Field notes from the edge.
What our engineers learned this week. Hands-on technical deep-dives, postmortems, and strategy frameworks.
[AI] Sweeping Credential-Harvesting Heist Compromises +30K Fortinet Devices
A large-scale credential-harvesting campaign has compromised over 30,000 Fortinet devices globally, with attackers successfully compiling working credentials across multiple sectors in nearly 200 countries. The active threat represents a significant security risk for enterprise organizations relying on Fortinet infrastructure for network security.
[AI] Fileless Phantom Stealer Targets Browser Credentials
A new fileless malware variant called Phantom Stealer has emerged targeting browser credentials through memory-only execution. The malware employs sophisticated anti-analysis techniques throughout its infection chain to evade detection by security tools, representing an evolution in credential theft tactics.
[AI] China-Nexus Actor Spies on US Researchers Undetected for a Year
Google identified and stopped a year-long cyber espionage campaign by a China-linked threat actor that targeted US researchers. The attackers compromised RedCAP credentials to infiltrate multiple research institutions and exfiltrate sensitive data, remaining undetected throughout the extended operation.
[AI] Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Over 400 packages in Arch Linux's Arch User Repository (AUR) were compromised this week through hijacked build scripts that deployed credential-stealing malware. The Rust-based infostealer targets developer secrets and can deploy an eBPF rootkit when executed with root privileges to evade detection.
[AI] 400+ Arch Linux AUR Packages Hijacked to Install Rust Credential Stealer
Over 400 packages in Arch Linux's Arch User Repository (AUR) were compromised this week when attackers hijacked them and modified build scripts to deploy credential-stealing malware. The malicious payload is a Rust-based binary designed to harvest developer credentials and secrets, with the capability to deploy an eBPF rootkit when executed with root privileges to evade detection.
[AI] Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer
A new supply chain attack called Hades has compromised 19 packages in the Python Package Index (PyPI) registry, deploying 37 malicious wheel artifacts designed to automatically execute credential-stealing malware. This attack represents an evolution of the Miasma campaign, using *-setup.pth files for automatic execution and demonstrating increasingly sophisticated targeting of specific development
[AI] Rust-Written IronWorm Hits NPM Supply Chain
A new malware campaign called IronWorm, written in Rust, has been discovered targeting the NPM package ecosystem. The malware focuses on compromising developer credentials and leveraging them to spread laterally across the software supply chain, posing significant risks to enterprise development environments.
[AI] Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
A supply chain attack dubbed Miasma has compromised Red Hat npm packages (@redhat-cloud-services) to deploy credential-stealing malware and a self-propagating worm on developer systems. The campaign employs Mini Shai-Hulud tactics including install-time execution, credential harvesting, CI/CD pipeline targeting, and encrypted data exfiltration. This incident represents a significant threat to ente
[AI] OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
A malicious supply chain attack targeting developers has been discovered in the codexui-android npm package, which masquerades as a legitimate remote web UI for OpenAI Codex. The compromised package, still available on npm and GitHub, has attracted over 29,000 weekly downloads and is designed to steal OpenAI Codex authentication tokens from unsuspecting developers.
[AI] Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets
Security researchers have identified a malicious NuGet package impersonating a legitimate SDK for Sicoob, a major Brazilian financial institution, designed to steal client credentials and PFX certificates. Versions 2.0.0 through 2.0.4 of the fraudulent 'Sicoob.Sdk' package contain data exfiltration capabilities targeting sensitive authentication materials. This discovery highlights the growing thr
[AI] PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
A new credential theft framework called PCPJack has been identified targeting exposed cloud infrastructure by exploiting five CVEs to spread in a worm-like manner. The malware harvests credentials from cloud services, containers, developer tools, productivity platforms, and financial services before exfiltrating data through attacker-controlled infrastructure, while also removing competing TeamPCP
[AI] MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
Iranian state-sponsored threat actor MuddyWater conducted a false flag ransomware attack in early 2026, using Microsoft Teams as an initial attack vector through social engineering techniques. Rapid7 identified this operation, which represents a concerning evolution in nation-state tactics that disguise espionage activities as financially-motivated cybercrime.
