JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser…

JFrog researchers found eight malicious NPM packages using 70 layers of obfuscation to steal data from Chrome browser users on Windows. The attack highlights a growing threat to developers.

Cybersecurity researchers from JFrog Security Research have discovered eight malicious NPM packages. These packages are designed to attack Windows users on the Google Chrome browser and steal personal data.

These packages are a clear example of what is known as a supply chain attack, a growing risk in the software industry. This kind of attack happens when malicious code is secretly injected into a legitimate part of the software development process, like an open-source library, which is then used by many different developers. This allows the hackers to reach a huge number of people without directly hacking each one individually.

Packages uploaded to the npm repository containing the malicious code (JFrog)

According to JFrog’s blog post, attackers hid their malicious code in the packages using a series of advanced techniques, including what experts call “multi-layered obfuscation,” to hide their true purpose.

The malicious code was buried under a total of “70 layers of code obfuscation,” making it extremely difficult to detect. What’s more, the code automatically downloaded and installed a specific version of Python on a victim’s machine. It then used that to run a hidden script. All this, without any user input or approval.

The final goal of this attack cycle was to steal sensitive data from the Chrome browser, including passwords, credit card information, cryptocurrency funds, and user cookies. The attackers behind this were an NPM user named “ruer” and another named “npjun.”

****The Concern****

Open-source software repositories, as we know them, are becoming a prime target for attackers. Hackers are increasingly using tactics like typosquatting and masquerading, where they create packages with names similar to popular ones to trick developers into using them by mistake.

Nevertheless, JFrog researchers reported the incident, and all 8 malicious packages have been removed.

Guy Korolevski, a Security Researcher at JFrog and author of this report, shared his comment with Hackread.com, noting that the sophistication of these attacks shows why constant vigilance is necessary.

“The impact of sophisticated multi-layer campaigns designed to evade traditional security and steal sensitive data highlights the importance of having visibility across the entire software supply chain with rigorous automated scanning and a single source of truth for all software components,” he stated.

8 Malicious NPM Packages Stole Chrome User Data on Windows

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware…

A Facebook malvertising campaign is spreading the Brokewell spyware to Android users via fake TradingView ads. The malware steals crypto and personal data.

Cybersecurity researchers at Bitdefender Labs have discovered a new malicious ad campaign (malvertising) on Facebook that is actively spreading a notorious Android spyware against unsuspecting users.

The research, shared with _Hackread.com_, reveals that the campaign tricks victims into downloading Brokewell spyware, which has been operational since at least early 2024. In one previous case reported in April 2024, the Brokewell spyware was spotted spreading via Fake Chrome Updates.

****How the Ads Find Their Targets****

Researchers found that this malvertising campaign doesn’t just target a general group of users; it uses the Facebook ad network to specifically target Android users with tailored ads. In just one month, these ads have already been served to tens of thousands of users in the European Union alone, showing how eagerly cyber criminals have been attempting to spread this threat.

The campaign’s modus operandi involves attackers creating advertisements that look like they’re from the legitimate platforms. For example, one company specifically targeted in this malvertising is TradingView, a widely used online trading platform.

As shown in the screenshot below, scammers have used the company’s branding and visuals. These ads promise a high-value item, a free premium app, to trick users into clicking.

Malicious ads which spread BrokeWell malware – Source: Bitdefender Labs

****New Features****

According to researchers, once installed, the malware displays spyware and Remote Access Trojan (RAT) capabilities, suggesting that this is an advanced version of Brokewell.

The malware then requests permissions, often posing as fake update prompts, to gain total control. It can steal cryptocurrencies, bypass two-factor authentication, and even take over a user’s accounts.

It also allows the attackers to record screen activity, log keystrokes, and use the device’s camera and microphone. The malware can even intercept sensitive text messages, including banking and security codes.

All these capabilities show Android spyware is out of control, and as more people rely on smartphones for banking, crypto wallets, and other financial apps, a single compromised device can give hackers access to a person’s entire financial life. Researchers suggest the following security tips to stay protected from such campaigns:

*   Avoid clicking on ads on social media.

