Hacker News with Generative AI: Malware

Data breach exposes 184M passwords, likely captured by malware (zdnet.com)
Yet another data breach has exposed passwords and other sensitive information – but this one is a whopper.
Destructive malware available in NPM repo went unnoticed for 2 years (arstechnica.com)
Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face.
Suspected InfoStealer Malware Data Breach Exposed 184M Logins/Passwords (websiteplanet.com)
Cybersecurity researcher Jeremiah Fowler discovered, and reported to Website Planet, a non-password-protected database that contained 184 million login and password credentials.
Hackers Weaponize KeePass Password Manager (gbhackers.com)
Threat actors have successfully exploited the widely-used open-source password manager, KeePass, to spread malware and facilitate large-scale password theft.
Xray: A full-behavior-chain anti-malware system built in Go by a student (ycombinator.com)
Malware hidden inside NPM with invisible Unicode and Google Calendar invites [video] (youtube.com)
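One check a reviewer can run against a package before installing it is a scan for code points that render as nothing (or as a blank glyph) yet are valid inside JavaScript identifiers and string literals. The scanner below is an added example written for this page, not code from the talk or from any npm package it discusses; the set of character classes it flags (Unicode format characters, private-use code points, variation selectors and the Hangul fillers) is the editor's own choice and is broader than any single campaign's encoding. The sample inputs are constructed.

```javascript
// Added example: find invisible or blank-rendering Unicode in JavaScript source.
// The character classes below are an editor's assumption about what is worth
// flagging, not the encoding used by any specific malicious package.
const SUSPICIOUS = /[\p{Cf}\p{Co}\u3164\uFFA0\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu;
//  \p{Cf}        format chars: ZWSP, ZWJ, bidi overrides, U+FEFF, tag chars U+E0000..U+E007F
//  \p{Co}        private-use area (renders as nothing or tofu depending on font)
//  U+3164/U+FFA0 Hangul fillers: category Lo, so legal in identifiers, yet draw as blank
//  variation selectors: legal after any character, invisible on their own

function scanSource(text) {
  // A byte-order mark as the very first code unit is benign; anywhere else it is \p{Cf}.
  const body = text.startsWith('\uFEFF') ? text.slice(1) : text;
  const findings = [];
  body.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(SUSPICIOUS)) {
      const cp = m[0].codePointAt(0);
      findings.push({
        line: i + 1,
        col: m.index + 1, // UTF-16 offset, matches what most editors show
        codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'),
      });
    }
  });
  return findings;
}

function formatReport(findings) {
  if (findings.length === 0) return 'no invisible code points found';
  return findings.map(f => `${f.line}:${f.col} ${f.codePoint}`).join('\n');
}

// Constructed samples: legitimate non-ASCII text must not be flagged,
// zero-width characters inside a string and a Hangul filler used as an
// identifier must be.
const SAMPLE_CLEAN = 'const greeting = "café";\n// résumé parser\n';
const SAMPLE_HIDDEN = 'const x = 1;\nconst key = "abc\u200Bdef\u200D";\nrun(\u3164);\n';

console.log(formatReport(scanSource(SAMPLE_CLEAN)));
console.log(formatReport(scanSource(SAMPLE_HIDDEN)));
```

Run it over every file in a freshly downloaded tarball (`npm pack` gives you the archive without executing install scripts), not only over what the repository shows, since the published artifact is what actually runs. Legitimate hits do occur (a soft hyphen in a comment, an emoji sequence in a test fixture), so treat the output as a review queue rather than a verdict.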
Procolored printer drivers contained malware (neowin.net)
If you own a Procolored inkjet printer, particularly one of the UV models, you might want to check your system for malware, especially if you downloaded the companion software within the past six months: Procolored was recently found to be distributing malicious software.
Backdooring the IDE: Malicious NPM Packages Hijack Cursor Editor on macOS (socket.dev)
Malicious npm packages posing as developer tools target macOS Cursor IDE users, stealing credentials and modifying files to gain persistent backdoor access.
DOGE engineer's credentials found in past public leaks from info-stealer malware (arstechnica.com)
Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.
DOGE's Kyle Schutt's computer infected by malware, credentials found in stealer logs (micahflee.com)
Kyle Schutt is a 37-year-old "DOGE software engineer," according to ProPublica. In February, Drop Site News reported that he gained access to FEMA's "core financial management system." His computer was apparently compromised with malware, because his email address and passwords have shown up in four separate stealer log datasets, all of them published since late 2023.
Linux wiper malware hidden in malicious Go modules on GitHub (bleepingcomputer.com)
A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub.
E-commerce sites hacked in supply-chain attack (arstechnica.com)
Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday.
Wget to Wipeout: Malicious Go Modules Fetch Destructive Payload (socket.dev)
A single line of obfuscated Go code wiped entire disks clean. Could your project be next?
Exposing Darcula: behind the scenes of a global Phishing-as-a-Service operation (mnemonic.io)
NPM targeted by malware campaign mimicking familiar library names (socket.dev)
Developers looking for familiar packages from other programming languages are increasingly falling victim to malicious attacks.
Malicious Go modules that completely wipe out your disk (neowin.net)
It's a new month, and the research team at Socket has identified malicious Go modules containing code capable of entirely wiping your computer's hard drive. Yes, totally gone.
Mac app launches slowed by malware scan (2024) (lapcatsoftware.com)
I've always attributed slow Xcode launches to Xcode simply sucking, but I've noticed that the FileMerge app frequently launches slowly too.
Using Trusted Protocols Against You: Gmail as a C2 Mechanism (socket.dev)
Socket’s Threat Research Team uncovered malicious Python packages designed to create a tunnel via Gmail.
I Found Malware in a BeamNG Mod (lemonyte.com)
Last week, I fired up BeamNG.drive hoping to enjoy a ride around Belasco City. But, just after I launched the game, I noticed an odd notification from my antivirus software.
Exiled Uyghur leaders targeted with Windows spyware (citizenlab.ca)
In March 2025, senior members of the World Uyghur Congress (WUC) living in exile were targeted with a spearphishing campaign aimed at delivering Windows-based malware capable of conducting remote surveillance against its targets.
Bulletproof hosting provider Proton66 steps up malware campaigns (scworld.com)
The Russian bulletproof hosting provider Proton66 was observed conducting malware campaigns that compromised WordPress sites and then leveraged them to target Android devices.
Chinese snoops use stealth RAT to backdoor US orgs – still active last week (theregister.com)
A cyberspy crew or individual with ties to China's Ministry of State Security has infected global organizations with a remote access trojan (RAT) that's "even better" than Cobalt Strike, using this stealthy backdoor to enable its espionage and access resale campaigns.
Malicious VSCode extensions infect Windows with cryptominers (bleepingcomputer.com)
A set of ten VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer for Monero.
Malicious VSCode extensions infect Windows with cryptominers (bleepingcomputer.com)
Nine VSCode extensions on Microsoft's Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Monero.
Sneaky Android spyware needs a password to uninstall (techcrunch.com)
Consumer-grade phone surveillance apps aren’t only intended to stay stealthy; some of these apps are also making it increasingly difficult to remove them.
Exploiting exposed Portainer agent and using new SSH persistence (exatrack.com)
During an incident response for one of our clients, we stumbled upon a server compromised by the now relatively well-documented perfctl malware.
Malware found on NPM infecting local package with reverse shell (reversinglabs.com)
For the first time, RL researchers discover malicious locally-installed npm packages infecting other legitimate packages.
FBI warnings are true–fake file converters do push malware (bleepingcomputer.com)
The FBI is warning that fake online document converters are being used to steal people's information and, in worst-case scenarios, to deploy ransomware on victims' devices.
Show HN: MCP is unsafe. It's time to talk about MCP malware (github.com/ShaojieJiang)
Function tool usage makes AI Agents very powerful, which is akin to introducing app stores to smartphones.
Mac is detecting Docker as a malware and keeping it from starting (github.com/docker)
Malware Blocked. “com.docker.socket” was not opened because it contains malware. This action did not harm your Mac.