Security researchers dissecting the open‑source Shai‑Hulud supply‑chain attack worm uncovered a bizarre Python‑version Easter egg that checks a host’s geolocation, and with a 1‑in‑6 chance plays a blaring alarm and deletes all files on machines located in Israel or Iran.
OceanLotus (APT32) hijacked three innocuous PyPI packages—uuid32-utils, colorinal, and termncolor—to drop the ZiChatBot malware, which persists via registry or crontab and communicates through the Zulip public chat REST API, making its traffic indistinguishable from legitimate developer traffic and evading network‑based detection.
In May 2026, Kaspersky revealed that the official Windows installer for DAEMON Tools Lite versions 12.5.0.2421‑12.5.0.2434 had been compromised for nearly a month, allowing attackers to inject signed back‑door binaries, establish C2 communication, deliver staged payloads—including a QUIC RAT—to thousands of victims across more than a hundred countries, with high‑value targets primarily in Russia, Belarus and Thailand, before a patched version 12.6.0.2445 was released.
A security researcher discovered that the official Xubuntu download page was compromised, delivering a ZIP containing a tos.txt file with a bogus 2026 copyright and a malicious Windows executable that functions as a crypto‑clipper, prompting Xubuntu to temporarily disable the download site while investigating the breach.
The article dissects a recent attack where a PowerShell script hidden in a Pastebin post uses character‑level steganography to retrieve a C2 address, extracts Telegram Desktop's tdata files, compresses them, and exfiltrates the data via a hard‑coded Telegram Bot API, while employing hidden execution, fileless memory loading, environment detection, and self‑destruct on virtual machines.
The author recounts a multi‑day incident response to a ThinkPHP website that was compromised via a weak admin password, detailing how repeated data tampering, hidden scheduled‑task scripts, and a ransom message were investigated, mitigated, and finally contained through systematic hardening and monitoring.
A supply‑chain breach of the popular LiteLLM Python library injected malicious .pth files that silently harvest SSH keys, cloud credentials, and other secrets, deploy persistent backdoors, and spread through downstream packages, prompting urgent detection and remediation steps for developers.
The report details how the GhostClaw/GhostLoader campaign leverages trusted GitHub repositories and AI‑assisted development workflows to deliver a multi‑stage macOS payload that steals credentials, contacts a single C2 domain, and establishes persistence, while providing blue‑team detection and mitigation guidance.
The article analyzes how generative AI is transforming cybercrime by enabling 13 distinct attack methods—from highly personalized phishing emails and AI‑assisted malware creation to automated vulnerability hunting, deep‑fake social engineering, malicious LLMs, and attacks on AI infrastructure—highlighting recent research data and real‑world examples that illustrate the heightened speed, stealth, and accessibility of modern threats.
Although Linux is widely regarded as secure, the article explains why antivirus software is still valuable for Linux servers and desktops, and provides a concise review of ten popular Linux antivirus solutions, highlighting their features, licensing, and typical use cases.
The article warns of sophisticated invoice‑phishing emails that can implant malware and outlines three practical defenses, then shifts to a detailed analysis of Israel’s cyber strike on Iran’s missile command, explaining the attack’s technical layers, hybrid war model, strategic implications, and future risks.
Researchers discovered that threat actors exploit Bing AI’s enhanced search to promote a counterfeit OpenClaw GitHub repository, delivering the Atomic Stealer info‑stealer to macOS users and proxy malware to Windows users, highlighting new security risks in AI‑driven search ecosystems.
The article outlines thirteen distinct techniques by which cybercriminals exploit generative AI—from hyper‑personalized phishing and AI‑driven malware creation to AI‑coordinated espionage, deep‑fake social engineering, and attacks on AI infrastructure—backed by expert quotes, research findings, and concrete case studies.
A malicious fake 7‑Zip installer masquerades as the legitimate open‑source archiver, silently deploying a Trojan that creates a residential‑proxy botnet, modifies system services and firewall rules, and can expose users to legal and privacy risks, while Windows Defender now flags it as Trojan:Win32/Malgent!MSR.
FortiGuard Labs reveals a sophisticated SEO poisoning campaign that lures Chinese Windows users to fake software sites, delivers hidden Hiddengh0st and Winos malware, employs anti‑analysis tricks, establishes persistence, and exfiltrates data, while the article breaks down the full attack chain and offers practical defense steps.
