Back to updates

Credential Theft - 1

2026 (7)

June (1)

security: Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign

Microsoft Security Blog

2026-06-03

Microsoft reports a large-scale npm supply chain attack affecting over 90 versions of @redhat-cloud-services packages. The malicious code targets CI/CD and developer systems to steal GitHub, cloud, and local credentials, and propagates by republishing trusted packages.

May (4)

security: From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence

Microsoft Security Blog

2026-05-22

Microsoft describes a multi-stage Linux intrusion that started from an exposed F5 BIG-IP appliance and then pivoted to an internal Confluence server to steal credentials and compromise identity. The attack involved attempted Kerberos relay and lateral movement, and Microsoft Defender detected and blocked parts of the chain.

security: Mini Shai Hulud: Compromised @antv npm packages enable CI/CD credential theft

Microsoft Security Blog

2026-05-20

Microsoft reports that compromised @antv npm packages were used to deploy the Mini Shai-Hulud payload, which runs during npm install and steals CI/CD secrets from Linux-based automation environments. The malware targets credentials from GitHub, AWS, Kubernetes, Vault, npm, and 1Password.

security: How Storm-2949 turned a compromised identity into a cloud-wide breach

Microsoft Security Blog

2026-05-18

Microsoft describes how Storm-2949 used stolen credentials to move from identity compromise to broad cloud data theft without malware. The incident highlights abuse of trusted systems and the difficulty of detecting activity that stays within normal cloud authentication flows.

security: Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise

Microsoft Security Blog

2026-05-04

Microsoft Defender Research documented a large-scale credential theft campaign using code-of-conduct-themed lures, a multi-step phishing chain, and legitimate email services to send authenticated messages from attacker-controlled domains. The campaign led to adversary-in-the-middle (AiTM) token compromise.

April (2)

security: Email threat landscape: Q1 2026 trends and insights

Microsoft Security Blog

2026-04-30

Microsoft reported that email threats rose in early 2026, driven by credential phishing, QR code phishing, and CAPTCHA-gated campaigns. It also said disruption of the Tycoon2FA phishing platform reduced observed volume by 15% and prompted changes in attacker tactics.

security: Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

Microsoft Security Blog

2026-04-16

Microsoft reports a macOS intrusion campaign attributed to Sapphire Sleet that uses social engineering and user-driven execution to bypass macOS protections. The campaign is described as stealing credentials, cryptocurrency assets, and other sensitive data.