Based Apparel
May 21, 2026
•[ malware, infostealer, social engineering ]
Based Apparel's merchandise website was compromised and used to present visitors with a fake Cloudflare-style verification prompt that attempted to trick macOS users into running commands that installed infostealer malware. Reporting described the malware as commodity infostealer/Trojan activity intended to steal credentials and passwords. The website was taken offline after the compromise was reported; no confirmed theft of Based Apparel data or visitor data was publicly reported.
At least one node-ipc npm package user
May 14, 2026
•[ supply chain attack, malicious package, credential theft ]
Attackers abused a dormant node-ipc npm maintainer account, likely after re-registering an expired maintainer email domain, and published malicious node-ipc versions 9.1.6, 9.2.3, and 12.0.1 on May 14, 2026. The packages contained an obfuscated credential-stealing payload that harvested developer and CI/CD secrets and exfiltrated them through DNS TXT queries.
Undisclosed Myanmar government entity
April 30, 2026
•[ cyber espionage, vulnerability exploitation, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Myanmar government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Pakistani government entity
April 30, 2026
•[ cyber espionage, Shadow-Earth-053, Microsoft Exchange ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Pakistani government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Malaysian government entity
April 30, 2026
•[ espionage, vulnerability exploitation, unpatched software ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Malaysian government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Thai government entity
April 30, 2026
•[ espionage, vulnerability exploitation, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Thai government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Indian government entity
April 30, 2026
•[ espionage, web shell, ShadowPad ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Indian government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
University of Cambridge
April 17, 2026
•[ phishing, credential theft, account compromise ]
Students and staff received phishing emails appearing to come from compromised University of Cambridge accounts; related messages contained links designed to steal login credentials and enable further account compromise.
At least one Chrome user
April 14, 2026
•[ malicious extensions, credential theft, session hijacking ]
A coordinated campaign used 108 malicious Chrome extensions published under five developer identities to route stolen credentials, user identities, browsing data, Google account information, and Telegram Web session data to shared command-and-control infrastructure. The extensions collectively had about 20,000 Chrome Web Store installs and could inject ads or arbitrary JavaScript into visited pages and open arbitrary URLs through browser-level abuse.
LiteLLM
March 24, 2026
•[ supply chain attack, malware, credential theft ]
TeamPCP used compromised release access to publish malicious LiteLLM versions to PyPI, embedding code that exfiltrated secrets and established persistence on systems that installed the poisoned packages.
At least one TikTok Business account
March 24, 2026
•[ phishing, adversary-in-the-middle, credential theft ]
Threat actors used adversary-in-the-middle phishing pages impersonating TikTok for Business and Google Careers to capture credentials and session cookies and hijack at least one TikTok Business account while bypassing 2FA.
Bitcoin Depot
March 23, 2026
•[ unauthorized access, credential theft, cryptocurrency theft ]
Bitcoin Depot detected unauthorized access to its IT systems on March 23, 2026; attackers obtained credentials for digital asset settlement accounts and transferred 50.903 Bitcoin, worth about $3.665 million, from company wallets, while customer platforms and data were not affected.
Duet Night Abyss
March 18, 2026
•[ malware, infostealer, supply chain attack ]
Kotaku reported that on March 18, 2026 Duet Night Abyss players' PCs were infected after a malicious update was pushed through the game's launcher. The malware was identified by users' antivirus products as 'Trojan:MSIL/UmbralStealer.DG!MTB' (Umbral Stealer), an infostealer capable of logging keystrokes, taking screenshots, and attempting to harvest sensitive information such as passwords and cryptocurrency-related data. The developers said they addressed the issue and apologized, describing it as an external malicious attack spread via the launcher update.
Telus Digital
March 12, 2026
•[ data breach, credential theft, cloud security ]
Telus Digital confirmed a security incident after ShinyHunters claimed it stole nearly 1 petabyte of data in a multi-month breach. Reporting stated ShinyHunters said it gained initial access using Google Cloud Platform credentials found in data stolen in the Salesloft/Drift breach, and that Telus was not negotiating. At publication, Telus Digital had not been added to the actor's leak site in the cited report, and specific data categories and affected individuals were not publicly enumerated in the DataBreaches summary.
