Source code environments are considered high-value targets because they reveal the inner workings of security products. Even limited access can give attackers insights into detection logic, configurations, or potential weaknesses that could be studied for future exploitation or used in supply chain-style attacks.

Investigation Findings and Potential Risks

Trellix has stated that the breach appears contained and, at this stage, there is no evidence of direct impact on customers or product integrity.

Key findings so far include:

• No compromise of the build, release, or update pipeline
• No signs of malicious code being inserted into products
• No evidence of active exploitation using the accessed data

However, the nature of source code exposure still raises concerns. Attackers could analyze the code offline to identify vulnerabilities, reverse-engineer protections, or develop evasion techniques against Trellix security tools.

The company is continuing a detailed forensic review to understand how the access occurred, what data was viewed or copied, and whether any long-term risks remain. Strengthening internal controls, access monitoring, and repository protections is likely part of the ongoing response.

This incident reflects a broader trend where attackers target software vendors instead of end users, aiming to gain leverage through trusted platforms. Similar breaches involving Microsoft, Okta, and LastPass show how valuable internal systems have become as entry points.

Trellix has committed to transparency and plans to release more technical details once the investigation is complete, helping the wider security community understand and defend against similar threats.

The post Trellix Confirms Source Code Repository Breach appeared first on First Hackers News.

Axios is a widely used JavaScript library that helps developers handle HTTP requests in both Node.js and browsers. Because it is used in so many projects, this axios npm hack can affect a large number of applications and development systems.

The attack took place on March 31, 2026, when hackers compromised two versions of Axios — 1.14.1 and 0.30.4. When developers installed these versions, a hidden malicious package called “plain-crypto-js” was automatically included without their knowledge, demonstrating the dangers of an axios npm hack.

This package acts as a loader. It connects to attacker-controlled servers and downloads additional malware. One of the main threats is a Remote Access Trojan (RAT), which allows attackers to gain control over infected machines.

If a developer’s system is affected, attackers can quietly steal sensitive data such as source code, environment variables, and credentials. They can also move deeper into company systems, including CI/CD pipelines, which increases the overall risk.

What You Should Do Immediately

CISA recommends that organizations review their systems for any recent Axios updates. If the affected versions were installed, quick action is important.

Teams should downgrade to safe versions like 1.14.0 or 0.30.3 and remove the malicious “plain-crypto-js” package from their projects. It is also important to rotate all sensitive credentials, including API keys, SSH keys, and access tokens.

Monitoring network activity is another key step. Any unusual outbound connections should be investigated, and security scans should be run to ensure no hidden threats remain.

How to Prevent Similar Attacks

This incident highlights how software supply chain attacks are becoming more advanced. Many of these attacks take advantage of default package manager settings that automatically install dependencies.

To reduce risk, organizations should strengthen their security practices. Enabling strong authentication for developer accounts can prevent unauthorized access. Disabling automatic script execution during installations can also block malicious behavior.

It is also a good practice to avoid using newly published packages without proper verification. Monitoring systems for unusual activity, such as unexpected processes or unknown network connections, can help detect threats early.

By taking these precautions, organizations can better protect their development environments from future attacks.

The post CISA Flags Axios npm Hack in Supply Chain Attack appeared first on First Hackers News.

How the Malicious Package Operates

The fake package was uploaded under a seemingly legitimate name and presented as a utility for checking AI tokens. However, several warning signs were overlooked. The documentation was copied from an unrelated project, indicating a lack of authenticity, and the package structure was crafted to appear credible at first glance.

Once installed, the package connects to a remote server hosted on Vercel to fetch additional hidden code. Instead of storing malicious files on disk, it executes payloads directly in memory, making detection significantly harder.

Key behaviors observed:

• Contacts a remote endpoint to download and execute hidden scripts
• Uses obfuscation to hide command-and-control (C2) details
• Executes payloads in memory to bypass traditional security tools
• Disguises itself with legitimate-looking files and dependencies

Even after the main package was removed, related packages from the same source remain active and continue to be downloaded.

Multi-Stage Malware Capabilities

Further analysis revealed that the payload is not a simple script but a modular backdoor with multiple capabilities running in parallel. Each module performs a specific malicious function, allowing attackers to maintain control and extract valuable data.

Core functionalities include:

• Remote access module enabling attackers to control the infected system
• Credential theft targeting browsers and cryptocurrency wallets
• File exfiltration scanning for sensitive documents and configuration files
• Clipboard monitoring to capture copied data such as keys or passwords

The malware uses advanced obfuscation techniques, making it difficult to analyze. Its structure and behavior closely resemble known backdoors, particularly those linked to sophisticated threat campaigns.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Focus on AI Development Environments

The malicious code actively searches for folders linked to widely used AI tools such as Cursor, Claude, Gemini CLI, Windsurf, PearAI, and Eigent. These directories often store API keys, authentication tokens, and even conversation histories.

By extracting this data, attackers can misuse paid AI services, access proprietary code, and potentially pivot deeper into enterprise systems using additional credentials like SSH keys or cloud access tokens.

Key risks include:

• Theft of API keys and AI service tokens
• Exposure of sensitive prompts and development data
• Unauthorized use of paid AI platforms
• Increased risk of broader infrastructure compromise

Detection and Defensive Measures

From a defensive standpoint, visibility into unusual outbound traffic is critical. Monitoring connections to external infrastructure, especially uncommon endpoints, can help identify suspicious package behavior early.

Security teams can also leverage threat hunting techniques to detect patterns associated with multi-process Node.js malware and unusual communication channels such as Socket.IO-based command-and-control traffic.

Recommended actions:

• Monitor and restrict unnecessary outbound network connections
• Watch for abnormal Node.js process activity
• Identify unusual file access in developer environments
• Use threat hunting queries to detect similar attack patterns

Securing Developer Workflows

This campaign reflects a broader trend of supply chain attacks targeting developer ecosystems, particularly those involving AI tools. As these tools become deeply integrated into workflows, they also become high-value targets.

Developers should treat AI-related directories with the same level of sensitivity as critical folders like .ssh or cloud configuration paths. Before installing any package, it is essential to verify its authenticity, review its dependencies, and examine any unusual installation behavior.

Early reporting of suspicious packages and increased awareness within the developer community can significantly reduce the impact of such threats.

IOCs

The post Malicious npm Package Impersonates Gemini to Steal AI Tokens appeared first on First Hackers News.

These applications worked as expected, which helped them avoid suspicion and gain user trust. Before they were removed, they reached over 2.3 million downloads, exposing a large number of users.

The campaign mainly targets older Android devices by exploiting 22 known vulnerabilities that were originally patched between 2016 and 2021. Devices running outdated versions, especially Android 7 and below, are at the highest risk because they no longer receive security updates.

Stealthy Entry Through Legitimate Apps

The attack begins when a user installs one of the infected apps and opens it. Everything appears normal, but hidden code is triggered in the background during the app’s startup process.

To remain undetected, these apps request minimal permissions and include common frameworks like Firebase, analytics tools, and social SDKs. This helps them blend in with legitimate applications.

The initial malicious payload is hidden inside what looks like a normal image file. In reality, the image contains encrypted data attached to it. Once executed, the app extracts and decrypts this payload directly in memory, leaving very little trace behind.

The malware then runs a series of checks to avoid detection. It looks for emulators, debugging tools, VPNs, proxies, and even uses geofencing to skip certain regions. Only after passing these checks does it connect to its command-and-control server.

Modular Payload and Deep System Control

After connecting to its server, the malware downloads additional components disguised as harmless files. These components are customized based on the infected device.

It collects detailed information such as device model, kernel version, installed apps, and security patch level. Based on this, it selects the most effective exploit to gain control.

Once successful, the attackers gain root access and disable important security protections like SELinux. The rootkit then embeds itself into the system by modifying critical libraries, allowing it to inject malicious code into every app running on the device.

On older devices, this level of access allows the malware to survive even after a factory reset.

WhatsApp Session Hijacking

One of the most serious capabilities of this campaign is targeting WhatsApp.

When WhatsApp is opened, the malware extracts sensitive data, including encrypted databases and key identifiers used by the app. It also collects information such as phone number, country code, and account details.

This data is sent to attacker-controlled servers using encrypted communication that mimics legitimate traffic. With this information, attackers can clone or hijack the victim’s WhatsApp session on another device.

Infrastructure and Evasion Techniques

NoVoice uses a segmented infrastructure where different servers handle different tasks like device tracking, payload delivery, exploit hosting, and command execution.

It also uses cloud services to host its payloads, allowing attackers to quickly change servers if any part of the operation is detected. This makes the campaign more resilient and harder to shut down completely.

The techniques used in this campaign show similarities with previously known Android malware, especially in how it injects code into system processes and maintains persistence.

Who Is Most at Risk

Devices running newer Android versions with updated security patches are not affected by the specific exploits used in this campaign. However, they may still be exposed to other malicious components.

Older and unsupported devices remain the most vulnerable. Since they no longer receive updates, they continue to be exposed to known security flaws that attackers can exploit.

Final Thoughts

The NoVoice campaign is a strong reminder that even official app stores are not completely safe from advanced threats.

It also highlights the risks of using outdated devices. Keeping systems updated, being cautious with app installations, and using mobile security tools are essential steps to reduce exposure to such attacks.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post NoVoice: A Silent Rootkit Campaign Targeting Android Users appeared first on First Hackers News.

Instead of depending on code injection or high-level privileges, it uses a debugger-based method to capture Chrome’s v20_master_key directly from memory during normal browser activity, making it a significant concern related to the VoidStealer Chrome ABE bypass.

This makes the technique especially concerning because attackers can access protected cookies and credentials while avoiding some of the louder behaviors that security tools usually look for.

Why This Matters

Google introduced Application-Bound Encryption (ABE) in Chrome 127 to better protect browser secrets such as cookies and saved credentials. The idea was to make theft attempts harder and easier to detect by tying decryption to Chrome and its privileged elevation service.

Older malware often used noisy methods to get around this. Some strains tried to run with SYSTEM-level privileges and copy the service logic. Others injected code into the browser process to trigger decryption from inside Chrome. Both methods usually create strong detection signals in endpoint telemetry.

The VoidStealer Chrome ABE bypass technique poses a serious risk, further complicating the protection landscape for users and organizations alike.

As cyber threats evolve, understanding the implications of methods like the VoidStealer Chrome ABE bypass becomes essential for users and security professionals alike.

VoidStealer’s newer approach is different because it avoids both of those steps while still reaching the same goal.

How Chrome ABE Protects Browser Secrets

Chrome stores protected data like cookies, and in some cases passwords, as v20-prefixed encrypted values. These values are encrypted using a special application key called the v20_master_key.

That key is protected using Windows security mechanisms and is only decrypted briefly when Chrome needs to access protected data through its elevation service.

In simple terms, the key is normally locked away and appears in plaintext only for a short moment during legitimate browser operations. VoidStealer abuses that exact moment.

What Makes VoidStealer Different

The most notable feature in VoidStealer v2.0 is its debugger-driven bypass. Instead of forcing decryption through escalation or injection, the malware waits until Chrome decrypts the key naturally and then steals it from memory.

That gives attackers a stealthier path to the same result.

Why attackers may like this method

• No SYSTEM privilege escalation
• No browser code injection
• Lower detection footprint
• Access to ABE-protected cookies and credentials

This makes the attack more attractive for threat actors trying to stay under the radar.

How the Debugger-Based Bypass Works

The technique closely follows ideas from the open-source ElevationKatz project. VoidStealer launches a hidden browser instance, starts it in a suspended state, resumes it, and quickly attaches as a debugger.

This timing matters because browsers often load and decrypt cookies during startup.

After attaching, the malware monitors module load events and identifies chrome.dll or msedge.dll. It then scans memory to locate a known string linked to the ABE decryption path.

When the browser reaches that point, current builds of Chrome and Edge temporarily hold a pointer to the decrypted v20_master_key in a processor register. VoidStealer reads that pointer and extracts the key from memory.

The malware does not need to call decryption APIs inside the victim browser process. It simply watches Chrome at the right moment and takes the key when it becomes available.

What Attackers Gain

Once the v20_master_key is stolen, attackers can use it offline to decrypt v20-protected cookies and credentials stored in the browser’s SQLite databases.

That effectively removes the protection ABE was meant to provide for that browser profile. A stolen session cookie can be enough to hijack active logins and gain access to web services without needing the victim’s password again.

Detection Opportunities for Defenders

Even though this method is quieter, it still creates useful detection signals that defenders can monitor.

Key indicators to watch

• Debugger attachment to chrome.exe or msedge.exe
• Use of DebugActiveProcess involving browser processes
• Suspicious ReadProcessMemory activity against browsers
• Hidden or non-interactive browser sessions launched by unknown parent processes
• Unsigned or untrusted binaries reading browser memory

These signals become much stronger when they appear together.

Why This Matters for Security Teams

VoidStealer shows that infostealers are evolving beyond older, noisy bypass techniques. Instead of relying on privilege escalation or injection, attackers are moving toward quieter methods that abuse normal runtime behavior.

For defenders, this means detection strategies need to expand. Monitoring should not focus only on classic red flags like code injection. It also needs to cover debugger abuse, hidden browser launches, and unusual memory access patterns.

Conclusion

VoidStealer’s latest technique highlights a clear shift in browser-focused malware. By stealing Chrome’s decryption key at the brief moment it appears in memory, attackers can bypass ABE protections in a more subtle way.

Chrome’s ABE still raises the barrier for browser data theft, but this case shows that determined threat actors continue to adapt. Security teams need to respond in the same way by strengthening behavioral detection and improving visibility into suspicious browser-related activity.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post VoidStealer Uses a Smarter Trick to Bypass Chrome Protection appeared first on First Hackers News.

Groups like MuddyWater have been observed operating across sectors such as banking, aviation, non-profits, and defense-related environments.

They are using tools like Dindoor and Fakeset to maintain persistence within compromised systems, allowing them to execute commands and move laterally without drawing attention. This approach highlights a clear emphasis on remaining undetected for extended periods rather than triggering immediate alerts.

Data exfiltration plays a key role in these campaigns. Attackers are increasingly using legitimate tools and cloud services to move stolen information, blending their activity with normal network behavior. This makes detection more challenging and allows them to extract valuable intelligence over time without raising suspicion.

Surveillance and Selective Disruption

At the same time, Iran-linked actors are exploiting vulnerabilities in internet-connected cameras from vendors such as Hikvision and Dahua. Many of these devices remain exposed due to delayed patching or poor security configurations. Once compromised, they provide real-time visibility into sensitive locations, enabling monitoring of activities, tracking of responses during incidents, and improved situational awareness. These cameras effectively become low-cost surveillance nodes supporting broader intelligence operations.

On the more disruptive side, the group Handala has demonstrated how operations can shift from stealth to impact. In a claimed attack involving Stryker, attackers reportedly used device management systems to remotely wipe systems at scale instead of deploying traditional malware.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

This approach shows how existing enterprise tools can be weaponized to create significant disruption.

Overall, Iran’s cyber strategy reflects a balance between persistence and opportunistic disruption. Instead of coordinated, high-volume attacks, the emphasis is on maintaining access, exploiting exposed systems, and using proxy groups when needed.

For organizations, this reinforces the importance of continuous monitoring, timely patching, and securing internet-facing assets, as the threat is ongoing, adaptive, and often designed to remain unnoticed.

The post Iranian Cyber Operations Expand with Stealth and Surveillance Tactics appeared first on First Hackers News.

Although the number of affected individuals is small compared to Starbucks’ global workforce, the type of information involved makes the incident serious. Exposure of employment and financial records could increase the risk of identity theft for those impacted.

Attack Timeline and Investigation

According to a breach notification filed with the Office of the Maine Attorney General on March 10, 2026, the incident involved accounts connected to the Starbucks Partner Central system. This platform allows employees to access payroll details, benefits information, and other work-related records.

Investigations showed that attackers first gained access on January 19, 2026. Suspicious activity was detected on February 6, and the company fully removed the attackers from its systems by February 11.

Security experts later determined that the attackers used credential harvesting techniques. Employees were directed to fake websites that closely resembled the official Starbucks Partner Central login page. When users entered their credentials on these phishing pages, the attackers captured the login information and used it to access employee accounts.

Because these accounts contained payroll and employment records, the attackers were able to view several types of sensitive personal data, including

• Full names and dates of birth
• Social Security numbers
• Bank account and routing numbers linked to direct deposits

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

After discovering the breach, Starbucks immediately blocked unauthorized access, notified law enforcement authorities, and strengthened security measures for the employee portal.

The company is also offering 24 months of identity theft protection and credit monitoring services through Experian to help protect the affected individuals.

This incident follows previous cybersecurity challenges faced by the company. In November 2024, Starbucks experienced operational disruptions after a ransomware attack targeted Blue Yonder, a third-party provider used for supply chain and scheduling systems.

Earlier in September 2022, Starbucks’ Singapore operations experienced a major breach that exposed the personal information of more than 219,000 customers after a vendor’s system was compromised.

The latest incident highlights how phishing attacks and stolen credentials continue to be a common method used by cybercriminals to gain access to corporate system

The post Starbucks Data Breach Exposes User Information appeared first on First Hackers News.

A new phishing campaign is pretending to be LastPass support emails to trick users into revealing their vault passwords and account credentials.

Attackers send emails that look like internal support conversations about suspicious activity on a user’s account.

These messages claim that someone is attempting actions such as:

• Exporting vault data
• Recovering the account
• Registering a new trusted device

The goal is to scare users into reacting quickly.

How the Phishing Attack Works

Hackers use a method called display name spoofing. The sender name appears as LastPass Support, but the actual email address comes from a different domain.

Many email apps, especially on mobile devices, show only the sender name. Because of this, users may not notice the fake address.

The email then asks users to secure or verify their account by clicking a link.

However, the link leads to a malicious website such as:

verify-lastpass[.]com

This site hosts a fake LastPass login page designed to look identical to the official one. If users enter their credentials, attackers can capture their master password and access their stored vault data.

Common Phishing Email Signs

The phishing emails often include LastPass branding and fake message threads to appear legitimate.

Some of the subject lines used include:

• “Account recovery verification request”
• “Unauthorized vault export attempt detected”
• “New trusted device registered to your account”

These messages create urgency so users click before verifying the source.

Security Advice for LastPass Users

LastPass has warned that it will never ask for a user’s master password through email.

Users should take the following precautions:

• Check the full sender email address carefully
• Avoid clicking links inside emails
• Access LastPass directly through the official website or app
• Enable multi-factor authentication (MFA)
• Report suspicious emails to abuse@lastpass.com

Why This Attack Matters

Phishing attacks are becoming more realistic and harder to detect.

Since password managers store sensitive data, they are a high-value target for cybercriminals. Users should always verify security alerts and avoid rushing to click links, even when the message appears legitimate.

The post Fake LastPass Support Scam Targets Password Vaults appeared first on First Hackers News.

By hosting phishing content on legitimate Google-owned domains, the attackers are able to bypass many email security filters and web gateways. Because the links appear trustworthy, they are less likely to raise suspicion.

Victims are redirected to realistic login pages that imitate well-known brands. After entering their credentials, they are quietly sent to the real website, making the attack difficult to detect.

Global Impact and Scale

The campaign is widespread. Investigators uncovered attacker-controlled servers containing thousands of stolen credentials linked to more than 1,000 organizations across 100+ countries and over 200 industries.

Mexico has the highest number of confirmed victims, particularly in manufacturing, education, and government sectors. The United States, Spain, India, and Argentina are also significantly affected.

The use of trusted cloud services makes this campaign especially effective and harder to block using traditional security controls.

Group-IB researchers describe GTFire as a structured, large-scale credential theft operation.

Attackers reuse the same phishing templates across multiple brands and store stolen data on centralized servers, organized by date, language, and targeted servic

More than 120 phishing domains were discovered, using similar naming patterns to quickly rotate infrastructure and avoid detection.

Attackers customize each fake login page to closely match real brands. After victims enter their credentials, they are redirected to the legitimate website, delaying suspicion.

Because the campaign uses trusted Google domains, traditional URL filtering and blocklists struggle to detect it — showing how easily legitimate infrastructure can be misused for phishing.

