Originally reported by Hackread
TL;DR
Researchers identified multiple sophisticated phishing campaigns this week, including a Ghost campaign using fake npm install logs to steal developer credentials and crypto wallets, plus a massive QR code campaign that bypassed email security controls to reach 1.6 million users.
Multiple active phishing campaigns targeting different vectors (npm packages and QR codes) represent ongoing threats, but there is no indication of critical infrastructure impact or widespread exploitation.
Security researchers uncovered several sophisticated phishing campaigns this week, demonstrating attackers' continued innovation in social engineering tactics across multiple attack vectors.
ReversingLabs researchers identified a new Ghost campaign leveraging fake npm install progress bars to harvest sudo passwords and cryptocurrency wallet credentials from developers. The campaign exploits developers' familiarity with package installation processes, displaying convincing fake terminal output during what appears to be legitimate npm operations.
The attack specifically targets the development workflow, waiting for moments when developers typically enter administrative credentials. Once sudo access is obtained, the malware pivots to cryptocurrency wallet theft, highlighting the dual financial and access motivations behind the campaign.
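As an added defensive example (not part of the original report, and not code from ReversingLabs or from the campaign itself), the following Python audit flags npm packages whose install-time lifecycle scripts invoke sudo, prompt for passwords or fetch code during `npm install`; the package manifests and names below are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Hooks npm runs automatically during `npm install`; the blunt mitigation is
# `npm config set ignore-scripts true` and running needed scripts by hand.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for install scripts that escalate privileges, prompt for
# secrets or pull code at install time. Tune for your own dependency set.
SUSPICIOUS = [
    (re.compile(r"\bsudo\b"), "invokes sudo"),
    (re.compile(r"\b(su|doas)\b"), "switches user"),
    (re.compile(r"password|passphrase", re.I), "mentions a password prompt"),
    (re.compile(r"\b(curl|wget)\b|Invoke-WebRequest", re.I), "downloads at install time"),
    (re.compile(r"node\s+-e\b|\beval\(", re.I), "runs inline code"),
]

def audit_manifest(manifest: dict) -> list:
    """Return (hook, reason) pairs for one parsed package.json dict."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook, "")
        for pattern, reason in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append((hook, reason))
    return findings

def audit_all(manifests: dict) -> dict:
    """Map package name -> findings, keeping only packages with hits."""
    return {name: f for name, m in manifests.items() if (f := audit_manifest(m))}

def audit_node_modules(root: str) -> dict:
    """Load every package.json under root (node_modules included) and audit it."""
    manifests = {}
    for path in Path(root).glob("**/package.json"):
        try:
            manifests[path.parent.name] = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
    return audit_all(manifests)

# Constructed manifests with hypothetical package names (not from the report).
SAMPLE_MANIFESTS = {
    "string-pad-helper": {"scripts": {"test": "jest"}},
    "build-tool": {"scripts": {"prepare": "tsc -p ."}},
    "fake-installer": {"scripts": {
        "postinstall": "node -e \"require('./progress.js')\" && sudo -S node setup.js"}},
}
```

Run `audit_node_modules(".")` after a fresh install to see which dependencies would have executed flagged hooks; a hit is a reason to read the script, not proof of compromise.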
7AI researchers documented the "Quish Splash" campaign, a massive QR code phishing operation that successfully bypassed SPF, DKIM, and DMARC protections to reach 1.6 million email recipients. The campaign leverages QR codes to redirect users to credential harvesting pages, exploiting the gap in traditional email security scanning capabilities for image-based threats.
The attack's scale and its successful evasion of established email authentication mechanisms demonstrate the ongoing challenge of defending against image-based phishing vectors that do not trigger traditional content analysis.
CyberProof researchers reported a 10% increase in PXA Stealer attacks against financial institutions during Q1 2026. The malware variant utilizes Telegram for data exfiltration, making detection and takedown more challenging through the use of legitimate communication platforms.
The targeting of financial institutions aligns with broader trends of credential theft operations focusing on high-value sectors where stolen access can yield significant returns for threat actors.
Two industry analyses provided updated perspectives on enterprise security tooling. The first evaluated AI-powered security solutions from major vendors including Check Point, Palo Alto Networks, CrowdStrike, Fortinet, and Zscaler across cloud, endpoint, and network deployment scenarios.
Separately, a practitioner review examined Acalvio ShadowPlex's deception-based approach to preemptive threat detection across IT, cloud, and OT environments, highlighting the continued evolution of defensive technologies beyond traditional signature-based detection.