Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Japan's Largest Taxi Service Goes Offline After Cyberattack

Nihon Kotsu, Japan’s largest taxi operator, said that its systems were impacted in a cyberattack, causing the company to close down some of ...

All the recent news you need to know

CrashStealer macOS Malware Uses Apple-Notarized App to Evade Security Checks



CrashStealer, a new macOS information-stealing malware named for Apple's Mac operating system, bypasses built-in security protections by using an Apple notarized application, demonstrating a growing trend of malicious actors utilizing legitimate software verification mechanisms in order to target Apple users. 

Jamf Threat Labs researchers discovered that the malware is distributed via a disk image named Werkbit.app that is signed and notarized by Apple. Due to the fact that the installer is notarized by Apple and has a valid developer ID, Gatekeeper security checks can be successfully passed by the installer, increasing user confidence and acceptance of the application.

In early May 2026, Jamf Threat Labs identified CrashStealer as a suspicious macOS sample uploaded to VirusTotal. Activated infections were detected by researchers in early July, indicating the malware had progressed from development to real-world deployment. 

Based on the timeline, the operators seem to have refined the malware before launching broader attacks on macOS. This macOS stealer is written in native C++, unlike many macOS stealers, which rely on AppleScript or Objective-C wrappers. As a result, CrashStealer is more difficult to analyze while ensuring enhanced performance. Researchers have reported that the malware validates the user's macOS login password. 

Once the password has been validated, the malware can unlock the user's login keychain and gain access to additional sensitive information. The attack chain is designed to keep the user's identity hidden. A GitHub repository is utilized by the malware to retrieve configuration data after the victim launches the installer, which is then used to download the final malicious payload. 

GitHub-hosted configurations contain instructions for downloading shell scripts that are responsible for retrieving the final malware payload from attacker-controlled infrastructure when the victim launches the installer. CrashStealer reduces its forensic footprint by decoding its contents during execution rather than storing them in plain text during execution. 

The CrashStealer application establishes persistence as a LaunchAgent, utilizes multiple anti-analysis techniques, and checks for installed security or forensic tools before harvesting data by employing multiple anti-analysis techniques. As a precaution, the malware masquerades as CrashReporter, Apple's legitimate crash reporting utility. 

By using Apple's bundle identifier, icon, and naming conventions, the malware makes malicious activity appear to be similar to legitimate system activity. This malware targets credentials stored in Chromium-based browsers as well as Mozilla Firefox, resulting in a significant increase in browsers affected. MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Rabby, OKX Wallet, Exodus, Keplr, Solflare, Backpack, and MetaMask are among the many cryptocurrency wallet extensions that search for data. 

As part of the attack, CrashStealer attempts to extract information from 14 password managers, including 1Password, Bitwarden, LastPass, Dashlane, Keeper, KeePassXC, NordPass, Enpass, and RoboForm. In addition to collecting files from the user's Documents and Downloads folder, the malware compresses the data into a ZIP archive to reduce the possibility of interception. 

To protect the collected data, it is encrypted using AES-GCM before being transmitted via libcurl to an attacker-controlled server. CrashStealer is noted by researchers as encrypting each file before exfiltration, rather than protecting the entire archive. As a result of its use of industry-standard cryptographic techniques, the malware makes intercepted data significantly more difficult for defenders to analyze without the appropriate key to decrypt. 

Researchers at Jamf observed that the malware incorporates code obfuscation, encrypted strings, control-flow flattening, and layered anti-debugging techniques into its data exfiltration mechanism, making it significantly more resilient than typical information commodity thieves.

Investigators also discovered additional domains and operator infrastructure linked to the campaign, including a password-protected management panel that is believed to be used by the attackers. It has been demonstrated that CrashStealer is not a standalone malware sample, but is part of a coordinated operation. 

Researchers believe CrashStealer exemplifies a growing trend in macOS malware, demonstrating the combination of trusted software signing, multiple stages of delivery, sophisticated anti-analysis techniques, and strong encryption to make it more difficult to detect. Furthermore, the campaign emphasizes the growing tendency of attackers to exploit legitimate Apple security mechanisms for malicious delivery, reinforcing the need for users to verify software sources even when applications pass Gatekeeper checks. 

In CrashStealer, cybercriminals demonstrate the increasing use of trusted security mechanisms to avoid detection and compromise macOS systems by exploiting trusted security mechanisms to evade detection. Increasingly sophisticated methods of delivery and stronger encryption are being adopted by attackers; therefore, organizations and users need to remain vigilant by ensuring that they download software only from trusted sources, monitoring unusual activity, and updating their security solutions.

GoDaddy Challenges Indian Court Order Over Domain Privacy and Internet Governance Rules

 

A legal battle in India over online fraud could have major implications for privacy and regulation of the internet around the globe, as domain name registrar Go Daddy takes exception to a Delhi High Court ruling that would impose severe restrictions on domain registration, privacy, and trademark protection. 

