Hacking List

DATE NAME Info CATEG. WEB

13.5.26 GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data Cybersecurity researchers are calling attention to a new campaign dubbed GemStuffer that has targeted the RubyGems repository with more than 150 gems that use the registry as a data exfiltration channel rather than for malware distribution. "The packages do not appear designed for mass developer compromise," Socket said. Hack The Hacker News
12.5.26 New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command- Hack The Hacker News
12.5.26 Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from Hack The Hacker News
12.5.26 TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Hack The Hacker News
9.5.26 Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call Hack The Hacker News
6.5.26 Google's Android Apps Get Public Verification to Stop Supply Chain Attacks Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks. "This new Hack The Hacker News
6.5.26 DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to Hack The Hacker News
3.5.26 Application Control Bypass for Data Exfiltration In case of a cyber incident, most organizations fear more of data loss (via exfiltration) than regular data encryption because they have a good backup policy in place. If exfiltration happened, it means a total loss of control of the stolen data with all the consequences (PII, CC numbers, …). Hack SANS
3.5.26 Popular WordPress redirect plugin hid dormant backdoor for years The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users' sites. Hack BleepingComputer
2.5.26 Trellix Confirms Source Code Breach With Unauthorized Repository Access Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said Hack The Hacker News
1.5.26 PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious Hack The Hacker News
30.4.26 SAP-Related npm Packages Compromised in Credential-Stealing Supply Chain Attack Cybersecurity researchers are sounding the alarm about a new supply chain attack campaign targeting SAP-related npm Packages with credential-stealing Hack The Hacker News
27.4.26 TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns This update succeeds TeamPCP Supply Chain Campaign Update 007, published April 8, 2026, which left the campaign in credential-monetization mode following the Cisco source code theft via Trivy-linked credentials, Google GTIG's formal designation of the operators as UNC6780 (with their credential stealer named SANDCLOCK), and the lapsed CISA KEV remediation deadline for CVE-2026-33634 with no standalone federal advisory. Hack SANS
26.4.26 New BlackFile extortion group linked to surge of vishing attacks A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026. Hack BleepingComputer
26.4.26 New npm supply-chain attack self-spreads to steal auth tokens A new supply chain attack targeting the Node Package Manager (npm) ecosystem is stealing developer credentials and attempting to spread through packages published from compromised accounts. Hack BleepingComputer
24.4.26 UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to Hack The Hacker News
23.4.26 Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign Bitwarden CLI has been compromised as part of the newly discovered and ongoing Checkmarx supply chain campaign, according to new findings from Hack The Hacker News
23.4.26 Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Cybersecurity researchers have warned of malicious images pushed to the official "checkmarx/kics" Docker Hub repository. In an alert published today, Hack The Hacker News
16.4.26 [Guest Diary] Compromised DVRs and Finding Them in the Wild Security cameras are great at monitoring physical doors, but terrible at locking their own digital ones. Across the internet, thousands Hack SANS
16.4.26 Scans for EncystPHP Webshell Last week, I wrote about attackers scanning for various webshells, hoping to find some that do not require authentication or others that use well-known credentials Hack SANS
12.4.26 Microsoft: Canadian employees targeted in payroll pirate attacks A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. Hack BleepingComputer
12.4.26 Smart Slider updates hijacked to push malicious WordPress, Joomla versions Hackers hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla, and pushed a malicious version with multiple backdoors. Hack BleepingComputer
12.4.26 Microsoft suspends dev accounts for high-profile open source projects Microsoft has suspended developer accounts used to maintain multiple high-profile open-source projects without proper notification and no way to quickly reinstate them, effectively blocking them from publishing new software builds and security patches for Windows users. Hack BleepingComputer
12.4.26 Hackers use pixel-large SVG trick to hide credit card stealer A massive campaign impacting nearly 100 online stores using the Magento e-commerce platform hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image Hack BleepingComputer
12.4.26 Google: New UNC6783 hackers steal corporate Zendesk support tickets A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. Hack BleepingComputer
12.4.26 Is a $30,000 GPU Good at Password Cracking? A $30,000 AI GPU doesn't outperform consumer GPUs at password cracking. Specops explains why attackers don't need exotic hardware to break weak passwords. Hack BleepingComputer
11.4.26 Obfuscated JavaScript or Nothing I spotted an interesting piece of JavaScript code that was delivered via a phishing email in a RAR archive. The file was called “cbmjlzan.JS” (SHA256:a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285) and is only identified as malicious by 15 AV’s on Hack SANS
11.4.26 Snowflake customers hit in data theft attacks after SaaS integrator breach Over a dozen companies have suffered data theft attacks after a SaaS integration provider was breached and authentication tokens stolen. Hack BleepingComputer
11.4.26 Authorities disrupt router DNS hijacks used to steal Microsoft 365 logins An international operation from law enforcement authorities in partnership with private companies has disrupted FrostArmada, an APT28 campaign hijacking local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials. Hack BleepingComputer
6.4.26 Medtech giant Stryker fully operational after data-wiping attack Stryker Corporation, one of the world's leading medical technology companies, says it's fully operational three weeks after many of its systems were wiped out in a cyberattack claimed by the Iranian-linked Handala hacktivist group. Hack BleepingComputer
4.4.26 Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, Hack The Hacker News
28.3.26 TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files TeamPCP, the threat actor behind the supply chain attack targeting Trivy, KICS, and litellm, has now compromised the telnyx Python package by pushing two Hack The Hacker News
26.3.26 TeamPCP deploys Iran-targeted wiper in Kubernetes attacks The TeamPCP hacking group is targeting Kubernetes clusters with a malicious script that wipes all machines when it detects systems configured for Iran. Hack BleepingComputer
26.3.26 Trivy supply-chain attack spreads to Docker, GitHub repos The TeamPCP hackers behind the Trivy supply-chain attack continued to target Aqua Security, pushing malicious Docker images and hijacking the company's GitHub organization to tamper with dozens of repositories. Hack BleepingComputer
21.3.26 Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages The threat actors behind the supply chain attack targeting the popular Trivy scanner are suspected to be conducting follow-on attacks that have led to the Hack The Hacker News
21.3.26 Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, was compromised a second time within the span of a month to deliver Hack The Hacker News
16.3.26 ClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers Three different ClickFix campaigns have been found to act as a delivery vector for the deployment of a macOS information stealer called MacSync. "Unlike Hack The Hacker News
15.3.26 New PhantomRaven NPM attack wave steals dev data via 88 packages New attack waves from the 'PhantomRaven' supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers. Hack BleepingComputer
9.3.26 Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to Hack The Hacker News
8.3.26 Fake Claude Code install guides push infostealers in InstallFix attacks Threat actors are employing a new variation of the ClickFix social engineering technique called InstallFix to convince users into running malicious commands under the pretext of installing legitimate command line interface (CLI) tools. Hack BleepingComputer
5.3.26 Fake Google Security site uses PWA app to steal credentials, MFA codes A phishing campaign is using a fake Google Account security page to deliver a web-based app capable of stealing one-time passcodes, harvesting cryptocurrency wallet addresses, and proxying attacker traffic through victims' browsers. Hack BleepingComputer
5.3.26 How Deepfakes and Injection Attacks Are Breaking Identity Verification Deepfakes and injection attacks are targeting identity verification moments, from onboarding to account recovery. Incode explains why enterprises must validate the full session—media, device integrity, and behavior—to stop synthetic and injected attacks in real time. Hack BleepingComputer
1.3.26 Medical device maker UFP Technologies warns of data stolen in cyberattack American manufacturer of medical devices, UFP Technologies, has disclosed that a cybersecurity incident has compromised its IT systems and data. Hack BleepingComputer
1.3.26 Fake Next.js job interview tests backdoor developer's devices The Microsoft Defender team has discovered a coordinated campaign targeting software developers through malicious repositories posing as legitimate Next.js projects and technical assessment materials, including recruiting coding tests. Hack BleepingComputer
28.2.26 ShinyHunters extortion gang claims Odido breach affecting millions The ShinyHunters extortion gang has claimed responsibility for breaching Dutch telecommunications provider Odido and stealing millions of user records from its compromised systems. Hack BleepingComputer
28.2.26 900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited Hack The Hacker News
21.2.26 Flaws in popular VSCode extensions expose developers to attacks Vulnerabilities with high to critical severity ratings affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely. Hack BleepingComputer
19.2.26 New ClickFix attack abuses nslookup to retrieve PowerShell payload via DNS Threat actors are now abusing DNS queries as part of ClickFix social engineering attacks to deliver malware, making this the first known use of DNS as a channel in these campaigns. Hack BleepingComputer
17.2.26 Study Uncovers 25 Password Recovery Attacks in Major Cloud Password Managers A new study has found that multiple cloud-based password managers, including Bitwarden, Dashlane, and LastPass, are susceptible to password Hack The Hacker News
16.2.26 Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running Hack The Hacker News
15.2.26 Microsoft: New Windows LNK spoofing issues aren't vulnerabilities Today, at Wild West Hackin' Fest, security researcher Wietze Beukema disclosed multiple vulnerabilities in Windows LNK shortcut files that allow attackers to deploy malicious payloads. Hack BleepingComputer
14.2.26 Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts The AgreeTo add-in for Outlook has been hijacked and turned into a phishing kit that stole more than 4,000 Microsoft account credentials. Hack BleepingComputer
13.2.26 Malicious 7-Zip site distributes installer laced with proxy tool A fake 7-Zip website is distributing a trojanized installer of the popular archiving tool that turns the user's computer into a residential proxy node. Hack BleepingComputer
12.2.26 New tool blocks imposter attacks disguised as safe commands A new open-source and cross-platform tool called Tirith can detect homoglyph attacks over command-line environments by analyzing URLs in typed commands and stopping their execution. Hack BleepingComputer
12.2.26 State actor targets 155 countries in 'Shadow Campaigns' espionage op A new state-aligned cyberespionage threat group tracked as TGR-STA-1030/UNC6619, has conducted a global-scale operation dubbed the "Shadow Campaigns," where it targeted government infrastructure in 155 countries. Hack BleepingComputer
12.2.26 First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials Cybersecurity researchers have discovered what they said is the first known malicious Microsoft Outlook add-in detected in the wild. Hack The Hacker News
8.2.26 EDR, Email, and SASE Miss This Entire Class of Browser Attacks Many modern attacks happen entirely inside the browser, leaving little evidence for traditional security tools. Keep Aware shows why EDR, email, and SASE miss browser-only attacks and how visibility changes prevention. Hack BleepingComputer
8.2.26 Italian university La Sapienza goes offline after cyberattack Rome's "La Sapienza" university has been targeted by a cyberattack that impacted its IT systems and caused widespread operational disruptions at the educational institute. Hack BleepingComputer
8.2.26 Romanian oil pipeline operator Conpet discloses cyberattack Conpet, Romania's national oil pipeline operator, has disclosed that a cyberattack disrupted its business systems and took down the company's website on Tuesday. Hack BleepingComputer
8.2.26 Hackers compromise NGINX servers to redirect user traffic A threat actor is compromising NGINX servers in a campaign that hijacks user traffic and reroutes it through the attacker's backend infrastructure. Hack BleepingComputer
8.2.26 The Double-Edged Sword of Non-Human Identities Leaked non-human identities like API keys and tokens are becoming a major breach driver in cloud environments. Flare shows how exposed machine credentials quietly grant attackers long-term access to enterprise systems. Hack BleepingComputer
8.2.26 EDR killer tool uses signed kernel driver from forensic software Hackers are abusing a legitimate but long-revoked EnCase kernel driver in an EDR killer that can detect 59 security tools in attempts to deactivate them. Hack BleepingComputer
8.2.26 Wave of Citrix NetScaler scans use thousands of residential proxies A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure over the past week used tens of thousands of residential proxies to discover login panels. Hack BleepingComputer
7.2.26 Exposed MongoDB instances still targeted in data extortion attacks A threat actor is targeting exposed MongoDB instances in automated data extortion attacks demanding low ransoms from owners to restore the data. Hack BleepingComputer
3.2.26 Over 6,000 SmarterMail servers exposed to automated hijacking attacks Nonprofit security organization Shadowserver has found over 6,000 SmarterMail servers exposed online and likely vulnerable to attacks exploiting a critical authentication bypass vulnerability. Hack BleepingComputer
3.2.26 Cloudflare misconfiguration behind recent BGP route leak Cloudflare has shared more details about a recent 25-minute Border Gateway Protocol (BGP) route leak affecting IPv6 traffic, which caused measurable congestion, packet loss, and approximately 12 Gbps of dropped traffic. Hack BleepingComputer
3.2.26 Nearly 800,000 Telnet servers exposed to remote attacks Internet security watchdog Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server. Hack BleepingComputer
3.2.26 Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies The defense mechanisms that NPM introduced after the 'Shai-Hulud' supply-chain attacks have weaknesses that allow threat actors to bypass them via Git dependencies. Hack BleepingComputer
3.2.26 Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users The maintainer of Notepad++ has revealed that state-sponsored attackers hijacked the utility's update mechanism to redirect update traffic to malicious Hack The Hacker News
28.1.26 ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services Cybersecurity researchers have disclosed details of a new campaign that combines ClickFix-style fake CAPTCHAs with a signed Microsoft Application Hack The Hacker News