Google senior security leaders warn that attackers are already using AI for tasks like phishing and data‑theft command generation, and that fully automated, end‑to‑end AI attack kits are only a matter of time, forcing defenders to rethink protection strategies.
A recent security investigation reveals that over 300 seemingly harmless browser extensions were covertly hijacked by the DarkSpectre campaign, silently collecting browsing history, meeting data, and other personal information from more than 8.8 million users across Chrome, Edge, and Firefox for up to seven years.
A senior Java developer at Eaton Corporation sabotaged the company's global production system with malicious code before his dismissal, causing a massive outage, data loss, and a four‑year prison sentence, highlighting the severe risk of insider threats and the need for robust access controls and monitoring.
This guide explains how to identify hidden cryptocurrency mining malware on Linux servers, locate concealed processes with sysdig and unhide, terminate the malicious service, block suspicious IPs, and secure the system using tools like iptables, Safedog, and ClamAV, with full command examples.
A senior programmer at Eaton, fearing layoff, secretly embedded Java malware that created endless threads and a kill‑switch, causing a worldwide outage and costing tens of thousands of dollars, ultimately leading to a four‑year prison sentence and highlighting the critical risk of insider threats.
This guide explains how to identify hidden cryptocurrency‑mining processes on a Linux server, stop them, disable the services that restart them, block malicious IPs, clean unauthorized SSH keys, and harden the system with tools such as sysdig, Safedog, and ClamAV.
Sonatype’s Q1 2025 Open‑Source Malware Index identified 17,954 malicious packages—including hijacked npm crypto modules, a fake Truffle for VS Code extension, and counterfeit Solana packages—revealing that 56% of these components are associated with data breaches, a sharp rise from the 26% reported in Q4 2024, and highlighting the growing prevalence of complex, threat‑laden malware such as droppers and code‑injection threats.
A 55‑year‑old programmer at Eaton embedded a malicious Java loop that monitors his Azure AD account and, once disabled after his layoff, triggers an endless thread creation that crashes servers, blocks thousands of employees, and leads to a costly legal case.
Microsoft uncovered a malicious ad campaign that used pirated streaming sites and multi‑layer redirects to deliver GitHub‑hosted malware, while a separate Surfshark report revealed popular phone‑cleaning apps secretly sharing extensive user data with hundreds of third‑party partners.
This article explains what network attacks are, outlines the most common attack types such as malware, DoS/DDoS, phishing, SQL injection and DNS tunneling, and provides practical prevention measures including regular updates, firewall configuration, VPN use, and security awareness training.
This article provides a detailed glossary of common hacking terms and techniques—from black‑hat attackers and backdoors to APTs, exploits, and dark‑web concepts—explaining each threat, its purpose, and how it impacts information security.
A recent supply‑chain poisoning incident injected malicious post‑install scripts into the popular Vant component library and Rspack build tool, stealing cloud credentials and mining Monero, prompting developers to upgrade to safe versions and reconsider npm dependency risks.
This article documents a step‑by‑step investigation of a compromised Linux server that exhibited 100% CPU usage, detailing process, network, and startup‑service analysis, the discovery of a cryptomining malware, and the complete removal procedure.
A recent advisory from China’s National Computer Virus Emergency Response Center reveals a new “Silver Fox” Trojan variant distributed via phishing pages and social‑media links, explains its infection process on Windows PCs, and outlines practical prevention steps for enterprises and individual users.
The National Computer Virus Emergency Response Center reports a new “Silver Fox” Trojan variant distributed via phishing links in WeChat groups, disguised as tax‑related installers, which can hijack systems for remote control and fraud, and provides concrete steps for users and enterprises to defend against it.
This article walks through a real-world intrusion on an Alibaba Cloud CentOS server, detailing how a disguised gpg-agentd process was used to install backdoors, hijack SSH keys, exploit Redis, and launch mass scanning, and provides concrete hardening recommendations to prevent similar attacks.
JFrog’s security team reveals that attackers can hijack deleted PyPI packages by re‑registering the same name, tricking tools like Jenkins into installing malicious code, and outlines the scale of the risk, real‑world examples, and new defenses introduced by PyPI.
A recent ASEC report reveals that a malicious program disguised as the popular Office 2013‑2024 C2R Install crack tool distributes a .NET‑based malware suite that installs Orcus RAT, the XMRig cryptocurrency miner, and the 3Proxy proxy tool, primarily targeting Korean users and persisting via scheduled tasks and PowerShell updates.
