malware: 9 articles
AI Chatbots Are Sending Users Straight to Cryptojacking Malware
If you ask an AI chatbot to recommend a useful tool or service and it helpfully provides a link, you might want to think twice before clicking. Security researchers have identified a pattern where chatbot recommendations are directing users toward sites hosting cryptojacking malware, software designed to quietly hijack your hardware and mine cryptocurrency for someone else's benefit.
One Hacker Group Is Turning Software Supply Chains Into a Self-Replicating Nightmare
A cybercriminal group called TeamPCP has carried out an unprecedented wave of software supply chain attacks, hiding malware in hundreds of open source tools to breach companies including GitHub, OpenAI, and the European Commission's website. Their self-perpetuating strategy involves stealing developer credentials to compromise more tools, recently automated through a self-spreading worm called Mini Shai-Hulud, resulting in over 500 corrupted software packages across 20 attack waves in just a few months. Security experts warn that organisations should rotate authentication tokens regularly, avoid auto-updating open source tools, and vet new code before deployment, as the group shows no signs of slowing down.
Supply Chain Attack Hits Packagist: Eight PHP Packages Compromised via GitHub-Delivered Malware
Eight packages on Packagist, the primary dependency registry for PHP projects, were quietly backdoored in a supply chain attack that used GitHub infrastructure to serve Linux malware.
One Hacker Group Is Turning Software Supply Chain Attacks Into a Production Line
A cybercriminal group called TeamPCP has carried out an unprecedented wave of software supply chain attacks, embedding malware in over 500 open source tools to infiltrate hundreds of companies, including GitHub, Anthropic, and the European Commission's public website. The group exploits a self-perpetuating cycle — compromising developer tools to steal credentials, then using those credentials to poison more tools — and has recently automated attacks using a self-spreading worm called Mini Shai-Hulud. Security experts warn that organisations must practice better credential hygiene, carefully vet software updates, and avoid automatically installing the latest versions of open source packages to protect themselves.
FBI Director's Merch Site Is Serving Malware to macOS Users
FBI Director Kash Patel's merchandise website, BasedApparel.com, was found hosting a "ClickFix" malware attack that tricks macOS users into running a malicious command by disguising it as a Cloudflare human-verification process. Victims are prompted to copy what appears to be a simple verification code, but the clipboard actually receives a hidden obfuscated command that, when run in Terminal, executes a script designed to steal browser credentials and cryptocurrency wallet data. The attack likely resulted from hackers compromising the site, and the malicious payload was flagged by 27 antivirus engines as a Trojan/infostealer.
Megalodon Attack Poisons Thousands of GitHub Repos via CI/CD Hijacking
Someone has been systematically targeting GitHub repositories at scale.
Microsoft Dismantles Shady Code-Signing Operation Fuelling Ransomware Campaigns
Microsoft has taken down a malware-signing service that threat actors were using to get ransomware and other malicious software past Windows security defences. The operation targeted a cybercriminal outfit providing a kind of laundering service for malware, giving malicious software legitimately signed certificates so that it looked trustworthy to the operating system.
Another npm Account Hijacked, 314 Packages Poisoned in Under Half an Hour
A compromised npm account infected 314 JavaScript packages — including popular ones like size-sensor and echarts-for-react with millions of monthly downloads — with malware that steals credentials for cloud platforms, GitHub, and npm, and uses GitHub as a command-and-control backdoor. The attack, which unfolded in just 22 minutes, follows the same pattern as a similar incident three weeks ago and is part of an ongoing wave of npm supply chain attacks dubbed "Shai-Hulud." Developers who installed affected versions are advised to rotate all credentials, while npm owner GitHub has said little about the continuing series of incidents.
Reaper Malware Hits macOS: Steals Passwords, Drains Crypto Wallets, Then Quietly Moves In
A new macOS malware variant called Reaper, an updated version of the SHub stealer, targets users by spoofing trusted domains like Apple, Microsoft, and Google to steal passwords, cryptocurrency wallet credentials, and sensitive files. Unlike earlier versions, it bypasses Apple's Terminal entirely by using macOS Script Editor to execute its malicious payload, circumventing defences added in macOS Tahoe 26.4. The malware also establishes persistent backdoor access by disguising itself as a Google Software Update process, allowing attackers to remotely execute code on compromised machines every 60 seconds.