Credential Theft
-
Fake LinkedIn emails abuse Adobe service in phishing campaign
A phishing campaign is using fake LinkedIn business emails and Adobe Target to hide credential theft, with attackers disguising HTML attachments as PDFs and redirecting victims to a real LinkedIn page after login.
-
TrapDoor supply chain attack spreads across npm, PyPI and Crates.io
A coordinated supply chain campaign has spread malicious packages across npm, PyPI and Crates.io, targeting developers with code that steals credentials, wallets, SSH keys and cloud secrets.
-
Malicious node-ipc versions found stealing cloud and developer secrets
Three malicious node-ipc npm versions were found stealing developer and cloud secrets, according to a technical analysis by Socket. The code targets dozens of credential types and uses a direct exfiltration path to a fake Azure domain.
-
New Linux PamDOORa backdoor sold on cybercrime forum, researchers say
Researchers disclosed PamDOORa, a Linux backdoor sold on a Russian cybercrime forum for up to $1,600. The PAM-based tool can provide persistent SSH access, harvest credentials and tamper with logs, though no real-world use has been seen.
-
PCPJack credential stealer targets cloud systems and removes TeamPCP traces
Researchers said PCPJack is a new cloud-focused credential stealer that targets exposed services, removes TeamPCP-related artifacts and uses multiple exploits to spread across compromised environments.
-
CloudZ malware used Phone Link to target Windows data, researchers say
Researchers said CloudZ malware used a Pheno plugin to abuse Windows Phone Link on Windows 10 and 11, aiming to steal credentials and one-time passwords in an intrusion active since at least January 2026.
-
PyPI Lightning package hit by credential-stealing malware
Python package Lightning was compromised on PyPI, with two malicious releases published on April 30, 2026. Security researchers said the code targeted developer credentials and could spread through package ecosystems.
-
Python backdoor DEEP#DOOR uses tunneling service to hide remote access
Researchers disclosed DEEP#DOOR, a Python backdoor that uses a public tunneling service for command and control, steals credentials and includes multiple persistence and defense evasion features.
-
UNC6692 Uses Microsoft Teams Help Desk Impersonation to Push Custom Malware
UNC6692 used Microsoft Teams help desk impersonation, email bombing and a custom malware chain to target corporate users, according to Mandiant. The activity included credential harvesting, remote access, tunneling and later-stage network movement.
-
Bitwarden CLI hit by npm supply chain compromise in Checkmarx-linked campaign
Bitwarden said its CLI package was briefly compromised on npm on April 22, 2026, in a supply chain attack that targeted developer secrets and CI/CD credentials through version 2026.4.0.
