108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure

A coordinated campaign of 108 malicious Chrome extensions operated through shared command-and-control infrastructure at cloudapi[.]stream has been identified, collectively accounting for approximately 20,000 installations. The campaign spans multiple threat categories: 54 extensions steal Google account identities via OAuth2, one extension actively exfiltrates Telegram Web sessions every 15 seconds, and 45 extensions contain a universal backdoor enabling arbitrary URL execution on browser startup. Published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), these extensions masquerade as legitimate tools including Telegram sidebar clients, slot games, YouTube and TikTok enhancers, and translation utilities. All extensions route stolen credentials, user identities, and browsing data to servers controlled by the same operator, with infrastructure confirming a Malware-as-a-Service business model.

Pulse ID: 69de5f631a2f4bca81392ccd
Pulse Link: https://otx.alienvault.com/pulse/69de5f631a2f4bca81392ccd
Pulse Author: AlienVault
Created: 2026-04-14 15:38:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #ChromeExtension #Cloud #CyberSecurity #Google #InfoSec #Malware #MalwareAsAService #OTX #OpenThreatExchange #RAT #Telegram #Troll #YouTube #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Q1 2026 malware statistics report for Windows web servers

Analysis of Windows web server attacks during Q1 2026 reveals that Internet Information Services (IIS) and Apache Tomcat servers face persistent threats through web shell exploitation. The Larva-26001 threat actor has been targeting domestic IIS servers for several years, deploying privilege escalation tools including JuicyPotato, BadPotato, and exploiting CVE-2019-1458. Following privilege escalation, attackers utilize port-forwarding tools like HTran and PortTranC to redirect traffic to RDP port 3389, enabling remote control of compromised systems. Attack vectors include file upload vulnerabilities, Web Framework-WAS vulnerabilities, and unpatched RCE services. Additional malicious activities involve deployment of backdoors, CoinMiners, and proxy tools for internal network compromise.

Pulse ID: 69de008da466f2dc89165990
Pulse Link: https://otx.alienvault.com/pulse/69de008da466f2dc89165990
Pulse Author: AlienVault
Created: 2026-04-14 08:53:33

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#APAC #Apache #BackDoor #CoinMiner #CyberSecurity #ICS #InfoSec #Malware #OTX #OpenThreatExchange #Proxy #RCE #RDP #Tomcat #Windows #bot #AlienVault

30 WordPress plugins fitted with backdoors after takeover.

An attacker took over trusted WordPress plugins, tampered with them and thereby put thousands of websites at risk.

https://blog.fedispace.de/30-wordpress-plugins-nach-uebernahme-mit-backdoors-versehen/

#WordPress #Plugins #Backdoor

Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them.

Last week, I wrote about catching a supply chain attack on a WordPress plugin called Widget Logic. A trusted name, acquired by a new owner, turned into

Anchor Hosting

Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor

Pulse ID: 69ddc2843b479a135d03d176
Pulse Link: https://otx.alienvault.com/pulse/69ddc2843b479a135d03d176
Pulse Author: Tr1sa111
Created: 2026-04-14 04:28:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DPRK #InfoSec #NPM #OTX #OpenThreatExchange #SSH #bot #Tr1sa111

Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor

On April 10, 2026, a malicious npm package named [email protected] was published, targeting developers running automated trading bots on Polymarket, a prediction market platform with $477 million in open interest. The package executes four attack chains upon import: system fingerprinting, SSH backdoor installation on Linux hosts, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials and Ethereum/Polygon wallet private keys. The payload runs at require() time without install hooks and specifically hunts SDK source files like createClobClient.ts and clob.ts. An SSH public key is written to authorized_keys for persistent access. The attacker can drain USDC balances directly using stolen L1 private keys. Attribution points to DPRK's Famous Chollima (Lazarus Group) based on TTPs matching the TraderTraitor campaign and publisher email correlation with known DPRK infrastructure.

Pulse ID: 69dd07b82c8afdcdfda7a898
Pulse Link: https://otx.alienvault.com/pulse/69dd07b82c8afdcdfda7a898
Pulse Author: AlienVault
Created: 2026-04-13 15:11:52

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DPRK #Email #InfoSec #Lazarus #Linux #NPM #OTX #OpenThreatExchange #RAT #RCE #SSH #bot #developers #AlienVault

Tracking an OtterCookie Infostealer Campaign Across npm

Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.

Pulse ID: 69dd05a672cf30caf5d26e06
Pulse Link: https://otx.alienvault.com/pulse/69dd05a672cf30caf5d26e06
Pulse Author: AlienVault
Created: 2026-04-13 15:03:02

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DPRK #InfoSec #InfoStealer #Java #JavaScript #Korea #Linux #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #SSH #SupplyChain #bot #developers #AlienVault

Threat Actor Targets Arabian Gulf Region With PlugX

In March 2026, a China-nexus threat actor launched a sophisticated campaign targeting countries in the Arabian Gulf region, exploiting renewed Middle East conflict themes within 24 hours of escalation. The attack utilized Arabic-language lures depicting missile strikes and employed a multi-stage infection chain beginning with weaponized ZIP archives containing malicious LNK and CHM files. The campaign deployed a heavily obfuscated PlugX backdoor variant through DLL sideloading, with components using control flow flattening and mixed boolean arithmetic techniques. The backdoor supports HTTPS command-and-control communications, DNS-over-HTTPS resolution, and multiple plugins for system manipulation. Based on tools, techniques, and procedures including specific RC4 decryption keys and rapid geopolitical weaponization, the activity is attributed with medium confidence to Mustang Panda.

Pulse ID: 69dd0041c90648fbae253073
Pulse Link: https://otx.alienvault.com/pulse/69dd0041c90648fbae253073
Pulse Author: AlienVault
Created: 2026-04-13 14:40:01

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Arabic #BackDoor #China #CyberSecurity #DNS #HTTP #HTTPS #InfoSec #LNK #MiddleEast #OTX #OpenThreatExchange #PlugX #SideLoading #ZIP #bot #AlienVault