credential theft

On June 5, 2026, GitHub disabled 73 Microsoft-related repositories across Azure, Microsoft, and Azure Samples organizations after the Miasma worm campaign allegedly used a compromised contributor account to plant credential-stealing payloads aimed at AI coding tools. The incident is not merely...

Microsoft and GitHub have temporarily disabled at least 70 Microsoft-linked open-source repositories after researchers reported that attackers planted credential-stealing malware in projects tied to Azure, Durable Task, Azure Functions, and AI developer workflows, with the latest public...

On June 5, 2026, GitHub disabled 73 repositories across Microsoft’s Azure, Microsoft, Azure-Samples, and MicrosoftDocs organizations after a malicious commit was pushed to Azure/durabletask through a reportedly compromised contributor account. The immediate blast radius was not Windows Update or...

Microsoft Incident Response disclosed on May 12, 2026, that attackers compromised a third-party IT services provider and used legitimate HPE Operations Manager and HPE Operations Agent infrastructure to run scripts, deploy web shells, harvest Windows credentials, and tunnel into a victim...

Microsoft’s latest macOS threat report on Sapphire Sleet reads less like a traditional malware advisory and more like a case study in how modern intrusion campaigns are built to exploit trust. Rather than leaning on a zero-day or a platform flaw, the actor reportedly strings together social...

A dangerous fake Microsoft Windows Update is being used as a malware lure, and the threat is more sophisticated than a crude phishing page or a broken installer. Instead of relying on obvious warning signs, the campaign mimics Microsoft support, borrows the language of Windows servicing, and...

Cybercriminals are increasingly abusing legitimate cloud services to make phishing attacks harder to spot, and the latest example involves Bubble.io, a popular no-code app builder now being used as a launchpad for Microsoft 365 credential theft. The core trick is simple but effective: build a...

IBM’s X‑Force now says infostealers exposed roughly 300,000 ChatGPT credentials last year — a number that changes how enterprises must think about identity, secrets, and the very idea of what constitutes a “sensitive” SaaS account. Background AI chatbots moved from novelty to daily work tool in...

Attackers are buying Facebook ad space to push what looks like an official Windows 11 download page, and victims who click “Download now” receive a 75 MB installer (ms-update32.exe) that plants an Electron-based thief, drops obfuscated PowerShell scripts, and persists via a large registry blob —...

Microsoft defenders say intruders used exposed SolarWinds Web Help Desk (WHD) instances as a beachhead in December, then moved laterally to harvest high‑privilege credentials — but the exact bug that opened the door remains unresolved. Background SolarWinds Web Help Desk is a widely deployed IT...

Microsoft and U.S. cyber authorities have issued an emergency-style alarm after a fast-moving, self-replicating supply‑chain worm — now widely discussed as Shai‑Hulud 2.0 — began executing during npm package installation, harvesting developer and cloud credentials and propagating automatically...

Keeper Security’s new Forcefield lands as a direct countermeasure to one of the fastest-growing attack vectors on Windows endpoints: memory-based credential theft and in-memory “infostealer” malware that scrapes browsers, extensions and running apps for secrets. Background Memory-based attacks...

A fast-moving, self‑replicating supply‑chain worm dubbed Shai‑Hulud has poisoned hundreds of npm packages and is actively targeting developer credentials and cloud service keys tied to Google Cloud, Amazon Web Services, and Microsoft Azure — a campaign so severe that national and vendor security...

A fast-moving, self‑replicating supply‑chain worm has infiltrated the npm ecosystem, harvesting developer credentials and using stolen tokens to republish trojanized packages that in turn spread the infection — a campaign now tracked as “Shai‑Hulud” that security teams and national agencies warn...

A self‑propagating worm has struck the npm ecosystem, infecting hundreds of JavaScript packages and turning developer machines and CI pipelines into an automated propagation platform that harvests and publishes credentials—an event that elevates the attack surface of modern software supply...

Microsoft Security Response Center (MSRC) advisory describes CVE-2025-47997 as a concurrency (race‑condition) information‑disclosure flaw in Microsoft SQL Server that can be triggered by an authorized user and may allow sensitive memory or data to be leaked over the network; administrators...

Rockwell Automation’s ThinManager has been flagged for a high-severity Server-Side Request Forgery (SSRF) flaw that can expose an industrial control system’s ThinServer service account NTLM credentials, according to a federal advisory reissued on September 9, 2025. The vulnerability—tracked...

Two German researchers demonstrated at Black Hat that an attacker with local administrative access can inject a malicious biometric template into Windows Hello for Business and sign in as another user with nothing more than their own face — a practical, low-noise bypass that undermines one of...

Security researchers have uncovered a targeted supply‑chain campaign — dubbed “Solana‑Scan” — in which malicious npm packages masquerading as Solana SDK utilities are being used to harvest developer credentials, wallet keyfiles and other high‑value artifacts from developer machines. Background /...

Microsoft's security update for a Windows File Explorer flaw underscores a long-standing risk vector: trusted UI components that implicitly parse untrusted content. In March 2025 Microsoft disclosed and patched a Windows File Explorer spoofing vulnerability that could cause Explorer to...