Passkeys were built to enable a password-free future. Here's what they are and how you can start using them.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links. Learn more.

Passwords suck. They're hard to remember, but worse is playing the ever-evolving game of cybersecurity whack-a-mole with your most important accounts. That’s where passkeys come into play. The so-called “war on passwords” has taken off over the past two years, with titans like Google, Microsoft, and Apple pushing for a password-less future that the FIDO Alliance (a consortium made to “help reduce the world’s over-reliance on passwords”) has been trying to realize for over a decade.

Like it or not, you’ll be prompted to create a passkey at some point, and you likely already have. That’s a good thing, as passkeys aren’t only much easier to use than a traditional password, they’re also a lot safer. Here's everything you need to know about using them.

_Updated September 2: We've added a few details on about restoring passkeys and mentioned non-biometric authentication options._

Passkeys offer a way of confirming you are who you say you are without remembering a long, complicated password, and in a manner that's resistant to common attacks on passwords like phishing and dictionary attacks.

“Passkeys are built to replace passwords and outdated forms of two-factor authentication entirely,” Andrew Shikiar, executive director and CEO of the FIDO Alliance, tells WIRED. They represent a rare step forward in cybersecurity; one that’s not only easier to use than previous methods but also safer.

Conceptually, passkeys can come in many forms, but you’ll most commonly interact with them on a device you own. For example, imagine you want to sign in to your Google Account on a new device. Instead of entering a password, a passkey allows you to log in to your account with a device you’ve already verified. You can use your phone as a passkey, which instantly grants access to your Google Account without ever entering a password. The best implementations of passkeys don’t even need a username.

Passkeys end up being safer and more convenient than passwords because they work in a fundamentally different way. Passwords are what you’d call a “shared secret” in the world of cybersecurity. You know the secret, and so does the service you’re signing in to. The problem is that you have to remember that secret, and you aren’t fully in control of it, as you have to share that secret with whatever service you’re using. A data breach and a little decryption time are all that's needed to end up with a compromised account, and you didn't even do anything wrong.

Passkeys use public-key cryptography. Instead of matching a shared secret, public-key cryptography works by matching a pair of keys—a public key that anyone can see, and a private key that only you have access to. It’s safer because only you have access to your private key, and it’s easier because that key is bound to some device you own and usually secured with biometrics.

In the event your device is lost or stolen, you can restore your passkeys using the account you created it with. For instance, Google allows you to store passkeys in the Google Password Manager and sync them across your devices. Windows and iCloud Keychain only work on their respective operating systems, but they're tied to your Microsoft and Apple accounts, respectively.

**Are Passkeys Safe?**

Passkeys are safe, even more so than a long, random password. When you sign in with a passkey, you send a handful of information to the service you’re signing into, including your public key, which is stored as a representation of you as a user. This information alone doesn’t do anything.

On the device where you created the passkey, you'll have to engage in a “challenge” to unlock your private key, usually some form of biometric authentication. If the challenge is successful, it’s signed and sent back to the service you’re trying to log into. That challenge is then checked against the public key, and if it’s a match, you’re given access. Critically, this authentication happens on your device, not on a server far away.

Although biometric authentication is how you'll typically interact with passkeys on a mobile device, it's not a requirement. On Windows, for example, you need to authenticate with Windows Hello, which can use your device's PIN. On Android, you can use a pin or pattern.

With a password, there’s a ton of room for an attacker to potentially steal your password. Data breaches might expose your password, and even if it’s encrypted, it can be cracked. Phishing schemes are an easy vector of attack for hackers looking to steal passwords. And, if you’re using a service with spotty security practices, you could have a password exposed as plaintext in a breach; there are dozens and dozens of examples of this happening before.

**Passkeys vs. 2FA and MFA**

Passkeys are tricky because they fly in the face of security conventions that have been around for years—namely, two-factor (2FA) or multifactor authentication (MFA). Although you don’t need to plug in a code from a text or copy something over from an authenticator app, passkeys inherently use multifactor authentication. It just happens so fast that it’s easy to miss.

