Articles tagged "Malware"

Found 353 articles

A new campaign is targeting macOS users with the Atomic Stealer malware, using the Script Editor to execute commands in a method similar to a previous ClickFix attack. This tactic tricks users into running malicious scripts, which can lead to sensitive data being stolen. The attack primarily affects macOS computers, putting users’ personal information at risk. Security researchers are urging users to be cautious about running scripts from untrusted sources, as this method can bypass some security measures. Awareness and vigilance are key, as these types of attacks can lead to significant data breaches if not addressed promptly.

Impact: macOS users, Atomic Stealer malware
Remediation: Users should avoid executing scripts from untrusted sources and ensure their macOS is updated with the latest security patches.
Python Supply-Chain Compromise

Schneier on Security

Actively Exploited

Researchers have discovered a malicious code injection in the Python Package Index (PyPI) through a compromised version of the litellm package, specifically version 1.82.8. This version includes a harmful .pth file that executes automatically when Python starts, without needing the litellm module to be imported. This means that any user who installs this package could unknowingly run the malicious code, posing a significant risk to their systems. The incident raises concerns about supply chain security in the Python ecosystem and underscores the need for better security measures, such as Software Bill of Materials (SBOMs) and verification systems. Users of Python and developers relying on this package should take immediate steps to secure their environments and avoid the compromised version.

Impact: Python Package Index (PyPI), litellm version 1.82.8
Remediation: Users should uninstall litellm version 1.82.8 and replace it with a safe version. Additionally, implementing security measures like SBOMs and code signing is recommended.

The FBI has successfully disrupted a network of DNS hijacking attacks linked to the Russian hacking group APT28. This group, also known as Fancy Bear, has been known for targeting various sectors, including government and military organizations. The FBI's action involved disconnecting US-based routers that had been compromised, effectively cutting them off from APT28's control. This incident underscores the ongoing threat posed by foreign cyber actors to US infrastructure and services. By taking these routers offline, the FBI aims to protect users from being redirected to malicious sites that could steal sensitive information or install malware.

Impact: US-based routers, DNS services
Remediation: FBI disconnected compromised routers from the malicious network; users should ensure their routers are secured and updated.
Actively Exploited

The official WordPress site for the open-source decompiler ILSpy has been compromised by malicious actors, leading to a supply chain attack that targets developers. This breach allows attackers to distribute malware disguised as legitimate software, putting users who download from the site at risk. Developers using ILSpy may unknowingly install malware on their systems, which can lead to further exploitation or data breaches. Supply chain attacks like this one are particularly concerning because they exploit trusted sources, making it harder for users to detect malicious activity. As a result, developers need to be cautious about where they download software and ensure they verify the integrity of their tools.

Impact: ILSpy WordPress site, developers using ILSpy
Remediation: Users should avoid downloading software from the compromised site until further notice and verify the source of any software they intend to use.

A malicious package named 'hermes-px' has been found on PyPI, posing as an AI inference proxy tool compatible with OpenAI. This package was used by attackers to compromise the internal AI endpoint of a Tunisian university. Once inside, they were able to exfiltrate sensitive data, including prompts and conversations from Anthropic's Claude AI. This incident raises concerns about the security of third-party packages and the potential for serious data breaches if similar tactics are employed elsewhere. Users and developers need to be vigilant about the origins of the code they use to avoid falling victim to such attacks.

Impact: PyPI, hermes-px package, Anthropic Claude AI
Remediation: Users should avoid using unverified packages, conduct thorough code reviews, and implement security measures to monitor for unauthorized data access.

The UK security agency has issued a warning about a new series of cyberattacks linked to the Russian hacking group APT28. These attackers are modifying virtual private servers to function as malicious DNS servers, which they then use to hijack routers. This tactic allows them to steal user credentials and potentially gain access to sensitive information. The implications of these attacks are significant, as they could affect a wide range of internet users and organizations relying on compromised routers for secure connections. Users are advised to ensure their router firmware is up-to-date and to monitor their networks for any suspicious activity.

Impact: Routers, DNS servers
Remediation: Update router firmware and monitor network activity for suspicious behavior.

Kaspersky has reported that SparkCat malware has resurfaced on app stores, specifically targeting cryptocurrency users in Asia. This malware has been found in applications available for both iOS and Android devices. Users downloading these apps may unknowingly expose their sensitive information, such as cryptocurrency wallet details, to attackers. This resurgence is particularly concerning given the increasing popularity of cryptocurrency among users, making them prime targets for cybercriminals. As the malware spreads, it underlines the need for users to be vigilant about the apps they download and the permissions they grant.

Impact: iOS and Android applications targeting cryptocurrency users
Remediation: Users should verify the legitimacy of apps before downloading, avoid apps from untrusted sources, and regularly update their devices with the latest security patches.

Hackers have targeted users of Guardarian by publishing 36 malicious NPM packages that masquerade as Strapi plugins. These deceptive packages are designed to execute shell commands, escape container environments, and steal user credentials. This attack poses a serious risk to developers and organizations using Strapi, as the malicious code could lead to significant data breaches or unauthorized access. Users of Strapi should exercise caution and verify the authenticity of any plugins they intend to use, as these packages can compromise their systems. This incident serves as a reminder of the ongoing risks associated with third-party software dependencies.

