macOS ClickFix Attacks Harvest Credentials via AppleScript Stealers

macOS users beware: a sneaky ClickFix campaign is using AppleScript stealers to harvest credentials from 14 browsers, 16 cryptocurrency wallets, and over 200 extensions. This targeted attack has already made off with a staggering amount of sensitive info - and it's still on the loose.

https://osintsights.com/macos-clickfix-attacks-harvest-credentials-via-applescript-stealers?utm_source=mastodon&utm_medium=social

#Macos #Clickfix #Applescript #Infostealer #CredentialHarvesting


Learn how macOS ClickFix attacks use AppleScript stealers to harvest credentials and how to protect yourself from these targeted threats now.

OSINTSights

They got hacked because an employee of a SaaS they used downloaded game cheats. Or: why you have to be careful with OAuth!

What a beautiful catastrophe! This story has everything: the infection of not one but two not-very-prudent employees at different "technical" companies. A hop from one infected infrastructure to the next, because neither company applied the principle of least privilege, and one gets the impression that they applied no security mechanisms at all. And finally, an attacker group that steals another group's identity, plus venom-spitting online opponents of vibecoding who went after the company with pitchforks, because everyone knows that "every AI programmer is an idiot". And it turned out that AI had nothing to do with this attack.
How did it start?
On 19 April, a post appeared on a well-known hacker forum claiming that Vercel, a platform popular among vibecoders, had been hacked. The attackers, signing as ShinyHunters, put the company's keys and database access up for sale. Things got heated in the community, because Vercel is also behind the v0 tool and the popular Next.js library, and that immediately brought to mind the recent high-profile supply chain attacks.

At first, of course, there was speculation that the breach was the result of careless vibecoding used to build and configure Vercel's security mechanisms, since the company is associated with vibecoding. But the truth turned out to be even more painful. The source of the attack was a chain of two employees.

The first was an employee of an external company, Contex.ai, who was downloading …cheats for the game Roblox infected with the Lumma infostealer. Thanks to that, the attackers had access to Contex.ai's infrastructure and its customers' data. Two months [...]

#AI #EskalacjaPrzywilejów #GoogleWorkspace #Infostealer #Malware #SaaS #Stealer #Vercel

https://niebezpiecznik.pl/post/zhackowali-ich-bo-pracownik-saas-z-ktorego-korzystali-pobral-cheaty-do-gier-czyli-dlaczego-trzeba-uwazac-na-oauth/


NieBezpiecznik.pl

macOS ClickFix Campaign: AppleScript Stealers & New Terminal Protections

A sophisticated ClickFix campaign targets both Windows and macOS users through fake CAPTCHA pages that trick victims into executing malicious commands. The macOS variant deploys an AppleScript-based infostealer that harvests sensitive data including keychain databases, credentials, and session cookies from 12 browsers, over 200 browser extensions, and 16 cryptocurrency wallets. The malware employs a persistent, non-closable dialog box mimicking legitimate system prompts to force victims into providing their system password. Stolen session cookies enable attackers to bypass multi-factor authentication by hijacking active sessions. The campaign uses client-side JavaScript to filter victims by user-agent, directing desktop users to OS-specific payloads while ignoring mobile devices. Latest macOS updates include native terminal security warnings designed to alert users against pasting potentially malicious commands.

Pulse ID: 69e6db546f646b9818b7bf0d
Pulse Link: https://otx.alienvault.com/pulse/69e6db546f646b9818b7bf0d
Pulse Author: AlienVault
Created: 2026-04-21 02:05:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #Cookies #CyberSecurity #InfoSec #InfoStealer #Java #JavaScript #Mac #MacOS #Malware #Mimic #OTX #OpenThreatExchange #Password #RCE #Windows #Word #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

Pulse ID: 69e6fb953f412155415f7e5d
Pulse Link: https://otx.alienvault.com/pulse/69e6fb953f412155415f7e5d
Pulse Author: Tr1sa111
Created: 2026-04-21 04:22:45

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #VPN #Windows #bot #Tr1sa111


From a Roblox script to the Vercel breach: how an infostealer almost compromised the Next.js supply chain

A Context.ai employee infected with Lumma Stealer via a Roblox script opened the door to a potential supply chain attack on Vercel and Next.js. ShinyHunters claims the theft of source code, NPM/GitHub tokens and 580 employee records, offering the package for $2 million. Vercel confirms limited access but rules out any compromise of the open source frameworks.

https://insicurezzadigitale.com/dal-roblox-script-al-breach-di-vercel-come-un-infostealer-ha-quasi-compromesso-la-supply-chain-di-next-js/

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

Multiple campaigns are distributing NWHStealer through diverse delivery methods including fake VPN downloads, hardware utilities, and gaming modifications. The malware collects browser data, saved passwords, and cryptocurrency wallet information. Distribution occurs via fake websites impersonating legitimate services like Proton VPN, code hosting platforms such as GitHub and GitLab, file hosting services including MediaFire and SourceForge, and links from YouTube videos. Two primary infection methods were identified: one using a free web hosting provider distributing malicious ZIP files with self-injection, and another using fake websites with DLL hijacking that injects code into RegAsm processes. The stealer targets over 25 cryptocurrency wallets and multiple browsers, using AES-CBC encryption for command-and-control communications and employing UAC bypass techniques for privilege escalation.

Pulse ID: 69e27c47d37f66809a367479
Pulse Link: https://otx.alienvault.com/pulse/69e27c47d37f66809a367479
Pulse Author: AlienVault
Created: 2026-04-17 18:30:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #ELF #Encryption #GitHub #InfoSec #InfoStealer #Malware #OTX #OpenThreatExchange #Password #Passwords #RCE #VPN #Windows #Word #YouTube #ZIP #bot #cryptocurrency #AlienVault


Proton VPN: fake app steals all the data from the computer
Malwarebytes researchers have identified a website distributing a fake version of Proton VPN. Unsuspecting victims are fooled by the design, which resembles the original, and download a ZIP archive containing an infostealer. Many countries (including in Europe) are planning to introduce age verification, so cybercriminals will exploit the occasion to their advantage.

#protonvpn #infostealer #proton

https://www.punto-informatico.it/proton-vpn-falsa-app-ruba-dati-computer/


A site resembling the original distributes Proton VPN for Windows, but it is actually malware that steals data from browsers and cryptocurrency wallets.

Punto Informatico

Infostealer malware NWHStealer on fake ProtonVPN download pages

More:
https://maniabel.work/archiv/1457

#InfoStealer #NWHStealer #YoutubeUni #Maleware #ProtonVPN infosec #up2date

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere | Malwarebytes

Pulse ID: 69e24b399265b525ec5bdd33
Pulse Link: https://otx.alienvault.com/pulse/69e24b399265b525ec5bdd33
Pulse Author: CyberHunter_NL
Created: 2026-04-17 15:01:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #MalWareBytes #Malware #OTX #OpenThreatExchange #VPN #Windows #bot #CyberHunter_NL


[Translation] How a “dream job invitation” turns into an attack

It all starts with a notification that feels familiar and exciting for any developer: “You’ve been shortlisted for an AI developer position.” The company looks impressive — DLMind, an “AI innovation lab.” The recruiter appears legitimate — Tim Morenc, CEDS, with a polished LinkedIn profile, professional communication style, and mutual connections.

But behind this friendly outreach is BeaverTail — a malicious operation designed to steal your code, credentials, and developer assets.

The attack is part of a broader pattern associated with North Korean cyber operations, including groups such as Lazarus Group.

How the attack works

The victim is approached via LinkedIn or similar platforms

A convincing fake company and recruiter profile is used

A “technical assignment” or test task is provided

The task contains malicious code or a compromised dependency

Once executed, it extracts sensitive data such as:

GitHub / Git credentials

SSH keys

API tokens

browser session data

Why it works

The campaign relies on social engineering rather than technical exploitation:

trust in recruitment processes

desire for career opportunities

familiarity with developer workflows (GitHub, npm, Python, etc.)

Key takeaway

Any unsolicited “test assignment” should be treated as potentially hostile code. Execution environments must be isolated, and credentials should never be exposed in evaluation setups.

---

#hashtags
#cybersecurity #infosec #malware #socialengineering #phishing #infostealer #supplychainattack #github #developers #techsecurity #beavertail #lazarusgroup
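A concrete form of the "treat any unsolicited test assignment as potentially hostile code" advice above, written as an added example for this post (it is not from the original post or from any of the vendors it mentions): a pre-execution triage script that, before anyone runs `npm install` on a recruiter-supplied project, lists the npm lifecycle hooks that would execute automatically and flags source patterns that deserve a manual look. The sample project, the hook list and the pattern set are constructed for the demo and are deliberately minimal; a real triage would run in an isolated environment with no credentials present, as the post recommends.

```python
"""Pre-execution triage for an unsolicited "test assignment" repository.

Added example, not part of the original post. The sample project below is
constructed for the demo; the pattern list is a starting point, not a detector.
"""
import json
import re
from pathlib import Path

# npm lifecycle hooks that run during `npm install` without any explicit call
NPM_INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}

# Source patterns that warrant manual review (constructed; not exhaustive)
SUSPICIOUS_PATTERNS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "function_constructor": re.compile(r"new\s+Function\s*\("),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"),
    "credential_path": re.compile(r"\.ssh|\.npmrc|\.git-credentials|Login Data", re.I),
}


def scan_package_json(text):
    """Return (path, label, detail) for every install-time hook in package.json."""
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        # An unparseable manifest is itself worth a look before installing
        return [("package.json", "unparseable", "")]
    findings = []
    for name, cmd in pkg.get("scripts", {}).items():
        if name in NPM_INSTALL_HOOKS:
            findings.append(("package.json", f"install_hook:{name}", cmd))
    return findings


def scan_source(path, text):
    """Return (path, label, 'line N') for every suspicious pattern hit in a source file."""
    findings = []
    for label, rx in SUSPICIOUS_PATTERNS.items():
        for m in rx.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((path, label, f"line {line_no}"))
    return findings


def triage(files):
    """files: dict of relative path -> file content. Returns a sorted list of findings.

    Taking a dict rather than reading the disk keeps the demo offline and lets the
    same function be pointed at a real checkout by building the dict from Path.glob.
    """
    findings = []
    for path, text in files.items():
        if Path(path).name == "package.json":
            findings.extend(scan_package_json(text))
        elif path.endswith((".js", ".mjs", ".cjs", ".ts")):
            findings.extend(scan_source(path, text))
    return sorted(findings)


# Constructed sample: a harmless-looking assignment whose postinstall hook
# decodes and evals a base64 string (here just `console.log(1)`).
SAMPLE_PROJECT = {
    "package.json": json.dumps({
        "name": "assignment",
        "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"},
    }),
    "scripts/setup.js": (
        "const cp = require('child_process');\n"
        "const payload = Buffer.from('Y29uc29sZS5sb2coMSk=', 'base64').toString();\n"
        "eval(payload);\n"
    ),
    "src/index.js": "module.exports = (a, b) => a + b;\n",
}

if __name__ == "__main__":
    for path, label, detail in triage(SAMPLE_PROJECT):
        print(f"{path}: {label} {detail}")
```

The point of the script is the ordering it enforces: the manifest and the hooked scripts are read as text first, and nothing from the assignment executes until a human has seen that `postinstall` exists and what it points at. Against a real checkout, build the `files` dict from `Path(repo).rglob("*")`, and run the whole thing in a throwaway VM or container without your SSH keys, `.npmrc` or browser profile mounted.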