Red Hat's urgent security advisory reveals that the latest xz 5.6.0/5.6.1 tools and libraries contain sophisticated malicious code that can grant unauthorized remote access, impacting Fedora 40, Fedora 41, and Rawhide while leaving all RHEL versions unaffected.
This article provides a comprehensive glossary of 27 common hacking terms—from black‑hat and backdoor to zero‑day exploits and dark‑web concepts—explaining each technique, malware type, and security threat in clear, concise English for anyone interested in cybersecurity fundamentals.
This article surveys a series of high‑profile supply‑chain attacks on the JavaScript/npm ecosystem—such as left‑pad removal, malicious faker.js updates, cross‑env hijacking, is‑promise bugs, getcookies backdoors, event‑stream social‑engineering, ESLint credential leaks, manifest obfuscation, and politically‑motivated code injections—highlighting how tiny, widely‑used packages can become vectors for large‑scale compromise and what developers can do to mitigate the risk.
The article explains how ChatGPT's hallucinations can generate non‑existent package links that attackers register and weaponize, demonstrates the attack with a fake Node.js npm package, and offers practical steps to detect and prevent such supply‑chain threats.
This article reviews the ten most effective Linux antivirus tools, explains why protection is essential despite Linux's inherent security, and provides concise descriptions of each solution—including Avast, Chkrootkit, ESET NOD32, F‑PROT, Panda Cloud Cleaner, Rootkit Hunter, ClamAV, Firetools, Comodo, and Sophos—to help users choose the right protection for their systems.
This article explains how to create a Windows trojan, host it on a Kali Apache server, test its detection with VirusTotal, apply Metasploit encoding and UPX packing to evade antivirus software, and set up a listener for remote control.
The article examines how the rapid popularity of ChatGPT has spurred both legitimate opportunities and a surge in illicit activities, including account resale, scam scripts generated via prompt injection, and the creation of malware, highlighting the need for stricter regulation and security awareness.
A PyTorch‑nightly supply‑chain attack introduced a malicious "torchtriton" package on PyPI that exfiltrated IP addresses, hostnames, usernames and SSH keys from Linux systems, prompting an urgent uninstall notice and a swift response from the PyTorch team.
Sysdig’s analysis of over 250,000 public Linux images on Docker Hub revealed 1,652 images containing hidden malware, including mining tools, embedded credentials, proxy‑avoidance scripts, and malicious websites, highlighting the urgent need for robust image‑scanning and credential‑management practices.
Redigo, a Go‑based malware discovered by AquaSec, continuously scans for unpatched Redis servers vulnerable to CVE‑2022‑0543, uses Redis commands to load a malicious module that creates a hidden backdoor for arbitrary command execution, gathers system data, and may enlist the host in DDoS or crypto‑mining botnets.
Researchers from the Leiden Institute of Advanced Computer Science analyzed over 47,000 GitHub repositories, uncovering that many fake proof‑of‑concept exploits conceal malware, with nearly 5,000 repositories deemed malicious and detailed case studies revealing hidden trojans, Cobalt Strike tools, and stealthy information stealers.
This article explains the concept of in‑memory PHP trojans, provides simple obfuscated source code that deletes itself and persists in RAM, discusses their stealth characteristics, and offers a basic mitigation strategy of terminating the process and removing the generated files.
An in‑depth investigation by China’s national computer emergency response center and 360 Company uncovered a sophisticated cyber‑attack on Northwestern Polytechnical University orchestrated by the U.S. NSA’s Tailored Access Operations unit, detailing the attack infrastructure, weaponised tools, data theft and broader implications for Chinese critical sectors.
The article provides a comprehensive overview of phishing as a social‑engineering attack, detailing its various techniques—including email deception, spear‑phishing, whaling, malware‑based lures, domain spoofing, vishing, SMS and QR‑code scams—and offers practical defense measures such as anti‑phishing tools, multi‑factor authentication, content filtering, and security standards.
Researchers from Intezer and BlackBerry uncovered Symbiote, a novel Linux rootkit that loads as a shared library via LD_PRELOAD, hijacks libc and libpcap, uses BPF hooking to hide malicious traffic, and targets credential theft and remote access, especially in Latin American financial sectors.
Mozilla’s security team has blocked the malicious Firefox add-ons “Bypass” and “Bypass XM”, which abused the browser’s proxy API to hijack updates and bypass paywalls, affecting hundreds of thousands of users, and introduced new fallback mechanisms and a “Proxy Failover” extension in Firefox 93.