Impact: Strapi, NPM packages
Remediation: Users should verify the authenticity of NPM packages and avoid using unverified plugins. Regularly audit dependencies and monitor for any suspicious activity.

A recent campaign has seen threat actors impersonating CERT-UA, the Ukrainian Computer Emergency Response Team, to distribute AGEWHEEZE malware. This operation has targeted around 1 million users across various sectors, including government, healthcare, education, and finance. By masquerading as a trusted entity, the attackers aim to deceive users into downloading the malicious software, which can lead to data theft and other security issues. The scale of the attack is concerning, as it affects critical sectors that handle sensitive information. Users in these fields should be particularly vigilant about the sources of software downloads and ensure they are only using verified channels.

Impact: CERT-UA impersonation, AGEWHEEZE malware
Remediation: Users should verify the authenticity of software sources and refrain from downloading applications from untrusted sites.
Actively Exploited

Recent analysis has revealed that a malware known as Chaos is now targeting 64-bit Linux servers, primarily associated with groups linked to China. Researchers found that these attackers are employing a two-pronged strategy: one that acts quickly and another that allows for longer dwell times within compromised systems. This dual approach not only increases the chances of successful infiltration but also makes it harder for organizations to detect and respond to the attacks. Given the prevalence of Linux servers in various industries, this development poses a significant risk to a wide range of businesses, potentially leading to data breaches and service disruptions. Companies using Linux servers are urged to enhance their security measures to defend against this escalating threat.

Impact: 64-bit Linux servers
Remediation: Organizations should implement security updates, monitor server activity closely, and consider employing advanced threat detection tools.

A Chinese cyber group known as TA416 has been targeting European government and diplomatic entities since mid-2025, resuming its activities after a two-year lull. This campaign employs malware like PlugX and uses OAuth-based phishing techniques to compromise systems. TA416 is linked to various other hacking groups, including DarkPeony and RedDelta, indicating a broader network of cyber threats. The resurgence of these attacks raises concerns about the vulnerability of government institutions in Europe, especially given the increasing geopolitical tensions. Authorities and organizations need to bolster their cybersecurity measures to protect sensitive information from these state-sponsored actors.

Impact: European government and diplomatic organizations
Remediation: Organizations should enhance their cybersecurity protocols, including implementing multi-factor authentication and regular training for employees on recognizing phishing attempts.

Recent leaks of the Claude Code source code have been exploited by cybercriminals to distribute Vidar information-stealing malware through fraudulent GitHub repositories. Attackers are creating fake repositories that appear legitimate, luring unsuspecting users into downloading the malicious software. This situation puts many users at risk, especially those who might be searching for the leaked code or related tools on GitHub. The Vidar malware is known for stealing sensitive information such as login credentials and personal data. Users should be cautious when downloading software from unofficial sources and verify the legitimacy of repositories before proceeding.

Impact: Vidar information-stealing malware
Remediation: Users should avoid downloading software from unofficial GitHub repositories and verify the authenticity of any code they are interested in.

CrystalRAT is a new type of malware that has emerged in 2023, functioning as a malware-as-a-service platform. It operates on a subscription model, allowing users to access its capabilities, which include remote access to infected systems and features designed for pranks. Researchers from Kaspersky have noted that CrystalRAT bears a strong resemblance to an earlier malware called WebRAT. This is concerning as it lowers the barrier for entry for cybercriminals, enabling even those with limited technical skills to launch attacks. The rise of such services poses a growing threat to individuals and organizations, as they can be exploited for a variety of malicious purposes including data theft and system manipulation.

Impact: CrystalRAT malware, potentially affecting any system it infects.
Remediation: Users should ensure their systems are protected with updated antivirus software and be cautious of suspicious downloads and links.

Recent reports indicate that ransomware attackers are increasingly using legitimate IT tools, such as Process Hacker and IOBit Unlocker, to bypass traditional antivirus software. These tools have deep access to operating system functions, allowing attackers to execute malicious activities without raising alarms. This trend poses significant risks to organizations, as it makes it harder for security systems to detect and prevent these kinds of attacks. Companies must reassess their security measures to account for the misuse of legitimate software, which could compromise sensitive data and disrupt operations. As attackers continue to evolve their tactics, it’s crucial for users and companies to stay vigilant and update their defenses accordingly.

Impact: Process Hacker, IOBit Unlocker
Remediation: Companies should enhance monitoring of system processes, implement stricter access controls, and regularly update their security software to recognize and mitigate the risks posed by legitimate tools being misused.

Stryker, a major player in the medical technology sector, recently recovered from a cyberattack attributed to the Iranian hacking group Handala. This attack involved a wiper malware that compromised the company's systems, disrupting operations and potentially affecting patient care and medical device functionality. Although Stryker has announced that its systems are back online, the implications of such an attack raise concerns about the security of healthcare infrastructure. Cyberattacks on medical technology firms can have serious consequences, not only for the companies involved but also for healthcare providers and patients relying on their products. The incident serves as a reminder of the ongoing risks facing the medtech industry and the need for enhanced cybersecurity measures.

Impact: Stryker's medical devices and operational systems
Remediation: N/A