Humanity’s H token was attacked from 2026-06-08 to 2026-06-09 through coordinated compromises on Ethereum and BSC. An admin hot wallet private key theft moved 6,045,060 H, while three stolen Ethereum Safe owner keys let the attacker seize the Bridge Proxy…
Kimsuky-linked spear phishing targeted a South Korean company's information-security staff by impersonating a customer asking about a suspected personal-data leak. The attacker built trust through multiple emails, then delivered malicious LNK files disgui…
CrowdStrike observed DPRK-linked FAMOUS CHOLLIMA, LABYRINTH CHOLLIMA, and STARDUST CHOLLIMA targeting the technology sector during the April 2025-March 2026 reporting period. FAMOUS CHOLLIMA accounted for 47% of state-sponsored hands-on-keyboard operation…
OpenSourceMalware reports that Lazarus Group remained a high-confidence DPRK supply-chain threat in early 2026, with cryptocurrency theft-focused activity across npm, PyPI, Go, Cargo, and Packagist ecosystems. The Contagious Interview campaign continued t…
North Korean fraudulent IT workers are using stolen identities, AI-generated or altered personas, and domestic laptop farms to obtain remote IT and engineering roles, then access corporate systems from abroad through KVM or remote management tooling. Once…
Proofpoint observed UNK_DeadDrop, a very likely North Korea-aligned developer phishing cluster, sending more than 250 emails to targets at nearly 100 organizations in April and May 2026, especially across cryptocurrency, finance, technology, education, an…
The episode focuses on OtterCookie, a second-stage malware family associated with DPRK-linked Contagious Interview activity. The source frames the real target as the developer workstation after code execution, including browser history, terminal residue, …
OpenSourceMalware found that npm and PyPI malicious package activity grew at similar rates from January through mid-May 2026, with PyPI growth partly driven by campaigns that published across both ecosystems. The DPRK-linked Contagious Interview campaign …
Sonatype attributes a malicious npm brandjacking campaign to Lazarus Group, involving dozens of packages that imitate or appear adjacent to trusted JavaScript ecosystems such as Buffer, Chai, and React. Analysis of `buffer-utilities` shows a dropper that …
Lazarus Group is described as a North Korean state-backed operation under the Reconnaissance General Bureau, functioning as a revenue-generating arm rather than an independent hacking collective. The excerpt says DPRK-linked actors have stolen an estimate…
Lazarus is assessed to have weaponized CVE-2025-55182, a React Server Components insecure deserialization flaw, in a Windows executable that scans target lists and attempts bulk exploitation for initial access. The intrusion chain pairs the exploit tool w…
EndPoint, formerly known as Midnight, is assessed as a Babuk-derived ransomware variant that targets Windows as well as ESXi and NAS environments and combines file encryption with data-theft extortion. The malware supports path and network-share scoped en…
The Kelp DAO exploiter reportedly laundered about $220 million of the $293 million stolen in the April 18 rsETH exploit, leaving only about $1.7 million traceable in the tagged wallet while $71 million remains frozen by Arbitrum’s Security Council. Onchai…
Infrastructure hunting from the Kimsuky-linked seed domain xpo.coupang.dns.navy expanded a single public indicator into a mapped cluster of 43 servers and 664 associated domains. The infrastructure showed repeated use of AS135377/UCloud Information Techno…
A malicious JavaScript loader was appended to `tailwind.js` in the Packagist dev version `dev-drewroberts/feature/test-case` of the legitimate PHP package `roberts/leads`. Socket assesses the activity as likely tied to Famous Chollima and consistent with …