Source code environments are considered high-value targets because they reveal the inner workings of security products. Even limited access can give attackers insights into detection logic, configurations, or potential weaknesses that could be studied for future exploitation or used in supply chain-style attacks.

Investigation Findings and Potential Risks

Trellix has stated that the breach appears contained and, at this stage, there is no evidence of direct impact on customers or product integrity.

Key findings so far include:

• No compromise of the build, release, or update pipeline
• No signs of malicious code being inserted into products
• No evidence of active exploitation using the accessed data

However, the nature of source code exposure still raises concerns. Attackers could analyze the code offline to identify vulnerabilities, reverse-engineer protections, or develop evasion techniques against Trellix security tools.

The company is continuing a detailed forensic review to understand how the access occurred, what data was viewed or copied, and whether any long-term risks remain. Strengthening internal controls, access monitoring, and repository protections is likely part of the ongoing response.

This incident reflects a broader trend where attackers target software vendors instead of end users, aiming to gain leverage through trusted platforms. Similar breaches involving Microsoft, Okta, and LastPass show how valuable internal systems have become as entry points.

Trellix has committed to transparency and plans to release more technical details once the investigation is complete, helping the wider security community understand and defend against similar threats.

The post Trellix Confirms Source Code Repository Breach appeared first on First Hackers News.

Axios is a widely used JavaScript library that helps developers handle HTTP requests in both Node.js and browsers. Because it is used in so many projects, this axios npm hack can affect a large number of applications and development systems.

The attack took place on March 31, 2026, when hackers compromised two versions of Axios — 1.14.1 and 0.30.4. When developers installed these versions, a hidden malicious package called “plain-crypto-js” was automatically included without their knowledge, demonstrating the dangers of an axios npm hack.

This package acts as a loader. It connects to attacker-controlled servers and downloads additional malware. One of the main threats is a Remote Access Trojan (RAT), which allows attackers to gain control over infected machines.

If a developer’s system is affected, attackers can quietly steal sensitive data such as source code, environment variables, and credentials. They can also move deeper into company systems, including CI/CD pipelines, which increases the overall risk.

What You Should Do Immediately

CISA recommends that organizations review their systems for any recent Axios updates. If the affected versions were installed, quick action is important.

Teams should downgrade to safe versions like 1.14.0 or 0.30.3 and remove the malicious “plain-crypto-js” package from their projects. It is also important to rotate all sensitive credentials, including API keys, SSH keys, and access tokens.

Monitoring network activity is another key step. Any unusual outbound connections should be investigated, and security scans should be run to ensure no hidden threats remain.

How to Prevent Similar Attacks

This incident highlights how software supply chain attacks are becoming more advanced. Many of these attacks take advantage of default package manager settings that automatically install dependencies.

To reduce risk, organizations should strengthen their security practices. Enabling strong authentication for developer accounts can prevent unauthorized access. Disabling automatic script execution during installations can also block malicious behavior.

It is also a good practice to avoid using newly published packages without proper verification. Monitoring systems for unusual activity, such as unexpected processes or unknown network connections, can help detect threats early.

By taking these precautions, organizations can better protect their development environments from future attacks.

The post CISA Flags Axios npm Hack in Supply Chain Attack appeared first on First Hackers News.

The operation focused on the W3LL phishing kit, a tool widely used by cybercriminals to steal credentials and bypass multi-factor authentication. Attackers used this kit to carry out large-scale fraud attempts, with losses estimated to exceed $20 million.

How the W3LL Phishing Kit Worked

The W3LL toolkit was designed to make cybercrime easier, even for low-skilled attackers. It was sold as a service, allowing buyers to quickly launch phishing campaigns using ready-made fake login pages that closely mimicked legitimate websites.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

What made this tool especially dangerous was its ability to go beyond simple credential theft. Instead of just capturing usernames and passwords, it also collected session data and authentication tokens. This allowed attackers to bypass MFA protections and gain ongoing access to accounts without raising immediate alerts.

The ecosystem also included an underground marketplace called W3LLSTORE. This platform enabled criminals to buy and sell stolen credentials, corporate access, and remote connections, creating a full cybercrime supply chain.