The ruling comes in response to an uptick in cyber fraud in India. Government figures from last year show that authorities received 2.4 million fraud complaints, resulting in $2.4 billion in losses. In recent years, Amazon, McDonald’s, Microsoft, and other companies have taken legal action against fake websites that misled consumers into giving away personal information or making purchases. Last December, the Delhi High Court ordered removal of more than 1,100 fraudulent websites. 

With that, the court issued additional directives concerning the management of domain names and registrars. These mandates include forbidding registrars from offering privacy protection services by default, disclosing private domain owner information to third parties upon request if that party can demonstrate a “legitimate interest,” and prohibiting domain name registrations that use trademarks of others. Go Daddy argues in a petition to a larger bench of the Delhi High Court that those measures go significantly beyond what’s needed to combat fraud. 

The company believes such restrictions, if applied consistently, would disrupt internet governance worldwide. Go Daddy also objects to the requirement that domain ownership information be disclosed to anybody demonstrating a “legitimate interest.” The company argues in its petition that the language could prove too broad and that domain registrars shouldn’t be tasked with reviewing requests for domain owner information and deciding whether they meet a “legitimate interest” standard. The firm says the language could create “significant legal and operational challenges.” 

The company raises additional concerns about the order’s potential impact on international domain name sales, arguing that because the global internet isn’t bound by one jurisdiction, requiring local registrars to follow the kind of rules set out in the December ruling would, in essence, require them to follow Indian law for all international transactions. 

Go Daddy further argues that the privacy restrictions could run contrary to India’s data protection laws as well as the European Union’s General Data Protection Regulation (GDPR). By mandating that privacy protections be revoked by default for domain owners, India’s data laws and the GDPR would instead be weakened. 

Many internet governance experts believe the ruling places India at risk of negatively impacting citizens, particularly journalists, activists, bloggers, and small businesses, and that it fails to consider tactics bad actors will use to exploit weaknesses in the domain system. Other domain name registrars have raised similar objections to the December ruling, including Namecheap and Hosting Concepts. 

These companies expect that the ruling will spark similar actions in other jurisdictions. Delhi High Court is set to hear the challenges on July 16, with implications for the future of internet governance and fraud prevention measures yet to be determined.

How the Apple Copy-Paste Scam Can Give Attackers Remote Access to Your Mac

 


Apple users are being urged to exercise caution when following troubleshooting instructions found online after cybersecurity experts underlined a growing social engineering tactic that tricks victims into pasting malicious commands into the macOS Terminal application. Rather than exploiting a flaw in macOS itself, the scam relies on convincing users to voluntarily execute commands that can install malware, grant attackers remote access, or expose sensitive information stored on their devices.

Often referred to as a "copy-paste" scam, the technique targets users unfamiliar with Terminal, a command-line interface included with macOS that enables direct interaction with the operating system through text-based commands. While the application is commonly used by developers, system administrators and advanced users to automate tasks or manage system settings, executing unfamiliar commands without understanding their function can introduce significant security risks.

Unlike traditional malware campaigns that exploit software vulnerabilities, this attack depends almost entirely on social engineering. Cybercriminals impersonate trusted sources or create convincing troubleshooting scenarios to persuade victims that running a Terminal command is necessary to fix a technical issue, improve security or restore system performance. Once executed, however, the command may download malicious software, establish remote access, alter security settings or perform other unauthorized actions without the user's awareness.

Depending on the instructions provided, attackers could gain access to documents, photographs, emails, browser data, financial information, saved credentials and contact lists stored on the Mac. Some malicious scripts may also deploy keylogging software capable of recording everything a victim types, including usernames, passwords and other confidential information. In more severe cases, attackers could install ransomware or persistence mechanisms that allow them to retain access to the compromised system even after a restart.

Security researchers note that the scam can begin through multiple channels. Victims may receive phishing emails or text messages containing the malicious command, encounter it in online discussion forums disguised as a legitimate solution, or visit fraudulent websites presenting it as an official troubleshooting step. Attackers have also been observed posing as technical support representatives over the phone, carefully instructing victims to open Terminal and manually type commands under the pretense of resolving an issue.

The rise of generative artificial intelligence has introduced another avenue for abuse. Threat actors may intentionally publish malicious commands across public websites and discussion platforms in an effort to influence AI-powered assistants through a technique known as indirect prompt injection. If an AI system retrieves or references poisoned content while responding to a user's troubleshooting request, it could inadvertently recommend unsafe commands. Although AI tools continue to improve their safeguards, cybersecurity experts advise users to independently verify any command before executing it on their systems.

