Malware Alerts

A malicious update to the postmark-mcp server injects a hidden BCC to exfiltrate sensitive emails from thousands of organizations. Koi’s risk engine uncovered the attack, highlighting risks in AI-driven MCP tools. Remove version 1.0.16+ and audit MCP servers now.

Microsoft uncovers advanced XCSSET variant infecting Xcode projects for macOS devs—adds Firefox data exfiltration, crypto wallet clipboard swaps via AES-encrypted AppleScripts, and LaunchDaemon persistence. Mitigate with updates, Defender for Endpoint, and domain blocks.

Average breakout time drops to 18 minutes (June-August 2025, per ReliaQuest), fueled by automation and Oyster malware's abuse of rundll32.exe for DLL loading via scheduled tasks. Learn about Gamarue USB attacks, AI-driven malvertising, and defenses like behavioral monitoring.

The npm package "fezbox" (alias janedu) disguises as a JS/TS utility library but hides credential-stealing code in a Cloudinary QR image. Discovered by Socket Threat Research, it uses reversed strings and obfuscation to evade detection—learn risks and defenses like CI/CD scanning and zero-trust dependencies.

Malicious fake online speedtest tools, uncovered September 21, 2025, use obfuscated JavaScript, Node.js, and Inno Setup to exfiltrate system data to C2 servers like cloud.appusagestats[.]com. Learn about XOR-encoded commands, execution risks, and key mitigations like EDR and app whitelisting.

Iranian threat group Nimbus Manticore (UNC1549) targets job seekers with phishing via fake recruitment sites mimicking Boeing and Airbus, delivering evasive malware like MiniJunk and MiniBrowse. Explore tactics, expansion to Western Europe, and essential mitigations for defense and telecom sectors.

SentinelLABS uncovers MalTerminal, an early LLM-enabled malware using OpenAI's GPT-4 to dynamically create ransomware or reverse shells at runtime, evading detection and marking a new era in AI-driven cyber threats.

Zero Salarium's EDR-Freeze proof-of-concept uses Windows' MiniDumpWriteDump to freeze EDR and antivirus software indefinitely, offering a stealthy alternative to BYOVD attacks without third-party drivers or detection risks.

RevengeHotels (TA558) escalates cyberattacks with AI-crafted loaders delivering VenomRAT malware, targeting Windows users via phishing. The malware features stealth, persistence, and encrypted communication.

Mustang Panda, a China-linked threat actor, uses the SnakeDisk USB worm and updated TONESHELL backdoors to target Thailand-based IPs, deploying the Yokai backdoor for remote access. Learn about their evolving malware tactics and focus on Thailand.