MFA is about adding additional layers of protection beyond your password. Instead of just your password, you need it and a code texted to you, for example. Passkeys already work that way. You need to match the public-private key pair, but you also need to authenticate that you have access to that private key. It’s not “something you know and something you own,” as 2FA is normally described, but it’s still two layers of authentication.

Here's how Shikiar describes it: “When you sign in, the service issues a cryptographic challenge that can only be answered with the private key on your device, verified by something you have (like your phone or laptop) and often something you are (like a biometric). The result is a phishing-resistant login with no reusable credentials to steal.”

**Devices and Browsers That Support Passkeys**

Passkeys are broadly integrated at an operating system level. If you’re using an OS that doesn’t natively support passkeys—i.e., Linux—you can still use them. However, you’ll need to use another device, like your phone, to scan a QR code and authenticate yourself, or a third-party password manager.

Here are the operating systems that fully support passkeys:

*   Android 9 or newer
*   iOS 16 or newer
*   macOS 13 (Ventura) or newer
*   Windows 10/11 23H2 or newer

Each one of these operating systems supports passkeys for native apps, as well as in your browser. Chromium supports passkeys, which covers the vast majority of browsers available, including Brave, Opera, Vivaldi, and Google Chrome. The major non-Chromium browser, Mozilla Firefox, also supports passkeys on version 122 or newer.

**How to Create and Store Passkeys**

To use passkeys, you need to store them somewhere. The major operating systems that support passkeys already include a way to store them, but they aren’t created equally.

Windows 10 and Windows 11

You need to set up Windows Hello to use passkeys on Windows 10 or Windows 11. You might have set it up during installation, but if not, you can enable it in the **Settings** app by clicking **Accounts > Sign-in options**. Whenever you want to use a passkey, you’ll need to authenticate with Windows Hello, be it with your face, fingerprint, or PIN.

Windows 10 or 11, version 23H2 or later, will prompt you to use a passkey whenever you attempt to sign in to a supported service on a supported browser (or through a native Windows app). Unlike other operating systems, these passkeys aren’t synced across your devices. They only work on your Windows device.

Both macOS and iOS store passkeys on your iCloud Keychain, so you’ll need to turn your Keychain on if it’s not already enabled. You can turn it on in the **Settings** app by following **Apple ID > iCloud > Passwords and Keychain**. You’ll need to enable 2FA for your Apple ID to use iCloud Keychain.

Similar to Windows, you’ll be prompted to create a passkey whenever you create a new account with a service that supports passkeys. If you want to add a passkey to an already created account, you’ll have to do so through that application’s settings. Unlike Windows, these passkeys work across devices, assuming you have access to your iCloud Keychain.

In newer versions of macOS (version 15 and later), it’s much easier to create and manage passkeys through the dedicated Passwords app.

iOS follows the same principles as macOS when it comes to Passkeys. They’re stored in your iCloud Keychain and synced across your devices. In iOS 18 and newer, you can manage passkeys in the dedicated Passwords app, and in older versions, you can find them in your settings.

iOS via Jacob Roach

iOS via Jacob Roach

Android 9 and newer versions support passkeys, but in different forms. By default, passkeys in Android will use the Google Password Manager, which is tied to your Google Account and syncs across your devices. On Android 14 and newer, you can choose to store your passkeys elsewhere, such as in a third-party password manager.

Passkeys in a Password Manager

Chrome via Jacob Roach

If you want all your passkeys on all your devices, operating system be damned, you need a password manager. Most of the best password managers support passkeys, allowing you to store and sync them on nearly any device. I personally use 1Password, but services like NordPass, Bitwarden, and Dashlane also support passkeys. You can create and store passkeys with a password manager on Android and iOS.

Keep your logins locked down with our favorite password management apps for PC, Mac, Android, iPhone, and web browsers.