The attack typically follows a similar pattern. After directing a user to open the Terminal application located within the Utilities folder inside Applications, the attacker provides one or more commands and claims they are required to diagnose, repair or secure the computer. In reality, those commands may download remote administration tools, retrieve additional payloads from external servers, modify system configurations or provide unauthorized access to the attacker's infrastructure.

Because the attack depends on user participation rather than exploiting a software flaw, many victims may not immediately recognize they are being targeted. Individuals unfamiliar with Terminal often have little reason to question commands presented by someone claiming to represent Apple, a software vendor or a technical support service. Similarly, users searching online for solutions may encounter malicious instructions embedded within forum posts or copied across multiple websites, making them appear credible.

To help reduce the effectiveness of these attacks, Apple introduced additional safeguards in recent versions of macOS. When users who do not regularly work in Terminal attempt to paste commands copied from websites, messaging platforms, email applications or chatbots, the operating system may interrupt the action with a warning indicating that the pasted content could contain malware or compromise privacy. Rather than automatically executing the command, the prompt encourages users to reconsider before proceeding.

Apple has also expanded malware detection capabilities within Terminal. If the operating system identifies known malicious content or scripts, it can block execution and notify the user that the pasted command has been prevented because it poses a security risk. These protections are designed to slow down impulsive actions and reduce the likelihood of users unknowingly compromising their own systems.

Cybersecurity professionals emphasize that no security warning should replace careful judgment. Users should never execute Terminal commands they do not fully understand, regardless of whether the instructions originate from an email, text message, online forum, chatbot or unsolicited phone call. Requests accompanied by pressure tactics or claims that immediate action is required should be treated with particular suspicion, as creating a false sense of urgency remains one of the most common techniques used in phishing campaigns.

Experts also caution against assuming that information found on public forums or generated by AI assistants is inherently trustworthy. Malicious instructions can spread rapidly across the internet and may be reproduced by multiple sources, giving them an appearance of legitimacy. Verifying guidance through official Apple documentation or other trusted security resources before executing any command remains one of the most effective ways to avoid becoming a victim of Terminal-based social engineering attacks.

Anthropic Delays Claude Fable 5 Usage Credit Requirement Until July 19


 

A number of Anthropic's flagship AI model, Claude Fable 5, has been extended to eligible paid subscribers until July 19, 2026 for free access. This extension provides customers with another week of access while the company continues to expand its available computing capacity. This extension follows two previous extension of the deadline. 

As part of their initial announcement, Anthropic announced that Fable 5 would be available to subscribers through July 7, but that offer has since been extended to July 12. According to Anthropic, promotional access to the Claude Code system will now be available until 11:59:59 PM PT on July 19. Along with this extension, Anthropic has also continued to increase Claude Code weekly usage limits by 50%. 

The Fable 5 subscription model allows eligible subscribers to use up to 50% of their weekly allowance at no additional charge. It draws upon the same weekly usage pool as other Claude models, however Anthropic notes that Fable 5 consumes these limits more rapidly as a result of its greater computational requirements. When enabled by their organization, this promotion is available to Claude Pro, Max, Team, and premium seat-based Enterprise subscribers. 

The promotion does not apply to Free users, standard Enterprise seats, usage-based Enterprise plans, or API customers. Anthropic's ecosystem includes Claude Web, Mobile, Desktop, Claude Code, Claude Cowork, Claude Design, Claude for Microsoft 365, and Claude Tag, among others. Users can choose "Fable 5" from the model picker on Claude's web, desktop and mobile applications in order to begin using the model. 

For Claude Code, Fable 5 requires version 2.1.170 or later, while Claude Cowork users need the latest Claude Desktop application to access the feature. Versions 2.1.170 and later are required for Claude Code, while version 2.1.170 and higher are required for Claude Cowork. Upon reaching their complimentary Fable 5 allocation, users may elect to purchase usage credits to continue using the model or to switch to another Claude model that remains available under their current subscription limitations. 

According to Anthropic, this process is consistent across all versions of Claude Web, Mobile, Desktop, Claude Work, and Claude Code. If a user exceeds the complimentary allocation for Fable 5, they may purchase usage credits, which are billed separately from their subscription, or choose to make use of another Claude model without incurring additional charges in accordance with their remaining plan limits. 

In addition, Anthropic has assured its customers that current restrictions will only last for a short period of time. According to the company, Fable 5 will not be permanently removed from subscription plans and will be restored as soon as sufficient computing resources are available. It is evident that the demand for Claude Fable 5 continues to exceed the computational resources available to Anthropic. 

Anthropic is continuing to expand its infrastructure while offering premium subscribers access to its most advanced AI model without immediate additional costs by extending its temporary promotion. Once sufficient computing capacity is available, Fable 5 will be available as a standard subscription benefit once adequate computing capacity has been reached. 