• Over 25,000 compromised accounts were sold between 2019 and 2023
• More than 17,000 victims were targeted globally in recent campaigns
• Fraud attempts exceeded $20 million
• Stolen access was often resold multiple times for profit

Law Enforcement Action and Impact

Even after the original marketplace shut down, the operation continued through private channels. Investigators tracked its evolution and identified the key individuals behind it.

With support from U.S. authorities, the FBI seized critical infrastructure used to run the phishing service. At the same time, Indonesian police arrested the suspected developer and took control of domains linked to the operation.

Officials described the platform as more than just a phishing kit—it functioned as a complete cybercrime service. By shutting it down, authorities have disrupted a major tool that attackers relied on to breach organizations.

This takedown highlights how modern phishing has evolved into organized, scalable operations—and why international cooperation is essential to combat today’s cyber threats.

The post W3LL Phishing Kit Takedown Disrupts MFA Bypass Campaign appeared first on First Hackers News.

Social Engineering and Delivery Tactics

The attack typically begins with direct contact. Victims are approached through platforms like LinkedIn, email, or messaging apps by accounts posing as journalists, support staff, or known contacts. These interactions are carefully crafted to build trust before introducing a malicious link.

The link is usually presented as something urgent or relevant, such as a video call request, shared document, or account alert. Once clicked, victims are redirected either to fake login pages or download portals.

Common tactics used:

• Impersonation of trusted individuals or organizations
• Spearphishing messages tailored to the target
• Fake login pages mimicking services like email or cloud platforms
• Malicious download links disguised as secure communication tools

This approach relies heavily on human trust rather than technical exploitation, making it highly effective even against cautious users.

Fake Apps and Spyware Capabilities

The core of the campaign is the use of fake Android applications that appear to be secure messaging tools. These apps are distributed through convincing websites that mimic official sources and offer “enhanced” or “pro” versions of popular platforms.

Once installed, the spyware operates silently in the background, collecting and transmitting sensitive data to attacker-controlled servers.

Key capabilities include:

• Access to contacts, messages, and call-related data
• Collection of device information and stored files
• Extraction of documents, media, and backup data
• Continuous communication with remote command servers

The malware is designed to blend in as a legitimate app, making detection difficult for users who install it outside official app stores.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Broader Implications

This campaign highlights a growing trend where attackers combine social engineering with mobile spyware to conduct surveillance operations. The targeting of civil society groups suggests a shift toward more personalized and contract-driven espionage activities.

It also reinforces a critical point: even advanced threats often rely on simple entry points — convincing a user to trust and install something that appears legitimate.

The post Fake Messaging Apps Used to Deliver ProSpy Spyware appeared first on First Hackers News.

How the Malicious Package Operates

The fake package was uploaded under a seemingly legitimate name and presented as a utility for checking AI tokens. However, several warning signs were overlooked. The documentation was copied from an unrelated project, indicating a lack of authenticity, and the package structure was crafted to appear credible at first glance.

Once installed, the package connects to a remote server hosted on Vercel to fetch additional hidden code. Instead of storing malicious files on disk, it executes payloads directly in memory, making detection significantly harder.

Key behaviors observed:

• Contacts a remote endpoint to download and execute hidden scripts
• Uses obfuscation to hide command-and-control (C2) details
• Executes payloads in memory to bypass traditional security tools
• Disguises itself with legitimate-looking files and dependencies

Even after the main package was removed, related packages from the same source remain active and continue to be downloaded.

Multi-Stage Malware Capabilities

Further analysis revealed that the payload is not a simple script but a modular backdoor with multiple capabilities running in parallel. Each module performs a specific malicious function, allowing attackers to maintain control and extract valuable data.

Core functionalities include:

• Remote access module enabling attackers to control the infected system
• Credential theft targeting browsers and cryptocurrency wallets
• File exfiltration scanning for sensitive documents and configuration files
• Clipboard monitoring to capture copied data such as keys or passwords

The malware uses advanced obfuscation techniques, making it difficult to analyze. Its structure and behavior closely resemble known backdoors, particularly those linked to sophisticated threat campaigns.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Focus on AI Development Environments

The malicious code actively searches for folders linked to widely used AI tools such as Cursor, Claude, Gemini CLI, Windsurf, PearAI, and Eigent. These directories often store API keys, authentication tokens, and even conversation histories.

By extracting this data, attackers can misuse paid AI services, access proprietary code, and potentially pivot deeper into enterprise systems using additional credentials like SSH keys or cloud access tokens.

Key risks include:

• Theft of API keys and AI service tokens
• Exposure of sensitive prompts and development data
• Unauthorized use of paid AI platforms
• Increased risk of broader infrastructure compromise

Detection and Defensive Measures

From a defensive standpoint, visibility into unusual outbound traffic is critical. Monitoring connections to external infrastructure, especially uncommon endpoints, can help identify suspicious package behavior early.

Security teams can also leverage threat hunting techniques to detect patterns associated with multi-process Node.js malware and unusual communication channels such as Socket.IO-based command-and-control traffic.

Recommended actions:

• Monitor and restrict unnecessary outbound network connections
• Watch for abnormal Node.js process activity
• Identify unusual file access in developer environments
• Use threat hunting queries to detect similar attack patterns

Securing Developer Workflows

This campaign reflects a broader trend of supply chain attacks targeting developer ecosystems, particularly those involving AI tools. As these tools become deeply integrated into workflows, they also become high-value targets.

Developers should treat AI-related directories with the same level of sensitivity as critical folders like .ssh or cloud configuration paths. Before installing any package, it is essential to verify its authenticity, review its dependencies, and examine any unusual installation behavior.

Early reporting of suspicious packages and increased awareness within the developer community can significantly reduce the impact of such threats.

IOCs

The post Malicious npm Package Impersonates Gemini to Steal AI Tokens appeared first on First Hackers News.

These applications worked as expected, which helped them avoid suspicion and gain user trust. Before they were removed, they reached over 2.3 million downloads, exposing a large number of users.

The campaign mainly targets older Android devices by exploiting 22 known vulnerabilities that were originally patched between 2016 and 2021. Devices running outdated versions, especially Android 7 and below, are at the highest risk because they no longer receive security updates.

Stealthy Entry Through Legitimate Apps

The attack begins when a user installs one of the infected apps and opens it. Everything appears normal, but hidden code is triggered in the background during the app’s startup process.

To remain undetected, these apps request minimal permissions and include common frameworks like Firebase, analytics tools, and social SDKs. This helps them blend in with legitimate applications.

The initial malicious payload is hidden inside what looks like a normal image file. In reality, the image contains encrypted data attached to it. Once executed, the app extracts and decrypts this payload directly in memory, leaving very little trace behind.

The malware then runs a series of checks to avoid detection. It looks for emulators, debugging tools, VPNs, proxies, and even uses geofencing to skip certain regions. Only after passing these checks does it connect to its command-and-control server.

Modular Payload and Deep System Control

After connecting to its server, the malware downloads additional components disguised as harmless files. These components are customized based on the infected device.

It collects detailed information such as device model, kernel version, installed apps, and security patch level. Based on this, it selects the most effective exploit to gain control.

Once successful, the attackers gain root access and disable important security protections like SELinux. The rootkit then embeds itself into the system by modifying critical libraries, allowing it to inject malicious code into every app running on the device.

On older devices, this level of access allows the malware to survive even after a factory reset.

WhatsApp Session Hijacking

One of the most serious capabilities of this campaign is targeting WhatsApp.

When WhatsApp is opened, the malware extracts sensitive data, including encrypted databases and key identifiers used by the app. It also collects information such as phone number, country code, and account details.

This data is sent to attacker-controlled servers using encrypted communication that mimics legitimate traffic. With this information, attackers can clone or hijack the victim’s WhatsApp session on another device.

Infrastructure and Evasion Techniques

NoVoice uses a segmented infrastructure where different servers handle different tasks like device tracking, payload delivery, exploit hosting, and command execution.

It also uses cloud services to host its payloads, allowing attackers to quickly change servers if any part of the operation is detected. This makes the campaign more resilient and harder to shut down completely.