**Apps That Support Passkeys**

There are only a few places where you can store and sync passkeys, but plenty of services support passkeys for signing in. The usual suspects include Microsoft, Adobe, Amazon, Google, and Apple, but there are still many websites and apps that don’t support passkeys.

You can find a handful of directories that claim to hold a complete list of apps that support passkeys with a quick Google search. 1Password maintains one directory, as do a couple of B2B services, including a directory from Hanko and another from OwnID. These aren’t complete lists. Meta apps like Facebook and Instagram aren’t listed, for example, despite adding support for passkeys in June 2025.

The best directory I’ve come across is from a nonprofit called 2factorauth in Sweden. It’s hosted on GitHub, updated constantly, and critically, maintained by the community. It’s the most up-to-date I’ve found, and apps are even organized into categories so you can, for instance, pick a VPN service that supports passkeys.

**Passkeys Will (Eventually) Replace Passwords**

Passkeys were built to replace passwords, but we’re in the middle of a long, arduous transition to get there. It requires every app, device, and operating system to adopt a new standard of authentication and ditch a model we've been using for decades throughout our entire digital lives.

The inflection point is well underway, though. With major services adopting passkeys, it’s possible to use them across your most important accounts. If nothing else, it’s worth using passkeys on accounts that are connected to others, such as your Google or Facebook account if you use social sign-on features.

Despite offering clear security advantages, passkeys aren't a (excuse the pun) turnkey solution for better security. As Shikiar puts it, “Passkeys secure the front door, but organizations still need to harden the entire identity journey, ranging from onboarding and recovery to session management.”

**_Power up with unlimited access to_ WIRED_._** _Get best-in-class reporting and exclusive subscriber content that's too important to ignore. Subscribe Today._

What Is a Passkey? Here’s How to Set Up and Use Them (2025)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain

Vulnerability / Mobile Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity security flaw impacting TP-Link TL-WA855RE Wi-Fi Ranger Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, CVE-2020-24363 (CVSS score: 8.8), concerns a case of missing authentication that could be abused to obtain elevated access to the susceptible device.

"This vulnerability could allow an unauthenticated attacker (on the same network) to submit a TDDP\_RESET POST request for a factory reset and reboot," the agency said. "The attacker can then obtain incorrect access control by setting a new administrative password."

According to malwrforensics, the issue has been fixed with firmware version TL-WA855RE(EU)\_V5\_200731. However, it bears noting that the product has reached end-of-life (EoL) status, meaning it's unlikely to receive any patches or updates. Users of the Wi-Fi range extender are advised to replace their gear with a newer model that addresses the issue.

CISA has not shared any details on how the vulnerability is being exploited in the wild, by whom, or on the scale of such attacks.

Also added to the KEV catalog is a security flaw that WhatsApp disclosed last week (CVE-2025-55177, CVSS score: 5.4) as having been exploited as part of a highly-targeted spyware campaign by chaining it with an Apple iOS, iPadOS, and macOS vulnerability (CVE-2025-43300, CVSS score: 8.8).

Not much is known about who was targeted and which commercial spyware vendor is behind the attacks, but WhatsApp told The Hacker News that it sent in-app threat notifications to less than 200 users who may have been targeted as part of the campaign.

Federal Civilian Executive Branch (FCEB) agencies are advised to apply the necessary mitigations by September 23, 2025, for both the vulnerabilities to counter active threats.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation

WhatsApp has patched a vulnerability that was used in conjunction with an Apple vulnerability in zero-click attacks.

WhatsApp says it has issued an update to patch a vulnerability that has been used in conjunction with an Apple vulnerability to target specific users and compromise their devices.

Reportedly, attackers used this exploit against dozens of WhatsApp users, and WhatsApp has notified those affected:

> “Our investigation indicates that a malicious message may have been sent to you through WhatsApp and combined with other vulnerabilities in your device’s operating system to compromise your device and the data it contains, including messages.
> 
>   
> While we don’t know with certainty that your device has been compromised, we wanted to let you know out of an abundance of caution so you can take steps to secure your device and information.”

