Articles tagged "Malware"

Found 353 articles

Trivy, the open-source vulnerability scanner maintained by Aqua Security, has been compromised for the second time in a month. This breach targeted the GitHub Actions 'aquasecurity/trivy-action' and 'aquasecurity/setup-trivy', which are widely used in CI pipelines to scan Docker container images. Attackers hijacked 75 release tags so that workflows referencing those tags pulled a modified action whose payload harvests continuous integration and continuous delivery (CI/CD) secrets. Because an action runs inside the calling job, any secret available to a workflow that executed a hijacked tag should be treated as stolen. Organizations using these actions should identify the affected runs, rotate the secrets those jobs could reach, and stop referencing the actions by mutable tag.

Impact: aquasecurity/trivy-action, aquasecurity/setup-trivy
Remediation: Audit GitHub Actions workflows for references to the affected actions, treat any secrets available to jobs that ran a hijacked tag as compromised and rotate them, review the logs of those runs for unexpected network activity, and pin the actions to full-length commit SHAs of releases known to be clean rather than to tags before resuming use.

The article discusses a supply chain compromise of the trivy-action GitHub Action, which is widely used to scan container images for vulnerabilities. Attackers replaced the action's published code with a version that steals data from the repositories and jobs that run it. The immediate risk is to developers and organizations whose workflows use the action, since secrets such as API keys and deployment tokens are available to the job and could be exfiltrated. The incident again shows that a third-party action is code executed with the workflow's privileges and must be vetted and pinned like any other dependency. Users are urged to review their GitHub Actions configurations and watch for unauthorized access to their repositories.

Impact: trivy-action GitHub Action, GitHub repositories
Remediation: Review GitHub Actions configurations, remove or replace the compromised action, rotate any secrets exposed to workflows that used it, monitor repository access, and pin actions by full commit SHA rather than by tag.
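The two Trivy entries above share one root cause: a `uses:` reference by tag is resolved at run time, so whoever can move the tag controls the code that executes with the job's secrets. The following Python audit script is an added example (it is not code from Aqua Security, from the articles, or from GitHub) that walks a repository's workflow files and flags every third-party action referenced by a mutable tag or branch rather than a full 40-character commit SHA, with the two Aqua actions on a watchlist. The sample workflow, its version tags and the commit SHA in it are constructed for illustration and do not refer to real releases.

```python
"""Audit GitHub Actions workflow files for third-party actions that are
referenced by a mutable tag or branch instead of a full commit SHA.

Added example, not code from Aqua Security or from the articles above.
A tag hijack works because `uses: owner/repo@v1` is resolved when the job
starts, so whoever controls the tag controls what runs inside the job.
A 40-hex commit SHA cannot be silently repointed.
"""
import re
from pathlib import Path

# A `uses:` value looks like  owner/repo[/path]@ref , docker://... or ./local
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Actions named in the two Trivy entries above; extend as needed.
WATCHLIST = {"aquasecurity/trivy-action", "aquasecurity/setup-trivy"}


def parse_uses(line):
    """Return (action, ref) for a `uses:` line, or None if it is not one."""
    m = USES_RE.match(line)
    if not m:
        return None
    target = m.group(1)
    if target.startswith(("./", "docker://")):
        return None  # local or container actions are out of scope here
    if "@" not in target:
        return (target, "")  # no ref at all: resolves to the default branch
    action, ref = target.rsplit("@", 1)
    return (action, ref)


def audit_workflow(text):
    """Return findings for one workflow file's text.

    Each finding is (line_no, action, ref, severity): 'watchlist' for a
    named action on a mutable ref, 'mutable' for any other third-party
    action on a tag or branch. SHA-pinned references are not reported.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        action, ref = parsed
        if FULL_SHA_RE.match(ref):
            continue  # pinned to an immutable commit: OK
        # `owner/repo/subdir` must match the watchlist on owner/repo only
        repo = "/".join(action.split("/")[:2])
        severity = "watchlist" if repo in WATCHLIST else "mutable"
        findings.append((line_no, action, ref, severity))
    return findings


def audit_directory(root):
    """Audit every .github/workflows/*.yml or *.yaml under root."""
    results = {}
    for path in Path(root).glob(".github/workflows/*.y*ml"):
        results[str(path)] = audit_workflow(path.read_text(encoding="utf-8"))
    return results


# Constructed sample workflow: tags and the SHA are illustrative, not real.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.3
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: myorg/app:latest
      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
"""

if __name__ == "__main__":
    for line_no, action, ref, severity in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref or '<none>'} [{severity}]")
```

Run from a repository root (`audit_directory(".")`) to get findings per workflow file. A SHA pin defeats tag hijacking but not an action that downloads further code at run time, and each pin must be re-verified whenever it is bumped; Dependabot can keep SHA pins current with a version comment beside them.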
Actively Exploited

Attackers have been compromising misconfigured OpenWebUI AI servers and using them to install cryptocurrency miners and credential stealers. The campaign has been running since late 2024 and targets users of the widely deployed open-source project. A compromised server exposes whatever data and credentials the instance handles and loses significant compute capacity to mining. Organizations running OpenWebUI should review how their instances are exposed and authenticated and harden them accordingly. That an LLM front end is being taken over through misconfiguration rather than a software flaw is a reminder that quickly deployed AI tooling needs the same baseline hardening as any other internet-facing service.

Impact: OpenWebUI servers
Remediation: Review and secure server configuration (authentication and network exposure in particular), apply security best practices for self-hosted services, check hosts for unexpected resource consumption and unknown processes, rotate credentials handled by any compromised instance, and monitor for unauthorized access.

Researchers have identified a new malware family, Speagle, that abuses the legitimate Cobra DocGuard software to steal sensitive data. The malware hijacks the product's infrastructure so that attackers can collect information from infected machines without being noticed, then sends the data to a compromised server associated with Cobra DocGuard, so the exfiltration looks like the product's own traffic. Organizations that run Cobra DocGuard should be especially alert, as the malware specifically targets its users. The case shows that a trusted vendor's software and servers can be turned against the customers who rely on them, and that trusting traffic by destination alone is not a sufficient control.

Impact: Cobra DocGuard software
Remediation: Users should keep Cobra DocGuard updated and monitor their systems for suspicious activity. Because the exfiltration destination is a server associated with the vendor, allow-listing that destination will not block it; watch instead for unexpected volumes or timing of outbound traffic from DocGuard processes and for unexpected child processes they spawn.

A recent surge in mobile banking malware has targeted more than 1,200 financial apps worldwide, shifting fraud from traditional channels onto the user's device. The malware is built to compromise mobile banking applications, putting account credentials and transaction data at risk. Because it covers such a broad set of banking services, it potentially affects millions of people who bank from their phones. As attackers keep refining their tactics, financial institutions need to strengthen their defenses and users need to be careful about which apps they install and which permissions they grant. The campaign underscores the need for better mobile security awareness among consumers and companies alike.

Impact: Over 1,200 mobile banking applications globally
Remediation: Users should keep their apps up to date, install only from official app stores, scrutinize requested permissions (accessibility and screen-overlay permissions are the ones banking trojans rely on), and monitor their accounts for suspicious transactions. Financial institutions should strengthen authentication and educate users on safe practices.

Researchers have dissected the toolkit used by the Beast ransomware group, tracing its methods from initial reconnaissance to final file encryption. The toolkit bundles tools for gathering intelligence on targets, exploiting vulnerabilities, and encrypting victims' data for ransom. The findings matter because they expose the group's operational techniques, giving defenders concrete behaviors to detect and block. Organizations in sectors that routinely face ransomware should review their controls against these findings. The report is also a reminder that ransomware actors continue to evolve their tooling.

Impact: N/A
Remediation: Organizations should strengthen their security controls, conduct regular security assessments, maintain tested offline or immutable backups, and map the described tooling to their existing detection coverage.
Fake Windsurf IDE Extension Uses Solana Blockchain to Steal Developer Data

Hackread – Cybersecurity News, Data Breaches, AI and More

Actively Exploited

Researchers at Bitdefender have uncovered a malicious extension for the Windsurf IDE that makes use of the Solana blockchain as part of a scheme to steal developer credentials. The fraudulent extension targets developers who install it without realizing what it is, exposing their secrets. Involving a public blockchain is notable because data written to it cannot be taken down the way a conventional attacker-controlled server can. Developers need to be careful about which extensions they install: an IDE extension runs with the developer's privileges and has access to the same files, tokens and credentials the developer does. Attacks of this kind affect not only the individual developer but every project and organization whose access those credentials unlock.

Impact: Windsurf IDE, developer credentials
Remediation: Developers should install only verified extensions from trusted publishers, review their development tools for unexpected additions, and rotate any credentials stored on a machine where this extension was installed.

Security researchers have identified two new malware strains that target Linux-based network devices. They are now being used by financially motivated criminals, a shift from their earlier association with nation-state espionage. The malware supports distributed denial-of-service (DDoS) attacks and unauthorized cryptocurrency mining. The development is concerning because tooling once reserved for geopolitical operations is now being used for profit, which broadens the pool of likely targets. Organizations running Linux network devices should be vigilant and harden them against these threats.

Impact: Linux-based network devices
Remediation: Organizations should harden Linux network devices: keep firmware and software current, restrict management interfaces to trusted networks, replace default credentials, and monitor for unusual outbound traffic or CPU load.

The Vidar 2.0 malware campaign is targeting gamers by disguising malicious links as attractive images hosted on GitHub. The links lead to downloads that install malware capable of stealing cryptocurrency and gaming account credentials. Gamers looking for an edge in their games are particularly susceptible to the lure, and hosting it on a trusted platform such as GitHub makes it more convincing. Gamers should be cautious about where links come from and verify the legitimacy of downloads to protect their accounts and digital assets.

Impact: Gamers, cryptocurrency accounts, gaming accounts
Remediation: Users should verify the legitimacy of links and downloads before opening them, even when they are hosted on platforms such as GitHub. Keeping security software up to date helps detect and block infections.

A malicious Chrome extension called ShieldGuard was found to be a crypto scam posing as a security tool. It targeted users looking to protect their cryptocurrency wallets but instead harvested wallet information and exfiltrated user data. Researchers found that once installed, the extension abused the permissions granted to it to access wallets and transfer funds out of them. Anyone who installed ShieldGuard is affected, which highlights the ongoing risk of unvetted browser extensions in the cryptocurrency space: an extension with broad host permissions can read and modify anything on the sites the user visits. Users should install extensions only from reputable publishers and scrutinize the permissions they request.

Impact: ShieldGuard Chrome extension
Remediation: Users should uninstall ShieldGuard immediately and monitor their crypto wallets for unauthorized transactions. If the extension could have read wallet secrets, treat the wallet as compromised and move remaining funds to a freshly created one.

Researchers have identified Vidar 2.0, a new version of the Vidar Stealer, being distributed through fake game cheats on platforms such as GitHub and Reddit. The lures target users looking for free cheats for popular games and trick them into downloading the stealer instead. Once installed, Vidar 2.0 steals sensitive information including passwords, credit card details and other personal data. Delivery through trusted platforms makes the threat harder for users to recognize. Gamers and users of these platforms should be especially wary of downloads advertised as free game cheats.

Impact: GitHub, Reddit, gaming platforms, user devices
Remediation: Users should avoid downloading cheats from unofficial sources and keep antivirus software up to date. Anyone who ran such a download should assume credentials saved in the browser are compromised, change those passwords from a clean device, and monitor accounts for suspicious activity; a password manager limits reuse and makes rotation easier.

Kaspersky's Security Operations Center has identified a new Horabot campaign targeting users in Mexico. The campaign uses sophisticated tactics to compromise systems and steal sensitive information. The researchers describe how the attack is carried out, giving security teams the detail they need to identify and respond to it. The focus on Mexico means local businesses and individuals are the most exposed and should raise their awareness and defenses. Understanding the campaign's methods helps in preventing future attacks and protecting valuable data.

Impact: Users in Mexico, particularly businesses and individuals with sensitive information.
Remediation: Implement security awareness training, monitor for suspicious activity, and deploy endpoint protection.

The ForceMemo attack is a new tactic used by the GlassWorm malware. It targets developers through malicious extensions for Visual Studio Code and Cursor, and once it is inside a developer's environment it steals sensitive information including GitHub tokens, which attackers then use to access and manipulate code repositories. This is a significant risk to software projects, because a stolen token with write access lets an attacker alter or insert malicious code in popular Python repositories. Developers and organizations that rely on GitHub for collaboration and version control should be especially vigilant, secure their development tools, and watch their accounts for suspicious activity.

Impact: Python repositories, GitHub accounts, Visual Studio Code, Cursor extensions
Remediation: Developers should secure their development environments, avoid unverified extensions, and monitor GitHub accounts for unauthorized access. Keep software updated, enable two-factor authentication, and revoke and reissue any GitHub tokens that may have been present on an affected machine; a stolen token is used in place of a login and so bypasses two-factor authentication, which makes rotation the only fix for a token that has already been taken.

In the second half of 2025 there was a marked rise in credential theft, driven by more capable infostealer malware and AI-assisted social engineering. Attackers increasingly log in with stolen credentials rather than exploiting vulnerabilities to break in. The trend affects individual users and the organizations that hold sensitive data alike, since a valid login is hard to distinguish from legitimate use. Infostealers make large-scale harvesting of credentials easy, leading to unauthorized access and data theft. Companies and users need to be vigilant and adopt stronger controls against these evolving threats.

Impact: User accounts, organizational credentials, sensitive data systems
Remediation: Enforce multi-factor authentication (preferably phishing-resistant, since social engineering targets weaker factors), rotate passwords that may have been exposed rather than on a fixed schedule, and monitor account activity for anomalous logins such as new devices or locations.

The GlassWorm malware has resurfaced with a coordinated attack on more than 400 code repositories and packages across GitHub, npm, and the VS Code and OpenVSX extension marketplaces. Researchers found that the supply-chain campaign compromises popular extensions and packages that developers trust, which can let attackers inject malicious code into legitimate projects downstream. It affects a broad range of developers and organizations that build on these platforms, and because the compromised code is pulled in as a dependency, it can reach applications that never referenced the affected packages directly. Developers are urged to audit their dependencies and installed extensions and to take packages only from trusted, verified sources.

Impact: GitHub, npm, VSCode, OpenVSX
Remediation: Developers should audit their dependencies and installed extensions, avoid unverified packages, use lockfiles so builds pull exactly the versions that were reviewed, keep software updated, and run security tools that monitor for vulnerable or malicious packages.