Last updated: July 5, 2026 at 9:01 AM UTC
Tag: credential-theft (19 articles)

North Korea hides malware in fake Rollup npm packages to steal developer secrets

JFrog found a new set of malicious npm packages, linked to North Korea, that impersonate legitimate Rollup polyfill tooling closely enough to pass a quick dependency review, down to matching names and metadata. Installing them pulls in hidden second-stage packages disguised as SVG utilities, which fetch and run a JavaScript payload while checking that they are not in a sandbox or cloud build. The malware hunts for developer secrets, and notably targets the configuration and history of AI coding tools like Cursor alongside AWS, Azure, SSH, and npm credentials. Because build plugins run on developer machines and in CI, a single poisoned dependency can expose source code, tokens, and cloud keys.

Check
Check whether any projects or build pipelines pulled the flagged Rollup-lookalike npm packages, and review developer machines and CI for exposed npm tokens, cloud keys, SSH keys, and AI coding tool configurations.
Affected
Developers and CI pipelines that installed the lookalike Rollup polyfill packages; the malware steals npm tokens, cloud and SSH credentials, source code, and secrets from AI coding tool configurations on the machine.
Fix
Pin and verify dependencies and scrutinize lookalike package names before installing, keep secrets out of developer and CI environments where possible, rotate any exposed credentials, and monitor for suspicious install-time network activity.

AI agent runs an entire ransomware attack after breaking in through Langflow

Security firm Sysdig says it found what it believes is the first ransomware attack carried out from start to finish by an AI agent. The operator, which Sysdig calls JADEPUFFER, used a large language model to handle the whole job: breaking in, stealing credentials, moving through the network, then encrypting and wiping a company's production database. The way in was an old, already-patched flaw in Langflow, an open-source tool for building AI apps that is often left exposed online with cloud keys nearby. Once inside, the agent mapped the machine and swept it for secrets, including API keys for AI services and credentials for major cloud providers, before destroying data.

Check
Find any internet-exposed Langflow or similar AI application servers, confirm they are patched and off the internet, and check whether cloud or AI service credentials sit in environments those tools can read.
Affected
Organizations running exposed, unpatched Langflow servers, especially with cloud and AI service credentials nearby; attackers used the old flaw and an automated agent to steal secrets and ransom production databases.
Fix
Patch Langflow and never expose its code-running endpoints, keep secrets in a proper manager away from web-reachable tools, lock down outbound traffic and database admin access, and watch runtime behavior.

BioShocking attack convinces AI browsers they are in a game, then steals credentials

Researchers at LayerX detailed BioShocking, an attack that manipulates AI browser agents into ignoring their safety rules by convincing them they are inside a fictional game. Using a web page with a puzzle that rewards deliberately wrong answers, the attack gets the agent to accept a false reality, after which it treats a request to open a page and copy its contents as just another step. In the demonstration, that page redirected to the victim's work GitHub repository and the agent handed over SSH credentials, treating the theft as finishing the game. None of the six AI browser agents tested flagged it as a rule violation.

Check
Review where AI browser agents are used and what logged-in accounts they can reach, and test whether an agent follows instructions from web content telling it the normal rules no longer apply.
Affected
Users of AI browser agents that act on logged-in sessions; an attacker-controlled page can trick the agent into ignoring its rules and stealing credentials or data from sites the user uses.
Fix
Require user confirmation before an agent reads from logged-in accounts, limit which sites and data agents can touch, and prefer AI browsers that flag when content tries to override their instructions.

Microsoft pulls 119 Edge extensions that hid malware inside images and fonts

Microsoft has removed 119 malicious Microsoft Edge extensions, tied to a single actor active since at least 2021, that hid their payloads inside ordinary image and font files using steganography. The extensions posed as ad blockers, VPNs, translators, and similar tools, worked as advertised, and stayed dormant for days while passing evasion checks, which let them survive in the store for years and reach up to 2.6 million installs. Beyond ad fraud and affiliate hijacking, the more dangerous variants stole Google credentials and two-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies for session hijacking, with extra aggression against corporate and banking targets. Microsoft has published indicators of compromise.

