#credential-theft
29 articles
Over the past month, ZCyberNews has tracked 35 articles on credential theft, with AccountDumpling, APT41, and Bluekit among the top threat actors observed. The coverage spans from April 12 to May 12, 2026, and highlights vulnerabilities including CVE-2021-47928 (CVSS 8.2), CVE-2025-29927, CVE-2025-48703, CVE-2025-55182, and CVE-2025-9501. Affected sectors include technology, software development, cloud services, financial services, and social media, with impacts reported globally across Europe, North America, Bangladesh, and South Asia. The severity mix comprises 27 high, 6 critical, 1 medium, and 1 informational reports.
HIGH: Škoda Discloses Customer Data Breach After Online Shop Hack
Škoda Auto disclosed a data breach after attackers exploited a vulnerability in its e-commerce portal, stealing customer names, addresses, and password hashes.
HIGH: Opencart TMD Vendor System 3.x SQLi Lets Attackers Dump User
CVE-2021-47928 (CVSS 8.2): Unauthenticated blind SQL injection in Opencart TMD Vendor System 3.x lets attackers extract usernames, emails, and password reset codes from the...
HIGH: GitHub Enterprise Server Flaw Lets Attackers Steal Admin Credentials
CVE-2026-8106: Reflected HTML injection in GitHub Enterprise Server Management Console login page enables credential theft via crafted redirect_to parameter.
HIGH: Quasar Linux RAT Targets Developers for Supply Chain Attacks
A new Linux implant codenamed QLNX steals developer credentials, keystrokes, and clipboard data. Targets DevOps environments for software supply chain compromise.
HIGH: PCPJack Worm Steals Cloud Credentials, Wipes TeamPCP Infections
SentinelLabs uncovers PCPJack, a credential-stealing worm targeting Docker, Kubernetes, Redis, and MongoDB that actively removes rival TeamPCP access from compromised cloud...
HIGH: Poisoned Ruby Gems, Go Modules Hijack CI/CD Pipelines
BufferZoneCorp account published malicious Ruby gems and Go modules that steal credentials, tamper with GitHub Actions, and establish SSH persistence in CI pipelines.
HIGH: Vietnamese Phishers Hijack 30K Facebook Accounts via Google AppSheet
Guardio tracks AccountDumpling campaign using Google AppSheet as phishing relay to steal 30,000 Facebook accounts, resold via illicit storefront.
HIGH: CISA, FBI Warn of LummaC2 Infostealer Targeting Orgs
CISA and FBI joint advisory details LummaC2 infostealer TTPs and IOCs: malware steals credentials, crypto wallets, and session data from compromised networks.
HIGH: DEEP#DOOR Python Backdoor Steals Browser, Cloud Credentials
DEEP#DOOR Python backdoor uses tunneling service for C2, disables Windows security via batch script, and harvests browser cookies and cloud tokens from infected hosts.
CRITICAL: PyTorch Lightning Compromised in PyPI Supply Chain Attack
Threat actors pushed malicious PyTorch Lightning versions 2.6.2 and 2.6.3 to PyPI on April 30, 2026, stealing credentials via a typosquatted dependency — Aikido Security, Socket,…
HIGH: Bluekit Phishing Service Offers AI Assistant, 40 Templates
A new phishing-as-a-service platform called Bluekit provides over 40 templates targeting banks, social media, and email providers, plus an AI assistant for drafting lures.
HIGH: Fake Roblox Enhancements Steal Hundreds of Thousands of Accounts
Malwarebytes reports hackers used fake Roblox game enhancements to steal login credentials from hundreds of thousands of players, reselling accounts for profit.
CRITICAL: SAP npm Packages Hijacked in Credential-Stealing Supply Chain Attack
Attackers compromised multiple SAP-related npm packages to deploy credential-stealing malware, targeting SAP BTP and cloud app credentials. Campaign dubbed mini Shai-Hulud.
