cryptocurrency | Breaking Cybersecurity News | The Hacker News

Threat actors are continuing to upload malicious packages to the npm registry so as to tamper with already-installed local versions of legitimate libraries and execute malicious code in what's seen as a sneakier attempt to stage a software supply chain attack. The newly discovered package, named pdf-to-office , masquerades as a utility for converting PDF files to Microsoft Word documents. But, in reality, it harbors features to inject malicious code into cryptocurrency wallet software associated with Atomic Wallet and Exodus. "Effectively, a victim who tried to send crypto funds to another crypto wallet would have the intended wallet destination address swapped out for one belonging to the malicious actor," ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News. The npm package in question was first published on March 24, 2025, and has received three updates since then but not before the previous versions were likely removed by the a...

Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge , a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office. "One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a legitimate GitHub project," Kaspersky said in a report published today. "The description and contents of officepackage provided below were also taken from GitHub." While every project created on sourceforge.net gets assigned a "<project>.sourceforge.io" domain name, the Russian cybersecurity company found that the domain for officepackage, "officepackage.sourceforge[.]io," displays a long list of Microsoft Office applications and corresponding links to download them in Russian. On top of that, hovering over the download button reveals a seemi...

A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims' digital wallets. "Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push said in an analysis. "As part of the attack, PoisonSeed provides security seed phrases to get potential victims to copy and paste them into new cryptocurrency wallets for future compromising." Targets of PoisonSeed include enterprise organizations and individuals outside the cryptocurrency industry. Crypto companies like Coinbase and Ledger, and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho are among the targeted crypto companies. The activity is assessed to be distinct from two loosely aligned threat actors Scattered Spider and CryptoChameleon , whi...

The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by French cybersecurity company Sekoia. Contagious Interview , also tracked as DeceptiveDevelopment, DEV#POPPER, and Famous Chollima, is known to be active since at least December 2022, although it was only publicly documented for the first time in late 2023. "It uses legitimate job interview websites to leverage the ClickFix tactic and install Windows and macOS backdoors," Sekoia researchers Amaury G., Coline Chavane, and Felix Aimé said , attributing the effort to the infamous Lazarus Group , a prolific adversary attributed to the Reconnaissance General Bureau (RGB) of the Democratic Pe...

Counterfeit versions of popular smartphone models that are sold at reduced prices have been found to be preloaded with a modified version of an Android malware called Triada . "More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia," Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.  Triada is the name given to a modular Android malware family that was first discovered by the Russian cybersecurity company in March 2016. A remote access trojan (RAT), it's equipped to steal a wide range of sensitive information, as well as enlist infected devices into a botnet for other malicious activities. While the malware was previously observed being distributed via intermediate apps published on the Google Play Store (and elsewhere) that gained root access to the compromised phones, subsequent campaigns have leveraged WhatsApp mods like FMWhatsApp and YoWhatsApp as a propagation vec...

In one of the largest coordinated law enforcement operations, authorities have dismantled Kidflix, a streaming platform that offered child sexual abuse material (CSAM). "A total of 1.8 million users worldwide logged on to the platform between April 2022 and March 2025," Europol said in a statement. "On March 11, 2025, the server, which contained around 72,000 videos at the time, was seized by German and Dutch authorities." The European law enforcement agency described it as the largest operation undertaken to combat child sexual exploitation. It has been codenamed Operation Stream. The multi-year probe , which commenced in 2022 and involved 38 countries across the world, saw 1,393 identified globally through an analysis of payment transactions, with 79 of them arrested to date for distributing CSAM. Some of the apprehended individuals have also been accused of not only uploading and watching such content but also abused children. In addition, more than 3,000...

Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging," ThreatFabric said . As with other banking trojans of its kind, the malware is designed to facilitate device takeover ( DTO ) and ultimately conduct fraudulent transactions. An analysis of the source code and the debug messages reveals that the malware author is Turkish-speaking. The Crocodilus artifacts analyzed by the Dutch mobile security company masquerade as Google Chrome (package name: "quizzical.washbowl.calamity"), which act as a dropper capable of  bypassing Android 13+ restrictions .  Once installed and launched, the app requests permission to Android's access...

Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems. "Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers," Sonatype researcher Ax Sharma said . "However, [...] the latest versions of each of these packages were laden with obfuscated scripts." The affected packages and their hijacked versions are listed below - country-currency-map (2.1.8) bnb-javascript-sdk-nobroadcast (2.16.16) @bithighlander/bitcoin-cash-js-lib (5.2.2) eslint-config-travix (6.3.1) @crosswise-finance1/sdk-v2 (0.1.21) @keepkey/device-protocol (7.13.3) @veniceswap/uikit (0.65.34) @veniceswap/eslint-config-pancake (1.6.2) babel-preset-travix (1.2.1) @travix/ui-themes (1.1.5) @coinmasters/types (4.8.16) Analysis of these packages by the software supply chain ...

The U.S. Treasury Department has announced that it's removing sanctions against Tornado Cash, a cryptocurrency mixer service that has been accused of aiding the North Korea-linked Lazarus Group to launder their ill-gotten proceeds. "Based on the Administration's review of the novel legal and policy issues raised by use of financial sanctions against financial and commercial activity occurring within evolving technology and legal environments, we have exercised our discretion to remove the economic sanctions against Tornado Cash," the Treasury said in a statement. In conjunction with the move, over 100 Ethereum (ETH) wallet addresses are also being removed from the Specially Designated Nationals (SDN) list. The department's Office of Foreign Assets Control (OFAC) added Tornado Cash to its sanctions list in August 2022. It was estimated to have been used to launder more than $7.6 billion worth of virtual assets since its creation in 2019, the Treasury said a...

Users searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk. Clipper malware is a type of cryware (as coined by Microsoft) that's designed to monitor a victim's clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses with an attacker-controlled one so as to reroute them to the adversary instead of the intended target. "The infection chain begins at a site called pesktop[.]com," security researcher Ari Novick said in an analysis published earlier this week. "This site, which presents itself as a site to get pirated software, also tries to get people to download all sorts of malware." The initial executable acts as a conduit to run a PowerShell script that delivers a botnet malware named Amadey , as well as two other .NET binaries, each compiled for 32- and 64-bit architect...

The Middle East and North Africa have become the target of a new campaign that delivers a modified version of a known malware called AsyncRAT since September 2024. "The campaign, which leverages social media to distribute malware, is tied to the region's current geopolitical climate," Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov said in an analysis published last week. "The attackers host malware in legitimate online file-sharing accounts or Telegram channels set up specially for this purpose." The campaign is estimated to have claimed approximately 900 victims since the fall 2024, the Russian cybersecurity company added, indicating its widespread nature. A majority of the victims are located in Libya, Saudi Arabia, Egypt, Turkey, the United Arab Emirates, Qatar, and Tunisia. The activity, attributed to a threat actor dubbed Desert Dexter , was discovered in February 2025. It chiefly involves creating temporary accounts and news ...

A new mass malware campaign is infecting users with a cryptocurrency miner named SilentCryptoMiner by masquerading it as a tool designed to circumvent internet blocks and restrictions around online services. Russian cybersecurity company Kaspersky said the activity is part of a larger trend where cybercriminals are increasingly leveraging Windows Packet Divert ( WPD ) tools to distribute malware under the guise of restriction bypass programs. "Such software is often distributed in the form of archives with text installation instructions, in which the developers recommend disabling security solutions, citing false positives," researchers Leonid Bezvershenko, Dmitry Pikush, and Oleg Kupreev said . "This plays into the hands of attackers by allowing them to persist in an unprotected system without the risk of detection." The approach has been used as part of schemes that propagate stealers, remote access tools (RATs), trojans that provide hidden remote access, and...

Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries. The package in question is set-utils , which has received 1,077 downloads to date. It's no longer available for download from the official registry. "Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M + downloads)," software supply chain security company Socket said . "This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets." The package aims to target Ethereum developers and organizations working with Python-based blockchain applications, particularly Python-based wallet management libraries like eth-account. Besides embedding the attacker's RSA public key to...

A coalition of international law enforcement agencies has seized the website associated with the cryptocurrency exchange Garantex ("garantex[.]org"), nearly three years after the service was sanctioned by the U.S. Treasury Department in April 2022. "The domain for Garantex has been seized by the United States Secret Service pursuant to a seizure warrant obtained by the United States Attorney's Office for the Eastern District of Virginia under the authority of 18 U.S.C. §§ 981 and 982," reads a seizure banner on the website. The operation was carried out in coordination with the U.S. Department of Justice's Criminal Division, the Federal Bureau of Investigation, Europol, the Dutch National Police, the German Federal Criminal Police Office (Bundeskriminalamt aka BKA), the Frankfurt General Prosecutor's Office, the Finnish National Bureau of Investigation, and the Estonian National Criminal Police. Founded in 2019, Garantex was previously subject to U....