*   Check website URLs carefully for fakes.

*   Review app permissions before granting them.

*   Avoid installing apps from unofficial sources (sideloading).

*   Be cautious of ads, even on trusted platforms like Facebook.

Fake Facebook Ads Push Brokewell Spyware to Android Users

**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

139.0.3405.125

8/28/2025

139.0.7258.154/.155

CVE-2025-9478: Chromium: CVE-2025-9478 Use after free in ANGLE

Make sure your Chrome browser is updated to the latest version to stay protected.

Google has patched a critical graphics library vulnerability in the Chrome browser, discovered by its AI-powered detection tool, Google Big Sleep.

Google has released the Chrome Stable version 139.0.7258.154/.155 for Windows, macOS, and Linux, addressing a critical security vulnerability. Users are advised to update their browsers as the patch will roll out over the coming days.

The vulnerability known as CVE-2025-9478, a use-after-free issue in the ANGLE graphics library, was caught by Google’s own AI security tool, Big Sleep (aka Google Big Sleep). Rather than human researchers, this autonomous agent flagged the vulnerability on August 11, 2025 then human researchers at Google verified it before it was patched.

Use-after-free (UAF) (PDF) flaws occur when software references memory that has already been freed. This can lead to memory corruption or allow attackers to execute malicious code. In this case, a fake web page could trigger the vulnerability, compromising the security of a targeted device.

ANGLE is a core graphics component translating OpenGL ES calls to hardware APIs, which makes it a commonly used target in GPU‑accelerated contexts like WebGL or Canvas rendering.

The update improves memory handling in ANGLE and adds stronger safeguards to block similar flaws. Google plans to release Chrome 140 soon, but the current fix is already underway for most users.

Although the vulnerability was rated 9.8 on the CVSS scale, no signs of exploitation in the wild have been found yet, which makes this update especially timely.

****What is Google Big Sleep?****

Google’s “Big Sleep” is an AI-powered detection system created through collaboration between Google DeepMind and Project Zero. The tool is designed to automatically scan for previously unknown security vulnerabilities in widely used software, then report them for verification and patching. By combining automated analysis with human review, Big Sleep helps speed up the process of finding and fixing flaws before attackers can exploit them.

****Update Chrome Browser****

Make sure your Chrome browser is updated; either let it do so automatically or navigate to Help > About Chrome to trigger an immediate check. If you’re using another Chromium-based browser, Edge, Brave, Vivaldi, and others will likely follow with their own updates, as they use the same Chromium libraries

Google Big Sleep AI Tool Finds Critical Chrome Vulnerability

The Mustang Panda APT is hijacking Google Chrome browsers when they attempt to connect to new networks and redirecting them to phishing sites.

China Hijacks Captive Portals to Spy on Asian Diplomats

Plus: Google wants billions of Chrome users to install an emergency fix, Kristi Noem is on the move, and North Korean IT workers are everywhere.

“I’m looking over my shoulder driving home,” a doctor whose hospital was targeted by a subpoena told the Post.

****Kristi Noem Relocates to Military Housing After Doxxing****

Homeland Security secretary Kristi Noem has temporarily moved into secure military housing after the location of her Washington, DC, apartment was exposed online, triggering what DHS called “vicious doxxing” and a wave of death threats, the New York Post reports. A DHS official said the relocation was necessary for safety, though Noem continues to pay rent on her Navy Yard residence.

The move comes as Noem has pointed to what she describes as a sharp rise in violence against ICE agents, citing what it claims to be a nearly 1,000 percent uptick in assaults—figures ICE has not fully explained and that The Washington Post has questioned for lacking specificity. While DHS has not publicly detailed the sources of the alleged threats against her, Noem has framed them as part of a broader climate of hostility toward immigration enforcement.

****Nearly Every Fortune 500 Firm May Have Unknowingly Hired North Korean IT Workers****

North Korea has reportedly infiltrated the global IT job market by posing as remote employees at Fortune 500 companies, Axios reports. The operation—backed by groups like Jasper Sleet and Moonstone Sleet—uses stolen identities and AI-assisted applications to bypass hiring systems and conceal the workers’ true origins.