The techniques used in this campaign show similarities with previously known Android malware, especially in how it injects code into system processes and maintains persistence.

Who Is Most at Risk

Devices running newer Android versions with updated security patches are not affected by the specific exploits used in this campaign. However, they may still be exposed to other malicious components.

Older and unsupported devices remain the most vulnerable. Since they no longer receive updates, they continue to be exposed to known security flaws that attackers can exploit.

Final Thoughts

The NoVoice campaign is a strong reminder that even official app stores are not completely safe from advanced threats.

It also highlights the risks of using outdated devices. Keeping systems updated, being cautious with app installations, and using mobile security tools are essential steps to reduce exposure to such attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post NoVoice: A Silent Rootkit Campaign Targeting Android Users appeared first on First Hackers News.

That brief moment is exactly why this “three-finger test” has gone viral. It reveals something important: even advanced deepfake systems still struggle under certain real-time conditions.

What’s Really Happening in That Viral Clip

At first, the video seems like a normal interaction. The person responds naturally, maintains eye contact, and appears authentic. But when the hand moves in front of the face, the illusion begins to break.

This happens because most live deepfake systems depend on continuously tracking facial features. When those features are partially blocked, the system briefly loses its reference points. The result is a visual inconsistency that the human eye can catch — even if only for a second.

That one second is enough to raise suspicion.

Why This Simple Trick Works

The effectiveness of this trick lies in how it disrupts the assumptions deepfake systems rely on. These systems expect a relatively stable, visible face to maintain accuracy. A sudden, close-range hand movement changes that completely.

Here’s why it works so well right now:

• It introduces unpredictability into a controlled system
• It blocks key facial landmarks needed for tracking
• It forces real-time recalculation under time pressure
• It exposes weaknesses in rendering hands and motion together

Each of these factors increases the chances of visible glitches.

Why Fingers Are a Problem for AI

Hands are one of the most complex parts of the human body to replicate digitally. Fingers bend, overlap, and change shape depending on angle and movement.

When this complexity is added in front of a moving face, the system has to process both occlusion and motion at once. This is where errors start to appear — and where the illusion becomes fragile.

Why This Matters More Than It Seems

This isn’t just a social media trick. It highlights a growing security concern.

Deepfake technology is already being used in:

• Fraud attempts during video-based verification
• Impersonation in business communication
• Social engineering attacks targeting employees

In these scenarios, trust is built visually. If something looks real, it is often accepted as real. That’s what makes live deepfakes dangerous.

The viral video is a reminder that even simple interactions can challenge that trust.

Not a Perfect Solution — But a Useful Signal

While the three-finger test works today, it should not be treated as a guaranteed detection method. Deepfake systems are improving quickly, and future versions may handle these situations more smoothly.

Still, the idea behind it is powerful: introduce real-time, unexpected actions that are hard for AI to predict.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The Bigger Takeaway

The real lesson from this viral moment is not just about fingers or gestures. It’s about how we verify identity in a world where visuals can no longer be trusted completely.

Small, human-driven checks can sometimes reveal what advanced systems try to hide.

Closing Thoughts

The “three-finger” trick became popular because it is simple, visual, and surprisingly effective. It shows that even the most convincing deepfake can break under the right conditions.

But as technology evolves, detection will need to evolve with it.

Because in the near future, the challenge will not be spotting what looks fake — but questioning what looks real.

The post The Viral “Three-Finger” Test — A Simple Trick Exposing Deepfake Live Calls appeared first on First Hackers News.

Instead of depending on code injection or high-level privileges, it uses a debugger-based method to capture Chrome’s v20_master_key directly from memory during normal browser activity, making it a significant concern related to the VoidStealer Chrome ABE bypass.

This makes the technique especially concerning because attackers can access protected cookies and credentials while avoiding some of the louder behaviors that security tools usually look for.

Why This Matters

Google introduced Application-Bound Encryption (ABE) in Chrome 127 to better protect browser secrets such as cookies and saved credentials. The idea was to make theft attempts harder and easier to detect by tying decryption to Chrome and its privileged elevation service.