HIGH: Fast16 Malware Resurfaces in Supply Chain Attacks Abusing Trusted
Fast16 malware resurfaces in new supply chain attacks, abusing remote monitoring tools and browser extensions to steal credentials. Campaign targets enterprise environments.
HIGH: Mandiant: Fake Teams Help Desk Deploys Info-Stealing Malware
Mandiant details a social engineering campaign where attackers pose as Microsoft Teams help desk staff to trick victims into installing malware that steals credentials and session…
HIGH: CrystalX RAT Combines Spyware, Stealer, and Prankware in MaaS Offering
Kaspersky details CrystalX RAT, a MaaS malware with spyware, credential theft, and prankware features targeting Windows users globally since mid-2025.
CRITICAL: Checkmarx KICS Supply-Chain Breach Hits Docker, VS Code
Attackers compromised Checkmarx KICS Docker images and VS Code extensions to steal cloud credentials, API keys, and source code from developer environments.
CRITICAL: Bitwarden CLI npm Package Hijacked to Steal Developer Credentials
Attackers published a malicious @bitwarden/cli npm package that steals credentials and spreads to other projects.
HIGH: Windows Snipping Tool Vulnerability Leaks NTLM Hashes via Malicious Links
CVE-2026-33829 in Windows Snipping Tool allows attackers to steal NTLMv2 hashes via malicious links. A public PoC exploit targets the ms-screensketch protocol to enable credential relay attacks.
HIGH: SideWinder APT Deploys Fake Chrome PDF Viewer and Zimbra Clone to Steal
SideWinder APT targets South Asian government bodies with a phishing campaign using a fake Chrome PDF viewer and a cloned Zimbra login portal to steal webmail credentials, active since February 2026.
HIGH: Omnistealer Malware Harvests Passwords, Crypto Wallets via Blockchain C2
Omnistealer malware, detailed by Malwarebytes, steals credentials from 1Password, Bitwarden, NordPass, and Exodus crypto wallets, using the Solana blockchain for stealthy command-and-control communication.
HIGH: TeamPCP Supply Chain Attack Fuels Payroll Fraud and Ransomware
TeamPCP threat actors compromised trusted software tools to steal credentials from over 100 organizations, enabling $1.5M in payroll fraud, logistics theft, and ransomware extortion.
HIGH: Fake Data Breach Notifications Deploy Malware, Steal Credentials
Threat actors are weaponizing data breach notifications, sending fake alerts that trick users into downloading malware or entering credentials on phishing sites, according to ESET research.
HIGH: JanaWare Ransomware Campaign Targets Turkish Homes and SMBs for Six Years
A ransomware campaign dubbed 'JanaWare' has been targeting Turkish homes and small-to-medium businesses since at least 2018, deploying a custom variant of the Adwind RAT to steal credentials before encryption.
INFORMATIONAL: Zero Trust Architecture as a Critical Defense Against Credential-Based Attacks
Specops analysis details how an identity-first Zero Trust model counters the primary breach vector of stolen credentials by enforcing least privilege, device trust, and blocking lateral movement.
HIGH: FBI Dismantles W3LL Phishing Kit, a $500 Service Behind $20M in Fraud
The FBI and Indonesian authorities dismantled the W3LL phishing-as-a-service platform, a $500 kit used to steal credentials and linked to over $20 million in attempted fraud.
HIGH: APT41 Deploys Stealthy Backdoor to Harvest Cloud Credentials
China-linked threat actor APT41 is deploying a novel, low-detection backdoor against AWS, Google, Azure, and Alibaba Cloud to harvest credentials and establish persistence.
HIGH: VENOM PhaaS Platform Targets C-Suite Credentials in Sophisticated Campaign
A new phishing-as-a-service platform dubbed VENOM is being used to steal Microsoft credentials from senior executives via sophisticated, multi-stage email campaigns.
HIGH: Credential-Based Attacks Blur Line Between Breach and Normal Activity
Modern attackers are exploiting valid credentials and living-off-the-land techniques to make breaches indistinguishable from legitimate user activity, rendering traditional perimeter and anomaly detection ineffective.