The scheme funnels salaries back to Pyongyang and raises serious cybersecurity concerns, from intellectual property theft to the risk of extortion if the workers are exposed. The Justice Department has announced charges against several individuals tied to the plot, while the FBI has conducted raids on “laptop farms” supporting it, ABC News reports. The Times of India, meanwhile, reported in June that Microsoft had suspended roughly 3,000 Outlook and Hotmail accounts allegedly connected to the scheme.

Earlier this month, WIRED reported on a related trove of leaked documents obtained by cybersecurity researcher SttyK and presented at the Black Hat security conference. The cache provides a rare look inside these North Korean IT worker operations, detailing their meticulous job tracking, internal quotas, and even glimpses of daily life under close regime surveillance.

****FBI Partners With Texas Universities on Cybersecurity and Infrastructure Research****

Texas Tech University has signed a research agreement with the FBI focused on defending key services against cyberattacks and other disruptions, the Midland Reporter-Telegram reports. The partnership will reportedly grant the bureau access to Tech’s Critical Infrastructure Security Institute, which studies vulnerabilities in the power grid, water systems, communications networks, and military facilities.

Angelo State University will also contribute access to its cybersecurity programs and Regional Security Operations Center, where students train while monitoring real-world networks in West Texas. University leaders and FBI officials said the deal is meant to turn academic research into practical tools and expand the pipeline of graduates prepared for defense and cybersecurity roles.

The push to expand research partnerships, however, contrasts with reporting in The New York Times this week that the FBI may be moving away from its traditional role as an intelligence agency, with plans to lower recruiting standards and focus more on street crime. Critics say that shift risks leaving the bureau with less capacity for complex, technical cases, even as it seeks outside expertise through agreements like the one with Texas Tech.

****Google Issues Emergency Chrome Security Update****

Google has pushed an urgent security update for its Chrome browser, urging users worldwide—estimated in the billions—to install the patch immediately, The Sun reports. The update addresses multiple vulnerabilities, including the high‑severity CVE‑2025‑8901 in Chrome’s ANGLE graphics engine, which could allow attackers to hijack devices merely by luring users to a malicious webpage.

Although there’s no evidence of any real‑world exploitation yet, Google emphasizes that the risk remains until the update is installed and the browser is restarted. The fixes are rolling out across all major platforms—Windows, macOS, Linux, Android, and iOS—and Google advises users to apply them promptly to stay protected.

US Government Seeks Medical Records of Trans Youth

A clickjack attack was revealed this summer that can steal the credentials from password managers that are integrated into web browsers.

Sometimes it can seem as though everything’s toxic online, and the latest good thing turned bad is here: Browser pop-ups that look like they’re trying to help or authenticate you could be programmed to steal data from your password manager. To make matters worse, most browser extension-based password managers are still vulnerable to the attack.

This issue affects password managers like 1Password, LastPass, NordPass, and Enpass. They’re online services that store all your access credentials in an encrypted vault, and they use browser extensions to automatically fill in those passwords on web forms when you need them. Because they use extensions, you have to install them separately in your browser.

These extension-based password managers are more secure than those built natively into your web browser in some ways. Browser-based password managers tend to encrypt information using your browser access credentials. Malicious infostealer software can steal the files and decrypt them easily when you’re already logged in.

Browser extension-based password managers store encrypted vaults in memory or in other locations on your computer. They auto-lock after activity and instead of using operating system-level encryption, they use a separate master password. But while they have their benefits, nothing’s ever completely safe.

**Clickjacking’s back**

At the DEFCON security conference this month, cybersecurity researcher Marek Tóth presented an attack that works on most browser extension-based password managers. It uses malicious code to manipulate the structure of the site in the browser, changing the way it looks and behaves.

Tóth, who was just demonstrating the attack to highlight the vulnerability, used this capability for a new version of an old attack called clickjacking. It persuades a victim to click on one thing on a web page but then uses that action to click something else.

Messing with the structure of the site enabled him to make certain things invisible. One of these is a drop-down selector that extension-based password managers use to select and fill in account login credentials.