Bitrefill
March 1, 2026
•[ cyberattack, data breach, cryptocurrency theft ]
Bitrefill disclosed that a March 1, 2026 cyberattack originating from a compromised employee laptop enabled attackers to obtain legacy credentials, access a snapshot containing production secrets, and escalate into parts of Bitrefill's infrastructure. The attackers accessed parts of the database and some cryptocurrency wallets, leading to theft of funds and misuse of gift card inventory/supply flows. Bitrefill reported exposure of about 18,500 purchase records containing customer email addresses, IP addresses, and cryptocurrency payment addresses; for about 1,000 purchases, customer names were also potentially exposed (stored encrypted, but the attackers may have obtained decryption keys). Bitrefill said it shut down systems to isolate the incident, worked with security experts, on-chain analysts, and law enforcement, and assessed the method as consistent with Lazarus/BlueNoroff activity.
OpenClaw / ClawHub ecosystem (AI assistant skills) – multi-victim campaign
February 19, 2026
•[ infostealer, AI assistant security, credential theft ]
This TecMundo report describes security researchers warning about OpenClaw, a malware operation that, for the first time, is reported to specifically steal secrets tied to an AI assistant ecosystem (tokens, API keys, and other assistant-related data). The article frames the activity as a broad distribution campaign (malicious skills/add-ons and infostealer behavior) that can compromise a victim's digital identity by extracting authentication artifacts and credentials used to access accounts and services.
WormGPT
February 10, 2026
•[ data leak, AI hacking platform, user emails ]
Cybernews reported that user details for the AI hacking platform WormGPT appeared on a data leak forum. The poster claimed they obtained the data earlier in February 2026 and that about 19,000 WormGPT users were affected. The leaked dataset was described as including user emails, payment data, subscription information, user IDs, and other account details. The reporting indicated the forum post included a sample and that the author's credibility and the sample supported the breach claim; WormGPT's operators did not confirm the incident in the article.
Crunchbase
January 23, 2026
•[ vishing, social engineering, credential theft ]
In reporting on an Okta SSO vishing (voice-phishing) campaign, ShinyHunters reportedly confirmed to a researcher that it conducted the campaign and had launched a new dark web leak site. According to the report, ShinyHunters claimed that multiple victims had their data posted after refusing extortion demands, naming Crunchbase, SoundCloud, and Betterment as initial examples. The incident reflects social-engineering-driven credential theft leading to unauthorized access and data theft, followed by extortion and publication of alleged victim data.
At least one blockchain developer
January 22, 2026
•[ phishing, blockchain, credential theft ]
IT technicians and blockchain developers were targeted in a phishing campaign attributed to the NGB 3rd Technical Surveillance Bureau (KONNI/APT37), resulting in unauthorized access to end-user systems and the compromise of stored development and infrastructure credentials.
At least one Iranian consumer
January 20, 2026
•[ Android banking trojan, remote-access trojan (RAT), ransomware ]
Cyble Research and Intelligence Labs (CRIL) reported discovering deVixor, an advanced Android banking trojan that has remote-access (RAT) capabilities and can also deploy a ransomware-style device lock screen. The campaign explicitly targets Iranian users, distributing malicious APKs via phishing websites posing as legitimate automotive businesses and luring victims with heavily discounted vehicle offers. Once installed, deVixor prompts victims to grant high-risk permissions (contacts, SMS, media files, accessibility service), then harvests SMS data to extract banking information such as account balances, OTPs, bank alerts, credit card details, and crypto transaction data. It also uses WebView-based JavaScript injection to load real banking sites inside a hidden WebView and steal login credentials during authentication. In some cases, operators activate a ransom overlay that locks the device and demands payment to a cryptocurrency wallet. Cyble said it identified 700+ deVixor samples since October 2025 and observed indicators (Persian artifacts, targeted-app lists, Telegram infrastructure) suggesting strong familiarity with Iran's financial ecosystem.