cryptocurrency | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others. The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targeted users of a service called Chimera Sandbox , which was released by Singaporean tech company Grab last August to facilitate "experimentation and development of [machine learning] solutions." The package masquerades as a helper module for Chimera Sandbox, but "aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more," JFrog security researcher Guy Korolevski said in a report published last week. Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithm ( DGA ) in order...

Cybersecurity researchers have shed light on a previously undocumented Rust-based information stealer called Myth Stealer that's being propagated via fraudulent gaming websites. "Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background," Trellix security researchers Niranjan Hegde, Vasantha Lakshmanan Ambasankar, and Adarsh S said in an analysis. The stealer, initially marketed on Telegram for free under beta in late December 2024, has since transitioned to a malware-as-a-service (MaaS) model. It's equipped to steal passwords, cookies, and autofill information from both Chromium- and Gecko-based browsers, such as Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Mozilla Firefox. The operators of the malware have been found maintaining a number of Telegram channels to advertise the sale of compromised accounts as well as provide testimonials of their service. The...

Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware. The malware, introduced via a change to "lib/commonjs/index.js," allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1 million weekly downloads. The unauthorized access could then be used to perform various follow-on actions like mining cryptocurrency, stealing sensitive information, and even shutting down services. Aikido said the first package compromise was detected on June 6, 2025, at 9:33 p.m. GMT.  The list of the impacted packages and the affected versions is below - @gluestack-ui/utils version 0.1.16 (101 Downloads) @gluestack-ui/utils version 0.1.17 (176 Downloads) @react-native-aria/button version 0.2.11 (174 Downloads) @react-native-aria/checkbox version 0.2.11 (577 Downloads) @re...

India's Central Bureau of Investigation (CBI) has revealed that it has arrested six individuals and dismantled two illegal call centers that were found to be engaging in a sophisticated transnational tech support scam targeting Japanese citizens. The law enforcement agency said it conducted coordinated searches at 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025, as part of an initiative called Operation Chakra V, which aims to combat cyber-enabled financial crimes. The cybercrime syndicates, per the CBI, defrauded foreign nationals, mainly Japanese citizens, by masquerading as technical support personnel from various multinational corporations, including Microsoft.  "The syndicate operated call centers designed to appear as legitimate customer service centers, through which victims were deceived into believing that their electronic devices were compromised," the agency said . "Under this pretext, victims were coerced into transferring funds ...

The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of cryptocurrency funds and about 145 clearnet and dark web domains associated with an illicit carding marketplace called BidenCash. "The operators of the BidenCash marketplace use the platform to simplify the process of buying and selling stolen credit cards and associated personal information," the DoJ said . "BidenCash administrators charged a fee for every transaction conducted on the website." BidenCash launched in March 2022 to fill the void left by the shutdown of Joker's Stash a year earlier and several other carding forums like UniCC . Since the time it went operational, the illegal bazaar ("bidencash[.]asia," "bidencash[.]bd," and "bidencash[.]ws") is estimated to have supported more than 117,000 customers, facilitated the trafficking of over 15 million payment card numbers and personally identifiable information, and generated no less than $17 mi...

Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems. According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments. "Chaos RAT is an open-source RAT written in Golang, offering cross-platform support for both Windows and Linux systems," security researchers Santiago Pontiroli, Gabor Molnar, and Kirill Antonenko said in a report shared with The Hacker News. "Inspired by popular frameworks such as Cobalt Strike and Sliver, Chaos RAT provides an administrative panel where users can build payloads, establish sessions, and control compromised machines." While work on the "remote administration tool" started way back in 2017, it did not attract attention until December 2022 , when it was put to use in a malicious campaig...

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems. The findings come from multiple reports published by Checkmarx, ReversingLabs, Safety, and Socket in recent weeks. The list of identified packages across these platforms are listed below - Socket noted that the two malicious gems were published by a threat actor under the aliases Bùi nam, buidanhnam, and si_mobile merely days after Vietnam ordered a nationwide ban on the Telegram messaging app late last month for allegedly not cooperating with the government to tackle illicit activities related to fraud, drug trafficking, and terrorism. "These gems silently exfiltrate all data sent to the Telegram API by redirecting traffic through a command-and-control (C2...

