Zscaler ThreatLabz discovered three malicious npm packages—bitcoin-main-lib, bitcoin-lib-js, and bip40—that deploy a Node.js remote access trojan named NodeCordRAT, which uses Discord for command-and-control. The malware exfiltrates Chrome credentials, .env files, and MetaMask data (including LevelDB .ldb files and seed phrases) and was distributed via postinstall scripts and PM2. #NodeCordRAT #bip40
Logitech’s Options+ and G Hub apps on macOS failed due to an expired code-signing certificate, disrupting user customizations and productivity. Logitech released updated versions to fix the issue, emphasizing the importance of timely software updates. #Logitech #Certificates
A critical vulnerability in Dolby audio decoders (CVE-2025-54957) was patched in the January 2026 Android security update, affecting devices including Pixel. Researchers warn this flaw could lead to out-of-bounds write exploits, especially when combined with other vulnerabilities. #DolbyDDplus #AndroidSecurity…
Securonix alerts about the advanced ClickFix campaign targeting the hospitality industry, involving phishing emails with fake Booking.com reservations and fake CAPTCHA errors. The malware ultimately deploys a resilient DCRat variant through a complex infection chain, including browser errors and PowerShell commands. #ClickFix #DCRat #Phishing #BlueScreenOfDeath…
Daily Recap: threat actors and campaigns continue to target cryptocurrency wallets and cloud services, with Trust Wallet theft linked to a Shai-Hulud NPM supply-chain attack and a new GlassWorm wave trojanizing wallets on macOS. Another notable round-up highlights phishing via Google Cloud email, unpatched Adobe ColdFusion server campaigns, Covenant Health’s data breach affecting 478,000 people, and ongoing ThreatsDay Bulletin coverage of GhostAd Drain, macOS attacks, proxy botnets, and cloud exploits. #ShaiHulud #GlassWorm #TrustWallet #macOS #GoogleCloud #AdobeColdFusion #CovenantHealth #GhostAdDrain #ThreatsDayBulletin
The latest wave of the GlassWorm campaign targets macOS developers with malicious VSCode extensions, aiming to steal credentials and cryptocurrency wallet data. Despite increased defenses, the malware has re-emerged, now using advanced encryption and targeting hardware wallets. #GlassWorm #VSCodeExtensions
2025 was marked by significant cybersecurity incidents including high-profile data breaches, advanced cyberattacks, and increasingly sophisticated threat actor activities. Notable events include the PornHub data breach, the ByBit crypto heist, and the rise of AI-powered attacks. #PornHubDataBreach #ByBitCryptoHeist #AIpromptInjections
The beginning of 2026 reveals a landscape of subtle and targeted cyber threats, with hackers evolving their tactics even during holidays. Key incidents include malware scams, exploitation campaigns, and backdoored devices, highlighting the increasing sophistication of cyber adversaries. #KMSAuto #ColdFusionExploitation…
Cybersecurity experts have identified a new modification of the Shai Hulud malware strain embedded in npm packages, demonstrating increased obfuscation and evasion tactics. Additionally, a malicious Maven package exploiting typosquatting techniques has been taken down, highlighting supply chain security challenges. #ShaiHulud #MavenMalware…
ErrTraffic is a new cybercrime platform that automates ClickFix social engineering attacks to deceive users into downloading malicious payloads. It leverages fake glitches on compromised websites to increase infection success rates, targeting multiple operating systems. #ErrTraffic #ClickFix #Lumma #Vidar #Cerberus #AtomicStealer #LinuxBackdoors
Cybercriminals are increasingly using sophisticated ClickFix tools like ErrTraffic v2 to trick users into executing malicious scripts through visual deceptions and fake glitches. These tools are sold cheaply, with high conversion rates, and can target multiple platforms while bypassing modern defenses. #ErrTraffic #ClickFix
A China-linked APT group, Evasive Panda, conducted targeted cyber espionage campaigns using DNS poisoning to deliver the MgBot backdoor. The group has shown advanced techniques to evade detection and maintain persistence on victim systems. #EvasivePanda #MgBot…
Daily Recap: CISA warns of active exploitation of the Digiever DS-2105 Pro remote-code-execution flaw and a severe MongoDB RCE, both now listed in the Known Exploited Vulnerabilities catalog. The activity includes threats from APT37 and campaigns like IconCat and PCPcat, signaling espionage-style operations and large-scale server compromises. #DigieverRCE #APT37
Jamf Threat Labs analyzed a newly observed MacSync Stealer dropper delivered as a code-signed, notarized Swift application distributed via a DMG (zk-call-messenger-installer-3.9.2-lts.dmg) that silently downloads and executes a base64-encoded second-stage payload using a Swift helper and shelling out to /bin/zsh. The campaign abuses notarization and signing to evade early detection, removes com.apple.quarantine, thwarts sandbox/offline analysis with internet checks and rate-limiting, and uses domains such as gatemaden.space and focusgroovy[.]com for payload delivery. #MacSyncStealer #JamfThreatLabs
Evasive Panda ran targeted adversary-in-the-middle campaigns from November 2022 to November 2024, using poisoned DNS responses and fake updaters to deliver a new loader that ultimately deployed the MgBot implant. The operation used DLL sideloading, in-memory process injection, and a DPAPI+RC5 hybrid encryption scheme to create victim-unique encrypted payloads and long-lived C2 infrastructure. #EvasivePanda #MgBot