Anthropic's latest extension reflects the increased demand for advanced generative AI models, as well as the challenges associated with rapid adoption of these models. While the temporary offer ensures continued access for eligible subscribers, it emphasizes the importance of scalable computing resources when AI companies attempt to strike a balance between innovation, performance, and user expectation.

UK Warns Parents: Limit Online Sharing of Kids’ Photos Amid AI Abuse Risks

 

UK authorities have issued urgent warnings to parents about sharing children’s photos online, as AI tools increasingly enable digital abuse and exploitation. The National Crime Agency (NCA) and the Internet Watch Foundation (IWF) say that ordinary images of kids can be misused by predators to create realistic, sexually explicit material using “nudification” apps and deepfake technology. While officials stress they are not dictating parenting choices, they want families to understand a risk that many may not realize exists. 

The scale of the problem is growing fast. In 2025, the IWF identified 8,029 AI-generated images and videos classified as realistic child sexual abuse material (CSAM), a 14% rise from the previous year. AI-generated abuse videos jumped from just 13 in 2024 to 3,440 in 2025, showing how quickly the threat is escalating as imaging models improve. Because these fakes can be so convincing, it is becoming harder for platforms and investigators to distinguish them from real abuse content, complicating removal efforts and victim support. 

In response, the NCA and IWF have published new guidance urging parents and carers to limit who can see images of their children online. Their advice includes setting social media accounts to private, using “close friends” lists for sharing family photos, and regularly reviewing older posts that might expose children’s images to strangers. The guidance also recommends a “social media audit,” asking parents to check whether a child’s face, body, or school uniform is visible online and whether those images can be deleted or made private. The NSPCC similarly advises that minors keep their social media profiles on private settings to reduce exposure. 

The UK government is also tightening laws and platform responsibilities. It has made it illegal to create, possess, or distribute AI tools designed to generate child sexual abuse imagery, with offenders facing up to five years in prison. Under the Online Safety Act, tech platforms must proactively remove such content, and new powers will allow authorized testers to assess AI models for their ability to produce CSAM before they reach the market. A government spokesperson confirmed that AI-generated CSAM is treated the same as real imagery under UK law and must be taken down swiftly. 

Beyond privacy settings, experts recommend open conversations with young people about AI, “deepfake” nudes, and image consent. Children should understand that once a photo is online, it can be copied, altered, and misused—even if they trusted the original audience. Guidance also outlines steps to take if a child is targeted or if manipulated images appear, including reporting to platforms and contacting the IWF or police. As AI continues to turbocharge digital abuse risks, cautious sharing and strong privacy habits are becoming essential parts of modern parenting.

Microsoft and Google Remove ModHeader After Finding Dormant Collector


ModHeader is a famous header-editing extension with over 1.6 million installs across Microsoft’s Edge and Google’ Chrome browser. 

Google and Microsoft remove the collector

Experts discovered a secret browsing-history collector built into its official store variant, and have withdrawn the ModHeader from Google and Microsoft.

An empty allow-list kept the collector switched off and it was dormant, and no proof has surfaced that it retrieved or sent even one browsing domain.

About the discovery

Stripe OLT, a UK cybersecurity organization analyzed the code against Google’s Web Store signature and verified the collector shipped within the authentic extension, not a fake one.

Stripe OLT’s study covers the Chrome build and its 900,000 users (an estimate); and Edge and its 700,000 users. Microsoft removed  the listing on July 3rd whereas Google pulled the Chrome listing a week after, on July 10th.

Attack tactic

Variant 7.0.18 still edits HTTP headers as shown. The same minimized background also consists of another system. On the first attempt, it makes a device fingerprint and deploys a hardcoded encryption key. As the user browses, it takes the domain from each page that user opens, encodes it, and gathers it locally, up to 1000 different domains.

Scheduler and other things

A scheduler combines your fingerprint with the encrypted list, uploads it to api.stanfordstudies[.]com, and deletes the local copy once a day. If the collector were turned on, browsers using it wouldn't all beacon at once because the upload time is offset per install. The same pipeline is described in separate teardowns by researcher Yunus Aydin on version 7.0.17 and HackIndex on version 7.0.18.

How does collector function

The collector functions only if your browser matches an entry on an internal allow-list, but the list ships empty. Every time, the check fails, and the pipeline stops before it gathers even a single domain. 

The small change is populating the list, without any click and no new permissions from the users, sent as a routine update. The endpoint URL, the scheduler, the storage logic, and the hardcoded key are all on the same device.

But not everything was silent. The extension pinged extensions-hub[.]com with the product, version, and browser when it was installed, updated, and uninstalled. 

Additionally, it was evident that the piece had been running because a script that runs on every page had already recorded actual request metadata in plain text to local storage. 

Featured