Table of Contents
- Update: Poseidon Stealer Targets Mac Users via Fake DeepSeek Website
- 200 Malicious GitHub Repositories Distributing Malware to Developers
- Over 35,000 Websites Hacked to Inject Malicious Scripts Redirecting Users to Chinese Websites
- A sophisticated malware campaign actively targets macOS users through a fraudulent DeepSeek[.]ai interface, deploying an advanced infostealer called Poseidon Stealer. The attack begins with malvertising campaigns that redirect users to deepseek.exploreio[.]net, a convincing replica of the legitimate DeepSeek.ai platform. Victims are tricked into downloading a malicious DMG file, which prompts them to execute a shell script via Terminal, effectively bypassing Apple’s Gatekeeper protections. Poseidon Stealer is designed to evade analysis using anti-debugging techniques like ptrace() and sysctl() checks while harvesting sensitive data, including browser credentials, cryptocurrency wallets, documents, and macOS keychain contents. A deceptive AppleScript prompt tricks users into entering their system password, further facilitating data theft. Once executed, the malware exfiltrates stolen data through cURL to a remote command-and-control server at 82[.]115[.]223[.]9. Security teams analyzing the payload found structured archives containing browser data, financial documents, and system metadata. This attack highlights an evolving trend in macOS threats, where adversaries exploit command-line execution to bypass Apple’s security enhancements. Organizations are urged to educate users about unexpected Terminal execution prompts, implement endpoint monitoring for osascript abuse, and block connections to known malicious IPs. The emergence of macOS-specific malware-as-a-service platforms signals a growing focus on compromising Apple environments, requiring heightened vigilance and proactive threat mitigation strategies.
- The GitVenom malware campaign has compromised over 200 GitHub repositories, tricking developers into downloading malicious projects disguised as legitimate tools. Active for nearly two years, the operation has delivered stealers, remote access Trojans (RATs), and clippers, enabling attackers to steal credentials, browser history, and cryptocurrency wallets. The threat actors behind GitVenom have reportedly stolen at least 5 BTC (~$485,000) through clipboard hijacking and credential theft. The malicious repositories impersonate popular developer tools, including Telegram bots, Instagram automation scripts, Bitcoin wallet managers, and Valorant hacks, luring victims with detailed README files and multilingual installation guides. To enhance credibility, attackers used AI-generated documentation, automated repository updates with frequent commits, and inflated engagement metrics to manipulate search rankings. GitVenom’s payloads span multiple programming languages, including Python, JavaScript, C, C++, and C#, broadening the attack’s reach. The malware-laced projects targeted developers in Russia, Brazil, Turkey, and Southeast Asia, tailoring lures to regional interests such as CPF generators in Brazil and VPN bypass tools in Turkey. Kaspersky emphasizes the importance of manually reviewing code dependencies, verifying contributor history, and scrutinizing repositories with suspiciously high engagement but few forks. GitHub has removed the identified repositories, but experts warn of potential copycat campaigns. Developers must remain vigilant against supply chain threats in open-source ecosystems, ensuring thorough code audits and implementing strict security controls to mitigate risks.
- A large-scale cyberattack has compromised over 35,000 websites, injecting malicious JavaScript that redirects users to unauthorized Chinese-language gambling platforms, primarily under the “Kaiyun” brand. The attack relies on obfuscated JavaScript embedded in website source code, using domains such as zuizhongjs[.]com, mlbetjs[.]com, and jbwzzzjs[.]com to distribute payloads. Once executed, the scripts manipulate browser behavior by injecting iframes and full-page overlays, hijacking legitimate website content. Advanced evasion techniques, including device fingerprinting and random execution delays, help attackers bypass automated security detections. Victims are redirected through multiple domains that facilitate fraudulent gambling operations, with some pathways leading to potential phishing scams. Security researchers suggest a possible link to the Megalayer exploit, a known attack vector for distributing Chinese-language malware. The campaign likely spreads through CMS vulnerabilities or stolen website credentials, allowing persistent script injections. Given the scale of infections, website administrators must take immediate steps to mitigate risks, including auditing site source code for unauthorized scripts, blocking known malicious domains, enforcing strict Content Security Policies (CSP), and implementing file integrity monitoring. This widespread attack underscores the importance of proactive security measures and continuous monitoring to prevent large-scale web compromises.
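As an added illustration of the mitigation steps named in the website-compromise item above (auditing source for unauthorized scripts, enforcing a strict CSP, and file integrity monitoring), the following Python is example code written for this digest, not tooling from the report or its researchers. Only the three injection domains come from the item; the allowlist, file paths and sample page are constructed assumptions.

```python
import hashlib
import re
from urllib.parse import urlparse

# Injection domains named in the report, refanged, used here as a blocklist.
KNOWN_BAD_HOSTS = {"zuizhongjs.com", "mlbetjs.com", "jbwzzzjs.com"}

# Matches <script ... src="..."> and <iframe ... src="..."> tags.
SRC_RE = re.compile(r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE)


def audit_html(html, allowed_hosts):
    """Return (tag, host, reason) for every external script/iframe not on the allowlist."""
    findings = []
    for tag, src in SRC_RE.findall(html):
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host is None:
            continue
        host = host.lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append((tag.lower(), host, "known-malicious"))
        elif host not in allowed_hosts:
            findings.append((tag.lower(), host, "not-allowlisted"))
    return findings


def csp_for(allowed_hosts):
    """Build a strict Content-Security-Policy header value from the same allowlist."""
    hosts = " ".join(sorted(allowed_hosts))
    return (f"default-src 'self'; script-src 'self' {hosts}; "
            "frame-src 'self'; object-src 'none'")


def build_baseline(files):
    """Record SHA-256 digests of trusted file contents ({path: text})."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def integrity_changes(baseline, files):
    """Return paths whose current digest differs from the baseline (new files included)."""
    return sorted(p for p, d in build_baseline(files).items() if baseline.get(p) != d)


# Constructed sample page: one same-origin script, one allowlisted CDN script,
# one injected script on a reported domain, and an injected overlay iframe.
CONSTRUCTED_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://zuizhongjs.com/jquery.min.js"></script>
</head><body>
<iframe src="//overlay.example.net/banner" style="position:fixed"></iframe>
</body></html>"""
```

Run the audit against a crawl of the site's rendered pages, and re-run integrity_changes on a schedule against a baseline taken from a known-clean deployment.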
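To illustrate the endpoint-monitoring recommendation in the macOS Poseidon Stealer item above, here is an added Python example, not from the report or Hunter Strategy, that flags osascript password dialogs spawned from a shell and curl connections to the reported C2 address. The telemetry field names and the sample events are constructed assumptions; only the C2 address comes from the item.

```python
import json

# C2 address named in the report (refanged from 82[.]115[.]223[.]9), used here as a blocklist.
KNOWN_C2 = {"82.115.223.9"}
SHELLS = {"sh", "bash", "zsh", "terminal"}


def classify_event(event):
    """Return alert tags for one process-execution event; an empty list means benign."""
    tags = []
    proc = event.get("process", "").lower()
    cmd = event.get("cmdline", "")
    parent = event.get("parent", "").lower()
    if proc == "osascript":
        lowered = cmd.lower()
        # A hidden-answer dialog is how a fake system password prompt is rendered.
        if "display dialog" in lowered and "hidden answer" in lowered:
            tags.append("osascript-password-prompt")
        # Legitimate automation rarely launches osascript from an interactive shell.
        if parent in SHELLS:
            tags.append("osascript-from-shell")
    elif proc == "curl" and any(ip in cmd for ip in KNOWN_C2):
        tags.append("curl-to-known-c2")
    return tags


def scan_events(lines):
    """Parse JSON-lines telemetry; return (line_no, tags) for each flagged event."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            tags = classify_event(json.loads(line))
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        if tags:
            alerts.append((n, tags))
    return alerts


# Constructed telemetry: the field names are an assumption, not a real EDR schema.
CONSTRUCTED_TELEMETRY = [json.dumps(e) for e in [
    {"process": "osascript", "parent": "sh",
     "cmdline": "osascript -e 'display dialog \"Enter your password\" default answer \"\" with hidden answer'"},
    {"process": "curl", "parent": "sh",
     "cmdline": "curl -X POST http://82.115.223.9/"},
    {"process": "osascript", "parent": "Finder",
     "cmdline": "osascript /Users/me/Library/Scripts/backup.scpt"},
    {"process": "curl", "parent": "zsh",
     "cmdline": "curl -s https://example.com/"},
]]
```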
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.
AI-Powered Vishing Threats to MFA
Breakdown
In recent years, there has been a significant increase in voice phishing, or “vishing,” attacks, largely due to advancements in artificial intelligence (AI). AI-powered voice cloning technology enables scammers to create highly convincing audio deepfakes, mimicking the voices o