Pixnapping: Pixel-Stealing Attack That Grabs 2FA Codes from Android
Researchers have identified a new pixel-stealing attack called Pixnapping that can extract sensitive on-screen content from Android devices by abusing standard Android APIs and a hardware compression side-channel. A malicious app can push another app’s rendered pixels into the graphics pipeline and overlay semi-transparent activities to force those pixels through a measurable rendering operation, then infer pixel colors and recreate the displayed image one pixel at a time. In practice, this means an attacker can siphon two-factor authentication codes, timeline data, and other on-screen secrets in under a minute without needing elevated permissions. Tests on Google and Samsung hardware running Android 13 through 16 show the technique works, and the underlying operations necessary for the attack are present on most Android phones. Critically, the attack still requires tricking a user into installing and launching a hostile app, so it is not a purely remote exploit. The risk is material because Pixnapping bypasses many existing browser and app mitigations and can target apps that are usually considered secure, including authenticator apps. Until vendors harden the platform, practical defenses are user-focused: avoid installing untrusted apps, restrict which apps can draw overlays or request blur/visual effects, and treat any new app that asks to manipulate screen rendering with skepticism. From a product perspective, sensitive apps should be allowed to opt out of being rendered into third-party pipelines, and platform vendors need to throttle or remove the measurement primitives attackers exploit. This is an escalation in mobile side-channel threats and deserves immediate attention from security teams and app developers.
Update: Disposable npm Packages Weaponize CDN for Redirect Campaign
Researchers uncovered a large-scale phishing campaign that abused the unpkg[.]com CDN by publishing over 175 disposable npm packages that host tiny malicious scripts. Attackers embedded crafted HTML “business document” lures that load a beamglea.js file directly from unpkg, then immediately redirect victims to credential-harvesting pages, often passing the victim’s email in the URL fragment to make forms appear pre-filled. The infrastructure was purpose-built to be ephemeral: packages follow patterns such as redirect-[a-z0-9]{6} and are intended to be discarded after use, complicating takedown and attribution. Public traces began in late September 2025 and researchers disclosed the cluster in early October, with follow-up analysis revealing a related mad-* cluster that uses more elaborate delivery mechanisms. This approach avoids compromising popular libraries or installation processes and instead weaponizes trusted CDN behavior to deliver phishing content at scale. The result is a high-volume, low-friction phishing pipeline tailored to enterprise targets in industrial, technology, and energy sectors. A parallel cluster used a fake Cloudflare verification page that disables inspection tools, blocks right-click, and only fetches the actual payload URL from a remote GitHub file after a simulated verification step, then redirects the parent window to the phishing site. That variant shows how the attackers combined basic anti-analysis techniques with remote control over payload URLs, enabling quick swaps of landing pages and evasion of static detection. Defenders should treat any HTML attachments that pull scripts from unpkg[.]com as high risk. They should add email-gateway rules to quarantine or strip such attachments and monitor outbound requests for naming patterns matching redirect-* and mad-*. Organizations should also work with npm registry and CDN operators to rapidly flag and remove throwaway packages and run targeted user education about opening HTML attachments received by email. This campaign expands the attack surface of the open source supply chain and underscores the need to secure every step of software and content delivery, not just package installation.
Multi-country Botnet Mass-Enumerates US RDP Services
A large, coordinated botnet discovered by GreyNoise, starting on October 8, 2025, is probing U.S. Remote Desktop services from over 100,000 IP addresses across more than 100 countries. An early spike was traced to Brazil, followed by a rapid global spread. The campaign uses precise reconnaissance rather than noisy brute force: RD Web Access timing attacks measure subtle response-time differences during anonymous authentication flows to infer valid usernames, while RDP Web Client login enumeration observes server behavior to enumerate accounts. Most probing hosts share a near-identical TCP fingerprint, which implies centralized control over a geographically dispersed fleet. This is clearly a reconnaissance phase intended to build valid credential lists and prioritize targets for follow-on intrusion, not an opportunistic single-IP scan. The scale and technical focus on RD Web interfaces make exposed RD Web Access and RDP Web Client endpoints high-value targets right now. Organizations with internet-facing remote desktop services should assume enumeration is happening and act accordingly. The operational risk is real: enumerated accounts materially ease credential-stuffing, ransomware entry, and lateral movement once attackers supply valid passwords or leverage other compromises. Mitigate immediately by removing direct public exposure of RDP and RD Web Access where possible, placing remote access behind an RD Gateway, VPN, or bastion with enforced multi-factor authentication and strict access controls. Apply rate limits and WAF protections to RD Web endpoints to disrupt timing and enumeration probes and use vetted threat feeds to block known offender IP clusters while preparing to rotate or expand blocklists. Hunt now for signs of compromise: spikes in failed authentications, successful logins following enumeration windows, and any abnormal process or lateral activity; isolate and investigate any suspicious host without delay. Finally, validate backups and recovery plans so the organization can restore operations quickly if attackers move from reconnaissance to active exploitation.
