Cybercrime
-
Leaked Shai-Hulud malware resurfaces in npm infostealer campaign
Four malicious npm packages infected with a Shai-Hulud clone were published over the weekend, stealing credentials, secrets and crypto wallet data. One package also added DDoS features, and the combined downloads reached 2,678.
-
Grafana says GitHub token breach let intruder download codebase
Grafana said a stolen token let an unauthorized party access its GitHub environment and download code. The company said no customer data was exposed and that the attacker later tried to extort payment.
-
Researchers say GemStuffer abused more than 150 RubyGems to store scraped council data
Researchers said GemStuffer abused more than 150 RubyGems packages to store scraped data from U.K. council portals, using the registry as an exfiltration channel and raising questions about package registry abuse.
-
RubyGems pauses new signups after major malicious attack
RubyGems has temporarily paused new account signups after what the article described as a major malicious attack involving hundreds of packages. Mend.io said it will share more details once the incident is contained.
-
New TrickMo variant uses TON for Android command control, researchers say
Researchers say a new TrickMo Android trojan variant used TON for command and control and targeted banking and crypto wallet users in France, Italy and Austria. The malware added network reconnaissance, SSH tunnelling and SOCKS5 proxying features.
-
Instructure reaches ransom agreement after Canvas data breach
Instructure said it reached an agreement with an unauthorized actor after a Canvas breach that exposed data tied to thousands of schools and universities, including about 275 million records. The company said stolen data was returned and no customers will be separately extorted.
-
Checkmarx says modified Jenkins plugin was published in supply chain attack
Checkmarx said a modified Jenkins AST plugin was published to the Jenkins Marketplace and warned users to stay on an older safe version. The incident is the latest attack linked to TeamPCP in a broader supply chain campaign.
-
Attackers exploit cPanel flaw to deploy Filemanager backdoor
Attackers linked to Mr_Rot13 are exploiting CVE-2026-41940 in cPanel and WHM to install the Filemanager backdoor, with more than 2,000 source IPs seen in activity, according to a technical analysis by QiAnXin XLab.
-
TrickMo Android banker adds TON blockchain for covert communications
A new TrickMo Android banking malware variant is targeting users in Europe and using the TON blockchain for covert command and control traffic, according to a technical analysis. The malware adds new network and tunneling commands and targets banking and crypto wallets.
-
Google says hackers used AI to help find and weaponize a zero-day 2FA bypass
Google said it found what it believes is the first known in-the-wild use of AI for vulnerability discovery and exploit generation, after attackers used a Python script exploiting a zero-day to bypass two-factor authentication on an open-source admin tool.