A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list. "Recent activity reveals multiple campaigns now targeting European countries while continuing Turkish campaigns and expanding globally to South America," the Dutch security company said . Crocodilus was first publicly documented in March 2025 as targeting Android device users in Spain and Turkey by masquerading as legitimate apps like Google Chrome. The malware comes fitted with capabilities to launch overlay attacks against a list of financial apps retrieved from an external server to harvest credentials. It also abuses accessibility services permissions to capture seed phrases as...

The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses. The Treasury accused the Taguig-headquartered company of enabling thousands of websites involved in virtual currency investment scams that caused Americans to lose billions of dollars annually. "Funnull has directly facilitated several of these schemes, resulting in over $200 million in U.S. victim-reported losses," the agency said in a press release. The average loss is estimated to be over $150,000 per individual. Funnull, also called Fang Neng CDN (funnull[.]io, funnull[.]com, funnull[.]app, and funnull[.]buzz), first attracted the attention of the cybersecurity community in June 2024 after it was implicated in the supply chain attack of the widely-used Polyfill[.]io J...

An Iranian national has pleaded guilty in the U.S. over his involvement in an international ransomware and extortion scheme involving the Robbinhood ransomware. Sina Gholinejad (aka Sina Ghaaf), 37, and his co-conspirators are said to have breached the computer networks of various organizations in the United States and encrypted files with Robbinhood ransomware to demand Bitcoin ransom payments. Gholinejad, who was arrested in North Carolina in early January, pleaded guilty to one count of computer fraud and abuse and one count of conspiracy to commit wire fraud. He faces a maximum penalty of 30 years in prison. He is scheduled for sentencing in August 2025. "These cyber attacks caused significant disruptions and tens of millions in losses, including to the City of Greenville, North Carolina, and the City of Baltimore, Maryland," the U.S. Department of Justice (DoJ) said . "Baltimore lost more than $19 million from the damage caused to their computer networks and t...

Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot . Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts. "Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server and attempts to brute force SSH credentials," Darktrace said in an analysis shared with The Hacker News. "Upon gaining access, it receives remote commands and establishes persistence using system service files." The botnet malware is designed to obtain initial access via successfully brute-forcing SSH credentials across a list of harvested IP addresses with open SSH ports. The list of IP addresses to target is retrieved from an external server ("ssh.ddos-cc[.]org"). As part of its brute-force attempts, the malware also performs various checks to determine if...

The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security tools to detect or block the malware." Latrodectus, believed to be a successor to IcedID, is the name given to a malware that acts as a downloader for other payloads, such as ransomware. It was first documented by Proofpoint and Team Cymru in April 2024.

As part of the latest "season" of Operation Endgame , a coalition of law enforcement agencies have taken down about 300 servers worldwide, neutralized 650 domains, and issued arrest warrants against 20 targets. Operation Endgame, first launched in May 2024, is an ongoing law enforcement operation targeting services and infrastructures assisting in or directly providing initial or consolidating access for ransomware. The previous edition focused on dismantling the initial access malware families that have been used to deliver ransomware. The latest iteration, per Europol, targeted new malware variants and successor groups that re-emerged after last year's takedowns such as Bumblebee, Lactrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE . The interaction action was carried out between May 19 and 22, 2025. "In addition, €3.5 million in cryptocurrency was seized during the action week, bringing the total amount seized during the Operation Endgame to...

Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology, which is headquartered in Beijing, China. As of April 2025, the service has a user base of more than 22 million, per data from the company. "The attack used fake Facebook pages and ads to distribute a malicious file which ultimately led to the execution of a remote access Trojan (RAT), granting attackers remote control of the victim's system and the ability to steal sensitive data," Check Point said . First detected in early 2025, the campaign leads unsuspecting users to a spoofed website such as klingaimedia[.]com or klingaistudio[.]com, where they are asked to create AI-genera...

The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility. "Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience," the company said in a statement posted on its website. "Robware.net and RVTools.com are the only authorized and supported websites for RVTools software. Do not search for or download purported RVTools software from any other websites or sources." The development comes after security researcher Aidan Leon revealed that an infected version of the installer downloaded from the website was being used to sideload a malicious DLL that turned out to be a known malware loader called Bumblebee . It's currently not known how long the trojanized version of RVTools had been available for download and how many had installed it before the site was taken offline. In the interim, users are recommended to veri...