Older malware often used noisy methods to get around this. Some strains tried to run with SYSTEM-level privileges and copy the service logic. Others injected code into the browser process to trigger decryption from inside Chrome. Both methods usually create strong detection signals in endpoint telemetry.

The VoidStealer Chrome ABE bypass technique poses a serious risk, further complicating the protection landscape for users and organizations alike.

As cyber threats evolve, understanding the implications of methods like the VoidStealer Chrome ABE bypass becomes essential for users and security professionals alike.

VoidStealer’s newer approach is different because it avoids both of those steps while still reaching the same goal.

How Chrome ABE Protects Browser Secrets

Chrome stores protected data like cookies, and in some cases passwords, as v20-prefixed encrypted values. These values are encrypted using a special application key called the v20_master_key.

That key is protected using Windows security mechanisms and is only decrypted briefly when Chrome needs to access protected data through its elevation service.

In simple terms, the key is normally locked away and appears in plaintext only for a short moment during legitimate browser operations. VoidStealer abuses that exact moment.

What Makes VoidStealer Different

The most notable feature in VoidStealer v2.0 is its debugger-driven bypass. Instead of forcing decryption through escalation or injection, the malware waits until Chrome decrypts the key naturally and then steals it from memory.

That gives attackers a stealthier path to the same result.

Why attackers may like this method

• No SYSTEM privilege escalation
• No browser code injection
• Lower detection footprint
• Access to ABE-protected cookies and credentials

This makes the attack more attractive for threat actors trying to stay under the radar.

How the Debugger-Based Bypass Works

The technique closely follows ideas from the open-source ElevationKatz project. VoidStealer launches a hidden browser instance, starts it in a suspended state, resumes it, and quickly attaches as a debugger.

This timing matters because browsers often load and decrypt cookies during startup.

After attaching, the malware monitors module load events and identifies chrome.dll or msedge.dll. It then scans memory to locate a known string linked to the ABE decryption path.

When the browser reaches that point, current builds of Chrome and Edge temporarily hold a pointer to the decrypted v20_master_key in a processor register. VoidStealer reads that pointer and extracts the key from memory.

The malware does not need to call decryption APIs inside the victim browser process. It simply watches Chrome at the right moment and takes the key when it becomes available.

What Attackers Gain

Once the v20_master_key is stolen, attackers can use it offline to decrypt v20-protected cookies and credentials stored in the browser’s SQLite databases.

That effectively removes the protection ABE was meant to provide for that browser profile. A stolen session cookie can be enough to hijack active logins and gain access to web services without needing the victim’s password again.

Detection Opportunities for Defenders

Even though this method is quieter, it still creates useful detection signals that defenders can monitor.

Key indicators to watch

• Debugger attachment to chrome.exe or msedge.exe
• Use of DebugActiveProcess involving browser processes
• Suspicious ReadProcessMemory activity against browsers
• Hidden or non-interactive browser sessions launched by unknown parent processes
• Unsigned or untrusted binaries reading browser memory

These signals become much stronger when they appear together.

Why This Matters for Security Teams

VoidStealer shows that infostealers are evolving beyond older, noisy bypass techniques. Instead of relying on privilege escalation or injection, attackers are moving toward quieter methods that abuse normal runtime behavior.

For defenders, this means detection strategies need to expand. Monitoring should not focus only on classic red flags like code injection. It also needs to cover debugger abuse, hidden browser launches, and unusual memory access patterns.

Conclusion

VoidStealer’s latest technique highlights a clear shift in browser-focused malware. By stealing Chrome’s decryption key at the brief moment it appears in memory, attackers can bypass ABE protections in a more subtle way.

Chrome’s ABE still raises the barrier for browser data theft, but this case shows that determined threat actors continue to adapt. Security teams need to respond in the same way by strengthening behavioral detection and improving visibility into suspicious browser-related activity.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post VoidStealer Uses a Smarter Trick to Bypass Chrome Protection appeared first on First Hackers News.

A new phishing campaign is pretending to be LastPass support emails to trick users into revealing their vault passwords and account credentials.

Attackers send emails that look like internal support conversations about suspicious activity on a user’s account.

