Toggle light / dark theme

GitHub notifications abused to impersonate Y Combinator for crypto theft

A massive phishing campaign targeted GitHub users with cryptocurrency drainers, delivered via fake invitations to the Y Combinator (YC) W2026 program.

Y Combinator is a startup accelerator that funds and mentors projects in their early stages, and connects founders with a network of alumni and venture capital firms.

The attacker abused GitHub’s notification system to deliver the fraudulent messages, by creating issues across multiple repositories and tagging targeted users.

Microsoft warns of new XCSSET macOS malware variant targeting Xcode devs

Microsoft Threat Intelligence reports that a new variant of the XCSSET macOS malware has been detected in limited attacks, incorporating several new features, including enhanced browser targeting, clipboard hijacking, and improved persistence mechanisms.

XCSSET is a modular macOS malware that acts as an infostealer and cryptocurrency stealer, stealing Notes, cryptocurrency wallets, and browser data from infected devices. The malware spreads by searching for and infecting other Xcode projects found on the device, so that the malware is executed when the project is built.

“The XCSSET malware is designed to infect Xcode projects, typically used by software developers, and run while an Xcode project is being built,” explains Microsoft.

Hackers left empty-handed after massive NPM supply-chain attack

The largest supply-chain compromise in the history of the NPM ecosystem has impacted roughly 10% of all cloud environments, but the attacker made little profit off it.

The attack occurred earlier this week after maintainer Josh Junon (qix) fell for a password reset phishing lure and compromised multiple highly popular NPM packages, among them chalk and degub-js, that cumulatively have more than 2.6 billion weekly downloads.

After gaining access to Junon’s account, the attackers pushed malicious updates with a malicious module that stole cryptocurrency by redirecting transactions to the threat actor.

U.S. sanctions cyber scammers who stole billions from Americans

The U.S. Department of the Treasury has sanctioned several large networks of cyber scam operations in Southeast Asia, which stole over $10 billion from Americans last year.

These operations, mainly those in Burma and Cambodia, are notorious for using forced labor, human trafficking, and physical violence, essentially operating as modern slavery farms that conduct online fraud.

The scams vary from “romance baiting” to fake cryptocurrency investing opportunities.

Malicious npm Packages Exploit Ethereum Smart Contracts to Target Crypto Developers

Cybersecurity researchers have discovered two new malicious packages on the npm registry that make use of smart contracts for the Ethereum blockchain to carry out malicious actions on compromised systems, signaling the trend of threat actors constantly on the lookout for new ways to distribute malware and fly under the radar.

“The two npm packages abused smart contracts to conceal malicious commands that installed downloader malware on compromised systems,” ReversingLabs researcher Lucija Valentić said in a report shared with The Hacker News.

Malicious npm Package nodejs-smtp Mimics Nodemailer, Targets Atomic and Exodus Wallets

Cybersecurity researchers have discovered a malicious npm package that comes with stealthy features to inject malicious code into desktop apps for cryptocurrency wallets like Atomic and Exodus on Windows systems.

The package, named nodejs-smtp, impersonates the legitimate email library nodemailer with an identical tagline, page styling, and README descriptions, attracting a total of 347 downloads since it was uploaded to the npm registry in April 2025 by a user named “nikotimon.” It’s currently no longer available.

“On import, the package uses Electron tooling to unpack Atomic Wallet’s app.asar, replace a vendor bundle with a malicious payload, repackage the application, and remove traces by deleting its working directory,” Socket researcher Kirill Boychenko said.

GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and expose Redis servers to various malicious activities, including leveraging the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure.

The first set of attacks entails the exploitation of CVE-2024–36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year.

“Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies,” Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report.

Fake Mac fixes trick users into installing new Shamos infostealer

A new infostealer malware targeting Mac devices, called ‘Shamos,’ is targeting Mac devices in ClickFix attacks that impersonate troubleshooting guides and fixes.

The new malware, which is a variant of the Atomic macOS Stealer (AMOS), was developed by the cybercriminal group “COOKIE SPIDER,” and is used to steal data and credentials stored in web browsers, Keychain items, Apple Notes, and cryptocurrency wallets.

CrowdStrike, which detected Shamos, reports that the malware has attempted infections against over three hundred environments worldwide that they monitor since June 2025.

Scattered Spider Hacker Gets 10 Years, $13M Restitution for SIM Swapping Crypto Theft

A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts.

Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban’s sentencing was reported by Bloomberg and Jacksonville news outlet News4JAX.

In addition, 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. In a statement shared with security journalist Brian Krebs, Urban called the sentence unjust.

/* */