credential-theft

Your Antivirus Is Harvesting Passwords Now: BlueHammer Hits CISA KEV

John Z Black Apr 23, 2026

Vulnerabilities & Patching #microsoft #windows-defender #bluehammer #cve-2026-33825 #zero-day #cisa-kev #credential-theft #endpoint-security

The BlueHammer flaw has moved from a research curiosity to an active threat. This Windows Defender zero-day turns your security software into a password harvester by exploiting a race condition to steal credentials. CISA says patch now.

The Storm Infostealer Doesn't Decrypt Your Passwords Locally. It Takes Them Home First.

John Z Black Apr 5, 2026

Threat Intelligence #storm #infostealer #credential-theft #server-side-decryption #maas #browser-security

Storm ships encrypted credentials to attacker servers for decryption, bypassing every endpoint detection built to catch local credential theft.

Hackers Built a SaaS-Style Dashboard to Loot Next.js Apps at Scale

John Z Black Apr 3, 2026

Threat Intelligence #next.js #react #cve-2025-55182 #credential-theft #supply-chain #cloud-security

UAT-10608 built an automated framework that exploits a CVSS 10.0 React flaw to compromise Next.js apps, harvest credentials, and display the loot in a searchable dashboard.

Microsoft's Device Code Auth Is Now a Criminal Subscription Service

John Z Black Apr 2, 2026

Ransomware & Cybercrime #phishing #microsoft-365 #device-code #eviltokens #bec #phaas #credential-theft

EvilTokens sells device code phishing as a service on Telegram. Over 340 orgs compromised, and victims never see a fake login page.

Thirty Seconds. That Is All FAUX#ELEVATE Needs to Own an Enterprise Machine.

John Z Black Mar 30, 2026

Threat Intelligence #phishing #fauxelevate #vbscript #enterprise-security #credential-theft #cryptominer #hr-security

FAUX#ELEVATE skips consumer targets entirely, checks for corporate domain membership first, then steals Chrome credentials and starts mining Monero in about 30 seconds.

The npm Ghost: That Install Log Looked Normal Because It Was Built to Fool You

John Z Black Mar 25, 2026

Threat Intelligence #npm #supply-chain #developer-security #reversinglabs #credential-theft #malware

Seven malicious npm packages have been stealing sudo passwords and crypto wallet data from developer machines since February. The trick: they generate fake terminal output so convincing that developers don't look twice.

Two Tools Published This Week Just Broke Chrome's Encryption and Bypassed Your MFA

John Z Black Mar 23, 2026

Threat Intelligence #voidstealer #astaroth #chrome #mfa #credential-theft #phishing #fido2 #passkeys

VoidStealer cracked Chrome's Application-Bound Encryption via a debugger trick, while Astaroth defeats SMS, TOTP, and push MFA in real time -- and the only method that survives both is FIDO2.

Storm-2561: Googling Your VPN Download Just Became a Security Risk

John Z Black Mar 13, 2026

Threat Intelligence #seo-poisoning #storm-2561 #vpn #credential-theft #malware #social-engineering

Microsoft exposed Storm-2561, a threat actor using SEO poisoning to serve fake VPN downloads that steal corporate credentials. The attack requires zero phishing emails. Just a search engine.