Credential Theft
-
Malicious npm packages spread self-propagating worm through stolen developer tokens
Researchers found a self-propagating npm supply chain worm in April 2026 that stole developer secrets, reused npm tokens to publish poisoned packages and also included PyPI propagation logic.
-
DeepLoad malware uses ClickFix lure and WMI to spread and steal credentials
A new DeepLoad malware campaign is using ClickFix lures, Windows tools and WMI to steal credentials, hide activity and reinfect cleaned hosts, according to a technical analysis from ReliaQuest.
-
Phishing campaign targets TikTok for Business accounts with bot-blocking pages
A phishing campaign is targeting TikTok for Business accounts with bot-blocking pages that redirect through Google Storage and use a Cloudflare Turnstile check, then present fake login pages designed to capture credentials and session cookies.
-
CL-UNK-1068 espionage campaign targets critical sectors across Asia
Palo Alto Networks Unit 42 reported a years-long CL-UNK-1068 campaign that targeted critical sectors across Asia, using web server exploits, web shells and credential theft tools to steal sensitive files and maintain persistent access.
-
Mustang Panda deploys updated COOLCLIENT backdoor to steal endpoint data
An updated COOLCLIENT backdoor linked to Mustang Panda was used in 2025 to steal keystrokes, browser credentials and files from government endpoints across Myanmar, Mongolia, Malaysia and Russia, according to a technical analysis by Kaspersky.
-
Phishing campaign leverages stolen credentials to deploy legitimate RMM for persistent access
Researchers reported a dual-wave phishing campaign that harvests Outlook, Yahoo and AOL credentials to register with LogMeIn and deploy LogMeIn Resolve via a signed executable named GreenVelopeCard.exe to maintain persistent remote access.
-
ownCloud urges users to enable MFA after credential theft reports
ownCloud urged users to enable multi-factor authentication after attackers used credentials stolen by infostealer malware to access self-hosted file sharing instances. The advisory recommends MFA, password resets, session invalidation, and log review.
-
Two Chrome extensions intercepted traffic and exfiltrated credentials, researchers say
Researchers reported two Chrome extensions named Phantom Shuttle that posed as VPN/speed-test tools but injected hard-coded proxy credentials, routed traffic through attacker-controlled proxies and exfiltrated user credentials and other sensitive data to a command-and-control server.
-
Researchers Flag Four New Phishing Kits That Automate Credential Theft and MFA Bypass
Security firms have identified four phishing kits — BlackForce, GhostFrame, InboxPrime AI and Spiderman — that automate credential theft, bypass multi-factor authentication and mass-produce phishing emails, with researchers warning the tools lower barriers for large-scale attacks.
-
Researchers disclose Sturnus Android banking trojan that can capture messages and take over devices
Security researchers say a new Android banking trojan called Sturnus can capture decrypted messages from apps like WhatsApp, Telegram and Signal, present fake bank login screens, and allow remote control of infected devices; ThreatFabric reports the campaign so far is limited to Southern and Central Europe.
