Articles tagged "Malware"

Found 352 articles

Actively Exploited

A new version of the GlassWorm campaign is targeting software developers by distributing a fake Visual Studio Code extension. This malicious extension acts as a dropper, compiled using the Zig programming language, and can infect multiple integrated development environments (IDEs) on the same machine. By exploiting a trusted platform, attackers can silently install harmful software that compromises development environments. This poses a significant risk to developers and organizations using these tools, as it can lead to unauthorized access to sensitive code and data. Users of various IDEs should be cautious about the extensions they install and ensure they come from verified sources.

Impact: Visual Studio Code and other compatible IDEs, potentially affecting any development environment on infected machines.
Remediation: Users should avoid installing extensions from unverified sources and regularly check for updates from trusted vendors.

Security researchers have identified a new Android banking trojan called Mirax, which is targeting users across Europe. The malware is offered under a Malware-as-a-Service (MaaS) model; once installed, it gives cybercriminals remote access and turns affected smartphones into residential proxy nodes. By doing this, attackers can route their malicious activities through the compromised devices, making it harder to trace their actions back to them. This poses a significant risk to users, as their personal data and banking information could be exposed. The emergence of Mirax highlights ongoing vulnerabilities in mobile security and the need for users to remain vigilant against such threats.

Impact: Android devices
Remediation: Users should ensure their devices are protected with up-to-date security software, avoid downloading apps from untrusted sources, and regularly monitor their bank accounts for suspicious activity.

A new infostealer called 'Storm' has emerged, capable of hijacking user sessions by decrypting stolen browser data on the attackers' server side rather than on the victim's machine. This technique allows attackers to bypass traditional security measures like passwords and multi-factor authentication (MFA). Researchers from Varonis have demonstrated how the infostealer sends sensitive browser data directly to the attackers' servers, raising significant concerns about user privacy and account security. The implications are serious, as organizations relying on standard security protocols may find themselves vulnerable to these sophisticated attacks. Companies should be vigilant and assess their security measures to protect against this evolving threat.

Impact: Web browsers and online accounts that rely on session management and MFA.
Remediation: Implement enhanced security measures such as stronger session management, continuous monitoring of user sessions, and consider additional layers of authentication beyond MFA.

Kaspersky's GReAT team has reported on a new campaign involving JanelaRAT, a type of remote access trojan that specifically targets financial information from users in Latin America. This malware is designed to steal sensitive data, including banking credentials, by infecting victims' devices through a series of sophisticated techniques. The infection process and the functionality of the malware have both been updated, making it more dangerous than previous versions. This campaign is particularly concerning as it highlights the ongoing risks to financial security for users in the region, especially given the rise of online banking and digital transactions. Users in Latin America need to be aware of this threat and take steps to protect their financial information.

Impact: Users in Latin America, financial institutions, banking systems
Remediation: Users should ensure their antivirus software is up to date, avoid clicking on suspicious links, and be cautious with unsolicited emails or messages.

Actively Exploited

Recent research has identified thirty-six malicious npm packages related to the Strapi framework that have been linked to Redis remote code execution (RCE), database theft, and persistent command and control (C2) capabilities. In addition, malicious LNK files are being used to distribute a Python-based backdoor. The Kimsuky Group has also been noted for changing their distribution techniques to enhance their attacks. These developments pose serious risks to developers and organizations using these tools, as they could lead to unauthorized access and data breaches. It is crucial for users to be vigilant and ensure they are using secure versions of these packages to avoid falling victim to these threats.

Impact: Strapi framework, Redis, npm packages, Python-based backdoor
Remediation: Users should review and remove any malicious npm packages, ensure their software is up to date, and follow best practices for securing their environments.

The GlassWorm campaign has evolved significantly since its inception in 2025, now utilizing a Zig-based dropper embedded in a fake Integrated Development Environment (IDE) extension. This method targets developer tools, allowing attackers to compromise systems through malicious software packages. Initially starting with harmful npm packages, the campaign has escalated to large-scale supply chain attacks affecting platforms like GitHub, npm, and Visual Studio Code. Additionally, the attackers have deployed Remote Access Trojans (RATs) via counterfeit browser extensions. This evolution raises concerns for developers and organizations, as it highlights the growing sophistication of supply chain threats in the software development ecosystem.

Impact: GitHub, npm, Visual Studio Code, developer tools
Remediation: Developers should avoid installing unverified extensions and regularly audit their dependencies for malicious packages.

Actively Exploited

In October 2025, researchers identified a new malware strain named LucidRook, which is targeting non-governmental organizations (NGOs) in Taiwan. The malware is delivered through RAR or 7-Zip archives that use social engineering tactics to entice users into executing a dropper called LucidPawn. This method of distribution raises concerns about the security of NGOs, which often handle sensitive information and may not have the same level of cybersecurity resources as larger organizations. The attacks reflect a growing trend of cybercriminals focusing on specific groups, potentially aiming to disrupt their operations or steal valuable data. As these organizations face increasing risks, the need for heightened security measures becomes more critical.

Impact: NGOs in Taiwan
Remediation: Organizations should implement rigorous security training for employees, use advanced email filtering, and ensure that antivirus software is up to date. Regularly backing up data and monitoring network traffic for unusual activity are also recommended.

