Tag

Credential Theft

All articles tagged with #credential theft

Malicious npm Packages Exploit Phishing to Steal Login Credentials

Originally Published 15 days ago — by The Hacker News

Source: The Hacker News

Cybersecurity researchers uncovered a targeted spear-phishing campaign using 27 malicious npm packages to host browser-based phishing lures mimicking document-sharing portals and Microsoft sign-in pages, primarily targeting organizations in critical infrastructure sectors across multiple countries. The campaign leverages package CDNs for resilient hosting, employs anti-analysis techniques, and hard-codes specific email addresses, with the goal of stealing login credentials. The activity highlights ongoing threats in the software supply chain, emphasizing the need for stringent dependency verification and monitoring.

Security Threats Emerge from Malicious and AI-Generated Extensions on Developer Platforms

Originally Published 2 months ago — by The Hacker News

Source: The Hacker News

Cybersecurity researchers have identified three malicious VS Code extensions linked to the GlassWorm campaign, which uses invisible Unicode characters to hide malware, steal credentials, and spread in a worm-like fashion. Despite removal efforts, the threat has resurfaced, leveraging blockchain-based command-and-control infrastructure to maintain resilience. The attack has affected victims worldwide, including a major Middle Eastern government, and has expanded to target GitHub repositories.

Google Enhances Security Measures to Combat Account Hacks and Cyberattacks

Originally Published 5 months ago — by Forbes

Source: Forbes

Google reports a significant increase in account hacking attacks, primarily through phishing and credential theft, with an 84% rise last year and ongoing threats in 2025. The company provides a step-by-step guide for users to recover their accounts, emphasizing the importance of using trusted devices and following security protocols. Experts highlight that attackers often use legitimate email accounts for credential harvesting, posing risks beyond Google users. Users are advised to stay vigilant and follow recommended security practices to protect their accounts.

New 'Plague' Linux Backdoor Evades Detection to Steal Credentials

Originally Published 5 months ago — by The Hacker News

Source: The Hacker News

Cybersecurity researchers have discovered a previously undetected Linux backdoor called Plague, which exploits PAM modules to silently bypass authentication and maintain persistent SSH access. It evades detection through advanced obfuscation and environment tampering, posing a significant threat to Linux systems.

Massive 16 Billion Passwords Leak Sparks Crypto Security Concerns

Originally Published 6 months ago — by Cointelegraph

Source: Cointelegraph

A massive leak of over 16 billion passwords from major online services like Apple, Google, and Facebook raises significant security concerns, especially for crypto users, as it could lead to increased account takeovers and thefts. The breach highlights vulnerabilities such as password reuse and weak authentication, urging users to update passwords, enable 2FA, and secure recovery data.

Massive Data Breach Exposes 184 Million Passwords, Urging Immediate Security Measures

Originally Published 7 months ago — by Geo.tv

Source: Geo.tv

Pakistan's National Cyber Emergency Response Team has urged citizens to change all social media passwords following a massive global data leak exposing 184 million account credentials, which poses risks like account takeovers, identity theft, and targeted scams. Immediate action, including creating strong, unique passwords and enabling multi-factor authentication, is recommended to mitigate potential damages.

Cyber Threat Alert: Phishing Attacks Exploit Microsoft Visio Files

Originally Published 1 year ago — by Forbes

Source: Forbes

Security researchers from Perception Point have identified a new two-step phishing attack method using Microsoft Visio (.vsdx) files to evade detection and steal credentials. These attacks exploit the familiarity of Visio files in workplaces, embedding malicious URLs that lead victims to fake Microsoft 365 login pages. The attack involves instructing users to hold down the Ctrl key to access these URLs, bypassing automated security systems. Enhanced email security and two-factor authentication are recommended to mitigate these threats.

Snowflake and Ticketmaster Breaches: Credential Theft and Data Leaks Under Scrutiny

Originally Published 1 year ago — by The Hacker News

Source: The Hacker News

Snowflake has warned that a targeted credential theft campaign is affecting a limited number of its cloud customers, with threat actors using stolen credentials obtained through infostealing malware to access accounts with single-factor authentication. The company, along with CrowdStrike and Mandiant, has found no evidence of a platform vulnerability or compromised Snowflake personnel credentials. Organizations are urged to enable multi-factor authentication and restrict network traffic to trusted locations. The U.S. CISA and Australia's ACSC have issued similar advisories following the spike in malicious activity.

Cloud Security Alert: Kinsing Actors Exploit Linux Flaw for Breaching Environments

Originally Published 2 years ago — by The Hacker News

Source: The Hacker News

Threat actors associated with Kinsing are exploiting the recently disclosed Linux privilege escalation flaw, Looney Tunables, in a new experimental campaign aimed at breaching cloud environments. The attackers are also extracting credentials from the Cloud Service Provider (CSP), marking the first documented instance of active exploitation of Looney Tunables. Kinsing actors have a history of quickly adapting their attack chains to exploit newly disclosed security flaws, and in this case, they are using a critical remote code execution vulnerability in PHPUnit to gain initial access. The ultimate goal of the attack is to extract CSP credentials for future attacks, indicating a potential broadening and intensification of the Kinsing operation in cloud-native environments.