RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: social-engineering (15 articles)Clear
threat
2026-04-04

Axios npm attack attributed to North Korean hackers UNC1069 - part of broader campaign targeting open-source maintainers

The Axios supply chain attack we covered on March 31 has now been attributed to UNC1069, a North Korean threat group linked to BlueNoroff that specializes in financially motivated attacks against crypto exchanges and financial institutions. Google's Mandiant confirmed the attackers social-engineered the lead maintainer through a fake video call, deploying a RAT via the compromised npm account. Socket warns this wasn't a one-off - the same actors have compromised accounts spanning some of the most widely depended-upon packages in the npm registry.

axiosnpmnorth-koreaunc1069bluenoroffsupply-chainsocial-engineering
Check
Re-check your environments for axios 1.14.1 or 0.30.4. If you found and removed them previously, verify credential rotation was completed.
Affected
axios 1.14.1 and 0.30.4 on npm. Socket warns additional high-trust npm packages may be compromised by the same actor - monitor for advisories.
Fix
Pin to axios 1.14.0 or 0.30.3. Rotate all credentials on any system that ran the poisoned versions. Block sfrclak[.]com and 142.11.206.73 on port 8000. Enforce OIDC-backed provenance verification for critical npm dependencies.
breach
2026-04-03

Hims & Hers discloses breach after ShinyHunters steal millions of Zendesk support tickets via Okta SSO

Telehealth giant Hims & Hers - nearly $1 billion in annual revenue, millions of subscribers - disclosed that hackers stole customer support tickets from its Zendesk instance between February 4-7. The ShinyHunters extortion gang conducted the breach by compromising Okta SSO credentials through social engineering, then pivoting into the Zendesk platform. Stolen data includes names, contact information, and details from support requests. No medical records or doctor communications were compromised. The company took two months to disclose.

shinyhunterszendeskoktatelehealthdata-breachsocial-engineering
Check
Review whether your organization uses Zendesk with Okta SSO integration - this same attack pattern has hit multiple companies recently.
Affected
Any organization using Zendesk integrated with Okta SSO for authentication. Hims & Hers, ManoMano, and Crunchyroll were all breached through this pattern.
Fix
Enforce phishing-resistant MFA (FIDO2 hardware keys) on all Okta accounts - standard TOTP/push MFA can be bypassed by social engineering. Audit Okta sign-in logs for SSO sessions accessing Zendesk from unusual locations. Review third-party SaaS integrations connected through your identity provider.
defense
2026-03-30

macOS Tahoe 26.4 blocks ClickFix paste attacks in Terminal - update your Mac fleet now

Apple shipped an undocumented security feature in macOS Tahoe 26.4 that directly targets ClickFix attacks - the social engineering technique behind the Infinity Stealer campaign we covered last week. When a user tries to paste a potentially harmful command into Terminal, macOS now intercepts it with a warning before anything executes. The feature only covers Apple's built-in Terminal app, not third-party alternatives like iTerm2. A 'Paste Anyway' option remains for power users.

applemacosclickfixterminalsocial-engineering
Check
Check if your Mac fleet is running macOS Tahoe 26.4 or later.
Affected
Any macOS user on versions prior to 26.4 who may encounter ClickFix social engineering attacks via fake CAPTCHA pages or tech support sites.
Fix
Update to macOS Tahoe 26.4. Push the update via MDM for managed fleets. Train staff to never paste commands from websites into Terminal regardless of the prompt - the protection only covers Terminal.app, not third-party terminals.
threat
2026-03-28

New Infinity Stealer malware targets macOS through fake Cloudflare CAPTCHA pages

A new macOS infostealer called Infinity Stealer tricks users through fake Cloudflare CAPTCHA pages - a technique called ClickFix. Victims paste a command into Terminal thinking they're verifying their identity, but it silently installs malware. The payload is compiled with Nuitka - turning Python into native macOS binaries that are much harder for security tools to detect. It steals browser credentials, Keychain data, and crypto wallets.

macosinfostealerclickfixsocial-engineering
Check
Alert your team - especially Mac users - to never paste unknown commands into Terminal from websites.
Affected
Any macOS user who encounters a Cloudflare-style CAPTCHA asking them to open Terminal.
Fix
Train staff to recognize fake CAPTCHA pages. Block the domain update-check[.]com. Run endpoint detection on macOS devices.
threat
2026-03-27

Fake VS Code security alerts flooding GitHub Discussions to spread malware

Thousands of fake Visual Studio Code vulnerability warnings are being posted across GitHub Discussions in automated waves - all from freshly created accounts. The posts use realistic titles like 'Severe Vulnerability - Immediate Update Required' with fabricated CVE IDs to pressure developers into downloading malware from Google Drive links. The payloads fingerprint victims before delivering secondary attacks, acting as a traffic distribution system.

githubvscodephishingsocial-engineeringdevelopers
Check
Warn your development team - never download VS Code updates from GitHub Discussion links or Google Drive.
Affected
Any developer using GitHub who encounters a VS Code security alert in Discussions with an external download link.
Fix
Only update VS Code through the built-in updater or code.visualstudio.com. Verify any CVE IDs against NVD or CISA KEV before acting on them.