WhatsApp advised the affected users to perform a full factory reset of their phone in order to make sure they are rid of the malware.

> “We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or targeted in other ways.
> 
>   
> To best protect yourself, we recommend a full device factory reset. We also strongly urge you to keep your devices updated to the latest version of the operating system, and ensure that your WhatsApp app is up to date.”

According to the Amnesty International Security Lab, the vulnerability was part of a zero-click attack against both iPhone and Android users. A zero-click attack is a type of attack which allows the cybercriminals to break into devices or apps without the victim needing to click, tap, or respond to anything. Unlike classic scams that rely on tricking someone into clicking a sketchy link, zero-click threats can land on a device simply because an app receives a message or notification crafted to exploit a hidden flaw.

**Technical details**

The zero-click attack required two vulnerabilities.

For iOS and Mac users these vulnerabilities were tracked as CVE-2025-43300 and lie in the Image I/O framework, the part of macOS and iOS that an app needs to open or save a picture. The problem came from an out-of-bounds write. Apple stepped in and tightened the rules with better bounds checking, closing off the hole so attackers can no longer use it.

An out-of-bounds write vulnerability means that the attacker can manipulate parts of the device’s memory that should be out of their reach. Such a flaw in a program allows it to read or write outside the bounds the program sets, enabling attackers to manipulate other parts of the memory allocated to more critical functions. Attackers can write code to a part of the memory where the system executes it with permissions that the program and user should not have.

In this case, an attacker could construct an image to exploit the vulnerability.  Processing such a malicious image file would result in memory corruption. Attackers can exploit memory corruption flaws to crash important processes or execute their own code.

The second vulnerability, CVE-2025-55177 for WhatsApp users, is caused by incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

**What to do**

The infection chain described in the security advisories from Apple and WhatsApp relies on two components: an Apple vulnerability (CVE-2025-43300) in the Image I/O framework and a WhatsApp vulnerability (CVE-2025-55177) that allowed the hijacking of devices by synchronizing messages.

Attackers exploited the Apple ImageIO bug via malicious image files, which is dangerous because this core library is used by multiple apps (not just WhatsApp) for opening and previewing pictures. In affected WhatsApp versions for iOS and Mac, the sync message bug could trigger arbitrary URL processing, creating a powerful combo for chaining exploits and compromising devices without any user action.

While Android users were mentioned among potential targets in advanced spyware campaigns reported by Amnesty, the most severe zero-click risk described applies only to Apple devices. For Android, the WhatsApp vulnerability may have exposed users to attacks, but not via the same chained infection vectors. As always, updating WhatsApp and enabling advanced security features (like Google Advanced Protection on Android) is highly recommended. So is using security protection on your devices.

If you’ve received one of the notifications from WhatsApp, we’d advise you to follow the instructions.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp fixes vulnerability used in zero-click attacks 

Cybersecurity today is less about single attacks and more about chains of small weaknesses that connect into big risks. One overlooked update, one misused account, or one hidden tool in the wrong hands can be enough to open the door.
The news this week shows how attackers are mixing methods—combining stolen access, unpatched software, and clever tricks to move from small entry points to large

⚡ Weekly Recap: WhatsApp 0-Day, Docker Bug, Salesforce Breach, Fake CAPTCHAs, Spyware App & More

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The…

WhatsApp has patched a critical 0-day (CVE-2025-55177) that allowed zero-click spyware attacks on iOS and Mac users. The flaw was used to steal data. Update your app now to stay protected.

WhatsApp has revealed it has patched a serious security vulnerability in its apps for Apple devices that was used to secretly compromise the iPhones and Macs of “specific targeted users.”

The bug, identified as CVE-2025-55177, was discovered by WhatsApp’s internal security team. The company explained in its official advisory that the flaw was part of a sophisticated attack chain that linked two separate vulnerabilities. This is a zero-click attack method, which does not require a victim to click on a link, open a file, or take any other action for their device to be compromised.

