-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

Search results for credential stealer | Breaking Cybersecurity News | The Hacker News

W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names

W4SP Stealer Discovered in Multiple PyPI Packages Under Various Names

Dec 24, 2022 Software Security / Supply Chain
Threat actors have published yet another round of malicious packages to Python Package Index (PyPI) with the goal of delivering information-stealing malware on compromised developer machines. Interestingly, while the malware goes by a variety of names like ANGEL Stealer, Celestial Stealer, Fade Stealer, Leaf $tealer, PURE Stealer, Satan Stealer, and @skid Stealer, cybersecurity company Phylum found them all to be copies of  W4SP Stealer . W4SP Stealer primarily functions to siphon user data, including credentials, cryptocurrency wallets, Discord tokens, and other files of interest. It's created and published by an actor who goes by the aliases BillyV3, BillyTheGoat, and billythegoat356. "For some reason, each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name," the researchers  said  in a report published earlier this week. The 16 rogue modules are as follows: modulesecurity, inform...
AutoHotkey-Based Password Stealer Targeting  US, Canadian Banking Users

AutoHotkey-Based Password Stealer Targeting US, Canadian Banking Users

Dec 29, 2020
Threat actors have been discovered distributing a new credential stealer written in AutoHotkey (AHK) scripting language as part of an ongoing campaign that started early 2020. Customers of financial institutions in the US and Canada are among the primary targets for credential exfiltration, with a specific focus on banks such as Scotiabank, Royal Bank of Canada, HSBC, Alterna Bank, Capital One, Manulife, and EQ Bank. Also included in the list is an Indian banking firm ICICI Bank. AutoHotkey  is an open-source custom scripting language for Microsoft Windows aimed at providing easy hotkeys for macro-creation and software automation that allows users to automate repetitive tasks in any Windows application. The multi-stage infection chain commences with a malware-laced Excel file that's embedded with a Visual Basic for Applications (VBA)  AutoOpen  macro, which is subsequently used to drop and execute the downloader client script ("adb.ahk") via a legitimate portable AHK...
Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

May 19, 2026 Supply Chain Attack / Developer Security
Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace. The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations. "Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository," StepSecurity researcher Ashish Kurmi said . The payload is a "multi-stage credential stealer and supply chain poisoning tool" that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling. It also installs a Python backdoor on macOS systems that abuses the GitHub Search API as a dead drop resolver for receiving further comm...
cyber security

The Systems That Power America Are Under Threat. Is Your ICS/OT Program Ready?

websiteSANS InstituteCritical infrastructure / Webinar
Discover where federal ICS programs are most exposed and what closing the skills gap requires in practice.
cyber security

Inside Device Code Phishing: Live Demos, Real Kits, and What's Next

websitePush SecurityPhishing Attack / Webinar
Device code attacks are up 37x this year, with 18+ kits in the wild. Now available on-demand.
TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials

TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials

Mar 24, 2026 DevSecOps / Vulnerability
Two more GitHub Actions workflows have become the latest to be compromised by credential-stealing malware by a threat actor known as TeamPCP, the cloud-native cybercriminal operation also behind the Trivy supply chain attack . The workflows, both maintained by the supply chain security company Checkmarx, are listed below - checkmarx/ast-github-action checkmarx/kics-github-action Cloud security company Sysdig said it observed an identical credential stealer as the one used in TeamPCP's operations targeting Aqua Security's Trivy vulnerability scanner and its associated GitHub Actions, about four days after the breach on March 19, 2026. The Trivy supply chain compromise is being tracked under the CVE identifier CVE-2026-33634 (CVSS score: 9.4). "This suggests that the stolen credentials from the Trivy compromise were used to poison additional actions in affected repositories," Sysdig said . The stealer, referred to as "TeamPCP Cloud stealer," is desig...
Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer

May 23, 2026 Supply Chain Attack / Malware
Cybersecurity researchers have flagged a fresh software supply chain attack campaign that has targeted multiple PHP packages belonging to Laravel-Lang to deliver a comprehensive credential-stealing framework. The affected packages include - laravel-lang/lang laravel-lang/http-statuses laravel-lang/attributes laravel-lang/actions "The timing and pattern of the newly published tags point to a broader compromise of the Laravel Lang organization's release process, rather than a single malicious package version," Socket said . "The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart." More than 700 versions associated with these packages have been identified, indicating automated mass tagging or republishing. It's suspected that the attacker may have managed to obtain access to organization-level credentials, repository automation, or release infrastructure. What makes the att...
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