He used this trick to put an invisible overlay on top of a seemingly legitimate clickable element on the screen. When the user clicks it, they’re actually clicking on the overlay—which is their password manager’s dropdown selector.

The result: the password manager gives up the victim’s secrets without their knowledge.

**Think twice about what you click**

What would a decoy popup look like? These days, thanks to regulations from the EU, web sites often throw up permission banners that ask you if you’re OK with them using cookies. Most of us just click ‘yes’, but no matter what you click, an attack like this could put you at risk. Or an attacker could use an authentication button, or a “This content is sensitive, click yes if you really want to see it” button. Or, given the recent push for age verification, an “Are you really 18?” button.

This attack can steal more than your login credentials. It can also pilfer other information stored in password managers, including credit card information, personal data like your name and phone number, passkeys (digital certificates which your computer can use instead of passwords), and time-based one-time passwords (TOTP). The latter are the login tokens your computer gets after you use authentication apps like Google Authenticator.

Tóth didn’t just release this out of the blue. He disclosed it to password manager companies ahead of time, but many addressed it only partly, and some not at all.

As of earlier this week, Dashlane, Keeper, NordPass, ProtonPass, and RoboForm had fixed the issue, according to Tóth. Bitwarden, Enpass, and Apple (which uses an iCloud password manager) were in the progress of fixing it. 1Password had classified it as ‘informative’ but hadn’t fixed it yet. LastPass had fixed the vulnerability for personal and credit card data, but hadn’t yet fixed the vulnerability for login credentials, passkeys, or TOTP data. LogMeOnce hadn’t replied at all.

**Protect yourself**

So, what can you do about this threat? Tóth provides the usual warnings about enabling automatic updates and ensuring you’re using the latest versions of the password manager products. The most secure protection is disabling the autofill feature that allows password managers to fill in web form fields without user intervention. Instead, you’d have to copy and paste your details manually.

Another more convenient option is to control autofill so that it only operates when you specifically click on the browser extension in your toolbar. On Chromium browsers like Edge and Google Chrome, that means going into your extension settings, selecting “site access,” and then selecting the “on click” option. Selecting this would stop malicious code stealing your credentials in the way Tóth describes.

And as always, think twice about what you’re clicking when you’re on any website, especially any less trustworthy ones.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Clickjack attack steals password managers&#8217; secrets 

**Why is this Chrome CVE included in the Security Update Guide?**

The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.

**How can I see the version of the browser?**

1.  In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window
2.  Click on **Help and Feedback**
3.  Click on **About Microsoft Edge**

CVE-2025-9132: Chromium: CVE-2025-9132 Out of bounds write in V8

Doctor Web warns of Android.Backdoor.916.origin, a fake antivirus app that spies on Russian users by stealing data, streaming…

Doctor Web warns of Android.Backdoor.916.origin, a fake antivirus app that spies on Russian users by stealing data, streaming audio and video.

Cybersecurity researchers at Doctor Web are warning about a new strain of Android malware called Android.Backdoor.916.origin. The malware has been operational since January 2025 and is capable of listening to conversations, stealing messages, streaming video, and logging keystrokes.

This is the second time in the last four months that researchers have spotted malware targeting Russian infrastructure. **In April 2022**, Doctor Web exposed a fake Alpine Quest mapping app that was spying on the Russian military.

****Fake Anti-Virus Android App with Fake Results****

Doctor Web’s team believes it is not a mass infection attempt aimed at everyday Android owners, but a tool created to target Russian business representatives. The distribution method backs this theory as attackers are pushing the malware through direct messages in messengers, disguising it as an anti-virus called GuardCB.

The fake app uses a disguise to trick victims. Its icon resembles the emblem of the Russian Central Bank placed on a shield, making it look trustworthy. Once installed, it runs what looks like an antivirus scan, complete with fake detection results that are randomly generated to appear convincing.

_“_This is confirmed by other detected modifications with names like “SECURITY\_FSB”, “ФСБ” (FSB), and others, which cybercriminals are trying to pass off as security-related programs that are supposedly related to Russian law enforcement agencies,_“_ noted Dr Web researchers in their **blog post**.

