Trending Topics

TRENDING TOPICS APR 03, 2026

SparkCat’s Comeback: Stealthy Mobile Wallet Stealer Hiding in “Normal” Apps

Researchers have uncovered a new SparkCat malware variant lurking in seemingly legitimate iOS and Android apps, including enterprise messengers and food delivery services, on both the Apple App Store and Google Play. The trojan quietly scans victims' photo galleries for images of cryptocurrency wallet recovery phrases: an optical character recognition (OCR) module reads the text in each image, and any image whose text matches a list of seed-phrase keywords is exfiltrated. Kaspersky reports finding two infected apps on the App Store and one on Google Play, primarily targeting cryptocurrency users in Asia. The updated Android version adds multiple obfuscation layers, such as code virtualization and cross-platform languages, to frustrate analysis and detection; its keyword list targets Japanese, Korean, and Chinese terms. By contrast, the iOS variant searches for English mnemonic phrases, broadening its potential impact beyond a single geographic region. These evolutions, together with earlier assessments that SparkCat is operated by a Chinese-speaking actor, show an increasingly capable and persistent threat focused on stealing high-value crypto funds directly from users' personal devices.

For defenders and everyday users, the key takeaway is that "store-approved" does not equal safe: even official marketplaces can host advanced crypto-stealing malware, and SparkCat needs nothing more exotic than the ordinary photo-access permission prompt to reach the gallery. Users should avoid storing wallet seed phrases in screenshots or photos, limit app permissions (gallery access in particular), and use reputable mobile security tools to scan for malicious behavior. Organizations with crypto-exposed staff or customers should reinforce secure wallet practices, advise against storing recovery phrases on smartphones, and monitor for emerging mobile stealer campaigns such as SparkCat.

Exchange Online Glitches Again: Outlook Users Face Renewed Mailbox Access Turbulence

Microsoft is still wrestling with lingering Exchange Online mailbox access issues that have intermittently disrupted Outlook mobile and the new Outlook for Mac for several weeks, despite an earlier declaration that the problem was resolved. The incident, first recorded as EX1256020 and attributed by Microsoft to a newly introduced virtual account, was marked resolved on April 1, only to resurface under a new identifier, EX1268771, after tenants continued reporting impact. Microsoft now says it is restarting the Notification Broker service across affected parts of the Exchange Online infrastructure while it continues to investigate the underlying root cause. According to Microsoft, the impact is intermittent and currently limited to some users accessing their Exchange Online mailboxes via the Outlook mobile apps or the new Outlook for Mac desktop client. The company has not yet disclosed which regions or how many users are affected, but has classified the situation as an incident, the label Microsoft reserves for service issues with noticeable user impact, as opposed to an advisory. This latest disruption follows a series of recent Exchange Online outages, including one earlier this month that blocked access via Outlook on the web, desktop clients, Exchange ActiveSync, and other protocols, as well as separate sign-in problems for Office[.]com and Microsoft 365 Copilot.

For organizations, the recurring nature of these Exchange Online events underscores the importance of resilience planning even for mature cloud services. Practical steps include maintaining backup access channels (such as alternate mail clients or admin portals), rehearsing communication plans for SaaS disruptions, and monitoring Microsoft's service health dashboard and incident IDs (such as EX1268771) to quickly understand scope and expected timelines. Because the same underlying problem can reappear under a new incident ID, track the affected feature and symptoms, not just the ID that was closed. Teams that rely heavily on Outlook mobile or the new Outlook for Mac should proactively brief end users, document local workarounds, and consider temporary client or configuration alternatives until Microsoft confirms a durable fix.
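The service-health monitoring step above can be automated against the Microsoft Graph service announcement API. The script below is an added example written for this post, not Microsoft tooling or code from the original write-up: it fetches issues from the Graph `/admin/serviceAnnouncement/issues` endpoint (a token with the `ServiceHealth.Read.All` permission is assumed), filters to unresolved Exchange Online issues, flags any IDs you are watching, and points out an open issue that shares a feature with a recently "resolved" one, which is exactly the EX1256020 to EX1268771 pattern described above. The `SAMPLE_ISSUES` list is constructed for an offline run; only the two EX identifiers come from the post, the other entries and all titles, features and timestamps are made up.

```python
"""Watch Microsoft 365 service health for open Exchange Online issues.

Added example (not Microsoft's code): polls the Graph serviceAnnouncement
issues endpoint and flags unresolved issues, watched IDs, and likely
recurrences of a "resolved" incident under a new ID.
"""
import json
import urllib.request

GRAPH_ISSUES_URL = "https://graph.microsoft.com/v1.0/admin/serviceAnnouncement/issues"


def fetch_issues(access_token):
    """Live fetch (network, ServiceHealth.Read.All). Follow @odata.nextLink for
    more pages in production; the offline demo below uses SAMPLE_ISSUES instead."""
    req = urllib.request.Request(
        GRAPH_ISSUES_URL, headers={"Authorization": f"Bearer {access_token}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def open_issues(issues, service="Exchange Online", watch_ids=frozenset()):
    """Unresolved issues for one service, incidents before advisories, newest first."""
    hits = [
        {
            "id": i["id"],
            "classification": i.get("classification"),
            "status": i.get("status"),
            "feature": i.get("feature"),
            "title": i.get("title"),
            "lastModified": i.get("lastModifiedDateTime", ""),
            "watched": i["id"] in watch_ids,
        }
        for i in issues
        if i.get("service") == service and not i.get("isResolved", False)
    ]
    hits.sort(key=lambda h: h["lastModified"], reverse=True)    # newest first
    hits.sort(key=lambda h: h["classification"] != "incident")  # stable: incidents first
    return hits


def possible_recurrences(issues, service="Exchange Online"):
    """Pairs (open_id, resolved_id) that share a feature: the 'resolved, then
    resurfaced under a new ID' pattern. Review these by hand before acting."""
    resolved = [i for i in issues if i.get("service") == service and i.get("isResolved")]
    pairs = []
    for current in open_issues(issues, service):
        for old in resolved:
            if current["feature"] and current["feature"] == old.get("feature"):
                pairs.append((current["id"], old["id"]))
    return pairs


# Constructed sample in the shape Graph returns. EX1256020/EX1268771 are the IDs
# from the write-up; the other two entries, titles, features and times are made up.
SAMPLE_ISSUES = [
    {"id": "EX1256020", "service": "Exchange Online", "feature": "Mailbox access",
     "classification": "incident", "status": "serviceRestored", "isResolved": True,
     "title": "Users may be unable to access mailboxes via Outlook mobile",
     "lastModifiedDateTime": "2026-04-01T18:00:00Z"},
    {"id": "EX1268771", "service": "Exchange Online", "feature": "Mailbox access",
     "classification": "incident", "status": "serviceDegradation", "isResolved": False,
     "title": "Users may intermittently be unable to access mailboxes via Outlook mobile and new Outlook for Mac",
     "lastModifiedDateTime": "2026-04-03T09:30:00Z"},
    {"id": "EX0000001", "service": "Exchange Online", "feature": "Calendar",
     "classification": "advisory", "status": "investigating", "isResolved": False,
     "title": "Some users see delayed calendar updates",
     "lastModifiedDateTime": "2026-04-03T10:15:00Z"},
    {"id": "MO0000002", "service": "Microsoft 365 suite", "feature": "Sign-in",
     "classification": "incident", "status": "investigating", "isResolved": False,
     "title": "Sign-in failures for some users",
     "lastModifiedDateTime": "2026-04-02T12:00:00Z"},
]


def report(issues, watch_ids=frozenset({"EX1268771"})):
    """Plain-text status lines suitable for a chat alert or ticket update."""
    lines = [
        f"{'*' if h['watched'] else ' '} {h['id']} [{h['classification']}/{h['status']}] {h['title']}"
        for h in open_issues(issues, watch_ids=watch_ids)
    ]
    lines += [f"  note: {new} may be a recurrence of resolved {old}"
              for new, old in possible_recurrences(issues)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ISSUES))
```

Run it on a schedule with `fetch_issues()` in place of `SAMPLE_ISSUES` and post the `report()` output to the channel your helpdesk watches; the recurrence note is what tells you not to close your internal ticket just because Microsoft closed theirs.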

Claude Code Leak Trap: Fake GitHub Repos Are Now Dropping Vidar Infostealer on Curious Downloaders

Threat actors are piggybacking on Anthropic's recent Claude Code source leak by seeding fake GitHub repositories that masquerade as "unlocked" or "enterprise" versions of the leaked tool but actually deliver the Vidar information-stealing malware. After Anthropic accidentally published a 59.8 MB JavaScript source map in an npm package, exposing roughly 513,000 lines of un-obfuscated TypeScript covering Claude Code's orchestration logic, permissions, hidden features, and security internals, copies and forks of the code spread rapidly across GitHub. One malicious repo, operated by the user "idbzoomh," is search-engine-optimized to rank among the top Google results for "leaked Claude Code." It lures users into downloading a 7-Zip archive containing a Rust-based executable named ClaudeCode_x64[.]exe which, when launched, installs Vidar along with the GhostSocks traffic proxy. The attackers have been updating the malicious archive frequently, signaling an intent to rotate or expand payloads over time, and a second, nearly identical GitHub project suggests the same actor is experimenting with different delivery flows.

This campaign fits a broader pattern: GitHub continues to be abused as a malware delivery platform, with past waves pushing fake proof-of-concept exploit repositories to compromise inexperienced researchers and low-tier cybercriminals chasing "free" code. The Claude leak's hype and the AI sector's general FOMO amplify this risk, since users searching for cutting-edge tools are more likely to lower their guard and run unsigned binaries from strangers on GitHub and beyond, turning a source-code exposure into a convenient distribution channel for commodity malware. For developers, researchers, and security teams, the lesson is that high-profile leaks are now reliable bait for infostealers and other malware, making this GitHub-Vidar campaign essentially the next phase of the same Claude Code leak story.

The original analysis framed the leak as a strategic risk to AI builders and enterprises integrating frontier models, because more than 500k lines of exposed code would accelerate vulnerability discovery, jailbreak research, and tailored attacks against Anthropic's ecosystem; this new development shows adversaries also weaponizing the hype around that leak to infect anyone curious enough to download "unlocked" or "enterprise" builds. That makes the earlier recommendations even more urgent: treat AI-related source and tooling as crown-jewel assets, assume adversaries will eventually know internals, enforce strict rules against running binaries from unverified repositories, validate code provenance carefully, and remember that "open-source" and "on GitHub" are not security guarantees when a sudden leak is driving massive interest and opportunistic abuse. The leaked material is TypeScript source; a repository that offers a compiled Windows executable in its place is offering something else.
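The "validate before you run anything" rule can be made mechanical for the archive-in-a-repo case described above. The script below is an added example for this post, not code from the campaign analysis or from any project: it walks a downloaded archive without extracting it, hashes every member, sniffs the first bytes for native executable formats (PE, ELF, Mach-O), flags launcher-type extensions, and rejects path-traversal member names. It uses the standard-library `zipfile` so the demo runs offline; the same checks apply to a 7-Zip archive once it is listed with a 7z reader, which is an assumption of this example, not something the post describes. `build_sample_zip()` constructs a fake archive (a README, a TypeScript file, a stub starting with the `MZ` PE header, and a traversing path); nothing in it is a real program.

```python
"""Triage a downloaded "source" archive before anything in it is run.

Added example (not the post's or any project's code): lists members, hashes
them, and rejects archives that contain native executables or that would
escape the extraction directory.
"""
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# Leading bytes of native executable formats. A source tree should have none.
MAGIC = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
}
# Launcher/installer extensions that have no business in a TypeScript source dump.
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".msi", ".lnk", ".hta", ".bat", ".cmd", ".ps1", ".vbs"}


def sniff(head):
    """Name of the native format the first bytes announce, or None."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def is_unsafe_path(name):
    """Member names that would write outside the extraction directory."""
    parts = PurePosixPath(name).parts
    return name.startswith("/") or "\\" in name or ".." in parts


def triage_zip(data):
    """Per-member findings for an in-memory zip; never extracts to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4)
                digest = hashlib.sha256(head)
                while chunk := member.read(65536):
                    digest.update(chunk)
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": digest.hexdigest(),
                "native": sniff(head),
                "risky_ext": PurePosixPath(info.filename).suffix.lower() in RISKY_SUFFIXES,
                "unsafe_path": is_unsafe_path(info.filename),
            })
    return findings


def verdict(findings):
    """('OK', []) or ('REJECT', [reasons]); any single reason is disqualifying."""
    reasons = []
    for f in findings:
        if f["native"]:
            reasons.append(f"{f['name']}: {f['native']} binary in a source archive")
        elif f["risky_ext"]:
            reasons.append(f"{f['name']}: launcher/installer extension in a source archive")
        if f["unsafe_path"]:
            reasons.append(f"{f['name']}: path would escape the extraction directory")
    return ("REJECT" if reasons else "OK", reasons)


def build_sample_zip():
    """Constructed sample: two plausible source files, a PE-headed stub, and a
    traversing member. The stub is 'MZ' plus padding, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.md", "# leaked source\n")
        zf.writestr("src/index.ts", "export const version = '1.0.0';\n")
        zf.writestr("ClaudeCode_x64.exe", b"MZ" + b"\x00" * 62 + b"not a real program")
        zf.writestr("../../etc/cron.d/job", "* * * * * root id\n")
    return buf.getvalue()


if __name__ == "__main__":
    findings = triage_zip(build_sample_zip())
    for f in findings:
        print(f"{f['sha256'][:16]}  {f['size']:>8}  {f['name']}  native={f['native']}")
    status, reasons = verdict(findings)
    print(status, *reasons, sep="\n  ")
```

Wire `triage_zip()` into whatever fetches archives for your team and treat `REJECT` as a hard stop; the SHA-256 column also gives you a stable identifier to search in threat intelligence feeds when the same file turns up elsewhere.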

Update: UAT‑10608 Turns React2Shell Vulnerability into a Massive Credential Harvesting Operation

This update builds on a previous blog post that examined React2Shell, CVE-2025-55182 in Next[.]js, as a critical RCE flaw; new research from Cisco Talos now shows how that bug is being weaponized at scale by a threat cluster tracked as UAT-10608. At least 766 publicly reachable Next[.]js hosts across multiple clouds and regions have been compromised. The attackers use automated scanning (search engines such as Shodan and Censys, or custom scanners) to find vulnerable deployments, exploit them, and drop a multi-stage collection framework dubbed NEXUS Listener. Once in, the framework systematically pulls environment variables, a JSON-parsed copy of the runtime environment, SSH private keys, shell history, Kubernetes service account tokens, Docker configs, API keys, IAM role credentials from the AWS, GCP, and Azure instance metadata services, and more, effectively turning each host into a high-value credential faucet. Central to the operation is NEXUS Listener's password-protected web UI (now at version V3), which aggregates all stolen data into a searchable dashboard with statistics on compromised hosts and credential types. Talos observed data from an unauthenticated instance, confirming that the haul includes Stripe keys; AI platform keys for OpenAI, Anthropic, and NVIDIA NIM; communication service credentials for SendGrid and Brevo; Telegram bot tokens; webhooks; GitHub/GitLab tokens; and database connection strings, among other secrets. Beyond immediate abuse, this aggregate dataset effectively maps victims' infrastructure, services, configurations, cloud providers, and third-party integrations, creating a rich intelligence layer for follow-on attacks, social engineering, or resale to other actors.

For organizations, this reinforces and sharpens the guidance from the earlier React2Shell write-up: CVE-2025-55182 is not just a code-execution bug but a gateway into your entire cloud and SaaS ecosystem if secrets are poorly managed. Defenders should urgently patch vulnerable Next[.]js/React Server Components deployments, enforce least privilege on application credentials, enable secret scanning, avoid SSH key reuse, and lock down cloud metadata services (e.g., require IMDSv2 on AWS EC2, so that a plain unauthenticated GET to the metadata endpoint no longer returns role credentials). Where compromise is suspected, or where Next[.]js apps were exposed without prompt patching, teams should rotate every credential the host could reach, audit third-party integrations, and assume that attackers may already hold a detailed map of internal services and keys, scaling incident response to match the automation demonstrated by UAT-10608.
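The collection list above doubles as a checklist for your own hosts: anything NEXUS Listener would pull is exactly what code execution as the application user already exposes, so it is worth knowing the answer before an incident. The script below is an added example written for this post, not Talos tooling or anything from the campaign: it inventories that material on a host (environment variable names that look like credentials, private keys under `~/.ssh`, shell-history lines with inline secrets, Docker registry logins, and the Kubernetes service-account token) and reports names and counts only, never values, so the output is safe to paste into an incident ticket. The credential-name regexes, the `~/.zsh_history` path and the `demo()` sample tree are assumptions of this example; `build_sample_tree()` writes obviously fake placeholders, not real keys.

```python
"""Inventory what a NEXUS Listener-style collector would harvest from a host.

Added example (not Talos code): run as the application user and report
secret *names* and counts only, never values.
"""
import json
import re
import tempfile
from pathlib import Path

# Env var names that usually carry credentials (heuristic; tune per estate).
SECRET_ENV_RE = re.compile(
    r"KEY|SECRET|TOKEN|PASSW(OR)?D|DATABASE_URL|WEBHOOK|DSN|STRIPE|SENDGRID", re.I
)
PRIVATE_KEY_MARKER = "PRIVATE KEY-----"
# Shell-history lines that commonly embed secrets on the command line.
HISTORY_RE = re.compile(
    r"\b(curl|wget|aws|gcloud|az|kubectl|docker login|psql|mysql|export)\b"
    r".*?(token|key|passw|secret|Authorization|-p\S)", re.I
)
K8S_SA_TOKEN = Path("var/run/secrets/kubernetes.io/serviceaccount/token")


def secret_env_names(environ):
    """Names of environment variables that look like credentials."""
    return sorted(name for name in environ if SECRET_ENV_RE.search(name))


def ssh_private_keys(home):
    """Files under ~/.ssh that contain a PEM/OpenSSH private-key marker."""
    ssh_dir = home / ".ssh"
    if not ssh_dir.is_dir():
        return []
    keys = []
    for path in ssh_dir.iterdir():
        try:
            if path.is_file() and PRIVATE_KEY_MARKER in path.read_text(errors="ignore"):
                keys.append(path.name)
        except OSError:
            continue
    return sorted(keys)


def risky_history_lines(home):
    """Count shell-history lines that appear to carry credentials inline."""
    count = 0
    for name in (".bash_history", ".zsh_history"):
        path = home / name
        if path.is_file():
            count += sum(1 for line in path.read_text(errors="ignore").splitlines()
                         if HISTORY_RE.search(line))
    return count


def docker_registries(home):
    """Registries with stored auth in ~/.docker/config.json (names only)."""
    cfg = home / ".docker" / "config.json"
    if not cfg.is_file():
        return []
    try:
        return sorted(json.loads(cfg.read_text()).get("auths", {}))
    except (json.JSONDecodeError, AttributeError):
        return []


def inventory(home, environ, root="/"):
    """Summarize credential exposure without revealing any secret values."""
    home, root = Path(home), Path(root)
    return {
        "env_secrets": secret_env_names(environ),
        "ssh_private_keys": ssh_private_keys(home),
        "history_lines_with_secrets": risky_history_lines(home),
        "docker_registries": docker_registries(home),
        "k8s_sa_token": (root / K8S_SA_TOKEN).is_file(),
    }


def build_sample_tree(base):
    """Constructed sample home + root for an offline run. Placeholders only."""
    base = Path(base)
    home = base / "home" / "app"
    (home / ".ssh").mkdir(parents=True)
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\nNOTAREALKEY\n-----END OPENSSH PRIVATE KEY-----\n")
    (home / ".ssh" / "id_ed25519.pub").write_text("ssh-ed25519 AAAA... app@host\n")
    (home / ".bash_history").write_text(
        "ls -la\n"
        "curl -H 'Authorization: Bearer abc123' https://api.example.invalid/\n"
        "mysql -u root -pHunter2 prod\n")
    (home / ".docker").mkdir()
    (home / ".docker" / "config.json").write_text(
        json.dumps({"auths": {"ghcr.io": {"auth": "dXNlcjpwYXNz"}}}))
    (base / K8S_SA_TOKEN).parent.mkdir(parents=True)
    (base / K8S_SA_TOKEN).write_text("not.a.real.token\n")
    return home


def demo():
    """Run the inventory against the constructed tree and a fake environment."""
    with tempfile.TemporaryDirectory() as tmp:
        home = build_sample_tree(tmp)
        env = {"PATH": "/usr/bin", "HOME": str(home),
               "DATABASE_URL": "postgres://x", "OPENAI_API_KEY": "x"}
        return inventory(home, env, root=tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host call `inventory(Path.home(), os.environ)`; every non-empty field is a credential to rotate if that host ran a vulnerable Next.js build while exposed, and the metadata-service credentials the post mentions are not on the list only because they are fetched live, which is the reason to require IMDSv2 rather than hunt for them on disk.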

Update: ShinyHunters’ Final Ultimatum: Cisco Data, Salesforce Chaos, and the Expanding Cloud Extortion Playbook

The ShinyHunters group has issued a "final warning" to Cisco ahead of an April 3, 2026, deadline, claiming it stole data through three distinct paths it labels UNC6040, Salesforce Aura, and compromised AWS accounts, and threatening to leak it if the company does not make contact. The actors say they hold more than 3 million Salesforce records, as well as personally identifiable information, GitHub repositories, AWS storage buckets, and other internal corporate data, and have hinted at additional "digital problems" if their demands are ignored. This escalation comes days after ShinyHunters claimed to leak 350GB of European Commission data, reinforcing the group's strategy of combining high-profile victims, public pressure, and multi-environment access to maximize leverage.

The reference to UNC6040 ties the claims back to prior incidents: Google's Threat Intelligence Group tracks the ShinyHunters-linked Salesforce intrusion activity under that designation, and Cisco disclosed a vishing-based campaign targeting employees and internal systems. By explicitly invoking UNC6040 and Salesforce Aura, the group suggests that at least part of the alleged Cisco compromise may stem from social engineering, cloud misconfigurations, or third-party integrations rather than a single technical exploit. Screenshots shared on the leak site appear to show an AWS organizational dashboard, storage volumes, and bucket listings tied to a Cisco-related environment, suggesting visibility into multiple linked accounts rather than a single isolated resource, though the images themselves do not expose sensitive data. ShinyHunters has spent the past year monetizing access to Salesforce-related data across a wide range of organizations, repeatedly pointing to misconfigurations, compromised credentials, and integration weaknesses that transcend any single platform and have affected brands from Odido and Telus Digital to Gucci, Balenciaga, and Qantas.

With the Cisco deadline approaching and the claims still unverified, the case highlights how mature extortion crews now chain together voice phishing, SaaS access, and cloud control-plane visibility to pressure large enterprises. For defenders, the message is clear: strengthen employee awareness of vishing, rigorously harden and monitor Salesforce and other SaaS integrations, enforce least privilege and strong authentication across AWS Organizations, and assume that multi-tenant cloud and CRM environments are prime targets in modern data-theft campaigns.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics.

Written By: William Elchert
