Category: cyber-security-news

Trojanized OpenVSX Extension Spreads GlassWorm Across VS Code, Cursor, and Windsurf A fake developer extension published on the OpenVSX marketplace is silently spreading a known malware strain called GlassWorm to every code editor installed on a developer’s machine. The malicious package disguises itself as a legitimate productivity tool and uses a compiled native binary to…

DesckVB RAT Uses Obfuscated JavaScript and Fileless .NET Loader to Evade Detection A new Remote Access Trojan known as DesckVB has been targeting systems in 2026, using obfuscated JavaScript and a fileless .NET loader to stay hidden from traditional security tools. The malware gives attackers full remote control over a victim’s machine, making it a…

New RoningLoader Campaign Uses DLL Side-Loading and Code Injection to Evade Detection A threat actor known as DragonBreath has launched a stealthy campaign using a multi-stage malware loader called RoningLoader. The malware targets Chinese-speaking users by disguising itself as trusted software such as Google Chrome and Microsoft Teams. Its core strength lies in a layered…

New Silver Fox Campaign Hides ValleyRAT Inside Fake Telegram Chinese Language Pack Installer A new malware campaign linked to the Silver Fox APT group has been discovered, using a fake Telegram Chinese language pack installer to secretly deliver ValleyRAT — a powerful remote access trojan — onto targeted machines. The malicious file, disguised as a…

Microsoft Warns Storm-1175 Exploits Web-Facing Assets 0-Day Flaws in Medusa Ransomware Attacks A new ransomware campaign is putting organizations on high alert. A financially motivated threat group known as Storm-1175 has been running fast-paced attacks targeting vulnerable, internet-facing systems — and deploying the Medusa ransomware as the final blow. What makes this group especially dangerous…

Hackers Use Fake TradingView Premium Posts on Reddit to Deliver Vidar and AMOS Stealers A threat actor has been running an active campaign on Reddit, using fake posts that promise free TradingView Premium access to deliver two malware families — Vidar on Windows and AMOS on macOS. The operation is still live, with new posts…

New ResokerRAT Uses Telegram Bot API to Control Infected Windows Systems A new Remote Access Trojan (RAT) called ResokerRAT has been found targeting Windows systems by abusing Telegram’s widely used Bot API to receive commands and send stolen data back to attackers. Unlike traditional malware that relies on custom command-and-control servers, this threat routes all…

36 Malicious npm Strapi Packages Used to Deploy Redis RCE and Persistent C2 Malware A coordinated supply chain attack has been uncovered targeting developers who build applications on Strapi, a widely used open-source content management system. Thirty-six malicious npm packages disguised as legitimate Strapi plugins were published to the npm registry, carrying payloads designed to…

North Korea-Linked Hackers Compromise Axios npm Package in Major Supply Chain Attack A North Korea-linked threat group has successfully hijacked one of the most widely used JavaScript libraries on the internet, injecting malware into millions of potential development environments. On March 31, 2026, attackers gained access to the Axios Node Package Manager (npm) package using…

New WhatsApp Attack Chain Uses VBS Scripts, Cloud Downloads, and MSI Backdoors A new malware campaign is actively using WhatsApp to deliver harmful files directly to Windows users, exploiting the widespread trust placed in everyday messaging apps. The threat actors send malicious Visual Basic Script (VBS) files through WhatsApp messages, knowing that users rarely question…

Remcos RAT Infection Chain Hides Behind Obfuscated Scripts and Trusted Windows Binaries Cybercriminals are getting better at hiding their tracks, and a recently uncovered Remcos RAT campaign is proof of that. This attack does not rely on a single malicious file dropped onto a system. Instead, it uses a carefully built, multi-stage chain that starts…

Hackers Backdoor Telnyx Python SDK on PyPI to Steal Credentials Across Windows, macOS, and Linux A threat actor group known as TeamPCP has been caught backdooring the Telnyx Python SDK on PyPI — a popular cloud communications library with over 700,000 downloads in February alone. On March 27, 2026, two malicious versions of the package,…

New npm Supply Chain Attack Uses undicy-http to Deploy Screen-Streaming RAT and Browser Injector A malicious npm package named undicy-http has surfaced inside the Node.js developer ecosystem, quietly compromising machines of developers who mistakenly install it. The package impersonates undici, the official HTTP client library bundled with Node.js that handles millions of weekly downloads. Despite sharing a near-identical…

