Cryptocurrency Theft | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have flagged a new malicious extension in the Open VSX registry that harbors a remote access trojan called SleepyDuck . According to Secure Annex's John Tuckner, the extension in question, juan-bianco.solidity-vlang (version 0.0.7), was first published on October 31, 2025, as a completely benign library that was subsequently updated to version 0.0.8 on November 1 to include new malicious capabilities after reaching 14,000 downloads. "The malware includes sandbox evasion techniques and utilizes an Ethereum contract to update its command and control address in case the original address is taken down," Tuckner added . Campaigns distributing rogue extensions targeting Solidity developers have been repeatedly detected across both the Visual Studio Extension Marketplace and Open VSX. In July 2025, Kaspersky disclosed that a Russian developer lost $500,000 in cryptocurrency assets after installing one such extension through Cursor. In the latest...

Cybersecurity researchers have disclosed details of a new Android banking trojan called Herodotus that has been observed in active campaigns targeting Italy and Brazil to conduct device takeover ( DTO ) attacks. "Herodotus is designed to perform device takeover while making first attempts to mimic human behaviour and bypass behaviour biometrics detection," ThreatFabric said in a report shared with The Hacker News. The Dutch security company said the Trojan was first advertised in underground forums on September 7, 2025, as part of the malware-as-a-service (MaaS) model, touting its ability to run on devices running Android version 9 to 16. It's assessed that while the malware is not a direct evolution of another banking malware known as Brokewell , it certainly appears to have taken certain parts of it to put together the new strain. This includes similarities in the obfuscation technique used, as well as direct mentions of Brokewell in Herodotus (e.g., "BRKWL_...

Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer's account was compromised in a phishing attack. The attack targeted Josh Junon (aka Qix ), who received an email message that mimicked npm ("support@npmjs[.]help"), urging them to update their update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on embedded link. The phishing page is said to have prompted the co-maintainer to enter their username, password, and two-factor authentication (2FA) token, only for it to be stolen likely by means of an adversary-in-the-middle ( AitM ) attack and used to publish the rogue version to the npm registry. The following 20 packages, which collectively attract over 2 billion weekly downloads, have been confirmed as affected as part of the incident - ansi-regex@6.2.1 ansi-styles@6.2.2 backslash@0.2.1 chalk@5.6.1 chalk-template@1.1.1 color-convert@3.1.1 color-name@2.0.1...

As many as 60 malicious npm packages have been discovered in the package registry with malicious functionality to harvest hostnames, IP addresses, DNS servers, and user directories to a Discord-controlled endpoint. The packages, published under three different accounts, come with an install‑time script that's triggered during npm install, Socket security researcher Kirill Boychenko said in a report published last week. The libraries have been collectively downloaded over 3,000 times. "The script targets Windows, macOS, or Linux systems, and includes basic sandbox‑evasion checks, making every infected workstation or continuous‑integration node a potential source of valuable reconnaissance," the software supply chain security firm said . The names of the three accounts, each of which published 20 packages within an 11-day time period, are listed below. The accounts no longer exist on npm - bbbb335656 cdsfdfafd1232436437, and  sdsds656565 The malicious code, per So...

Japanese and U.S. authorities have formerly attributed the theft of cryptocurrency worth $308 million from cryptocurrency company DMM Bitcoin in May 2024 to North Korean cyber actors. "The theft is affiliated with TraderTraitor threat activity, which is also tracked as Jade Sleet, UNC4899, and Slow Pisces," the agencies said . "TraderTraitor activity is often characterized by targeted social engineering directed at multiple employees of the same company simultaneously." The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center, and the National Police Agency of Japan. It's worth noting that DMM Bitcoin shut down its operations earlier this month in the aftermath of the hack. TraderTraitor refers to a North Korea-linked persistent threat activity cluster that has a history of targeting companies in the Web3 sector, luring victims into downloading malware-laced cryptocurrency apps and ultimately ...

Five alleged members of the infamous Scattered Spider cybercrime crew have been indicted in the U.S. for targeting employees of companies across the country using social engineering techniques to harvest credentials and using them to gain unauthorized access to sensitive data and break into crypto accounts to steal digital assets worth millions of dollars. All of the accused parties have been charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft. They include - Ahmed Hossam Eldin Elbadawy, 23, aka AD, of College Station, Texas Noah Michael Urban, 20, aka Sosa and Elijah, of Palm Coast, Florida Evans Onyeaka Osiebo, 20, of Dallas, Texas Joel Martin Evans, 25, aka joeleoli, of Jacksonville, North Carolina; and Tyler Robert Buchanan, 22, aka tylerb, of the U.K. While the name Scattered Spider  is not directly referenced in the indictment document, it has been described as "a loosely organized financi...