May 28, 2026 Vulnerability / Endpoint Security
Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver a credential-stealing malware family dubbed EKZ Infostealer. "The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said . "Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell." The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later. A successful compromise is followed by the threat actor taking steps to modify configurations to defer firmware upgrade reminders, as well as modifying a Remote Access Profile configuration and...
New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT

New EVALUSION ClickFix Campaign Delivers Amatera Stealer and NetSupport RAT

Nov 17, 2025
Cybersecurity researchers have discovered malware campaigns using the now-prevalent ClickFix social engineering tactic to deploy Amatera Stealer and NetSupport RAT . The activity, observed this month, is being tracked by eSentire under the moniker EVALUSION . First spotted in June 2025, Amatera is assessed to be an evolution of ACR (short for "AcridRain") Stealer, which was available under the malware-as-a-service (MaaS) model until sales of the malware were suspended in mid-July 2024. Amatera is available for purchase via subscription plans that go from $199 per month to $1,499 for a year. "Amatera provides threat actors with extensive data exfiltration capabilities targeting crypto-wallets, browsers, messaging applications, FTP clients, and email services," the Canadian cybersecurity vendor said. "Notably, Amatera employs advanced evasion techniques such as WoW64 SysCalls to circumvent user-mode hooking mechanisms commonly used by sandboxes, Anti-Vi...
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit

Jun 12, 2026 Linux / Supply Chain Attack
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets. When it lands with root, it can also load an eBPF rootkit to hide itself. The AUR is Arch Linux's community package collection, and it is separate from the official Arch repositories, which were not affected. If you installed or updated an AUR package on or after June 11, check it against the current affected-package lists before trusting the host. The list of names is large, still growing, and not yet complete. This attack goes after the trust model, not a software flaw. The compromised packages kept their names, their histories, and the trust that came with them. Only the build instructions changed. The trap sat in the recipe, leaving the package itself looking exactly like the software users meant to install. No exploit, no ze...
 Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages

Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages

Apr 11, 2023 Software Security / Cryptocurrency
Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was uncovered by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server. The  two-stage attack  culminates in the deployment of a .NET-based persistent backdoor, called Impala Stealer, which is capable of gaining unauthorized access to users' cryptocurrency accounts. "The payload used a very rare obfuscation technique, called '.NET AoT compilation,' which is a lot more stealthy than using 'off the shelf' obfuscators while still making the binary hard to reverse engineer," JFrog told The Hacker News in a statement. .NET  AoT compilation  is an  optimization technique  that allows apps to be ahead-of-ti...
Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Feb 15, 2026 Malware / Threat Intelligence
Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload. Specifically, the attack relies on using the " nslookup " (short for nameserver lookup ) command to execute a custom DNS lookup triggered via the Windows Run dialog. ClickFix is an increasingly popular technique that's traditionally delivered via phishing, malvertising, or drive-by download schemes, often redirecting targets to bogus landing pages that host fake CAPTCHA verification or instructions to address a non-existent problem on their computers by running a command either through the Windows Run dialog or the macOS Terminal app. The attack method has become widespread over the past two years since it hinges on the victims infecting their own machines with malware, thereby allowing the threat actors to bypass security c...
Ghost Campaign Uses 7 npm Packages to Steal Crypto Wallets and Credentials

Ghost Campaign Uses 7 npm Packages to Steal Crypto Wallets and Credentials

Mar 24, 2026 Cryptocurrency / Supply Chain Attack
Cybersecurity researchers have uncovered a new set of malicious npm packages that are designed to steal cryptocurrency wallets and sensitive data. The activity is being tracked by ReversingLabs as the Ghost campaign. The list of identified packages, all published by a user named mikilanjillo, is below - react-performance-suite react-state-optimizer-core react-fast-utilsa ai-fast-auto-trader pkgnewfefame1 carbon-mac-copy-cloner coinbase-desktop-sdk "The packages themselves are phishing for sudo password with which the last stage is executed, and are trying to hide their real functionality and avoid detection in a sophisticated way: displaying fake npm install logs," Lucija Valentić, software threat researcher at ReversingLabs, said in a report shared with The Hacker News. The identified Node.js libraries, besides falsely claiming to download additional packages, insert random delays to give the impression that the installation process is underway. At one point du...
Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices

Python-Based WhatsApp Worm Spreads Eternidade Stealer Across Brazilian Devices

Nov 19, 2025 Malware / Cyber Attack
Cybersecurity researchers have disclosed details of a new campaign that leverages a combination of social engineering and WhatsApp hijacking to distribute a Delphi-based banking trojan named Eternidade Stealer as part of attacks targeting users in Brazil. "It uses Internet Message Access Protocol (IMAP) to dynamically retrieve command-and-control (C2) addresses, allowing the threat actor to update its C2 server," Trustwave SpiderLabs researchers Nathaniel Morales, John Basmayor, and Nikita Kazymirskyi said in a technical breakdown of the campaign shared with The Hacker News. "It is distributed through a WhatsApp worm campaign, with the actor now deploying a Python script, a shift from previous PowerShell-based scripts to hijack WhatsApp and spread malicious attachments. The findings come close on the heels of another campaign dubbed Water Saci that has targeted Brazilian users with a worm that propagates via WhatsApp Web known as SORVEPOTEL, which then acts as a c...
FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

Jul 02, 2026 Network Security / Ransomware
The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions. "An operator tied to FortiBleed's infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment for the first time," SOCRadar said in a new report published Wednesday. The company said it tracked scanning activity against approximately 11,250 FortiGate portals in more than 150 countries, followed by confirmed admin-level access on 409 targets and successful completion of the full attack chain on 354 of them. In all, at least 12 ransomware deployments have resulted from this access, causing hundreds of endpoints to be encrypted across affected organizations. The large-scale credential-harvesting operation, which came to light last month, involved the threat actors sys...
Ebury Botnet Malware Compromises 400,000 Linux Servers Over Past 14 Years

Ebury Botnet Malware Compromises 400,000 Linux Servers Over Past 14 Years

May 15, 2024 Malware / Financial fraud
A malware botnet called  Ebury  is estimated to have compromised 400,000 Linux servers since 2009, out of which more than 100,000 were still compromised as of late 2023. The findings come from Slovak cybersecurity firm ESET, which characterized it as one of the most advanced server-side malware campaigns for financial gain. "Ebury actors have been pursuing monetization activities [...], including the spread of spam, web traffic redirections, and credential stealing," security researcher Marc-Etienne M.Léveillé  said  in a deep dive analysis. "[The] operators are also involved in cryptocurrency heists by using AitM and credit card stealing via network traffic eavesdropping, commonly known as server-side web skimming." Ebury was first documented over a decade ago as part of a campaign codenamed  Operation Windigo  that targeted Linux servers to deploy the malware, alongside other backdoors and scripts like Cdorked and Calfbot to redirect web traffic and ...
Two New Platforms Found Offering Cybercrime-as-a-Service to 'Wannabe Hackers'

Two New Platforms Found Offering Cybercrime-as-a-Service to 'Wannabe Hackers'

Jul 15, 2017
Cybercrime has continued to evolve and today exists in a highly organised form. Cybercrime has increasingly been commercialised, and itself become big business by renting out an expanded range of hacking tools and technologies, from exploit kits to ransomware, to help anyone build threats and launch attacks. In past few years, we have witnessed the increase in the popularity of malware-as-a-service (MaaS), which is today a prosperous business on the underground black market that offers an array of services, including ransomware-as-a-service , DDoS-as-a-service , phishing-as-a-service, and much more. Two such services have recently been spotted by two separate group of researchers, which we have detailed in this article. Ovidiy Stealer — $7 Password-Stealing Malware For Everyone A new credential stealing malware that targets primarily web browsers is being marketed at Russian-speaking web forums for as cheap as $7, allowing anyone with even little technical knowledge ...
New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets

New Stealthy Bandit Stealer Targeting Web Browsers and Cryptocurrency Wallets

May 27, 2023 Cryptocurrency / Malware
A new stealthy information stealer malware called Bandit Stealer has caught the attention of cybersecurity researchers for its ability to target numerous web browsers and cryptocurrency wallets.  "It has the potential to expand to other platforms as Bandit Stealer was developed using the Go programming language, possibly allowing cross-platform compatibility," Trend Micro  said  in a Friday report. The malware is currently focused on targeting Windows by using a legitimate command-line tool called  runas.exe  that allows users to run programs as another user with different permissions. The goal is to escalate privileges and execute itself with administrative access, thereby effectively bypassing security measures to harvest wide swathes of data. That said, Microsoft's access control mitigations to prevent unauthorized execution of the tool means an attempt to run the malware binary as an administrator requires providing the necessary credentials. "By usin...
AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

Oct 01, 2024 Cryptocurrency / Threat Intelligence
The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition." "This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in cryptocurrencies," Recorded Future's Insikt Group said in an analysis of version 0.7.0 of the malware. "The malware can recognize seed phrase images on the client side and send them back to the command-and-control (C2) server for further exploitation." First discovered in the wild in September 2022, Rhadamanthys has emerged as one of the most potent information stealers that are advertised under the malware-as-a-service (MaaS) model, alongside Lumma and others. The malware continues to have an active presence despite suffering bans from underground forum...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources