Daily Cyber News

npm, PyPI, and RubyGems Packages Caught Exfiltrating Developer Data to Discord Channels

Cybersecurity researchers have uncovered several malicious packages in the npm, Python (PyPI), and RubyGems ecosystems that are exfiltrating sensitive developer data using Discord webhooks as their command-and-control (C2) channels. These compromised packages allow attackers to send stolen information directly to Discord channels they control. Discord Webhooks Used as a Stealthy Data Channel Discord webhooks provide […]

npm, PyPI, and RubyGems Packages Caught Exfiltrating Developer Data to Discord Channels Read More »

Researchers Reveal TA585’s MonsterV2 Malware Capabilities, Full Attack Chain

Cybersecurity researchers have exposed a previously undocumented threat actor, TA585, which delivers an off-the-shelf malware called MonsterV2 through targeted phishing campaigns. Proofpoint researchers describe TA585 as operating a self-owned, end-to-end attack chain, managing infrastructure, delivery, and payload installation without relying on third-party distribution services. Background and delivery methods TA585 has used multiple delivery techniques in

Researchers Reveal TA585’s MonsterV2 Malware Capabilities, Full Attack Chain Read More »

RondoDox Botnet Exploits 50+ Vulnerabilities from 30 Vendors in Ongoing Attacks

Cybersecurity researchers have uncovered an ongoing wave of RondoDox botnet campaigns that now exploit more than 50 security vulnerabilities affecting over 30 technology vendors. Trend Micro described this campaign as an “exploit shotgun” strategy, where attackers target a broad spectrum of internet-exposed infrastructure including routers, DVRs, NVRs, CCTV systems, web servers, and other network-connected devices.

RondoDox Botnet Exploits 50+ Vulnerabilities from 30 Vendors in Ongoing Attacks Read More »

Astaroth Banking Trojan Uses GitHub to Stay Active After Multiple Takedowns

Security researchers have uncovered a new Astaroth banking trojan campaign that uses GitHub as a fallback infrastructure, allowing the malware to remain operational even after traditional command and control servers are taken down. By hosting encrypted configuration data on GitHub, the attackers make the campaign more resilient, and victims continue to be compromised across multiple

Astaroth Banking Trojan Uses GitHub to Stay Active After Multiple Takedowns Read More »

175 Malicious npm Packages Used in Credential Phishing Campaign with Over 26,000 Downloads

Security researchers have discovered 175 malicious packages on the npm registry, collectively downloaded about 26,000 times, that were used as part of a credential phishing campaign named Beamglea. The campaign used npm and unpkg.com as free hosting to serve redirect scripts, which in turn sent victims to Microsoft credential harvesting pages, increasing the realism and

175 Malicious npm Packages Used in Credential Phishing Campaign with Over 26,000 Downloads Read More »

Microsoft Warns of ‘Payroll Pirates’ Hijacking HR SaaS Accounts to Divert Employee Salaries

A cyber threat group identified as Storm-2657 has been observed taking over employee accounts with the intent of redirecting salary payments to attacker-controlled bank accounts. According to a report from the Microsoft Threat Intelligence team, “Storm-2657 is actively targeting various U.S.-based organizations, especially employees in sectors such as higher education, to infiltrate third-party Human Resources

Microsoft Warns of ‘Payroll Pirates’ Hijacking HR SaaS Accounts to Divert Employee Salaries Read More »

Fortra Discloses Full Timeline of CVE-2025-10035 Exploitation, from Detection to Patch

Fortra has officially disclosed the complete timeline of events surrounding the exploitation of CVE-2025-10035, a critical vulnerability in its GoAnywhere Managed File Transfer (MFT) software. The flaw has reportedly been under active attack since at least September 11, 2025. Investigation and Initial Discovery According to Fortra, the investigation began on September 11 after a customer

Fortra Discloses Full Timeline of CVE-2025-10035 Exploitation, from Detection to Patch Read More »

Stealit Malware Abuses Node.js Single Executable Feature, Hides in Game and VPN Installers

Security researchers have uncovered an active malware campaign, named Stealit, that uses a newer Node.js capability to ship malicious code as single-file executables, enabling infections on systems without Node.js installed. Researchers at Fortinet FortiGuard Labs also note some variants are built with the Electron framework, making delivery simpler and more covert. How the malware is

Stealit Malware Abuses Node.js Single Executable Feature, Hides in Game and VPN Installers Read More »

CL0P-Linked Hackers Exploit Oracle Software Flaw to Breach Multiple Organizations

Dozens of organizations may have been impacted after threat actors exploited a zero-day vulnerability in Oracle E-Business Suite, starting around August 9, 2025, researchers from Google Threat Intelligence Group, GTIG, and Mandiant reported. The intrusion campaign, which shows hallmarks associated with the Cl0p ransomware brand, used a chain of vulnerabilities to gain remote code execution,

CL0P-Linked Hackers Exploit Oracle Software Flaw to Breach Multiple Organizations Read More »

ClayRat Spyware Targets Android Users Using Fake WhatsApp, TikTok Apps

A sophisticated Android spyware campaign, known as ClayRat, has been actively targeting users in Russia by exploiting fake apps and deceptive websites. The threat actors are impersonating widely-used apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick victims into installing malware. According to Zimperium researcher Vishnu Pratapagiri, once installed, ClayRat can collect SMS messages, call

ClayRat Spyware Targets Android Users Using Fake WhatsApp, TikTok Apps Read More »