Built an automated npm package scanner that uses heuristic scoring + LLM analysis to flag malicious packages in real time. Ran it for 24 hours against ~2000 recent npm registry changes and found 21 malicious packages across 11 campaigns.
Four novel attack vectors documented:
LLM API MITM (T1557): makecoder@2.0.72 overwrites ~/.claude/ via postinstall, reconfigures Claude Code client to proxy all API calls through attacker server. Application-layer MITM on AI assistant conversations.
Encrypted skill distribution (T1027, T1105): skillvault@0.1.14 fetches encrypted payloads from private API, decrypts locally, installs as persistent Claude Code skills. Server-side swappable without npm update.
AI agent as RAT (T1219, T1036.005): keystonewm/tsunami-code ship functional coding assistant CLIs routing all interactions through attacker's ngrok tunnel. Exploits AI tool trust model where users grant full filesystem access voluntarily.
Redis CONFIG SET + raw disk read via postinstall (T1190, T1006): 6 fake Strapi plugins use Redis to write shell payloads to 7 directories, dd if=/dev/sda1 to extract credentials bypassing file permissions, Docker overlay traversal for container escape.
All IOCs, decoded payloads, and MITRE mappings on the site. None of the 21 packages were flagged by any public scanner at time of discovery.
My write up around a research project I've been doing in my spare time around investigating the security of AWS CodeConnections. This post covers the techniques I used to hook a CodeBuild job to monitor the requests the CodeBuild bootstrapping makes before user code is run. Using this information I then also show the endpoints I found that can be used to retrieve the raw GitHub App token or BitBucket JWT App token CodeConnections uses which tends to be very privileged in a lot of environments, granting far more access than to just the single repository where the CodeBuild job is being run.
CVE-2026-33579 is actively exploitable and hits hard.
What happened: The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover, no secondary exploit needed. CVSS 8.6 HIGH.
Why this matters right now:
Patch dropped March 29, NVD listing March 31. Two-day window for the vulns to spread before anyone saw it on NVD
135k+ OpenClaw instances are publicly exposed
63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
The attack is trivial:
Connect to an unauthenticated OpenClaw instance β get pairing access (no credentials needed)
Register a fake device asking for operator.admin scope
Approve your own request with /pair approve [request-id]
System grants admin because it never checks if you are authorized to grant admin
You now control the entire instance β all data, all connected services, all credentials
Takes maybe 30 seconds once you know the gap exists.
What you need to do:
Check your version: openclaw --version. If it's anything before 2026.3.28, stop what you're doing
A tax system breach in Oklahoma is puttingΒ highly sensitiveΒ personal information at risk. And unfortunately, this is exactly the kind of situation scammers love to exploit.Β
HackersΒ reportedlyΒ accessedΒ W-2 and 1099 files through Oklahomaβs online tax portal, according to state officials, exposing the kind of information that can open the door to tax fraud, identity theft, and highly targeted phishing attempts.Β
Before the follow-upΒ scamsΒ start rolling in, this is the kind of moment where layered protection matters.Β McAfee+ AdvancedΒ includes identity monitoring and dataΒ cleansupΒ thatΒ can help alert you if your personal information starts circulatingΒ where itΒ shouldnβt, and Scam Detector can flag suspicious messages if scammers try to use this breach as a hook.Β
What Happened in OklahomaΒ
According toΒ a statement byΒ the Oklahoma Tax CommissionΒ andΒ reported by KOCO News 5, a local ABC affiliate, suspicious activity inside the stateβs Oklahoma Taxpayer Access Point system was identified in December 2025. The agency says impacted individuals have been notified directly by mail, and complimentary credit monitoring and fraud assistance are being offered.Β
When W-2s, 1099s, Social Security numbers, and tax-related records are exposed, scammers can use that information to:Β
File fraudulent tax returns Β
Try to open new accounts Β
Build phishing emails or texts that feel unusually real Β
Either way, the goal is the same: useΒ real informationΒ to make the nextΒ scamΒ more believable.Β
Red Flags of a Scam After a Breach Like ThisΒ
The breach itself is real. But what often follows is a second wave ofΒ scamsΒ pretending to help.Β
Watch For:Β
Emails or texts about your βtax accountβ that create urgency Β
Messages asking you to verify personal information Β
Fake alerts about refunds, filings, or suspicious activity Β
Links telling you to log in and βsecureβ your account Β
ThatβsΒ where people can get hit twice: once by the breach, and again by theΒ scamΒ that follows it.Β
WhatΒ To Do IfΒ YouβreΒ ImpactedΒ
First,Β donβtΒ panic. Then:Β
Take advantage of any free credit monitoring or fraud assistance being offeredΒ Β
Monitor your bank accounts, tax records, and credit reports closely Β
Consider placing a fraud alert or credit freeze if needed Β
Be extra careful with any message referencing taxes, refunds, or account accessΒ
Go directly to official sites instead of clicking links in emails or texts Β
And that, my friends, isΒ scamΒ number one in this weekβsΒ This Week in Scams.Β
LetβsΒ get into what else is on our radar.Β
The FBI Impersonation Scam Showing Up Across the U.S.Β
Scammers pretending to be federal agents are making the rounds across the country, and this one is built to make people panic fast.Β
Field offices, including ChicagoΒ andΒ Houston,Β are warning the public about fraudsters posing as FBI agents in calls, texts, and emails. In some cases, the scammers claimΒ youβreΒ connected to an investigation. In others, they sayΒ youβreΒ a victim of fraud and need to actΒ immediatelyΒ to protect yourself.Β
Sometimes they do not stop there. They may also pretend to be bank employees working alongside the FBI, all to make the story feel more convincing and get access to your money or personal information.Β
The FBI has shared images of these suspects pretending to be agents. If you are contacted by these officials, report it to the FBI.
Why This Scam Works
ThisΒ scamΒ plays on the same pressure tacticsΒ weβveΒ seenΒ over and over again: authority, urgency, and confusion.Β
If someone claims to be a federal agent, many people freeze up and assume they need to cooperateΒ immediately.Β ThatβsΒ exactly what scammers are counting on.Β
The FBI has been clear about this: federal law enforcement will not ask you for money or sensitive personal information over the phone, by text, or by email.Β
The Red Flags in This Message
Unsolicited outreach from someone claiming to be federal law enforcement Β
Pressure to act immediately Β
Requests for money, gift cards, prepaid cards, or personal information Β
Instructions to keep the conversation secret Β
Stories involving a bank βworking withβ the FBI Β
If it feels dramatic, high-pressure, and just a little off, trust that instinct.Β
What To Do if You Get One Of These Messages
Do not respond Β
Do not send money or share personal information Β
Contact the agency directly using publicly listed contact information Β
Save the message for your records Β
Report it to the FBI: 1-800-CALL-FBI (225-5324), or online atΒ tips.fbi.gov.
This is also exactly the kind of messageΒ McAfeeβs Scam DetectorΒ is built to flag before you get pulled in.Β
How McAfee Helps You Stay Ahead of Scams and BreachesΒ
McAfee+ AdvancedΒ givesΒ youΒ multiple layers working together so you are not left figuring it out after the damage is done:Β
Identity MonitoringΒ alerts you if your personal info shows up where it should not, so you can act fast
Personal Data CleanupΒ helps remove your information from data broker sites, making you harder to target in the first place
Scam DetectorΒ flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe BrowsingΒ helps block risky sites if you do click
Secure VPNΒ keeps your data private, especially on public Wi-FiΒ Β
This kind of layered protection is critical in cases like ghost studentΒ scams, where the first sign of fraud often comes after financial damage has already happened.Β
Safety tips to carry into next weekΒ
Be extra cautious after any real breach makes headlines Β
Do not trust unsolicited messages just because they reference real institutions Β
Never send money to someone claiming to be law enforcement Β
Go directly to official websites instead of clicking links Β
Use tools that flag suspicious messages in real time so you do not have to guessΒ
The reality is,Β scamsΒ are getting better at looking official.Β
You should not have to be an expert to spot them.Β ThatβsΒ why McAfee is here to help. Weβre Safer Together.
WeβllΒ be back next week with moreΒ scamsΒ making headlines.Β
Rob J., 31, an internal auditor in California, thought he was doing everything right this tax season. He filed his return as usual, even early, and expected a state refund just short of $400.Β
Instead, he got a letter saying the state had taken it.Β
The notice from the California Franchise Tax Board said his refund had been intercepted to pay a debt owed to a local community college.Β
There was just one problem: Rob had never attended that school.Β
βHow could the state be taking my tax refund to pay a debt to a community college Iβve never attended?β he told us at McAfee. βI immediately knew something was wrong.βΒ
βI started researching and came across the term βghostΒ student,βΒ andΒ thatβsΒ when it clicked. Someone had used my identity toΒ enrollΒ in a college like they were me.βΒ
How McAfee+ Advanced Helps Protect YouΒ fromΒ Identity TheftΒ Β
ScamsΒ like this do not start with a suspicious text or email. They start with your data being exposed somewhere you cannot see.Β
That is why protectionΒ has toΒ go beyond one moment and cover the full lifecycle of identity theft.Β
McAfee+ AdvancedΒ givesΒ youΒ multiple layers working together so you are not left figuring it out after the damage is done:Β
Identity MonitoringΒ alerts you if your personal info shows up where it should not, so you can act fast
Personal Data CleanupΒ helps remove your information from data broker sites, making you harder to target in the first place
Scam DetectorΒ flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe BrowsingΒ helps block risky sites if you do click
Secure VPNΒ keeps your data private, especially on public Wi-FiΒ Β
This kind of layered protection is critical in cases like ghost studentΒ scams, where the first sign of fraud often comes after financial damage has already happened.Β
What IsΒ aΒ Ghost Student Scam?Β
A ghost studentΒ scamΒ is a form of identity theft whereΒ someone uses your stolen personal information, often your Social Security number, toΒ enrollΒ in a college or university under your name.Β
The scammer is not trying to attend school. They are trying to use your identity to access financial aid, create accounts, or generate funds tied to a real person.Β
In many cases, the victim has no idea anything happened until the consequences show up later, such as a tax refund being taken, a debt appearing, or a loan being opened in their name.Β
That is exactly what happened to Rob.Β
βI started researching and came across the term βghost student,β and thatβs when it clicked,β he said. βSomeone had used my identity toΒ enrollΒ in a college like they were me.βΒ Β
How Ghost Student Scams HappenΒ
TheseΒ scamsΒ typically follow a predictable pattern, even if the victim does not see it happening in real time:Β
StageΒ
What happensΒ
Why it mattersΒ
Data exposureΒ
Your personal information is leaked in a data breach or collected from data broker sitesΒ
Scammers get the core details they need to impersonate youΒ
Identity misuseΒ
Your information is used to apply to colleges or financial aid programsΒ
TheΒ scamΒ is tied to your real identity, not a fake oneΒ
EnrollmentΒ activityΒ
Fake students mayΒ enrollΒ just long enough to access funds or create accountsΒ
This helps scammers avoid early detectionΒ
Financial impactΒ
Debts, balances, or aid obligations are created in your nameΒ
You become financially responsible on paperΒ
DiscoveryΒ
You find out later through a notice, refund interception, or account alertΒ
By this point, damage has already been doneΒ
In Robβs case, the starting point was a data breach the year before. His Social Security number had been exposed, but he had not frozen his credit.Β
Someone used that information toΒ enrollΒ at Pasadena City College. When the balance went unpaid, the state redirected his tax refund to cover it.Β
βDespite BeingΒ theΒ Victim, IβmΒ TryingΒ toΒ Prove My IdentityβΒ
Once Rob realized what happened, he moved quickly. He froze his credit, set up identity monitoring, filed a police report, and began working with the college to prove he was not the student.Β
He says the process has been slow and frustrating.Β
βIβveΒ spent hours on the phone trying to fix thisβ¦Β IβmΒ exhausted,β he said.Β βDespite being theΒ victimΒ I am the one dealing with the consequences and trying to prove my identity to the same institution that let a fake me register.βΒ Β
When he contacted campus police, he learned something else: βthis has been happening to other people too.βΒ
Why Ghost Student Scams Are IncreasingΒ
Ghost studentΒ scamsΒ are part of a broader shift in how identity theft works.Β
Instead of quick-hit fraud like a stolen credit card, scammers are using real identities to create more complex, longer-term opportunities for financial gain.Β
In higher education, that can include:Β
Enrolling fake students using stolen identitiesΒ Β
Accessing financial aidΒ Β
Holding seats in classes long enough to collect fundsΒ Β
This trend has already affected thousands of suspected cases across education systems and continues to grow as scammers scale their tacticsΒ Β
What to Do If Your Identity Is Used in a Ghost Student ScamΒ
If something like this happens, speed matters:Β
Freeze your credit with all three bureausΒ Β
Check your FAFSA and student loan recordsΒ Β
Contact the school and dispute theΒ enrollmentΒ Β
File a police reportΒ Β
Set up identity monitoring and alertsΒ Β
Remove your personal information from data broker sitesΒ Β
These steps helpΒ containΒ the damage, but they are reactive. The goal is to catch exposure earlier.Β McAfee+ Advanced can help you with freezing your credit, ongoing identity monitoring, and data removal from the dark web.Β
How Robβs Story Ends: βIβm Waiting for the Other Shoe to DropβΒ
Rob has confirmed there are no federal loans in his name, but the situation is not fully resolved.Β
βI still feel like Iβm waiting for the other shoe to drop,β he said.Β Β
That uncertainty is part of what makes identity theft so difficult. You are often reacting to something that started months or even years earlier.Β Rob said he currently has an outstanding police report and isΒ in the process of gettingΒ his refund reclaimed.Β Β
How to Stay Ahead of Identity Theft Like ThisΒ
Ghost studentΒ scamsΒ work because theyΒ operateΒ quietly, using real data in systems most people are not actively watching.Β That is where ongoing protection matters.Β
Alerting you earlyΒ when your personal data appears on the dark web or in risky environmentsΒ Β
Reducing your exposureΒ by removing your data from broker sites that scammers rely onΒ Β
BlockingΒ scamΒ entry pointsΒ across texts, emails, links, and deepfakesΒ Β
Protecting your devices and connectionsΒ so attackers have fewer ways inΒ Β
Because the goal is not just to respond to identity theft, itβs to catch the signals early enough that someone cannot become a βstudentβ in your name in the first place.Β
The Quizlet flashcards, which WIRED found through basic Google searches, seem to include sensitive information about gate security at Customs and Border Protection locations.