The flaw itself was a case of “incomplete authorisation of linked device synchronisation messages,” the advisory explains. This allowed an unrelated user to force a target’s device to process content from a malicious web address.

When paired with a separate Apple flaw, CVE-2025-43300 (which Apple had already fixed), in how it handles images, this attack chain could be used to install a malicious program and steal data without any user interaction. It is worth noting that the flaw affects WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before version 2.25.21.78, and WhatsApp for Mac before version 2.25.21.78. WhatsApp confirmed it had sent notifications to “less than 200” users it believed had been affected.

According to a statement from the National Cybersecurity Agency (NCSA) in Qatar, the severity of this flaw lies in its mechanism for processing synchronisation messages between linked devices, which could allow a hacker to gain initial access to a victim’s device.

> #Meta, the owner of the famous chat app #WhatsApp, has announced the existence of a critical vulnerability in the app. The severity of this flaw lies in the mechanism for processing synchronization messages between linked devices, allowing an attacker to send a crafted… pic.twitter.com/dYIwdij0gP
> 
> — Qatar Tribune (@Qatar\_Tribune) August 30, 2025

Amnesty International’s Security Lab, led by Donncha Ó Cearbhaill, described the pair of bugs as an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May, and was capable of stealing data from a user’s device, including messages. In a post on X, Cearbhaill also shared necessary tips, advising people to update their devices or perform a factory reset.

(X.com)

While it’s not yet clear who is behind this latest attack, it is not the first time that WhatsApp users have been targeted by advanced spyware. In 2019, the messaging app sued the spyware maker NSO Group for a hacking campaign that compromised more than 1,400 users with its Pegasus spyware. A US court later ordered the company to pay WhatsApp $167 million in damages.

This new incident shows the ongoing threat of government spyware and malware. It also emphasises why users should always keep their apps and operating systems updated, as these updates often contain critical security patches to protect against such sophisticated attacks.

WhatsApp 0-Day Exploited in Attacks on Targeted iOS and macOS Users

WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.
The vulnerability, CVE-2025-55177 (CVSS score: 8.0), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the

WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw in targeted zero-day attacks.

The vulnerability, **CVE-2025-55177** (CVSS score: 8.0), relates to a case of insufficient authorization of linked device synchronization messages. Internal researchers on the WhatsApp Security Team have been credited with discovering and rerating the bug.

The Meta-owned company said the issue "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device."

The flaw affects the following versions -

*   WhatsApp for iOS prior to version 2.25.21.73
*   WhatsApp Business for iOS version 2.25.21.78, and
*   WhatsApp for Mac version 2.25.21.78

It also assessed that the shortcoming may have been chained with CVE-2025-43300, a vulnerability affecting iOS, iPadOS, and macOS, as part of a sophisticated attack against specific targeted users.

CVE-2025-43300 was disclosed by Apple last week as having been weaponized in an "extremely sophisticated attack against specific targeted individuals."

The vulnerability in question is an out-of-bounds write vulnerability in the ImageIO framework that could result in memory corruption when processing a malicious image.

Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, said WhatsApp has notified an unspecified number of individuals that they believe were targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177.

In the alert sent to the targeted individuals, WhatsApp has also recommended performing a full device factory reset and keeping their operating system and the WhatsApp app up-to-date for optimal protection. It's currently not known who, or which spyware vendor, is behind the attacks.

Ó Cearbhaill described the pair of vulnerabilities as a "zero-click" attack, meaning it does not require any user interaction, such as clicking a link, to compromise their device.

"Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them," Ó Cearbhaill said. "Government spyware continues to pose a threat to journalists and human rights defenders."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices

Miami, United States, 28th August 2025, CyberNewsWire

**Miami, United States, August 28th, 2025, CyberNewsWire**

Halo Security, a leading provider of external risk management solutions, today announced significant platform enhancements designed to give security teams greater flexibility and control within the platform. The new features include custom dashboards, configurable reports, and improved automation capabilities that give organizations better control over how they visualize and manage their exposure data.