Check
Open your browser's extensions page and check installed add-ons against Microsoft's published list of StegoAd extension IDs, and review endpoints for the campaign's indicators of compromise across Chromium browsers.
Affected
Users who installed any of the 119 extensions, which posed as ad blockers, VPNs, and similar tools; stolen cookies and two-factor codes let attackers hijack sessions and accounts without passwords.
Fix
Remove any matching extension and treat the browser as compromised: reset Google and WordPress passwords, review sign-in activity, and prefer hardware security keys over SMS codes. Govern extensions with allowlists.

Amazon Q Developer flaw let a malicious repo steal a developer's cloud keys

Wiz Research found a high-severity flaw in Amazon Q Developer, Amazon's AI coding assistant, that let a malicious code repository run commands and steal a developer's cloud credentials simply by being opened. The bug (CVE-2026-12957) lay in how Amazon Q handled Model Context Protocol servers: it read an MCP configuration file from the open workspace and automatically launched the servers it defined. Because those servers run as local processes that inherit the developer's full environment, a single config file committed to a repo could reach AWS keys, cloud tokens, API secrets, and SSH agent sockets, turning a git clone into a full compromise. Amazon has patched the issue and published an advisory.

Check
Confirm Amazon Q Developer is updated to the patched version, and review whether developers open untrusted repositories in AI coding assistants that can auto-launch Model Context Protocol servers from in-repo configuration files.
Affected
Developers using vulnerable versions of Amazon Q Developer (CVE-2026-12957) who open untrusted repositories; a malicious MCP configuration file could run commands and steal cloud credentials from the developer's environment.
Fix
Update Amazon Q Developer, treat opening a repository in an AI assistant as running its code, disable automatic MCP server launching where possible, and isolate untrusted repos without real credentials.

56 million accounts surface in latest infostealer log compilation

Breach-tracking service Have I Been Pwned has added a fresh batch of stealer logs covering 56,278,397 accounts, harvested by infostealer malware from infected computers. Unlike a single company breach, stealer logs are credentials and session data scraped directly from victims' devices, often capturing the exact website-and-password pairs a person types, plus browser cookies that can let attackers skip login entirely. Because the data comes from malware on individual machines, exposure cuts across countless unrelated services. The scale is a reminder that infostealer infections, frequently spread through cracked software, malicious ads, and fake downloads, remain one of the biggest sources of credential theft.

Check
Check whether your email or your organization's domains appear in Have I Been Pwned's stealer-log dataset, and look for signs of infostealer infection such as unexpected logins or browser-session anomalies.
Affected
Anyone whose device was infected by infostealer malware; exposed data includes saved website passwords and browser session cookies that can bypass logins across many unrelated services.
Fix
Reset passwords for exposed accounts from a clean device, invalidate active sessions, enable phishing-resistant MFA, and run endpoint malware scans to find and remove the underlying infostealer.

IronWorm Rust npm worm hits 36 packages, steals Anthropic/OpenAI/AWS credentials via eBPF rootkit and Tor; GitHub Actions used for exfil

JFrog has documented IronWorm, a new npm supply-chain worm that has infected 36 packages with an infostealer targeting 86 environment variables and 20 credential files - including OpenAI, AWS, Anthropic, and npm credentials, Vault configs, SSH keys, and Exodus wallet files. Written in Rust, it hides behind an eBPF kernel rootkit and communicates over Tor. It self-propagates using stolen npm Trusted Publishing secrets to trojanize the victim's own packages. JFrog found the same commit names as Shai-Hulud (commit author 'claude,' timestamps faked up to 13 years old) and suspects an evolution of TeamPCP's payload. Notably, it exfiltrates secrets by uploading them as innocuous-looking GitHub Actions build artifacts, avoiding external C2.

Check
Audit npm dependencies and CI for the 36 IronWorm-affected packages and preinstall scripts dropping Rust ELF binaries. Search build artifacts for disguised secret files. Rotate npm, AWS, OpenAI, and Anthropic credentials.
Affected
Developers and CI systems that installed IronWorm-trojanized npm packages. It steals OpenAI/AWS/Anthropic/npm credentials, Vault configs, SSH keys, and wallets, then self-propagates via stolen Trusted Publishing secrets.
Fix
Remove affected packages, pin via lockfile, and rotate every credential reachable from affected hosts. Hunt for eBPF rootkit artifacts and Tor traffic. Review GitHub Actions build artifacts for exfiltrated secrets.

