Blackpoint discovered a new Node.js-based implant called RoadK1ll during an incident response engagement. It's not a traditional RAT - it carries no large command set. Instead, it does one thing well: turn a compromised machine into a controllable relay point that lets attackers pivot to internal systems that would normally be unreachable from outside. It communicates over WebSocket, blends into normal web traffic, supports multiple concurrent connections, and auto-reconnects if disrupted.
A new macOS infostealer called Infinity Stealer tricks users through fake Cloudflare CAPTCHA pages - a technique called ClickFix. Victims paste a command into Terminal thinking they're verifying their identity, but it silently installs malware. The payload is compiled with Nuitka - turning Python into native macOS binaries that are much harder for security tools to detect. It steals browser credentials, Keychain data, and crypto wallets.
The leaked DarkSword iOS exploit kit is already being weaponized. Proofpoint attributes a new spear-phishing campaign to TA446 (also known as COLDRIVER/Star Blizzard), a Russian FSB-linked group that has never previously targeted Apple devices. The emails spoof Atlantic Council discussion invitations and redirect iPhone users to the exploit kit, which deploys the GHOSTBLADE dataminer. Proofpoint warns the targeting is unusually broad - hitting government, finance, legal, and education sectors.
Hackers compromised the Telnyx Python SDK on PyPI and hid malware inside .wav sound files - disguised as audio to bypass security scanners. Versions 4.87.1 and 4.87.2 were poisoned - just importing the package triggers the attack. It grabs SSH keys, cloud credentials, and can hijack Kubernetes clusters. The malicious versions were live for about 6 hours before PyPI quarantined them.
One group, four major compromises, nine days. TeamPCP started by backdooring Aqua Security's Trivy vulnerability scanner on March 19 - then used the stolen CI/CD credentials to poison LiteLLM, Checkmarx tools, and Telnyx one after another. Each compromised tool handed them the keys to the next target. They've now partnered with the Vect ransomware gang to turn stolen access into extortion.
Thousands of fake Visual Studio Code vulnerability warnings are being posted across GitHub Discussions in automated waves - all from freshly created accounts. The posts use realistic titles like 'Severe Vulnerability - Immediate Update Required' with fabricated CVE IDs to pressure developers into downloading malware from Google Drive links. The payloads fingerprint victims before delivering secondary attacks, acting as a traffic distribution system.
A new phishing campaign is hijacking TikTok for Business accounts using adversary-in-the-middle (AITM) reverse proxy pages - meaning it captures credentials, session cookies, and MFA codes in real time. Victims land on cloned TikTok or Google Careers pages after clicking links that redirect through legitimate Google Storage URLs. The real kicker: most users log in via Google SSO, so one compromise gives attackers both TikTok and Google accounts.
A government-grade iPhone hacking toolkit called DarkSword was leaked on GitHub on March 23 - and researchers say it's trivially easy to use. Written entirely in HTML and JavaScript, anyone can host it and hack iPhones running iOS 18.4 through 18.7.1. It chains six vulnerabilities including three zero-days for full device takeover, stealing messages, location data, and crypto wallets. Roughly a quarter of all iPhones remain on vulnerable versions.
TrustStrike Labs