> “No two organizations are the same, and different team members face different challenges,” said Lisa Dowling, CEO of Halo Security. “A vulnerability analyst needs different insights than a compliance manager, and a CISO requires different views than a security specialist. These updates give every team member the ability to create personalized dashboards and reports that make them more effective at protecting their organizations.”

**Key Platform Enhancements**

**Custom Dashboards with Drag-and-Drop Functionality**

Security professionals can now build personalized dashboards using more than a dozen customizable widgets, including risk score trends, critical findings tables, asset distribution charts, and compliance status monitors. The intuitive drag-and-drop interface allows users to create role-specific views while maintaining the ability to share dashboards across teams and apply global filtering across all custom views.

**Configurable Reports for Enhanced Asset Management**

The platform now features fully customizable data tables that allow users to select which columns display in their target lists, create multiple saved views for different scenarios, and resize columns to optimize their workflow. Pre-configured views include summary, scan schedule, tag management, and technical details options.

**Improved Auto-Tagging with Granular Control**

The Halo Security platform now provides more precise control over asset organization. Automations now offer three distinct tagging modes, allowing users to sync, add, or remove tags based on the defined rules. The improved automation system offers better performance and predictability to ensure consistent asset categorization.

**Industry Impact**

The cybersecurity industry continues to grapple with tool sprawl and workflow inefficiencies that can slow response times to critical security incidents. Security teams often struggle with managing multiple tools and platforms, creating challenges in data correlation and workflow management.

> “Security teams shouldn’t have to fight their tools to get the information they need,” said Nick Merritt, VP of Security at Halo Security. “These customization features let our customers organize their data the way they think about it and take control of how they interact with the security data we collect.”

**Availability**

The new customization features are immediately available to all Halo Security customers at no additional cost. Organizations using the platform can access custom dashboard creation through their existing accounts, with shared configurations automatically synchronized across team members.

New users interested in trying the Halo Security platform can sign up for a 7-day free trial at halosecurity.com.

**About Halo Security**

**Halo Security** is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. 

Users can learn more at **halosecurity.com**.

**Contact**

**VP of Marketing**  
**Nick Hemenway**  
**Halo Security**  
**\[email protected\]**

Halo Security Enhances Platform with Custom Dashboards and Reports

A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted…

A supply chain attack called “s1ngularity” on Nx versions 20.9.0-21.8.0 stole thousands of developer credentials. The attack targeted macOS and AI tools, according to GitGuardian’s analysis.

A sophisticated cyberattack, dubbed the “s1ngularity” attack, has compromised Nx, a popular build platform widely used by software developers. The attack, which began on August 26, 2025, is a supply chain attack, a type of security breach where hackers sneak malicious code into a widely used piece of software, which then infects all the people who use it.

The attack was designed to steal a wide variety of sensitive data, including GitHub tokens, npm authentication keys, and SSH private keys. These credentials are essentially digital keys that provide access to a user’s accounts and systems.

The malicious software also went a step further, targeting API keys for popular AI tools like Gemini, Claude, and Q, demonstrating a new focus on emerging technologies. In addition to stealing data, the attackers installed a destructive payload that modified users’ terminal startup files, causing their terminal sessions to crash.

GitGuardian’s analysis shared with Hackread.com revealed some surprising details about the attack and its victims. The firm found that 85% of the infected systems were running macOS, highlighting the attack’s particular impact on the developer community, which frequently uses Apple computers.

In a curious turn, GitGuardian found that of the hundreds of systems where AI tools were targeted, many of the AI clients unexpectedly resisted the malicious requests. They either outright refused to run the commands or gave responses suggesting they knew they were being asked to do something wrong, showing a potential, though unintentional, new layer of security.

