Spraying for Access: Iran-Aligned Actors Turn Weak Credentials into Intelligence

T1589: A chronology of key points of the cyber-attack on the BBC, the details of what they are looking out for, and the key information they need to know.

Pulse ID: 69f97946a50d50c961d505f9
Pulse Link: https://otx.alienvault.com/pulse/69f97946a50d50c961d505f9
Pulse Author: Tr1sa111
Created: 2026-05-05 04:59:50

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BBC #CyberSecurity #InfoSec #Iran #OTX #OpenThreatExchange #bot #Tr1sa111

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

PhantomRaven Wave 5: New Undocumented NPM Supply Chain Campaign Targets DeFi, Cloud, and AI Developers

A fifth wave of the PhantomRaven NPM supply chain attack campaign has been discovered, utilizing 33 new malicious packages and fresh command-and-control infrastructure registered on March 10, 2026. The operation employs a sophisticated three-stage payload delivery mechanism using Remote Dynamic Dependency techniques to bypass static analysis. Malicious packages self-reference dependencies pointing to attacker-controlled servers at pack[.]nppacks[.]com, which deliver droppers that harvest developer credentials, system information, CI/CD tokens, GitHub repository names, and email addresses from Git configurations, NPM settings, and environment variables. The campaign specifically targets DeFi cryptocurrency developers, cloud infrastructure engineers working with Azure CDK, and AI application developers. All collected data is exfiltrated via POST requests to mozbra.php on the C2 server. Infrastructure analysis reveals connections to a legitimate Pakistani IT services company domain, suggesting potential accou...

Pulse ID: 69f8acdd6038448e350edbb9
Pulse Link: https://otx.alienvault.com/pulse/69f8acdd6038448e350edbb9
Pulse Author: AlienVault
Created: 2026-05-04 14:27:41

#Azure #Cloud #CyberSecurity #ELF #Email #GitHub #InfoSec #NPM #OTX #OpenThreatExchange #PHP #Pakistan #RAT #SupplyChain #Troll #bot #cryptocurrency #developers #AlienVault

Hackers Breach Government and Military Servers by Exploiting cPanel Vulnerability

Pulse ID: 69f8aef239e0a49c51b70b21
Pulse Link: https://otx.alienvault.com/pulse/69f8aef239e0a49c51b70b21
Pulse Author: CyberHunter_NL
Created: 2026-05-04 14:36:34

#CyberSecurity #Government #InfoSec #Military #OTX #OpenThreatExchange #Vulnerability #bot #CyberHunter_NL

The New Hacking Tool That Lets Anyone Launch Their Own Spyware Company | Certo Software

The Intercept has uncovered a new Android surveillance tool that can be sold to anyone who wants to spy on a victim’s phone, for a fee of up to $60 (£40).

Pulse ID: 69f8af28babf44aed796e40a
Pulse Link: https://otx.alienvault.com/pulse/69f8af28babf44aed796e40a
Pulse Author: CyberHunter_NL
Created: 2026-05-04 14:37:28

#Android #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RCE #SpyWare #bot #CyberHunter_NL

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and macOS Backdoors

An ongoing campaign has been discovered delivering Linux and macOS backdoors through poisoned Python packages uploaded to PyPI repository. The activity is attributed with medium confidence to Gleaming Pisces, a North Korean financially motivated threat actor affiliated with the Reconnaissance General Bureau. The campaign delivered PondRAT, identified as a lighter version of the known POOLRAT remote administration tool. Multiple malicious packages including real-ids, coloredtxt, beautifultext, and minisound were used to establish an evasive infection chain. The threat actor aims to compromise supply chain vendors through developer endpoints to ultimately access their customers' systems. Code analysis reveals significant similarities between PondRAT and previously attributed Gleaming Pisces malware, including identical function names, encryption keys, and execution flows. Both Linux and macOS variants were identified, demonstrating the group's expanding cross-platform capabilities targeting the cryptocurrenc...

Pulse ID: 69f837f3d2d59a26f6d3acf3
Pulse Link: https://otx.alienvault.com/pulse/69f837f3d2d59a26f6d3acf3
Pulse Author: AlienVault
Created: 2026-05-04 06:08:51

#BackDoor #CyberSecurity #DRat #Encryption #Endpoint #InfoSec #Korea #Linux #Mac #MacOS #Malware #NorthKorea #OTX #OpenThreatExchange #PyPI #Python #RAT #SupplyChain #bot #AlienVault

Inside Vect Ransomware-as-a-Service

Vect ransomware emerged in January 2026 as a new threat actor operating a Ransomware-as-a-Service program with strategic partnerships that significantly expand its reach. The group has partnered with TeamPCP, known for supply chain attacks compromising security tools like Trivy, KICS, and LiteLLM, and with BreachForums, distributing affiliate keys to forum members. With 25 published victims, primarily in the United States and the technology sector, Vect maintains an open affiliate program requiring only a $250 invite code. The operation offers multi-platform ransomware payloads for Windows, Linux, and ESXi with sophisticated lateral movement capabilities and tiered commission structures reaching 89% for top affiliates. Analysis reveals connections to the defunct Devman ransomware through shared code strings and ransom note similarities, suggesting possible rebranding or code reuse.

Pulse ID: 69f3e870bcc7ccaa076150b1
Pulse Link: https://otx.alienvault.com/pulse/69f3e870bcc7ccaa076150b1
Pulse Author: AlienVault
Created: 2026-04-30 23:40:32

#CyberSecurity #ICS #InfoSec #Linux #OTX #OpenThreatExchange #RAT #RansomWare #RansomwareAsAService #SupplyChain #UnitedStates #Windows #bot #AlienVault

That AI Extension Helping You Write Emails? It's Reading Them First

Researchers discovered 18 malicious AI browser extensions masquerading as productivity tools that deliver remote access trojans, meddler-in-the-middle attacks, and infostealers. These extensions exploit the rise of generative AI to target prompts, user behavior, and browser sessions through API interception, passive DOM observation, traffic proxying, and HTTPS response decryption. Examples include extensions that surveil emails during composition, intercept ChatGPT prompts, and exfiltrate passwords. Multiple samples contained AI-generated code indicating threat actors employed large language models to accelerate production. Google removed or issued warnings for all 18 reported extensions. These malicious tools specifically target sensitive data including AI API keys, authentication credentials, email content, and proprietary session information by exploiting user trust in AI-branded applications.

Pulse ID: 69f3e871eb2a73cd5c8bee7e
Pulse Link: https://otx.alienvault.com/pulse/69f3e871eb2a73cd5c8bee7e
Pulse Author: AlienVault
Created: 2026-04-30 23:40:33

#Browser #ChatGPT #CyberSecurity #Email #Google #HTTP #HTTPS #InfoSec #InfoStealer #OTX #OpenThreatExchange #Password #Passwords #Proxy #RAT #RCE #RemoteAccessTrojan #Rust #Trojan #Word #bot #AlienVault

Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack

The intercom-client npm package version 7.0.4 was compromised through a malicious GitHub account, introducing credential-stealing malware into a widely used Node.js SDK with approximately 360,000 weekly downloads. The attack deployed two malicious files: setup.mjs, executed via a preinstall hook to download an unverified Bun binary, and router_runtime.js, an obfuscated 11.7 MB script targeting Kubernetes, Vault, and cloud credentials. Stolen data was encrypted and exfiltrated through the GitHub API. The compromise resembles recent attacks on the PyPI lightning package and SAP CAP packages, sharing technical patterns with TeamPCP-linked campaigns, including GitHub-based exfiltration and CI/CD targeting. The attack was facilitated by the compromised GitHub account nhur, which created malicious workflows and triggered automated CI publishing, affecting developers and CI/CD environments that installed the package.

Pulse ID: 69f3e871f34be9dc34f7bd3d
Pulse Link: https://otx.alienvault.com/pulse/69f3e871f34be9dc34f7bd3d
Pulse Author: AlienVault
Created: 2026-04-30 23:40:33

#Cloud #CyberSecurity #GitHub #InfoSec #Malware #NPM #Nodejs #OTX #OpenThreatExchange #PyPI #RAT #Worm #bot #developers #AlienVault

Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise

A malicious artifact of the widely-used intercom/intercom-php package version 5.0.2 was discovered on Packagist, representing an expansion of the Mini Shai-Hulud supply chain attack from npm into the PHP ecosystem. The compromised package exploits Composer plugin execution to download Bun runtime and execute an obfuscated credential-stealing payload during installation. The malicious code harvests sensitive credentials including GitHub tokens, cloud provider credentials, SSH keys, Kubernetes tokens, and HashiCorp Vault secrets from developer machines and CI/CD environments. Stolen data is encrypted using AES-256-GCM and exfiltrated to attacker-controlled infrastructure. The payload also contains propagation logic to modify GitHub repositories and npm packages using stolen credentials. With approximately 12,700 daily installs, the compromised artifact potentially reached numerous high-value development environments before removal.

Pulse ID: 69f4696df292a40fd0caa46d
Pulse Link: https://otx.alienvault.com/pulse/69f4696df292a40fd0caa46d
Pulse Author: AlienVault
Created: 2026-05-01 08:50:53

#Cloud #CyberSecurity #GitHub #InfoSec #Mac #NPM #OTX #OpenThreatExchange #PHP #RAT #SSH #SupplyChain #Troll #bot #AlienVault

Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft

Trigona ransomware affiliates deployed a custom exfiltration tool called uploader_client.exe during attacks in March 2026, marking a tactical shift from relying on off-the-shelf utilities like Rclone. The tool features parallel streams with five default connections, connection rotation after 2,048 MB transfers to evade network monitoring, and granular filtering to exclude low-value files. Prior to exfiltration, attackers disabled security defenses using kernel-level tools including HRSword, PCHunter, Gmer, YDark, and WKTools with vulnerable drivers. Remote access was established via AnyDesk, while credentials were harvested using Mimikatz and Nirsoft utilities. The custom tooling demonstrates higher technical maturity compared to typical ransomware operations, providing enhanced stealth capabilities while requiring greater development resources. Targeted data included invoices and high-value PDF documents from networked drives.

Pulse ID: 69f4e8812c7240e62187fe72
Pulse Link: https://otx.alienvault.com/pulse/69f4e8812c7240e62187fe72
Pulse Author: AlienVault
Created: 2026-05-01 17:53:05

#AnyDesk #CyberSecurity #DataTheft #ELF #InfoSec #OTX #OpenThreatExchange #PDF #RAT #RCE #RansomWare #Rclone #Trigona #Word #bot #AlienVault