Dropbox A.I CyberSecurity Scoring
Dropbox
Company Information
Website: http://www.dropbox.com
Employees number: 3,776
Number of followers: 458,587
NAICS: 5112
Industry Type: Software Development
Homepage: dropbox.com
Dropbox Risk Score (AI oriented)
Between 600 and 649
Updated: 01/04/2026
622/1000
Poor
Caa
Dropbox Global Score (TPRM)
Score locked

Current Score: 622 Caa (Poor)
5 incidents
-38.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
632
MAY 2026
628
APRIL 2026
625
MARCH 2026
638
Cyber Attack
12 Mar 2026 • Dropbox
GitHub, npm, Dropbox and Roblox: Malicious npm Campaign Impersonates Solara Executor to Steal Discord and Crypto Wallet Data
Sophisticated npm-Based Infostealer Targets Windows Users via Malicious Packages
620
MEDIUM-18
DROROBNPMGIT1773476652
On March 12, 2026, JFrog security researchers Guy Korolevski and Meitar Palas uncovered a stealthy cyberattack leveraging the npm ecosystem to distribute the Cipher infostealer. The malware, disguised as a Roblox script executor named "Solara," was embedded in two now-removed npm packages: bluelite-bot-manager and test-logsmodule-v-zisko.
The attack chain began with pre-install scripts in the npm packages, which downloaded a Windows executable from Dropbox. Despite appearing benign on VirusTotal, where it evaded nearly all antivirus detection, the executable acted as a dropper, concealing a 321MB archive containing obfuscated JavaScript, a full Node.js environment, and an embedded Python script. The payload also included elevate.exe, a legitimate tool repurposed to escalate privileges.
### Discord Account Compromise
Cipher prioritized Discord credential theft, employing two distinct methods:
- BetterDiscord: The malware patched core files to disable webhook protections, ensuring stolen data reached attackers unimpeded.
- Official Discord App: A second-stage payload, downloaded from a live GitHub repository, forced users to log out, then captured credentials, 2FA codes, and credit card details upon re-login. Persistence was achieved by modifying Discord’s installation files to auto-execute the malicious script.
### Browser & Cryptocurrency Theft
The malware conducted a system-wide sweep for sensitive data, targeting:
- Browsers: Chrome, Edge, Brave, Opera, and Yandex, stealing passwords, cookies, autofill data, and browsing history.
- Cryptocurrency Wallets: Bitcoin, Ethereum, Exodus, Electrum, and others. It actively decrypted Exodus wallet seed files using local libraries.
- Python Dependency: If Python wasn’t installed, the malware silently downloaded it to ensure successful data exfiltration.
Stolen data was compressed into a ZIP file and transmitted to attackers via file-sharing services or a command-and-control server.
### Response & Mitigation
While the malicious npm packages and Dropbox links have been neutralized, the campaign highlights the risks of supply-chain attacks in open-source ecosystems. The use of obfuscation, legitimate tools (elevate.exe), and multi-stage payloads allowed the malware to evade detection, underscoring the need for vigilance in dependency management.
MARCH 2026
717
Breach
10 Mar 2026 • Dropbox
Dropbox and Western Australian Office of the Auditor General: WA government’s Microsoft 365 issues led to $71k being stolen, exposure of child data
Western Australia Audit Reveals Critical Microsoft 365 Security Gaps in State Entities
638
CRITICAL-79
OFFDRO1773174394
A recent report by the Western Australian Office of the Auditor General (OAG) uncovered significant vulnerabilities in how state government entities manage their Microsoft 365 (M365) environments, exposing them to heightened risks of cyber incidents, data breaches, and operational disruptions.
The audit identified weaknesses across multiple security domains, including governance, identity and access management, information protection, logging and monitoring, and threat protection controls. Two major incidents highlighted the consequences of these gaps:
1. Data Breach Involving Sensitive Information
An audited entity inadvertently exposed the personal and sensitive data of 32 individuals, including children, by emailing it to an unvetted third-party service provider, which stored the information in Dropbox. The breach stemmed from the absence of data loss prevention (DLP) controls and a failure to assess the third party’s security posture. While some entities had DLP policies in place, they were not consistently applied across OneDrive, SharePoint, Power Platform, Exchange, and Teams, leaving sensitive data unprotected.
2. $71,000 Theft via Phishing and Weak MFA
A threat actor compromised a senior officer’s M365 account through a phishing email, exploiting weak multifactor authentication (MFA). The attack went undetected for a month, during which the attacker:
- Registered their own MFA device
- Created email forwarding rules to conceal communications
- Studied the victim’s email history to craft convincing social engineering tactics
- Submitted a fraudulent invoice, resulting in the theft of $71,000
The OAG attributed the incident to ineffective security configurations, including:
- Failure to block high-risk users and sign-ins
- Lack of email spoofing protections to prevent impersonation
- Insufficient controls to detect and report fake emails from third-party servers
Western Australia’s Auditor-General, Caroline Spencer, emphasized that proper M365 security management is critical for safeguarding government data and ensuring uninterrupted public services amid evolving cyber threats. The findings underscore systemic gaps in third-party risk assessment, DLP enforcement, and phishing defenses across state entities.
FEBRUARY 2026
734
Cyber Attack
02 Feb 2026 • Dropbox
Dropbox and Vercel: Phishing Scam Uses Clean Emails and PDFs to Steal Dropbox Logins
New Phishing Scam Exploits Trusted PDFs and Cloud Services to Steal Credentials
716
CRITICAL-18
DROVER1770065567
Cybersecurity researchers at Forcepoint have uncovered a sophisticated phishing campaign that bypasses traditional email filters by leveraging clean-looking business emails and multi-stage deception. The attack begins with a seemingly legitimate message, often referencing a "tender" or "procurement" deal, containing a harmless PDF attachment. Unlike typical phishing attempts, the email itself contains no malicious links, relying instead on the PDF to initiate the scam.
