Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...

Pulse ID: 6a01c2363e7f67fcbed473cb
Pulse Link: https://otx.alienvault.com/pulse/6a01c2363e7f67fcbed473cb
Pulse Author: AlienVault
Created: 2026-05-11 11:49:10

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Microsoft researchers warn of a new #ClickFix campaign targeting macOS with fake guides on Medium and Craft to deploy AMOS and SHub Stealer via Terminal commands.

Read: https://hackread.com/fake-macos-troubleshooting-sites-steal-icloud-clickfix/

#CyberSecurity #macOS #AMOS #SHubStealer #Scam

Fake macOS Troubleshooting Sites Used to Steal iCloud Data in ClickFix Scam

Hackread - Cybersecurity News, Data Breaches, AI and More

📢 macOS ClickFix campaign: three waves of infostealers via fake Terminal commands
📝 ## 🔍 Context

Published on 6 May 2026 by the Microsoft Defender Security Resea...
📖 cyberveille: https://cyberveille.ch/posts/2026-05-08-campagne-clickfix-macos-trois-vagues-d-infostealers-via-fausses-commandes-terminal/
🌐 source: https://www.microsoft.com/en-us/security/blog/2026/05/06/clickfix-campaign-uses-fake-macos-utilities-lures-deliver-infostealers/
#_mainhelper #AMOS #Cyberveille

macOS ClickFix campaign: three waves of infostealers via fake Terminal commands

🔍 Context Published on 6 May 2026 by the Microsoft Defender Security Research Team, this article documents the evolution of a ClickFix campaign targeting macOS users, active since late January 2026. The campaign exploits legitimate content platforms (Medium, Craft, Squarespace) to host fake troubleshooting instructions. 🎯 Infection mechanism Victims are induced to copy and paste Base64-encoded Terminal commands presented as system utilities. Unlike application bundles subject to Gatekeeper, scripts executed via Terminal escape Apple's signature and notarization checks.

CyberVeille

ClickFix campaign uses fake macOS utilities lures to deliver infostealers

Threat actors are leveraging ClickFix-style social engineering tactics to distribute infostealers targeting macOS users through fake system utility lures. Attackers host malicious Terminal commands on blog sites and content platforms, disguised as troubleshooting advice for macOS issues. When executed, these commands download infostealers including Macsync, Shub Stealer, and AMOS, which exfiltrate browser credentials, cryptocurrency wallets, iCloud data, Keychain entries, and media files. The campaign has evolved to use Terminal-based script execution that bypasses Gatekeeper verification. Three distinct campaigns employ different tradecraft, with some replacing legitimate cryptocurrency wallet applications with trojanized versions and establishing persistence through LaunchAgents and LaunchDaemons that masquerade as legitimate services.

Pulse ID: 69fb97e43f09a3b9ae3a39b9
Pulse Link: https://otx.alienvault.com/pulse/69fb97e43f09a3b9ae3a39b9
Pulse Author: AlienVault
Created: 2026-05-06 19:35:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #Cloud #CyberSecurity #ICS #InfoSec #InfoStealer #Mac #MacOS #OTX #OpenThreatExchange #RAT #ScriptExecution #SocialEngineering #Trojan #bot #cryptocurrency #AlienVault

AMOS Stealer delivered via Cursor AI agent session

Pulse ID: 69f19249610906a8b5470a4b
Pulse Link: https://otx.alienvault.com/pulse/69f19249610906a8b5470a4b
Pulse Author: Tr1sa111
Created: 2026-04-29 05:08:25

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #CyberSecurity #InfoSec #OTX #OpenThreatExchange #bot #Tr1sa111

Video-Tutorial: AMOS hardware sprites & colour palette management
In his latest AMOS video, @yawning_angel explores hardware sprites and demonstrates how to display 32 colours on a 16-colour screen using a hardware sprite.

https://www.amiga-news.de/en/news/AN-2026-04-00130-EN.html

#Amiga #AMOS #video #tutorial

AMOS Stealer delivered via Cursor AI agent session

On April 23, 2026, Field Effect MDR identified AMOS Stealer malware delivered through a novel technique exploiting Cursor AI agent sessions running Claude Code. The attack employed social engineering to manipulate operators into prompting the AI agent to download and execute malicious AppleScript loaders. The heavily obfuscated scripts performed sandbox evasion checks, collected sensitive data including credentials, SSH keys, browser data, and cryptocurrency wallets, then exfiltrated compressed archives to remote servers within two minutes. The malware prompted users for local account credentials through fake macOS system dialogs, subsequently using elevated permissions to install persistent implants masquerading as legitimate system services. This delivery mechanism makes detection challenging as malicious commands blend with typical agentic coding behavior, representing an evolution in AMOS Stealer tactics beyond traditional SEO poisoning methods.

Pulse ID: 69ec44ff58f20f2cb01e0a1c
Pulse Link: https://otx.alienvault.com/pulse/69ec44ff58f20f2cb01e0a1c
Pulse Author: AlienVault
Created: 2026-04-25 04:37:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AMOS #Browser #CyberSecurity #ICS #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #SEOPoisoning #SSH #SocialEngineering #bot #cryptocurrency #AlienVault

Monday Miscellany!

This week:
- #oppression and #rebellion in #Amos
- giving #liberally according to #Paul
- #Bible readings
- #cat tax
- question: #hymns and #giving

Please read, share, and subscribe!

https://open.substack.com/pub/deverbovitae/p/monday-miscellany-463?r=14n9qk&utm_campaign=post&utm_medium=web&showWelcomeOnShare=true

#Amos indicted the #elite women and the religious service of Israel. #Judgment was coming. It would not be pleasant.

04.19 | The Voice 16.16 | #Oppression and #Rebellion | Amos 4:1-5
https://www.venicechurchofchrist.org/voice/oppressionrebellion/

#Amos indicted the #elite women and the religious service of Israel. #Judgment was coming, and it would not be pleasant.

#Oppression and #Rebellion | Amos 4:1-5
https://www.deverbovitae.com/articles/oppressionrebellion/