee Security. The issue can allow full attacker control of repositories at dozens of the largest organizations worldwide, including Microsoft, Google, Apache, and Cloudflare. "The flaw is exploitable by any unauthenticated user," Elad Meged, founding engineer and security researcher at Novee Security, said. "No org membership or special privileges; a free account is enough to forge approvals, push code, or steal credentials." The penetration-testing company's scan of about 30,000 high-impact repositories has revealed more than 300 to be fully exploitable, enabling attacker-controlled code execution, credential theft, and supply chain compromise, which can have severe downstream impacts. The core of the problem tri...
FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation

Jun 23, 2026 Initial Access Broker / Firewall Security
A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. "Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar said [PDF] in a fresh report. "The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services." Central to the operation is a Golang-based tool called FortigateSniffer that takes advantage of the FortiOS built-in diagnostic command "diagnose sniffer packet" to passively capture authentication traffic from the infected appliances. Appearing in both Window...
Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT

Jun 23, 2026 Supply Chain Attack / Developer Security
Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT). The list of identified packages is below -
- aes-decode-runner-pro (145 downloads)
- postcss-minify-selector (256 downloads)
- postcss-minify-selector-parser (615 downloads)

All the packages were published over the past month by an npm user named "abdrizak" and continue to be available for download from npm as of writing. "Aes-decode-runner-pro and postcss-minify-selector-parser both present themselves as layered AES/custom-codec packages and depend on the legitimate postcss-selector-parser," JFrog said in an analysis. "Postcss-minify-selector presents itself as a PostCSS selector minifier and depends on postcss-minify-selector-parser." As for "postcss-minify-selector-parser," the name is a reference to "postcss-selector-parser," a widely used npm library with more than 1...
The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes

Jun 19, 2026 Ransomware / Endpoint Security
The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor. This mature portfolio of EDR-terminating tools is centered around a framework that's known as GentleKiller. "They also incorporate third-party or leaked tools such as HexKiller, ThrottleBlood, and HavocKiller," ESET security researcher Jakub Souček said in a report shared with The Hacker News. "These tools are standardized through a shared defense-evasion layer, impersonating predominantly security vendors using fake version information, and copied legitimate certificates and icons." The Slovakian cybersecurity company also called out the ransomware crew for its ability to "unusually quickly operationalize" newly disclosed proof-of-concept (PoC) exploits related to an attack technique called bring your...
INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023

Jun 18, 2026 Vulnerability / Enterprise Security
Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis researcher Darrel Virtusio said. "United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, technology and health care among the most targeted sectors." INC's Windows and Linux/ESXi encryptors have also been rewritten in Rust to facilitate easier cross-platform development and better resist reverse engineering efforts. Attacks deploying the ransomware are characterized by the use of an updated credential dumper capable of targeting newer Veeam backup deployments that use the salted DPAPI credential encryp...
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Jun 12, 2026 Linux / Supply Chain Attack
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux's community package collection, and it is separate from the official Arch repositories, which were not affected. If you installed or updated an AUR package on or after June 11, check it against the current affected-package lists before trusting the host. The list of names is large, still growing, and not yet complete. This attack goes after the trust model, not a software flaw. The compromised packages kept their names, their histories, and the trust that came with them. Only the build instructions changed. The trap sat in the recipe, leaving the package itself looking exactly like the software users meant to install. No exploit, no ze...
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

Jun 12, 2026 Linux / Network Security
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components that decide who is allowed to sign in, planting its access where ordinary cleanup could not reach it. The network it targeted had no direct internet access, so the group first staged through internet-facing systems to get there. The earliest traces go back to 2016. Instead of dropping new malware that a scanner might catch, the attacker changed the trusted login programs themselves. Nothing obvious appeared, and no exploit was needed, so the activity looked like normal administration. On many machines, the attacker replaced the main PAM login module with backdoored copies. Some let them in with a secret password; others quietly recorded real usernames and passwords as people logged in. Researchers found nine separate ver...
INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator

Jun 12, 2026 Cybercrime / Phishing
An INTERPOL-led operation last month resulted in the disruption of Sniper Dz, a decade-long phishing-as-a-service (PhaaS) platform, Group-IB said Thursday. The effort, codenamed Operation Ramz, took place between October 2025 and February 2026, and saw authorities from 13 countries in the Middle East and North Africa (MENA) region making 201 arrests. Included among them was Guedz, the primary developer and administrator of Sniper Dz, a PhaaS service that's said to have collected more than 45,000 victim records. The arrest was made by the Algerian National Police. Over the years, the platform rebranded itself as Joker Dz, Storm Dz, and Spam Dz. As part of Operation Ramz, the website used to offer PhaaS capabilities to other cybercriminals was taken down. Authorities also seized hardware containing phishing software and scripts. "Active since at least 2015, Sniper Dz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructu...