
Intelligence Feed

Latest threat intelligence articles from trusted security sources, auto-processed to extract entities, IoCs, and TTPs.

Filtered by source: hacker-news

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

2d ago · hacker-news

North Korean threat actors have been linked to a software supply chain attack involving malicious npm packages that impersonate legitimate Rollup polyfill tools. The packages, such as 'rollup-packages-polyfill-core' and 'rollup-runtime-polyfill-core', install secondary-stage malicious dependencies to steal developer secrets and enable remote access. The malware evades analysis environments, exfiltrates credentials, and supports interactive command execution, targeting developer workstations and CI/CD systems. This activity mirrors previous Lazarus-linked campaigns exploiting npm for credential theft.

15 IoCs 2 Malware

Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices

2d ago · hacker-news

Google, in collaboration with the FBI and other partners, has disrupted the NetNut residential proxy network, which leveraged over 2 million compromised home devices such as smart TVs and streaming boxes to route malicious traffic. The network, also known as Popa, was operated by publicly traded Israeli company Alarum Technologies and used deceptive apps to gain access without user consent. This infrastructure was exploited by cybercriminals and espionage groups for password-guessing attacks and to mask their locations. Google describes the action as a degradation rather than a complete takedown due to the network's reseller ecosystem, which allows it to persist under different brands.

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

2d ago · hacker-news

PamStealer is a new macOS information stealer distributed via fake Maccy websites, impersonating a legitimate clipboard manager. It uses a two-stage infection chain, starting with a malicious AppleScript dropper that downloads a Rust-based payload. The malware validates the victim's login password using macOS PAM, establishes persistence, and steals credentials, browser data, cryptocurrency wallets, and iCloud Keychain contents before exfiltrating them to attacker-controlled servers.

3 IoCs

European Parliament Member Investigating Spyware Was Hacked With Pegasus

2d ago · hacker-news

Former European Parliament member Stelios Kouloglou was repeatedly targeted with Pegasus spyware during his tenure on the PEGA Committee, which investigated misuse of commercial spyware. Forensic analysis revealed two infections in October 2022 and March 2023, both exploiting a zero-click vulnerability in Apple's HomeKit (PWNYOURHOME) affecting iOS 15.5. The attacks coincided with key committee activities and may be linked to a Pegasus operator targeting multiple EU jurisdictions, possibly overlapping with a campaign against exiled journalists.

1 IoC 1 Malware

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

2d ago · hacker-news

A threat actor known as Armored Likho is conducting cyber espionage and financially motivated attacks against government agencies and the power sector in Russia, Brazil, and Kazakhstan. The group uses a mix of modular RATs, infostealers, and tools like Go2Tunnel for remote access and data exfiltration. A new Python-based infostealer, BusySnake Stealer, has been identified, which steals credentials, cookies, screenshots, and documents while evading detection through obfuscation and dynamic code execution. The attacks begin with spear-phishing emails delivering malicious payloads via RAR archives or weaponized LNK files exploiting CVE-2025-9491.

5 IoCs

New Avalon Malware Framework Packs CrownX Ransomware Capabilities

1d ago · hacker-news

A new modular malware framework dubbed Avalon has been discovered, capable of executing a multi-stage attack chain that includes credential theft, lateral movement, and ransomware deployment via its CrownX component. The attack begins with a phishing email containing a password-protected archive hosted on Proton Drive, which delivers a malicious ISO image. The framework employs advanced defense evasion techniques, disables recovery mechanisms, and exfiltrates sensitive data before encrypting systems. Notably, Avalon shows signs of AI-assisted development, lowering the barrier for less sophisticated actors to deploy complex malware.

3 IoCs 1 CVE

New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

1d ago · hacker-news

A critical Linux kernel vulnerability dubbed 'Bad Epoll' (CVE-2026-46242) allows unprivileged users to escalate privileges to root, affecting Linux systems and Android devices. The flaw is a use-after-free race condition in the epoll subsystem, exploitable even from within Chrome's sandbox. A working proof-of-concept exists, though no active exploitation has been observed. The bug is patched in newer kernels, but older 6.1-based systems like the Pixel 8 remain unaffected.

Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

1d ago · hacker-news

Security firm runZero disclosed seven unpatched vulnerabilities in FatFs, a widely used filesystem library in embedded devices, which could allow attackers with physical access or control over firmware updates to achieve memory corruption and potential code execution. The most severe vulnerability, CVE-2026-6682, is a high-severity integer overflow in FAT32 volume mounting. Due to the decentralized nature of FatFs and lack of responsive upstream maintenance, downstream vendors must independently patch affected systems, increasing the risk of prolonged exposure across IoT, industrial, and consumer devices.

1 IoC

North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

1d ago · hacker-news

North Korean threat actors associated with the Contagious Interview campaign have launched the PolinRider operation, distributing 108 malicious packages and browser extensions across npm, Packagist, Go, and Google Chrome. The attack targets developers in the cryptocurrency sector through social engineering, compromising maintainer accounts to inject obfuscated JavaScript payloads into legitimate repositories. These payloads deliver second-stage malware such as DEV#POPPER RAT and OmniStealer by leveraging blockchain infrastructure and malicious VS Code task files, while using Git history manipulation to evade detection.

2 IoCs 1 Malware

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

1d ago · hacker-news

A U.S. government entity, likely Union County, Ohio, paid approximately $1 million to a threat actor named Kairos following a data theft extortion incident. Unlike traditional ransomware attacks, Kairos did not encrypt systems but instead exfiltrated sensitive data—including files from the prosecutor's office—and threatened to leak it unless paid. The attack highlights a growing trend of pure data-theft extortion, where the leverage is the threat of public data disclosure rather than encryption. The payment of 9.44 BTC was traced through blockchain to exchanges including Bybit, OKX, and the Russian service BELQI, but no confirmation of data deletion was verifiable.

1 IoC 1 Actor