Researchers have discovered a new malware known as LucidRook, which is written in Lua and is being deployed in targeted spear-phishing campaigns aimed at non-governmental organizations (NGOs) and universities in Taiwan. This malware is particularly concerning because it represents a shift in tactics, focusing on sectors often involved in sensitive and impactful work. Attackers are leveraging deceptive emails to compromise their targets, potentially leading to data breaches or other security incidents. The targeting of educational and humanitarian organizations indicates that attackers are seeking valuable information that could be exploited for various malicious purposes. Organizations in these sectors need to be vigilant and enhance their security measures to defend against such threats.

Impact: Non-governmental organizations, universities
Remediation: Organizations should enhance email filtering and employee training on recognizing phishing attempts. Regular software updates and security audits are also recommended.

Actively Exploited

The North Korean hacking group behind the Contagious Interview campaign has expanded its operations, releasing over a dozen new malicious packages across various programming ecosystems, including npm, PyPI, Go Modules, crates.io, and Packagist. Since the campaign began in January 2025, more than 1,700 harmful packages have been identified. These malicious packages are designed to compromise systems and facilitate malware installation, posing a significant risk to developers and organizations that rely on these ecosystems for software development. Users need to be cautious about the packages they download and verify their sources to avoid falling victim to these attacks.

Impact: npm, PyPI, Go Modules, crates.io, Packagist ecosystems
Remediation: Users should verify the sources of packages they download and be cautious of unknown or untrusted packages.

A recent cybersecurity campaign attributed to APT28, also known as Fancy Bear, has been uncovered by Trend Micro. The attackers are using a new malware called PRISMEX to target Ukraine and its allies. They exploit recently disclosed vulnerabilities, specifically CVE-2026-21509 and CVE-2026-21513, to bypass security measures and gain unauthorized access. This type of espionage can significantly affect national security and the stability of the region, as sensitive information could be compromised. The targeting of Ukraine, in particular, raises alarms given the ongoing conflict in the area, indicating that the stakes are high for both military and political intelligence.

Impact: CVE-2026-21509, CVE-2026-21513 (specific products affected not listed)
Remediation: Organizations should apply security patches for CVE-2026-21509 and CVE-2026-21513 as they become available. It's also recommended to enhance monitoring for suspicious activity and to implement network segmentation to limit exposure.

Hackers have compromised the update system for the Smart Slider 3 Pro plugin, which is used in WordPress and Joomla websites. These attackers managed to distribute a malicious version of the plugin that contains multiple backdoors, allowing them to access and control affected sites. This incident puts users of both platforms at risk, as the malicious code can lead to data breaches and unauthorized actions on their websites. Website administrators should be particularly vigilant, as the compromised update could have far-reaching consequences if not addressed promptly. Users are strongly advised to check their installations and update to the latest secure versions to mitigate any potential damage.

Impact: Smart Slider 3 Pro plugin for WordPress and Joomla
Remediation: Users should immediately check for updates to Smart Slider 3 Pro and ensure they are running the latest secure version. Additionally, they should scan their websites for any signs of compromise.

A Russian hacking group known as APT28 has been using a novel approach to conduct cyber espionage by exploiting vulnerabilities in small office/home office (SOHO) routers. The attackers modify a single DNS setting in these devices to siphon off login credentials from global organizations. This method allows them to bypass traditional malware detection, making their activities harder to trace. Companies that rely on vulnerable routers for their internet connectivity are particularly at risk, as this could lead to significant data breaches and unauthorized access. Organizations are urged to secure their routers and monitor for suspicious activity to mitigate this risk.

Impact: SOHO routers from various vendors
Remediation: Users should update router firmware, change default passwords, and regularly check DNS settings for unauthorized changes.

Researchers have discovered a significant cyberattack affecting nearly 100 online stores that use the Magento e-commerce platform. Hackers are embedding credit card-stealing malware within a tiny, pixel-sized Scalable Vector Graphics (SVG) image. This method allows the malicious code to go unnoticed while capturing sensitive payment information from unsuspecting customers. The attack impacts both businesses and their customers, as compromised stores could lead to financial losses and identity theft. Users shopping on these affected sites should be cautious and monitor their financial statements for any unauthorized transactions.

Impact: Magento e-commerce platform stores
Remediation: Website owners should review their code for any unauthorized SVG images, implement web application firewalls, and ensure that their security patches are up to date.

Actively Exploited

Researchers have identified seven new variants of BPFDoor malware that have advanced capabilities for stealthily compromising major telecommunication networks. This malware can now utilize stateless command-and-control routing, making it more difficult for security teams to detect and mitigate. The implications of this development are significant, as it potentially allows attackers to infiltrate and disrupt critical communication infrastructure. Telecommunication companies should be on high alert and assess their defenses against this evolving threat. The discovery emphasizes the ongoing challenges in securing network environments against sophisticated malware attacks.

Impact: Major telecommunication networks
Remediation: Telecommunication companies should enhance their network monitoring and implement robust intrusion detection systems to identify and respond to BPFDoor activity.

A new campaign is targeting macOS users with the Atomic Stealer malware, using the Script Editor to execute commands in a method similar to a previous ClickFix attack. This tactic tricks users into running malicious scripts, which can lead to sensitive data being stolen. The attack primarily affects macOS computers, putting users’ personal information at risk. Security researchers are urging users to be cautious about running scripts from untrusted sources, as this method can bypass some security measures. Awareness and vigilance are key, as these types of attacks can lead to significant data breaches if not addressed promptly.

Impact: macOS users, Atomic Stealer malware
Remediation: Users should avoid executing scripts from untrusted sources and ensure their macOS is updated with the latest security patches.