Recent investigations reveal that the malicious PyPI package “ctx” harvested environment variables, encoded them in base64, and sent them to a Heroku endpoint, while attackers also hijacked the package’s maintainer account via domain takeover, highlighting serious vulnerabilities in PyPI’s package and account security processes.
The article explains how modern chat applications protect communication with asymmetric and symmetric encryption, why network eavesdropping alone cannot reveal messages, and how installed monitoring software or system vulnerabilities can still expose chat records, emphasizing the need for regular updates and careful device usage.
A new Inno Stealer malware campaign masquerades as a legitimate Windows 11 upgrade installer, using a spoofed Microsoft site to distribute an infected ISO that creates hidden scripts, disables security, and steals browser data and cryptocurrency wallets, posing a serious information‑security threat.
A malicious update to the npm package node‑ipc, used by vue‑cli, injected anti‑war code that creates unwanted files, overwrites system directories for Russian and Belarusian IPs, and sparked a community response that led to a patched vue‑cli release and detailed remediation steps.
The article examines how the proliferation of Linux‑powered IoT devices has made them prime targets for malware families like XorDDoS, Mirai and Mozi, highlighting their rapid growth, attack techniques, and recommended defensive measures for operators.
This article compiles ten recent security incidents—including Android malware families, Wi‑Fi router flaws, IoT firmware analysis, and privacy‑compliance updates—providing concise descriptions and direct links to the original reports for each threat.
A compromised UAParser.js npm package spread cryptomining malware and credential theft to an estimated 188,000 computers within four hours, prompting urgent updates and two‑factor authentication for developers relying on this popular JavaScript library.
A simple typo when using pip can install a malicious PyPI package that hides cryptomining code, and security researchers have uncovered dozens of such deceptive packages, highlighting the supply‑chain risks of Python's package ecosystem and offering practical mitigation steps.
In September 2022, Nantong police uncovered China's first nationwide case of illegal WeChat user data harvesting using a "clean fan" application, leading to the arrest of eight suspects who were convicted for illegally obtaining computer system data and controlling systems, highlighting severe information security risks.
This article shows how to use Python on Windows to obtain the system drive, enumerate and delete files and directories with os.walk, copy the script to the startup folder, generate a BAT wrapper, and silently shut down the computer, illustrating a basic malicious automation technique.
Hackers exploit GitHub Actions by submitting malicious pull requests that add hidden workflows, downloading and executing crypto‑mining binaries on GitHub’s free servers, a technique that has spread to other CI platforms and poses a persistent security challenge.
Amid soaring cryptocurrency prices, hackers exploit GitHub Actions by submitting malicious pull requests that run hidden XMRig mining code on GitHub’s free CI servers, a technique detailed through a French developer’s investigation, code analysis, attack scale, and mitigation advice.
Huorong’s threat intelligence team discovered that the Qike PDF Converter distributes a hidden malicious proxy module through download‑site installers, leading to unexplained high CPU usage, persistent system services, and widespread infection traced back to a Hangzhou tech company, urging users to update antivirus definitions and remove the software.
In a recent attack, the cyber‑crime group TeamTNT leveraged the open‑source monitoring tool Weave Scope to silently control Docker and Kubernetes cloud environments without deploying malicious code, highlighting critical misconfigurations and the growing sophistication of cloud‑native threats.
The Ngrok‑based Doki malware silently scans for Docker API endpoints with weak configurations, hijacks containers to run crypto miners, uses the Dogecoin blockchain for dynamic C2 domains, and evades detection, highlighting the critical need to secure Docker APIs.
The 2019 Tencent Game Security report reveals rising cheat samples on PC and mobile, dominant custom cheats, emerging subtle cheating tactics, a diversified black‑market selling fake IDs and compromised devices, rampant account theft largely through scams, and improved player reporting that boosted detection rates.
This guide outlines a comprehensive Linux incident‑response workflow—identifying suspicious behavior, locating and terminating malicious processes, eliminating virus files, closing persistence mechanisms, and hardening the system—while providing concrete shell commands, monitoring techniques, and remediation tips to effectively combat Linux malware.
This article details a multi‑stage, file‑less attack that leveraged weak SQL Server credentials, Transact‑SQL stored procedures, and WMI to download and execute a downloader (cabs.exe) which fetched multiple botnet components, and explains the forensic steps and remediation measures taken to eradicate the threat.