27.1.26 China-Linked Hackers Have Used the PeckBirdy JavaScript C2 Framework Since 2023 Cybersecurity researchers have discovered a JScript-based command-and-control (C2) framework called PeckBirdy that has been put to use by China- Hack The Hacker News
25.1.26 ShinyHunters claim hacks of Okta, Microsoft SSO accounts for data theft The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion. Hack BleepingComputer
25.1.26 Fake ad blocker extension crashes the browser for ClickFix attacks A malvertising campaign is using a fake ad-blocking Chrome and Edge extension named NexShield that intentionally crashes the browser in preparation for ClickFix attacks. Hack BleepingComputer
22.1.26 LastPass Warns of Fake Maintenance Messages Targeting Users' Master Passwords LastPass is alerting users to a new active phishing campaign that's impersonating the password management service, which aims to trick users Hack The Hacker News
18.1.26 Credential-stealing Chrome extensions target enterprise HR platforms Malicious Chrome extensions on the Chrome Web Store masquerading as productivity and security tools for enterprise HR and ERP platforms were discovered stealing authentication credentials or blocking management pages used to respond to security incidents. Hack BleepingComputer
18.1.26 Malicious GhostPoster browser extensions found with 840,000 installs Another set of 17 malicious extensions linked to the GhostPoster campaign has been discovered in Chrome, Firefox, and Edge stores, where they accumulated a total of 840,000 installations. Hack BleepingComputer
18.1.26 Microsoft updates Windows DLL that triggered security alerts Microsoft has resolved a known issue that was causing security applications to flag a core Windows component, the company said in a service alert posted this week. Hack BleepingComputer
18.1.26 Reprompt attack hijacked Microsoft Copilot sessions for data theft Researchers identified an attack method dubbed "Reprompt" that could allow attackers to infiltrate a user's Microsoft Copilot session and issue commands to exfiltrate sensitive data. Hack BleepingComputer
17.1.26 Hidden Telegram proxy links can reveal your IP address in one click A single click on what may appear to be a Telegram username or harmless link is all it takes to expose your real IP address to attackers due to how proxy links are handled. Telegram says it will add warnings to proxy links after researchers demonstrated that such one-click interactions could reveal a Telegram user's real IP address. Hack BleepingComputer
17.1.26 Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts Cybersecurity researchers have discovered five new malicious Google Chrome web browser extensions that masquerade as human resources (HR) and enterprise resource planning Hack The Hacker News
16.1.26 AWS CodeBuild Misconfiguration Exposed GitHub Repos to Potential Supply Chain Attacks A critical misconfiguration in Amazon Web Services (AWS) CodeBuild could have allowed complete takeover of the cloud service provider's own GitHub repositories, including its AWS Hack The Hacker News
16.1.26 Researchers Reveal Reprompt Attack Allowing Single-Click Data Exfiltration From Microsoft Copilot Cybersecurity researchers have disclosed details of a new attack method dubbed Reprompt that could allow bad actors to exfiltrate sensitive data from artificial intelligence (AI) chatbots Hack The Hacker News
14.1.26 n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal Hack The Hacker News
9.1.26 FBI Warns North Korean Hackers Using Malicious QR Codes in Spear-Phishing The U.S. Federal Bureau of Investigation (FBI) on Thursday released an advisory warning of North Korean state-sponsored threat actors leveraging malicious QR codes in spear-phishing Hack The Hacker News
9.1.26 Jaguar Land Rover wholesale volumes down 43% after cyberattack Jaguar Land Rover (JLR) revealed this week that a September 2025 cyberattack led to a 43% decline in third-quarter wholesale volumes. Hack BleepingComputer
9.1.26 ClickFix attack uses fake Windows BSOD screens to push malware A new ClickFix social engineering campaign is targeting the hospitality sector in Europe, using fake Windows Blue Screen of Death (BSOD) screens to trick users into manually compiling and executing malware on their systems. Hack BleepingComputer
9.1.26 VSCode IDE forks expose users to "recommended extension" attacks Popular AI-powered integrated development environment solutions, such as Cursor, Windsurf, Google Antigravity, and Trae, recommend extensions that are non-existent in the OpenVSX registry, allowing threat actors to claim the namespace and upload malicious extensions. Hack BleepingComputer
7.1.26 VS Code Forks Recommend Missing Extensions, Creating Supply Chain Risk in Open VSX Popular artificial intelligence (AI)-powered Microsoft Visual Studio Code (VS Code) forks such as Cursor, Windsurf, Google Antigravity, and Trae have been found to recommend Hack The Hacker News
3.1.26 New ErrTraffic service enables ClickFix attacks via fake browser glitches A new cybercrime tool called ErrTraffic allows threat actors to automate ClickFix attacks by generating 'fake glitches' on compromised websites to lure users into downloading payloads or following malicious instructions Hack BleepingComputer