VulnHub

The latest Malware newsletter from Security Affairs reports on several significant cybersecurity threats. One notable incident involves new malware specifically targeting users of Cobra DocGuard software, potentially compromising sensitive data. Additionally, Iranian cyber actors have been using Telegram as a command and control channel to distribute malware to predetermined targets, raising concerns about state-sponsored cyber activities. The newsletter also discusses the Trivy supply chain attack, which has now expanded to include compromised Docker images, putting many containerized applications at risk. Lastly, a new malware called VoidStealer has been identified, which manipulates Chrome debugging tools to extract user information. These developments highlight ongoing vulnerabilities in software and the tactics employed by cybercriminals and state actors alike.

TeamPCP, a group known for supply chain attacks, has targeted the Telnyx Python package by releasing two malicious versions (4.87.1 and 4.87.2) on March 27, 2026. These versions, available on the Python Package Index (PyPI), are designed to steal sensitive user data by hiding their credential-stealing features within .WAV files. This incident poses a significant risk to developers and organizations that rely on the Telnyx package for their applications, as it can lead to unauthorized access to sensitive data. Users who downloaded these versions may unknowingly expose their credentials, making it crucial for the community to act swiftly to mitigate potential damage.

Researchers at Endor Labs have reported that the TeamPCP group has compromised the Telnyx package on the Python Package Index (PyPI). Versions 4.87.1 and 4.87.2 of the Telnyx SDK, which is used for the Telnyx AI Voice Agent service, were modified to include malicious code. The first version contained non-functional malicious code, while the second version may pose a greater risk. This incident highlights the ongoing risks associated with supply chain attacks, where attackers modify legitimate software to distribute malware. Developers and organizations using this SDK should be vigilant and consider removing or updating their versions immediately to mitigate any potential threats.

Recent reports indicate that nation-state malware is increasingly being made available on the Dark Web and even leaked on platforms like GitHub. This development poses a significant risk to organizations that may lack the resources or expertise to defend against such sophisticated attacks. The sale of these exploit kits means that even smaller companies, which typically may not be in the crosshairs of state-sponsored attackers, could become targets simply due to their vulnerability. The ease of access to powerful hacking tools could empower a wider range of attackers, making it crucial for all organizations to enhance their cybersecurity defenses. This situation raises serious concerns about the overall security landscape and the potential for widespread exploitation of vulnerable systems.

A new malware known as EtherRAT is using Ethereum smart contracts to hide its command and control (C2) infrastructure, making it difficult for security systems to detect. The malware employs a technique called EtherHiding, which allows it to obscure its activities within the blockchain. Once deployed, EtherRAT can steal cryptocurrency wallets and sensitive credentials from infected devices. This poses a significant risk to users involved in cryptocurrency transactions, as they may unknowingly expose their assets to attackers. Researchers are warning that as this malware evolves, more users could fall victim to theft and fraud, particularly in the growing landscape of decentralized finance.

Researchers at CyberProof have identified a significant rise in PXA Stealer malware attacks, with a 10% increase targeting financial institutions in the first quarter of 2026. This malware is particularly concerning because it is designed to steal sensitive information from banking customers. Attackers use Telegram as a channel to exfiltrate the stolen data, which raises red flags about the security measures in place for protecting financial transactions. This surge in attacks could have serious implications for both banks and their clients, potentially leading to financial losses and privacy breaches. As the threat evolves, financial institutions must strengthen their defenses and educate users on recognizing potential scams and threats.

Mirai malware has evolved into numerous variants, including notable ones like Aisuru and KimWolf, which are fueling the growth of botnets that target vulnerable Internet of Things (IoT) devices. These variants are being used in large-scale attacks, posing significant risks to users worldwide. Researchers are warning that many IoT devices, often lacking adequate security measures, are at high risk of being compromised by these evolving threats. As these botnets expand, the potential for widespread disruption increases, highlighting the urgent need for manufacturers and users to improve security protocols for their devices. This situation emphasizes the ongoing challenge of securing IoT ecosystems against sophisticated malware attacks.

A new type of malware called Torg Grabber is targeting users by stealing sensitive information from around 850 browser extensions, with over 700 specifically linked to cryptocurrency wallets. This malware is designed to capture private keys, passwords, and other critical data, posing a significant risk to individuals who manage their digital assets online. The widespread nature of this attack means that many popular wallet extensions could be compromised, leaving users vulnerable to financial theft. Researchers are urging users to be cautious about which extensions they install and to regularly update their security practices. This incident highlights the ongoing challenges in keeping digital assets safe from evolving cyber threats.

The Python package LiteLLM has been compromised by the TeamPCP threat group, which has embedded credential-stealing malware within it. This incident raises concerns for developers and organizations that rely on Python's package index (PyPI) for software components, as they may unwittingly download malicious code. The malware is designed to capture sensitive information, potentially putting user accounts and organizational data at risk. Users who have downloaded LiteLLM should take immediate action to remove the package and check for any unauthorized access to their accounts. This incident serves as a reminder of the vulnerabilities associated with third-party packages and the importance of verifying software integrity before installation.

Researchers at Expel have raised concerns about malicious Chrome extensions that are targeting users' conversations with AI tools. These extensions, often disguised as useful add-ons, can secretly collect and transmit sensitive information, including chat history and personal data. Users who install these extensions unknowingly expose their private interactions to potential attackers. This incident is particularly concerning as AI technology becomes more integrated into daily tasks, increasing the risk of data breaches. Users are advised to be cautious about the extensions they install and to regularly review their browser settings for any unauthorized additions.

Recent cyberattacks attributed to the group TeamPCP have targeted several popular tools including Checkmarx's KICS code scanner, the Trivy security scanner, and the VS Code plug-ins, as well as the LiteLLM AI library. These attacks suggest a coordinated effort to compromise supply chain security, affecting developers and organizations that rely on these tools for secure coding practices. As the threat landscape evolves, it is crucial for users of these products to remain vigilant and monitor for any suspicious activities. The ongoing nature of these attacks raises concerns about the security of software development environments, emphasizing the need for robust security measures. Companies using these tools should consider reviewing their security protocols to mitigate potential risks.

TeamPCP, a known threat actor, has compromised the popular Python package litellm by injecting malicious code into versions 1.82.7 and 1.82.8. This compromise was linked to earlier incidents involving the Trivy and KICS tools. The malicious versions contain a credential harvester, a toolkit for lateral movement within Kubernetes environments, and a persistent backdoor. Security companies like Endor Labs and JFrog have confirmed the issue, raising concerns for developers and organizations using this package. The presence of these backdoors could allow attackers to gain unauthorized access to sensitive information and systems, making it crucial for users to act quickly to protect their environments.

Attackers have hacked Trivy, an open-source security tool, and released malicious versions of the software. This incident raises concerns as Mandiant warns that it could affect up to 10,000 downstream users who rely on Trivy for security assessments. The presence of compromised versions may lead to a significant rise in extortion attempts against these users. The situation emphasizes the risks associated with using open-source tools, particularly when they become targets for malicious actors. Organizations that use Trivy need to be vigilant and assess their security protocols to mitigate potential fallout.