The Attack Explained (Source: GitGuardian)

The stolen credentials were not only valuable but also widespread. GitGuardian’s monitoring platform, which tracks public GitHub activity, discovered 1,346 repositories used by the attackers to store stolen data.

To avoid detection, the attackers double-encoded the stolen data before uploading it. This number is far higher than the ten publicly visible repositories, as GitHub was quickly working to delete the rest.  An analysis of these repositories revealed 2,349 distinct secrets, with over 1,000 still valid and working at the time of the report. The most common secrets were for GitHub and popular AI platforms.

For anyone who used the malicious Nx versions 20.9.0 through 21.8.0, the most crucial step is to immediately assume that their credentials have been exposed. GitGuardian has created a free service called HasMySecretLeaked that allows developers to check for compromised credentials without ever revealing their actual keys.

This attack reminds us that simply deleting a compromised file is not enough; the actual secret keys and tokens must be revoked and rotated to prevent further access by the attackers.

Thousands of Developer Credentials Stolen in macOS “s1ngularity” Attack

ESET has identified PromptLock, the first AI-powered ransomware, using OpenAI models to generate scripts that target Windows, Linux…

ESET has identified PromptLock, the first AI-powered ransomware, using OpenAI models to generate scripts that target Windows, Linux and macOS.

It was only a matter of time before artificial intelligence became a building block for cybercriminals. This week, researchers at ESET revealed what they are calling the first known AI-powered ransomware, a prototype dubbed PromptLock, which uses an open-weight AI model from OpenAI to generate malicious code on the fly.

Rather than carrying a static payload, PromptLock calls on the gpt-oss:20b model through the Ollama API, enabling it to write and execute Lua scripts directly on a compromised system. These scripts can scan directories, inspect files, exfiltrate selected data, and encrypt the results, all without the need for prepackaged binaries. That flexibility gives attackers a level of adaptability not commonly seen in traditional ransomware.

The malware is written in Golang, making it cross-platform, and ESET has already spotted both Windows and Linux samples uploaded to VirusTotal. Because Lua is lightweight and portable, it allows PromptLock to reach further than its usual victims and run on systems often neglected by ransomware operators, including macOS and consumer Linux devices.

Interestingly, researchers noted that while PromptLock can exfiltrate and encrypt files, but its ability to destroy data has not yet been implemented. This, along with several rough edges in the code, suggests that it is a proof-of-concept or work-in-progress rather than a live campaign targeting organisations.

This screenshot shared by ESET shows a list of functions inside the PromptLock ransomware code. Each entry is essentially a function name that reveals what the malware can do.

ESET’s findings add to worries that AI-driven malware could make cyberattacks faster and larger-scale. Just as machine learning has already been used to create more convincing phishing lures and deepfake content, models can also be adapted to handle tasks such as reconnaissance, persistence, or data theft. PromptLock shows that ransomware authors are already experimenting with this approach.

Commenting on the discovery, Nathan Webb, principal consultant at Acumen Cyber, explained why this development should not be dismissed as a simple lab experiment: “This is possibly the first instance of an AI-powered piece of ransomware observed in the wild. Rather than come with a payload, the malware uses ChatGPT to write Lua scripts on the fly, which gives it information about the local system and allows it to view files, exfiltrate data, and ultimately encrypt the system.”

“The use of Lua here suggests that attackers are trying to make the ransomware platform-agnostic, so that they can target a wider range of systems and environments, especially those not traditionally targeted due to their low market share, like Apple devices, and consumer Linux devices,” Nathan pointed out.

Webb also pointed out that defending against such threats will require new thinking around script interpreters and OS-level tools. Security vendors will need to improve detection mechanisms that can separate legitimate scripts from malicious ones, using their own machine learning models to deobfuscate and analyse behaviour in real time.

First AI-Powered Ransomware PromptLock Targets Windows, Linux and macOS

The chairman sent letters out to companies like Apple, Meta, and Microsoft, advising them not to adhere to the demands of foreign governments to weaken their encryption.

Tag

#apple