How the Attack Works

The attack starts with a phishing email that contains a Google Translate link. This link quietly routes the victim through Google’s translation service before redirecting them to a fake login page hosted on Firebase.

Because the link uses a Google domain, many email filters and web gateways do not block it.

Attackers create many random *.web.app subdomains to host phishing pages and rotate them frequently to avoid detection. Each page is designed to look like a real brand login portal.

When victims enter their credentials, they are shown a fake “wrong password” message and asked to try again. Both login attempts are secretly captured and sent to attacker-controlled servers, along with basic details like location and browser language.

The stolen data is collected using simple, ready-made backend tools, making the campaign easy to scale.

Mitigation Measures

Organizations should:

• Enforce phishing-resistant multi-factor authentication (MFA)
• Train employees to recognize suspicious Google-based links
• Monitor for unusual use of translate.goog and *.web.app domains
• Watch for brand impersonation hosted on trusted cloud platforms
• Share indicators of compromise with security communities and CERT teams

Trusted services can be misused, so detection strategies must go beyond basic domain reputation check

The post GTFire Phishing Attack Hides Behind Google Services appeared first on First Hackers News.

Most of the traffic (92%) targeted a single SonicOS REST API endpoint used to check SSL VPN status. The activity was coordinated across three infrastructure clusters, with a commercial proxy network rotating over 4,000 IP addresses in short bursts to evade detection.

While this campaign focused mainly on reconnaissance, several critical SonicWall vulnerabilities remain high-risk targets:

• CVE-2024-53704 (CVSS 9.8, CISA KEV, ransomware-linked)
• CVE-2024-40766 (CVSS 9.8, used by Akira and Fog ransomware)
• CVE-2021-20028 (CVSS 9.8, CISA KEV listed)
• CVE-2024-38475 (CVSS 9.1)
• CVE-2019-7481 (CVSS 7.5, ransomware-linked)
• CVE-2022-22274 (CVSS 9.8)
• CVE-2023-0656 (CVSS 7.5)

Security researchers assess this activity as pre-exploitation reconnaissance. Attackers appear to be building a high-value list of exposed SSL VPN endpoints for future credential stuffing and vulnerability exploitation.

VPN Access Is the Fastest Way In

SonicWall SSL VPN has become a common entry point for ransomware groups, especially Akira. Researchers have shown that once attackers gain VPN access, they can move to full network encryption in under four hours — sometimes in less than one.

Recent scanning shows attackers are heavily targeting the API endpoint that reveals whether SSL VPN is enabled. This indicates they are building a target list of exposed devices before launching credential stuffing or vulnerability-based attacks.

Since March 2023, Akira has compromised hundreds of organizations and generated hundreds of millions in ransom payments. Fog ransomware has also used SonicWall VPN access as an initial foothold.

Several high-risk vulnerabilities make this worse. Five of the seven key SonicWall CVEs tied to this attack surface are listed in CISA’s Known Exploited Vulnerabilities catalog. One of the most critical is CVE-2024-53704 (CVSS 9.8), an authentication bypass flaw in SonicOS and NSv appliances that is already being exploited in the wild.

With over 430,000 SonicWall firewalls exposed to the internet — many running outdated firmware — attackers have a large and accessible attack surface.

Organized Scanning Infrastructure

GreyNoise identified four coordinated clusters behind the February 2026 scans, all focused on VPN discovery and credential testing.

Attackers used proxy networks, rotating IPs, ports, and browser fingerprints to evade detection, with nearly 70% of traffic sharing the same automated Chrome-on-Linux HTTP/1.0 signature.

Reconnaissance Before the Real Attack

This pattern closely resembles earlier campaigns where large-scale VPN scanning was followed by credential-based intrusions.

The current activity appears to be reconnaissance — mapping exposed SSL VPN services and identifying weak targets. History shows that exploitation typically follows this phase.

Organizations should immediately restrict VPN management access, enforce multi-factor authentication for all SSL VPN users, and urgently patch CVE-2024-53704 and other SonicOS vulnerabilities. Without action, this scanning phase could quickly evolve into widespread ransomware incidents.

The post Massive Scanning Campaign Targets SonicWall Firewalls appeared first on First Hackers News.