Cybersecurity News: Torg Grabber targets crypto, TeamPCP backdoors LiteLLM, GitHub AI bug detection

In today’s cybersecurity news…

Torg Grabber targets crypto wallets

A new infostealer called Torg Grabber targets more than 850 browser extensions, including 728 cryptocurrency wallets, along with password managers and 2FA tools. Researchers at Gen Digital say it spreads through ClickFix attacks that trick users into running malicious PowerShell commands themselves. Hundreds of new samples have appeared, its C2 infrastructure changes weekly, and the malware now exfiltrates stolen credentials, cookies, crypto wallet data, and files over HTTPS fronted by Cloudflare. It relies on evasion techniques such as in-memory execution, encryption bypasses, and anti-analysis protections. (BleepingComputer)

TeamPCP backdoors LiteLLM

Threat actor TeamPCP compromised two releases of the Python package LiteLLM via a tainted Trivy dependency, injecting malware that steals credentials, spreads across Kubernetes clusters, and installs persistent backdoors. Researchers at Endor Labs and JFrog say the payload executes automatically, harvesting SSH keys, cloud secrets, and crypto wallets before exfiltrating the data and planting backdoors on infected systems. Maintainer Berri AI and the Python Packaging Authority warn anyone who installed the affected releases to treat those environments as fully compromised and rotate all credentials. Researchers say the campaign may involve collaboration with LAPSUS$. (The Hacker News)

GitHub adds AI-powered security bug detection

GitHub is adding AI-powered scanning to its Code Security tools to expand vulnerability detection beyond CodeQL, covering Shell/Bash, Dockerfiles, Terraform, PHP, and other ecosystems. The hybrid model is entering public preview soon and flags issues like misconfigurations, weak cryptography, and insecure SQL at the pull request level, with Copilot Autofix suggesting remedies. Internal tests showed 170,000 findings over 30 days, 80% positive feedback, and Autofix cutting resolution time from 1.29 to 0.66 hours. (BleepingComputer)

LeakBase admin arrested over stolen credentials

Russian authorities arrested the alleged administrator of the LeakBase cybercrime forum, a resident of Taganrog, for running a marketplace that traded stolen personal and corporate data since 2021. The platform hosted hundreds of millions of credentials, financial information, and documents, with more than 147,000 registered users. Law enforcement seized equipment and preserved forum data for evidence. U.S. authorities called LeakBase one of the world’s largest hubs for buying and selling stolen data and cybercrime tools. (The Hacker News)

Huge thanks to our sponsor, ThreatLocker

Detection-based security assumes you’ll catch an attack in time. Control-based security assumes you won’t. That mindset shift is driving more organizations to focus on preventative controls — stopping unknown execution and unauthorized privilege elevation instead of relying solely on alerts after the fact. Learn more at ThreatLocker.com

Ransomware disrupts Spanish fishing port

A ransomware attack hit Spain’s Port of Vigo, disrupting the digital systems that manage cargo operations and forcing staff to revert to manual processes. The attack, detected Tuesday, locked servers and left a ransom demand. Authorities isolated the affected networks. Physical port operations continue, but digital logistics remain offline pending security verification. No group has claimed responsibility, and an investigation is ongoing. (The Record)

Bubble AI app builder phishes for Microsoft 365

Kaspersky researchers report that threat actors are abusing Bubble to host phishing apps that steal Microsoft 365 credentials while evading detection. Because the apps are served from trusted *.bubble.io domains, email security tools often fail to flag them, and victims are redirected to fake Microsoft login pages. The AI-generated apps reportedly use complex JavaScript and Shadow DOM structures that are difficult for both humans and automated tools to analyze, helping conceal the malicious behavior. (BleepingComputer)

Puerto Rico agency cancels driver’s license appointments

Puerto Rico’s Department of Transportation canceled all driver’s license and vehicle service appointments after a cyberattack forced officials to shut down systems to contain the incident. The Puerto Rico Innovation and Technology Service said the attack was detected Monday, response protocols were activated, and there’s no evidence of data theft so far. Services remain offline while systems are tested and restored, marking the latest in a series of cyber incidents affecting the territory’s government agencies. (The Record)

Citrix urges admins to patch NetScaler flaws

Citrix patched two vulnerabilities affecting NetScaler ADC and Gateway devices, including a critical flaw that could let attackers steal session tokens through a memory overread, similar to past “CitrixBleed” exploits. A second bug, a race condition, could allow session mix-ups. Citrix is urging immediate patching, and more than 30,000 exposed NetScaler instances are being tracked. Because the flaw closely mirrors previously exploited zero-days, researchers warn attackers will likely reverse engineer the fixes, making prompt remediation critical. As with earlier CitrixBleed incidents, patching does not invalidate session tokens that were already stolen, so terminating active sessions after updating is a prudent step. (BleepingComputer)