Bybit’s Security Operations Center has identified a multi-stage malware campaign targeting macOS users of Claude Code, an AI-powered search and development tool. Attackers used search engine optimization (SEO) poisoning to push malicious domains to the top of Google search results, luring users to counterfeit installation pages. Once installed, the malware steals browser credentials, macOS Keychain data, Telegram sessions, VPN configurations, and cryptocurrency wallet information. Bybit stated that the malware can also establish persistent access via backdoor functionality and attempts to target over 250 browser wallet extensions and multiple desktop wallet applications. This malicious infrastructure was identified on March 12, and related analysis, mitigation, and detection measures were completed the same day.
Odaily News: Telegram founder Pavel Durov posted on X that the "age verification app" proposed by the EU has design flaws and was compromised within minutes. The root cause, he argues, is a fundamental architectural weakness: the system trusts the user's device. The solution is marketed as "privacy-friendly," but in practice it is easily cracked. He summarizes its likely development path as follows: first, launch a system that appears to protect privacy but contains vulnerabilities; after it is compromised, cite "fixes" as the reason to weaken privacy protections; eventually it evolves into a surveillance tool in the name of privacy. Such "accidental vulnerability incidents" may be used to expand regulation, and he urges the public to stay vigilant.
According to Elastic Security Labs, threat actors impersonated venture capital firms and lured targets into opening malicious Obsidian note vaults via LinkedIn and Telegram. This attack leveraged Obsidian’s Shell Commands plugin to execute malicious payloads without exploiting any vulnerabilities when victims opened the note vaults. The PHANTOMPULSE malware discovered in this campaign is a previously undocumented Windows Remote Access Trojan (RAT) that uses Ethereum transaction data to achieve blockchain-based C2 communication. The macOS payload employs an obfuscated AppleScript dropper and uses a Telegram channel as a fallback C2. Elastic Defend detected and blocked the PHANTOMPULSE execution before it could run.
Zerion disclosed that some of its corporate hot wallets were recently targeted by an AI-driven social engineering attack linked to North Korean hackers, resulting in losses of approximately $100,000. Zerion stated that user funds, applications, and infrastructure remain unaffected and proactively disabled its web application to mitigate risk. This incident marks the second such attack this month, following the $280 million breach of Drift Protocol, underscoring how North Korean hackers are leveraging AI to refine social engineering tactics—primarily targeting employees and developers at crypto firms. The Security Alliance (SEAL) tracked the hacker group UNC1069, which conducts low-pressure, multi-week social engineering campaigns across platforms including Telegram, LinkedIn, and Slack, using AI tools to edit images and videos to enhance attack efficiency.