Nx Console 18.95.0 VS Code extension compromised in 11-minute window - kitty.py persistence and credential theft

The Nx team has confirmed that version 18.95.0 of its VS Code extension was malicious and that a few users were compromised. The bad version was available on the marketplace for only 11 minutes on May 18 (12:36 to 12:47 UTC), but that was enough to plant Python-based persistence under ~/.local/share/kitty/cat.py and a macOS LaunchAgent at com.user.kitty-monitor.plist, then steal tokens, secrets, and SSH keys reachable from the machine. The Nx team has shipped a clean 18.100.0 release and published indicators of compromise. This is the second time Nx has been targeted within a year, after the August 2025 s1ngularity supply-chain attack on its npm packages.

Check
Identify VS Code endpoints with the Nx Console extension. Check for ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, /tmp/kitty-*, or any process with __DAEMONIZED=1.
Affected
Anyone who installed Nx Console 18.95.0 from the VS Code marketplace during the 11-minute window on May 18 (12:36-12:47 UTC). A few users are confirmed affected.
Fix
Update Nx Console to 18.100.0. Kill malicious processes, delete IoC files, remove the LaunchAgent, and rotate every credential reachable from the developer machine - tokens, secrets, SSH keys.

New Linux backdoor 'PamDOORa' silently steals SSH credentials from every user logging into a compromised server - and erases its tracks from the logs

Group-IB and Flare disclosed PamDOORa, a new Linux backdoor for sale on the Russian-speaking Rehub cybercrime forum at $900 (down from $1,600). PamDOORa hijacks the Linux Pluggable Authentication Module (PAM) framework that handles SSH logins - so it intercepts every legitimate user's password as they authenticate, before any application-level logging fires. The backdoor injects a malicious pam_linux.so module into the authentication stack rather than replacing files. It also tampers with lastlog, btmp, utmp, and wtmp to erase attacker login traces - meaning incident response teams who SSH in to investigate will have their own credentials silently stolen. Group-IB notes the abuse method is not yet in MITRE ATT&CK.

Check
Audit /etc/pam.d/ for unfamiliar pam_*.so modules, particularly pam_linux.so. Compare loaded PAM modules against your distribution's default set. Hunt /tmp for files with random names containing XOR-encrypted credential captures.
Affected
All x86_64 Linux servers running OpenSSH for remote access. PamDOORa is post-exploitation, so attackers must already have root - but once installed it captures every SSH credential and persists invisibly. Acute risk: any Linux server compromised at any point in the past, regardless of remediation - PamDOORa survives standard cleanup unless PAM-specific auditing was performed.
Fix
Enable SELinux or AppArmor in enforcing mode to constrain PAM module loading. Install auditd with DISA-STIG rules to alert on /etc/pam.d/ changes. Deploy rkhunter or chkrootkit for routine PAM rootkit detection. Treat any compromised Linux server as having fully exposed credentials - rotate every SSH key, password, and token.

Hackers bought Google ads pointing to a fake GoDaddy WordPress login page - any site manager who clicked saw their credentials stolen

BleepingComputer reports a phishing campaign that bought Google Ads to push a fake GoDaddy ManageWP login page to the top of search results. ManageWP is GoDaddy's centralized dashboard for managing multiple WordPress sites - so a successful phish gives the attacker simultaneous access to dozens or hundreds of sites under one account. The fake page is a near-perfect clone of managewp.com hosted on a typosquat domain; victims who enter credentials are redirected to the real site to mask the theft. The same Google Ads abuse template was used recently against AWS, Notion, and other developer-tool brands.

Check
Brief staff who manage WordPress sites that they should never click Google Ads for login pages. Search proxy logs for visits to ManageWP-themed domains other than managewp.com over the past 30 days.
Affected
GoDaddy ManageWP customers, particularly agencies and freelancers managing multiple client WordPress sites under one account. Acute risk: small WordPress agencies whose ManageWP credentials enable simultaneous access to 50-500+ client sites. Anyone using GoDaddy hosting for WordPress.
Fix
Enable two-factor authentication on ManageWP accounts immediately. Reset ManageWP passwords for any user who recently clicked a Google Ads result for the brand. Add a corporate browser policy to suppress Google Ads on developer-tool searches. For agencies: rotate WordPress site credentials linked through ManageWP. Watch for unfamiliar admin user creation across managed sites.