A newly discovered Linux backdoor called SpeakUp, exploiting the ThinkPHP CVE‑2018‑20062 flaw, spreads via a built‑in Python script, hijacks cron for persistence, leverages multiple CVEs to compromise servers, and mines Monero, with infections concentrated in China and South America.
The article explains how the popular Node.js package event-stream was transferred to a new maintainer who injected a malicious flatmap-stream module that steals Bitcoin, outlines the timeline of the supply‑chain attack, and provides steps for developers to detect and remediate the infection.
Dr.Web’s recent report reveals Linux.BtcMine.174, a sophisticated 1000‑line shell‑script trojan that exploits Dirty COW or CVE‑2013‑2094 for root access, disables dozens of antivirus processes, mines cryptocurrency, and spreads via SSH‑collected hosts, with its components’ SHA‑1 hashes published on GitHub.
The Roaming Mantis malware exploits compromised routers to perform DNS hijacking, redirecting Android, iOS, and desktop users to malicious sites that install fake updates, steal credentials, and run CoinHive mining scripts, while spreading across more than twenty languages worldwide.
A recent security advisory reveals that popular remote terminal Xshell versions contain a backdoor in the nssock2.dll component, enabling shellcode to harvest host information, generate monthly DGA domains, and potentially expose sensitive data, prompting immediate version checks and upgrades.
Check Point researchers reveal that the Fireball malware, linked to Chinese firm Rafotech, has infected up to 250 million Windows and macOS computers worldwide by bundling malicious browser extensions, hijacking search engines, and enabling extensive data theft, prompting detailed analysis of its origin, impact, and mitigation steps.
The article explains the global outbreak of the WannaCry ransomware in May 2017, its exploitation of the SMB MS17-010 vulnerability (EternalBlue), the impact on governments, schools and hospitals, and provides detailed technical analysis and recommended security measures to prevent such attacks.
This article recounts a recent incident where a Struts2 vulnerability was exploited to run mining malware, detailing the discovery process, forensic analysis of services, processes, network listeners, and the step‑by‑step remediation measures including script‑based scans, permission hardening, and upgrading Struts2.
After a sudden traffic surge and loss of SSH access on an Ubuntu 12.04 server, I worked with the data‑center team to trace malicious outbound connections, identify compromised binaries, remove persistent backdoor scripts, and implement firewall rules and logging practices to prevent future intrusions.
Based on Alibaba security data from January to August 2016, an analysis of 240 popular Android apps across 16 industry categories found that 83% had counterfeit versions, totaling 8,267 fake apps that infected 67.9 million devices, with social networking apps leading the fraud landscape.
The article examines a cryptocurrency mining trojan (sample 101), detailing its process list, malicious startup scripts, SSH key injection, service deployment, removal steps, and offers practical defense measures against such malware infections.
This article chronicles the evolution of Linux malware from the first recognized virus Staog in 1996 through notable threats such as Bliss, Slapper, Badbunny, Snakso, Hand of Thief, Windigo and the Shellshock‑related Mayhem botnet, highlighting how increasing Linux adoption has attracted attackers.
This article surveys seven modern hacking tricks—from fake Wi‑Fi hotspots and cookie theft to file‑name deception, path hijacking, hosts‑file redirection, watering‑hole attacks, and bait‑replacement—explaining how they work, why they succeed, and practical defenses for users and developers.
A step‑by‑step guide shows how to identify abnormal NIC traffic, locate malicious init scripts and hidden processes, use simple shell scripts and netstat to pinpoint the offending connection, and clean a compromised Linux server to restore normal network performance.
This article breaks down the monthly expenses hackers incur for tools, services, and infrastructure, then reveals how much they can earn through ransomware, malicious certificates, fake antivirus, IP reputation abuse, web shells, and user data trading, highlighting the lucrative yet risky nature of cybercrime.
This guide explains how to identify a compromised Linux server caused by hidden cryptocurrency mining malware, kill the malicious processes, clean infected files, and harden the system by reviewing scheduled tasks, startup scripts, user accounts, and SSH configurations.
A user received a suspicious SMS with a malicious app link, prompting an analyst to download, decompile, and dissect the Android malware, revealing hidden Device Admin permissions, obfuscated code, DES-encrypted credentials, and the attacker’s email address, ultimately exposing how the trojan steals personal data.
The article chronicles the 2015 XcodeGhost incident, detailing how a malicious Xcode version infected dozens of popular iOS apps, the response from Tencent, Apple, and security researchers, and the lessons learned for developers and the broader mobile security community.