The PDFs exploit technical features like AcroForms and FlateDecode to embed hidden clickable buttons, tricking users into interacting with what appears to be a standard document. Once clicked, the victim is redirected to a second file hosted on Vercel Blob storage, a legitimate cloud service that helps the attackers evade security blocks. This file then directs users to a fake Dropbox login page, meticulously designed to mimic the real platform.
Behind the scenes, a script harvests email credentials, passwords, IP addresses, device types, and geolocation data, transmitting the stolen information to a private Telegram channel controlled by the attackers. To avoid suspicion, the fake login page displays an error message, making victims believe they simply mistyped their password.
Forcepoint has since updated its defenses to detect and block these files, but the campaign highlights how attackers are increasingly abusing trusted formats and cloud infrastructure to bypass security measures. The incident underscores the risks of assuming routine business documents are safe without verifying their origin.
JANUARY 2026
734
DECEMBER 2025
732
NOVEMBER 2025
732
OCTOBER 2025
731
SEPTEMBER 2025
730
AUGUST 2025
729
JULY 2025
728
NOVEMBER 2024
735
Cyber Attack
01 Nov 2024 • Dropbox
Facebook, Dropbox and MediaFire: Threat Actors Exploit Copyright Takedowns to Deliver Malware
Lone None Threat Group Deploys New Stealers via Fake Copyright Takedown Notices
717
CRITICAL-18
FACDROMED1768636787
Since November 2024, the Lone None threat actor group has been orchestrating a sophisticated email campaign distributing two information stealers: Pure Logs Stealer and the newly identified Lone None Stealer (PXA Stealer). The campaign spoofs legal firms worldwide, using copyright infringement takedown notices as lures to trick recipients into executing malicious payloads.
The emails, written in at least ten languages, likely via machine translation or AI, reference authentic Facebook accounts of victims to enhance credibility. Embedded links, often shortened via t[.]ee or g[.]su, redirect to free file-hosting services like Dropbox and MediaFire, where victims download an archive disguised as a PDF reader installer.
In reality, the archive contains a repurposed Haihaisoft PDF Reader executable, a malicious DLL acting as a Python installer, legitimate documents, and files with mismatched extensions. Upon execution, the loader uses Windows certutil.exe to decode a disguised PDF archive, saving it under a different extension. A bundled WinRAR executable (renamed "images.png") extracts the decoded files into C:\Users\Public.
The malicious DLL then launches a staged Python interpreter (svchost.exe), installing Python in the same directory and executing an obfuscated script. The script communicates with a Telegram bot C2 channel, where part of a paste[.]rs URL is stored in the bot’s bio. The script reconstructs the URL to fetch a secondary payload from 0x0[.]st, delivering either Pure Logs Stealer or Lone None Stealer.
Both stealers employ Base64/Base85 encoding and AES encryption to evade detection. Lone None Stealer specifically targets cryptocurrency by monitoring the Windows clipboard for wallet addresses, replacing them with actor-controlled wallets for Bitcoin, Ethereum, and Solana. Observed wallet addresses include:
- Bitcoin: `1DPguuHEophw6rvPZZkjBA3d8Z9ntCqm1L`
- Ethereum: `0xd38c3fc36ee1d0f4c4ddaeebb72e5ce2d5e7646c`
- Solana: `GQwKEEi49iKywE8ycnFsxRhxJTVf6YsoJb2vAFigc8`
Earlier variants delivered XWorm and DuckTail, but recent attacks have streamlined to focus on Pure Logs Stealer’s RAT capabilities and Lone None Stealer’s cryptocurrency theft. Persistence is maintained via a registry Run key pointing to the staged Python interpreter.
Defenders are advised to monitor for clandestine Python installations in C:\Users\Public\Windows, suspicious Run key entries, and anomalous executions of certutil.exe and WinRAR with renamed files. The campaign underscores the evolving tactics of threat actors in leveraging social engineering and unconventional C2 channels to distribute malware.
NOVEMBER 2022
775
Breach
01 Nov 2022 • Dropbox
Dropbox
Dropbox Data Breach
710
CRITICAL-65
DRO121761222
Dropbox confirmed that it had experienced a data breach incident in November 2022, after an unknown attacker gained access to credentials, data, and other secrets within its private GitHub code repositories.
Dropbox did admit that the code contained a "few thousand names and email addresses belonging to Dropbox staff," as well as some plain text secrets like API keys and other credentials.
They adopt common security precautions like frequent password changes and turning on MFA for your storage account.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Dropbox?
What was Dropbox's A.I Rankiteo Cyber Score in May 2026?
What was Dropbox's A.I Rankiteo Cyber Score in April 2026?
What was Dropbox's A.I Rankiteo Cyber Score in March 2026?
What was Dropbox's A.I Rankiteo Cyber Score in February 2026?
What was Dropbox's A.I Rankiteo Cyber Score in January 2026?
What was Dropbox's A.I Rankiteo Cyber Score in December 2025?
What was Dropbox's A.I Rankiteo Cyber Score in November 2025?
What was Dropbox's A.I Rankiteo Cyber Score in October 2025?
What was Dropbox's A.I Rankiteo Cyber Score in September 2025?
What was Dropbox's A.I Rankiteo Cyber Score in August 2025?
What was Dropbox's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Dropbox's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Dropbox?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Dropbox's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?