XLoader Malware Upgrades Obfuscation Tactics and Hides C2 Traffic Behind Decoy Servers A well-known information-stealing malware called XLoader has received significant upgrades in its latest versions, making it considerably harder to detect and analyze than before. Originally derived from a malware family known as FormBook, which first surfaced in 2016, XLoader was rebranded and relaunched…

New DeepLoad Malware Uses ClickFix and AI-Generated Evasion to Breach Enterprise Networks A newly discovered malware named DeepLoad is targeting enterprise environments, turning a single user action into persistent, credential-stealing access that survives reboots and outlasts standard cleanup efforts. What sets this campaign apart is how every stage of the attack was deliberately built to…

Hackers Deploy RoadK1ll Pivoting Malware to Turn Compromised Hosts Into Network Relays A new piece of malware called RoadK1ll has been found silently converting compromised machines into controllable network relay points. Unlike most malware that arrives loaded with commands and attack tools, RoadK1ll is deliberately lean, built around one goal: giving attackers a reliable and…

VoidLink Malware Framework Shows that AI-assisted Malware is Not Experimental Anymore For years, cybersecurity professionals debated whether AI could truly be weaponized to build dangerous malware at scale. That debate is now settled. VoidLink, a Linux-based malware framework discovered in early 2026, has crossed a threshold the security community long feared — AI-assisted malware has…

New Silver Fox Campaign Hits Japanese Businesses With Tax-Themed Phishing Lures Japan’s tax season has become a hunting ground for a well-organized threat actor known as Silver Fox. As Japanese companies enter their annual cycle of tax filing, salary reviews, and personnel changes, this group is taking full advantage of the moment — sending highly…

Fake Cloudflare CAPTCHA Pages Spread Infiniti Stealer Malware on macOS Systems A new macOS malware that was undocumented previously, is quietly tricking users through fake Cloudflare human verification pages. Called Infiniti Stealer, this threat uses a well-known social engineering trick called ClickFix to convince Mac users into running dangerous commands directly on their own machines,…

Fake npm Install Messages Hide RAT Malware in New Open Source Supply Chain Campaign A new and carefully crafted software supply chain campaign is targeting developers through the npm package registry, using fake installation messages to hide malicious activity. The campaign, which security researchers have named the “Ghost campaign,” began in early February 2026 and…

Fake VS Code Security Alerts on GitHub Used to Push Malware in Widespread Phishing Campaign A large-scale phishing campaign is targeting software developers on GitHub, using fake Visual Studio Code security alerts posted in GitHub Discussions to trick users into downloading malicious software. The attacks are designed to look like legitimate security advisories, warning developers…

China-Linked Hackers Breach Southeast Asian Military Systems in Long-Running Spy Campaign A sophisticated and long-running cyber espionage campaign, tracked as CL-STA-1087, has been quietly targeting military organizations across Southeast Asia since at least 2020. The operation, assessed with moderate confidence to be linked to a China-aligned threat actor, focuses on collecting strategic and operational intelligence rather…

Open Directory Malware Campaign Uses Obfuscated VBS, PNG Loaders and RAT Payloads A sophisticated multi-stage malware campaign has surfaced, deploying obfuscated Visual Basic Script (VBS) files, PNG-embedded loaders, and remote access trojans (RATs) to target systems without leaving a trace on disk. What began as a routine endpoint detection in early 2026 quickly revealed itself…

New Data Leak Site Uncovered Linked to Active Initial Access Broker on Underground Forums The underground cybercriminal world saw a notable development on March 22, 2026, when a new Tor-based leak site called “ALP-001” appeared on the dark web, openly marketing itself as a “Data Leaks / Access Market.” The emergence of this platform points…

New CanisterWorm Steals npm Tokens and Spreads Through Compromised Publisher Accounts A new wave of supply chain attacks is hitting the npm ecosystem through a self-propagating malware campaign known as CanisterWorm. The threat, linked to a group tracked as “TeamPCP,” compromises legitimate publisher namespaces and pushes poisoned package versions, effectively turning trusted developer tools into…

Copyright-Themed Lures Deliver Multi-Stage PureLog Stealer in New Credential Theft Campaign A new malware campaign is targeting organizations across healthcare, government, education, and hospitality sectors using cleverly disguised copyright violation notices to deliver PureLog Stealer, a powerful information-stealing malware. The campaign, first analyzed in March 2026, tricks victims into executing a malicious file that looks…