These messages claim that someone is attempting actions such as:

• Exporting vault data
• Recovering the account
• Registering a new trusted device

The goal is to scare users into reacting quickly.

How the Phishing Attack Works

Hackers use a method called display name spoofing. The sender name appears as LastPass Support, but the actual email address comes from a different domain.

Many email apps, especially on mobile devices, show only the sender name. Because of this, users may not notice the fake address.

The email then asks users to secure or verify their account by clicking a link.

However, the link leads to a malicious website such as:

verify-lastpass[.]com

This site hosts a fake LastPass login page designed to look identical to the official one. If users enter their credentials, attackers can capture their master password and access their stored vault data.

Common Phishing Email Signs

The phishing emails often include LastPass branding and fake message threads to appear legitimate.

Some of the subject lines used include:

• “Account recovery verification request”
• “Unauthorized vault export attempt detected”
• “New trusted device registered to your account”

These messages create urgency so users click before verifying the source.

Security Advice for LastPass Users

LastPass has warned that it will never ask for a user’s master password through email.

Users should take the following precautions:

• Check the full sender email address carefully
• Avoid clicking links inside emails
• Access LastPass directly through the official website or app
• Enable multi-factor authentication (MFA)
• Report suspicious emails to abuse@lastpass.com

Why This Attack Matters

Phishing attacks are becoming more realistic and harder to detect.

Since password managers store sensitive data, they are a high-value target for cybercriminals. Users should always verify security alerts and avoid rushing to click links, even when the message appears legitimate.

The post Fake LastPass Support Scam Targets Password Vaults appeared first on First Hackers News.

By hosting phishing content on legitimate Google-owned domains, the attackers are able to bypass many email security filters and web gateways. Because the links appear trustworthy, they are less likely to raise suspicion.

Victims are redirected to realistic login pages that imitate well-known brands. After entering their credentials, they are quietly sent to the real website, making the attack difficult to detect.

Global Impact and Scale

The campaign is widespread. Investigators uncovered attacker-controlled servers containing thousands of stolen credentials linked to more than 1,000 organizations across 100+ countries and over 200 industries.

Mexico has the highest number of confirmed victims, particularly in manufacturing, education, and government sectors. The United States, Spain, India, and Argentina are also significantly affected.

The use of trusted cloud services makes this campaign especially effective and harder to block using traditional security controls.

Group-IB researchers describe GTFire as a structured, large-scale credential theft operation.

Attackers reuse the same phishing templates across multiple brands and store stolen data on centralized servers, organized by date, language, and targeted servic

More than 120 phishing domains were discovered, using similar naming patterns to quickly rotate infrastructure and avoid detection.

Attackers customize each fake login page to closely match real brands. After victims enter their credentials, they are redirected to the legitimate website, delaying suspicion.

Because the campaign uses trusted Google domains, traditional URL filtering and blocklists struggle to detect it — showing how easily legitimate infrastructure can be misused for phishing.

How the Attack Works

The attack starts with a phishing email that contains a Google Translate link. This link quietly routes the victim through Google’s translation service before redirecting them to a fake login page hosted on Firebase.

Because the link uses a Google domain, many email filters and web gateways do not block it.

Attackers create many random *.web.app subdomains to host phishing pages and rotate them frequently to avoid detection. Each page is designed to look like a real brand login portal.

When victims enter their credentials, they are shown a fake “wrong password” message and asked to try again. Both login attempts are secretly captured and sent to attacker-controlled servers, along with basic details like location and browser language.

The stolen data is collected using simple, ready-made backend tools, making the campaign easy to scale.

Mitigation Measures

Organizations should:

• Enforce phishing-resistant multi-factor authentication (MFA)
• Train employees to recognize suspicious Google-based links
• Monitor for unusual use of translate.goog and *.web.app domains
• Watch for brand impersonation hosted on trusted cloud platforms
• Share indicators of compromise with security communities and CERT teams

Trusted services can be misused, so detection strategies must go beyond basic domain reputation check

The post GTFire Phishing Attack Hides Behind Google Services appeared first on First Hackers News.