A massive data breach (allegedly) has occurred at Adobe. Carried out by a threat actor calling themselves "Mr. Raccoon", the claims are that over 13M support ticket details have been leaked along with details of over 15,000 employees. Additionally, they have access to their microsoft SharePoint instance and also to make matters worse, Adobe's HackerOne account. Adobe is yet to comment on this matter.
I've written a scanner for XPI browser extension files which analyzes a browser extension for malicious content. It will print everything that is suspicious or could be used for something malicious so that you will know if and where you can begin with your malware analysis. Example output of a Firefox malware extension (which is live on firefox extensions store)
I have written the above script, and I ran it against 15~ random extensions from the store with less than 10K downloads, and it didn't take me more than 10 minutes to find the malware extension above.
I've also completely reverse engineered the extension to find out exactly what it does, and written an article about it where I walk you through the code and exploitation process steb-by-step, showing all the techniques used to hide from the verification processes in the extension store, breaking out of the sandbox and stealing credentials with a full Command and control server controlling it.
The malware code is very sophisticated. The payload never touches the DOM. It never appears in network DevTools as a suspicious request. It is stored in extension localStorage where casual inspection won't find it. But my scanner will catch it.
Techniques used:
Steganographic Payload in PNG Icon
Unicode Low-Byte Encoding Trick
Decoded Payload: The C2 String Table
72-Hour Sleeper with Random Sampling
C2 Beacon via Another PNG File
Dynamic `declarativeNetRequest` Rule Injection
Affiliate Commission Hijacking
Content Script Privilege Escalation Bridge
Arbitrary URL Redirect on Any Domain
CSP Erasure
Full deep dive analysis with code examples in link above. The extension discussed is live as of today.
ββ CRITICAL ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ [CRITICAL] [PNG_APPENDED] icon/logo.png: 1902 bytes appended after PNG IEND (entropy=5.63) β classic stego carrier CODE: b'ncige\x1f\xe3\xbd\xa9\x18\xe3\xa1\x84\xe1\xa1\xa1\x18\xe3\xa1\xb9\x1f\xe3\xbd\xb3\x1c\xe3\xb0\xba\x1b\xe5\xac\xa0\r\n\β¦ ββ HIGH ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ [HIGH ] [CLASS_STORAGE_OVERLAP] js/content.js: String literal '7yfuf2' appears both as a JS string in this file and as an HTML class attribute in index.html β likely used as a covert stego marker or out-of-band key CODE: class='7yfuf2' in index.html [HIGH ] [CLASS_STORAGE_OVERLAP] js/content.js: String literal 'ncige' appears both as a JS string in this file and as an HTML class attribute in index.html β likely used as a covert stego marker or out-of-band key CODE: class='ncige' in index.html [HIGH ] [JS_OBFUSCATION] js/content.js:380 atob() β decoding base64 at runtime (possible payload decode) CODE: '); fileTip = atob(contentPool[screenValues]).replace(image Context: if (contentPool && contentPool[screenValues]) { var image$1 = new RegExp(pageArr.buffer$1[37], 'g'); fileTip = atob(contentPool[screenValues]).replace(image$1, ''); dataExt = JSON.parse(fileTip); screenValues = dataExt.map [HIGH ] [JS_OBFUSCATION] js/content.js:719 atob() β decoding base64 at runtime (possible payload decode) CODE: return dataExt ? atob(atob(this)) : btoa(this).replace(/=/g, " Context: function reContentAll(dataExt) { return dataExt ? atob(atob(this)) : btoa(this).replace(/=/g, ""); };
Login
