All CosmicBytez Labs articles tagged #Credential Theft, across news, security advisories, how-to guides, and projects.
SOCRadar uncovered FortiBleed — a large-scale credential-harvesting campaign targeting 11,250 FortiGate portals across 150+ countries, resulting in 110...
Japanese telecom giant KDDI Corporation disclosed a data breach affecting up to 14.22 million email accounts across six ISPs — including Nifty, Biglobe,...
Deep analysis of the FortiBleed operation reveals a sophisticated five-stage credential harvesting pipeline — custom Golang sniffers, Telegram-based...
The FortiBleed campaign's operators weaponize Fortinet's own built-in diagnostic command to run a custom Golang sniffer that intercepts 24 authentication...
A financially motivated Russian-speaking initial access broker behind the FortiBleed campaign has been systematically harvesting credentials from over...
A Russian IAB harvests 110M credentials from FortiGate firewalls; the Icarus group drains hundreds of Salesforce orgs via Klue OAuth tokens; a 29-year-old...
The large-scale FortiBleed campaign targeting Fortinet FortiGate devices deployed custom packet sniffers to harvest authentication secrets from...
A supply chain attack dubbed easy-day-js has compromised 144 npm packages in the @mastra/* namespace by hijacking a contributor account for the popular...
IronWorm, a self-propagating supply chain worm written in Rust, is targeting npm developers to steal credentials and reuse them to spread across the...
Attackers increasingly favor stolen credentials over exploits, and infostealers have become the primary access broker feeding ransomware and cybercrime...
The Miasma credential-stealing worm framework was briefly open-sourced on GitHub before removal, potentially enabling copycat attacks against open-source...
The 2026 Verizon DBIR confirms phishing, shadow AI, malicious extensions, and credential theft now execute inside the browser, exposing major security gaps.
Tech giant Toshiba and mega-retailer Muji have warned visitors that suspicious sign-in screens appearing on their websites could be harvesting credentials — a…
A new Mini Shai-Hulud supply chain campaign codenamed Miasma has compromised Red Hat's @redhat-cloud-services npm packages, deploying a self-propagating…
CISA adds CVE-2026-48027 to KEV after a malicious Nx Console VS Code extension was found harvesting credentials from disk and memory via obfuscation.
Italian authorities have dismantled the CINEMAGOAL piracy ecosystem after the app was found to have been stealing authentication codes from streaming...
Multiple PHP packages belonging to the Laravel-Lang organization have been poisoned in a software supply chain attack, delivering a cross-platform...
Ukrainian cyberpolice, working with US law enforcement, identified an 18-year-old from Odesa suspected of running an infostealer malware operation that...
Threat actors have compromised the widely-used actions-cool/issues-helper GitHub Action, redirecting every existing tag to a malicious imposter commit...
A Flare threat intelligence analysis breaks down the REMUS infostealer — a rapidly evolving credential theft tool built around stolen browser sessions and...
Hundreds of npm packages in the TanStack open source ecosystem have been infected by a fresh wave of Mini Shai-Hulud worm activity from TeamPCP — the same...
A newly discovered Linux implant called Quasar Linux RAT (QLNX) is silently targeting software developers to harvest credentials, log keystrokes, and...
The TeamPCP threat group's Mini Shai-Hulud supply chain campaign compromised SAP-related npm packages along with PyTorch Lightning and Intercom client...
A new supply chain attack campaign dubbed BufferZoneCorp has been observed using sleeper packages in RubyGems and Go module registries to push...
Threat actors compromised the popular Python PyPI package 'Lightning' — used for PyTorch model training — pushing malicious versions 2.6.2 and onward to...
Security researchers have uncovered a coordinated supply chain attack campaign dubbed 'mini Shai-H' targeting SAP-related npm packages, injecting...
Vercel has confirmed a security breach in which limited customer credentials were exposed after an employee's workstation was compromised through malware...
Stolen credentials remain the dominant initial access vector in 2026 — no zero-days, no malware, just valid logins that blend in with normal activity...
Following law enforcement disruption of the Tycoon 2FA platform, threat actors are reusing its tools and techniques across a wave of new phishing kits,...
Credential-based attacks now dominate the threat landscape, and traditional detection models are failing. Here are the fundamental shifts cybersecurity...
An authorization flaw in Juju's Controller facade allows any authenticated low-privilege user to call the CloudSpec API and extract the cloud provider...
Bitcoin Depot, one of North America's largest Bitcoin ATM operators, has filed an SEC disclosure revealing a cyberattack in which threat actors gained...
An international law enforcement operation has dismantled FrostArmada, an APT28 campaign that hijacked DNS on compromised MikroTik and TP-Link routers to...
Threat actors are running a large-scale, automated campaign exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js applications to steal...
Device code phishing attacks abusing the OAuth 2.0 Device Authorization Grant flow have exploded 37-fold in 2026 as ready-made phishing kits proliferate...
Improper certificate validation in Amazon Athena ODBC driver versions prior to 2.1.0.0 allows man-in-the-middle attackers to intercept authentication...
Threat actors are capitalising on the Claude Code source code leak by creating fake GitHub repositories that impersonate the leaked source to deliver...
A large-scale credential harvesting campaign has been observed exploiting the React2Shell vulnerability (CVE-2025-55182) as an initial infection vector,...
A new report reveals how industrialized credential theft has become the common thread connecting ransomware campaigns, SaaS platform breaches, and...
GitLab has patched a high-severity vulnerability in its Jira Connect integration affecting CE/EE versions from 14.3 through 18.10 that allowed an...
The TeamPCP threat actor — behind previous supply chain attacks on Trivy, KICS, and litellm — has now compromised the telnyx Python package on PyPI,...
Russian law enforcement has arrested the alleged administrator of LeakBase — a credential marketplace operating since 2021 with 142,000 members and...
The GlassWorm self-propagating worm campaign has compromised 72 Open VSX extensions using invisible Unicode Private Use Area characters and a Solana...
Security researchers have published details of two newly patched critical vulnerabilities in n8n — CVE-2026-27577 (CVSS 9.4), an expression sandbox escape...
A Russian-linked phishing operation dubbed Diesel Vortex has stolen over 1,649 credentials from major freight and logistics companies across the US and...