Once installed, the backdoor requests a list of permissions, from geolocation and audio recording to camera access and SMS data. It also demands device administrator rights and access to Android’s Accessibility Service, which lets it act like a keylogger and intercept content from popular apps, including the following:

*   Gmail
*   Telegram
*   WhatsApp
*   Yandex Browser
*   Google Chrome

Malware asking for permissions in the Russian language (Via Doctor Web)

****Livestreaming Audio and Broadcast Video****

Doctor Web researchers explain that the malware is designed for persistence. It launches its own background services, checks if they are running every minute, and restarts them if needed. It also communicates with multiple command-and-control servers, capable of switching between as many as 15 hosting providers if attackers want to keep the infrastructure alive.

The list of available commands, available in Doctor Web’s report, shows the extent of its spying capabilities. It can livestream audio from a microphone, broadcast video from the camera, steal text as users type it, and upload contacts, SMS, images, and call history. Additionally, it even has the ability to stream a device’s screen in real time.

****Exploiting Android’s Accessibility Service****

The malware also takes advantage of Android’s Accessibility Service as a way to protect itself. This feature is abused not only to steal keystrokes but also to block attempts to remove the malware if attackers issue such a command. That self-protection capability means even if victims realize their device is compromised, removal can be difficult without dedicated security software.

Doctor Web notes that while the malware is advanced, it is also highly localized. Its interface is available only in Russian, supporting the view that it was built with a specific group of targets in mind.

If you are an Android user in Russia, only download apps from trusted sources and avoid letting Android’s open-source nature become an open invitation for hackers.

Fake Antivirus App Spreads Android Malware to Spy on Russian Users

Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links and…

Morphisec warns of a new Noodlophile Stealer variant spread via fake copyright phishing emails, using Dropbox links and DLL side-loading to steal data.

A new, highly advanced cyber threat is on the rise, using fake copyright claims to trick businesses into downloading dangerous software. According to a new report from cybersecurity firm Morphisec, this malware is an upgraded version of the Noodlophile Stealer, which is now targeting companies in the US, Europe, Baltic countries, and the Asia-Pacific region.

Morphisec’s latest threat analysis, exclusively shared with Hackread.com, describes how the threat has evolved from its earlier method of using fake AI platforms to a more sophisticated approach. The diagram illustrates the step-by-step process of the attack, from the initial lure to the final data theft.

Attack Flow (Source: Morphisec)

Researchers found that this new attack uses highly personalized phishing emails disguised as official copyright infringement notices. The messages, which can be in multiple languages, are sent to key employees or the general company inboxes and often contain specific details about the company’s Facebook page, such as its unique ID.

This makes the emails appear genuine and creates a sense of urgency. The goal is to pressure a recipient into clicking a link to “view evidence” of the supposed violation, which is actually a download link for the malicious software.

One of the phishing emails disguising itself as a legal notice (Image via Morphisec)

****Delivery Method****

According to Morphisec’s blog post shared with Hackread.com, published ahead of publishing on Monday, 18, 2025, instead of fake websites, the malware is delivered via a Dropbox link that downloads a compressed archive like a ZIP file. This archive contains a legitimate application that has been tampered with to load a hidden malicious file, a technique known as DLL side-loading.

This method tricks trusted software (like PDF readers) into unknowingly running the malware. The final malicious code is disguised and uses the messaging app Telegram to evade detection by security tools.

****Stolen Data and Future Threat****

Once executed, the malware focuses on stealing a wide range of sensitive data from web browsers, including login credentials, credit card numbers, and autofill information. It also collects computer details like usernames and operating system versions.

Researchers note that the malware’s code contains placeholder functions, indicating that its creators plan to add more dangerous capabilities in the future, such as keylogging and capturing screenshots.

A key part of the process is bypassing security features in browsers like Chrome, allowing it to steal saved login data. The process of getting the final malware onto the computer is also heavily disguised, with files renamed to look like documents or images.

Considering the evolving nature of this threat, businesses must carefully monitor suspicious emails and inspect even those that appear to be from a trusted source to protect their valuable data.

Tag

#chrome