Threats Tagged 'netsec'
View all threats tagged with 'netsec'. Filter and sort to focus on specific types of threats.

Volume Booster (2M Chrome users) silently activated a commerce-tracking SDK with zero permission prompts
The Volume Booster Chrome extension, with approximately 2 million weekly users, silently activated a commerce-tracking SDK (Give Freely) between versions 1.0.2 and 1.0.4 without triggering Chrome's permission re-consent prompt. The extension had previously been granted broad host permissions that were dormant until the SDK was activated. This SDK collects device identifiers, geolocation data, and telemetry continuously, regardless of user interaction with the extension's visible UI. The Chrome Web Store listing's privacy declaration does not disclose these data flows, creating a discrepancy between declared and actual behavior.
Reddit NetSec | 06/21/2026, 20:58:27 UTC | Added: 06/21/2026, 23:09:03 UTC

Worth a MalExt Report? A 2 Million-User Chrome Extension Added Give Freely/Wildlink in a 5-Day Update
A popular Chrome extension with over 2 million users introduced a new component related to Give Freely/Wildlink in a rapid update cycle. This addition enables merchant detection, affiliate attribution, and donation campaigns without requesting new permissions, meaning users received the update automatically. The Give Freely/Wildlink infrastructure appears in multiple unrelated extensions, suggesting it is a white-label monetization or fundraising SDK. There is no evidence of malware, credential theft, or overtly malicious behavior at this time. The main concern is potential transparency and privacy implications due to expanded functionality without explicit user consent.
Reddit NetSec | 06/17/2026, 20:10:41 UTC | Added: 06/17/2026, 20:49:54 UTC

Hackers for Granny: A Call to Arms Against Industrialized Fraud
This report highlights organized fraud syndicates operating from Myanmar, Cambodia, and Laos that target elderly victims by exploiting loneliness and cognitive decline. The criminals use legitimate remote access tools, real-time deepfakes, voice cloning, and psychological manipulation to perpetrate their schemes. The source maps the attack kill chain and proposes a defensive tool called Granny Kate to help protect elderly users. The call to action invites security researchers and developers to contribute to improving this defense. No specific software vulnerability or exploit details are provided.
Reddit NetSec | 06/16/2026, 14:33:40 UTC | Added: 06/16/2026, 14:45:03 UTC

Researcher accidentally gained access to a threat actor-controlled phishing website
A security researcher accidentally gained access to a phishing website controlled by a threat actor. The incident revealed operational mistakes by the threat actor, including exposure of backend panels and infrastructure details. This access provides valuable insight into phishing infrastructure and potential pivot points for threat intelligence investigations. The event was shared on Reddit's r/netsec community with a link to a detailed write-up. No specific software versions or patches are involved. The severity is assessed as medium based on the nature of the exposure and potential intelligence value.
Reddit NetSec | 06/14/2026, 06:50:30 UTC | Added: 06/14/2026, 06:54:15 UTC

PromptSnatcher: AdBlocker stealing Ai Chats - 90k installs
PromptSnatcher is a malicious data collection operation involving two Chrome browser extensions masquerading as ad blockers with approximately 90,000 combined installs. These extensions intercept full conversation histories, model usage, and subscription tier information from eight major AI platforms, including ChatGPT, Claude, Gemini, and others. The exfiltrated data is sent to operator-controlled servers without clear user notification beyond a vague "Enhanced Protection" consent. The extensions dynamically update their parsing logic from remote command-and-control servers, enabling ongoing targeting without extension updates. Firefox variants falsely declare no data collection permissions while performing equivalent data interception. The operation uses distinct infrastructure for each extension and employs sophisticated API hooking to capture and transmit sensitive AI chat data.
Reddit NetSec | 06/13/2026, 22:11:13 UTC | Added: 06/13/2026, 22:39:16 UTC

Pre-auth XXE → HTTP SSRF on ArubaOS 8.13.2 closed as "theoretical / no valid PoC" despite TCP pcap, sshd localhost log, and internal port scan — documenting for community review
A pre-authentication XML External Entity (XXE) vulnerability leading to HTTP Server-Side Request Forgery (SSRF) was reported on ArubaOS 8.13.2, specifically on port 32000's default XML API which requires no authentication. The report includes evidence such as TCP packet captures, SSH localhost logs, and internal port scans via SSRF. Despite this evidence, the issue was closed by the vendor as theoretical with no valid proof of concept. The vulnerability details and proof of concept are publicly documented on GitHub for community review.
Reddit NetSec | 06/10/2026, 18:54:54 UTC | Added: 06/10/2026, 19:00:48 UTC

GhostTrace – a Windows forensic scanner that finds what "Uninstall" leaves behind (22 modules, read-only, offline)
GhostTrace is a Windows forensic scanner tool designed to detect remnants left behind after software uninstallation. It operates offline and read-only, scanning 22 forensic modules including registry keys, prefetch entries, scheduled tasks, WMI subscriptions, and more. The tool aims to provide forensic evidence of persistence, execution, user activity, and installed software traces without modifying the system or generating network traffic. It is intended for investigative use rather than automatic threat verdicts.
Reddit NetSec | 06/10/2026, 06:53:29 UTC | Added: 06/10/2026, 06:55:33 UTC

X.com silently injects session-bound tracking tokens into your clipboard on every copy — security tools correctly flag this as malicious injection
X.com injects session-bound tracking tokens into the clipboard content whenever a user copies text or links from the site. This injection includes appending tracking parameters to URLs and embedding hidden HTML elements with encoded tracking data. Security tools flag this behavior as malicious injection due to the clipboard manipulation resembling techniques used by malware. There is no opt-out or disclosure from X.com, and the bug bounty program has been dissolved.
Reddit NetSec | 06/09/2026, 13:19:28 UTC | Added: 06/09/2026, 13:25:33 UTC

I found 23 Chrome extensions hijacking 758,000 users' searches for affiliate revenue
SearchJack is a campaign involving 23 deceptive Chrome extensions that hijack users' default search engines, silently routing approximately 758,000 users' search queries through operator-controlled affiliate monetization networks. These extensions present various advertised functionalities but primarily serve to generate affiliate revenue without user consent. The campaign involves at least 8 distinct monetization brokers and 22 publishers, many of which anonymize their identities. The extensions often use manifest-only wrappers or runtime obfuscation to evade detection. This activity constitutes a significant privacy violation and poses a security risk as operators could inject malicious content into search results without updating the extension code.
Reddit NetSec | 06/09/2026, 09:50:47 UTC | Added: 06/09/2026, 09:55:32 UTC

Four coordinated npm supply chain campaigns active in May–June 2026 — TTPs, IOCs, and detection notes
Four coordinated npm supply chain campaigns were active during May and June 2026, targeting the npm ecosystem with various sophisticated techniques including dependency confusion, namespace compromise, scope confusion, and typosquatting. These campaigns employ multi-stage postinstall execution chains that fetch and run platform-specific payloads, aiming to steal environment variables, CI/CD secrets, cloud metadata service tokens, and other sensitive credentials. The campaigns affect multiple platforms (Windows, macOS, Linux) and cloud environments (GCP, Azure). Detection relies on identifying version sentinels, cloud metadata endpoint access patterns, and characteristic postinstall behaviors. An open-source scanner with detection capabilities for these campaigns is available for community use.
Reddit NetSec | 06/02/2026, 19:08:29 UTC | Added: 06/02/2026, 19:18:25 UTC