TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

The Hacker News

ThreatsDay Bulletin: SMS Blaster Busts, OpenEMR Flaws, 600K Roblox Hacks and 25 More Stories

[email protected] (The Hacker News) · 5 days ago · Read original ↗

ATT&CK techniques detected

25 predictions
T1056.001Keylogging
99%
“crypto wallets and chromium - family browsers ; steals. npmrc, cloud provider tokens, and shell history ; and runs a native keylogger on windows, macos, and linux with autostart persistence on all three, " safedep said. security is a team sport. we keep seeing the same gaps becau…”
T1195.001Compromise Software Dependencies and Development Tools
99%
“investigation into the cybersecurity incident has revealed the teampcp attack affecting the trivy scanner is the " likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our github repositories. " this, in turn, allowed the attackers to …”
T1190Exploit Public-Facing Application
97%
“fines to companies in 2025, a total larger than the last five years combined, per gartner. " regulators are also shifting their efforts away from spreading awareness to full - scale enforcement, " the company said. " this is increasingly becoming the standard in 2026 and beyond. …”
T1195.001Compromise Software Dependencies and Development Tools
96%
“human trafficking and prostitution, kidnapping, armed robbery, and fraudulent spiritual practices, " europol said. - pypi package hijacked via ci exploit in yet another software supply chain attack, unknown threat actors pushed a malicious version of the popular " elementary - da…”
T1176Software Extensions
94%
“env. production, from developers ' machines at install time, exfiltrating them to an attacker - controlled endpoint, " socket said. the malicious package is maintained by a user named " sh20raj. " versions 2. 0. 4 through 2. 0. 7 are confirmed malicious. update : in a post shared…”
T1068Exploitation for Privilege Escalation
92%
“26 elections for the tibetan parliament - in - exile with little impact. the operation, part of spamouflage, a long - running influence network linked to beijing, has used a cluster of 90 facebook profiles and 13 instagram profiles to push criticism of the tibetan government - in…”
T1195.001Compromise Software Dependencies and Development Tools
91%
“a cellular tower to send phishing texts to nearby phones. these tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. " an sms blaster works by mimicking a legitimate cellular tower. when nearby phones connect to it, users receive fraudule…”
T1585.002Email Accounts
90%
“filters. the emails, which originate from " noreply @ robinhood [. ] com, " warn of suspicious activity tied to their accounts and urge them to click to complete a security check by clicking on a link that directs to a phishing site. " this phishing attempt was made possible by a…”
T1176.001Browser Extensions
88%
“env. production, from developers ' machines at install time, exfiltrating them to an attacker - controlled endpoint, " socket said. the malicious package is maintained by a user named " sh20raj. " versions 2. 0. 4 through 2. 0. 7 are confirmed malicious. update : in a post shared…”
T1190Exploit Public-Facing Application
87%
“##s are exploiting two authentication bypass vulnerabilities in qinglong, an open - source timed task management platform with over 19, 500 github stars, to deploy cryptocurrency miners. the two flaws – cve - 2026 - 3965 and cve - 2026 - 4047 – enable authentication bypass that r…”
T1587Develop Capabilities
83%
“investigation into the cybersecurity incident has revealed the teampcp attack affecting the trivy scanner is the " likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our github repositories. " this, in turn, allowed the attackers to …”
T1552.001Credentials In Files
81%
“credentials exposed kela said it tracked 2. 86 billion compromised credentials in 2025 globally. these included usernames, passwords, session tokens, cookies found in url, login and password ( ulp ) lists, breached email repositories, and cybercrime marketplaces. at least 347 mil…”
T1566.002Spearphishing Link
73%
“in - the - middle ( aitm ) features by integrating tools like fm scanner for extracting and analyzing mailbox content. " saiga 2fa is an example of how phishing kits are evolving into application - level platforms, " the company said. " unlike traditional phishing kits, saiga int…”
T1176Software Extensions
71%
“24 media extensions that are installed on 800, 000 users and collect viewing data and demographic information on major streaming platforms such as netflix, hulu, disney +, amazon prime video, hbo, apple tv, and others, " layerx said. " 12 separate ad blockers with a combined inst…”
T1176.001Browser Extensions
68%
“24 media extensions that are installed on 800, 000 users and collect viewing data and demographic information on major streaming platforms such as netflix, hulu, disney +, amazon prime video, hbo, apple tv, and others, " layerx said. " 12 separate ad blockers with a combined inst…”
T1657Financial Theft
68%
“dispatch the legitimate publishing pipeline against it – without ever touching the master branch or opening a pull request, " the company said. the developers urged users who installed 0. 23. 3, or pulled and ran its docker image, to assume compromise and rotate any credentials. …”
T1587Develop Capabilities
59%
“a cellular tower to send phishing texts to nearby phones. these tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. " an sms blaster works by mimicking a legitimate cellular tower. when nearby phones connect to it, users receive fraudule…”
T1068Exploitation for Privilege Escalation
44%
“attacker with limited local access needs to first compromise a privileged service that runs under the network service identity, deploy a fake rpc server with the same rpc interface uuid and exposed endpoint name ( i. e., termservice ), listen to specific requests, and then impers…”
T1204.005Malicious Library
39%
“human trafficking and prostitution, kidnapping, armed robbery, and fraudulent spiritual practices, " europol said. - pypi package hijacked via ci exploit in yet another software supply chain attack, unknown threat actors pushed a malicious version of the popular " elementary - da…”
T1078.001Default Accounts
39%
“servers a new analysis from forescout has found 1. 8 million rdp and 1. 6 million vnc servers are exposed on the internet. " china accounts for 22 % of exposed rdp and 70 % of exposed vnc servers ; the u. s. accounts for 20 % and 7 % ; germany accounts for 8 % and 2 %, " the comp…”
T1195.002Compromise Software Supply Chain
39%
“human trafficking and prostitution, kidnapping, armed robbery, and fraudulent spiritual practices, " europol said. - pypi package hijacked via ci exploit in yet another software supply chain attack, unknown threat actors pushed a malicious version of the popular " elementary - da…”
T1021.001Remote Desktop Protocol
38%
“servers a new analysis from forescout has found 1. 8 million rdp and 1. 6 million vnc servers are exposed on the internet. " china accounts for 22 % of exposed rdp and 70 % of exposed vnc servers ; the u. s. accounts for 20 % and 7 % ; germany accounts for 8 % and 2 %, " the comp…”
T1176.002IDE Extensions
37%
“env. production, from developers ' machines at install time, exfiltrating them to an attacker - controlled endpoint, " socket said. the malicious package is maintained by a user named " sh20raj. " versions 2. 0. 4 through 2. 0. 7 are confirmed malicious. update : in a post shared…”
T1657Financial Theft
35%
“account. - social media scams surge the u. s. federal trade commission ( ftc ) warned of a massive increase in losses from social media scams since 2020, exceeding $ 2. 1 billion in 2025, including $ 794 million to scams that started on facebook, more than on any other platform. …”
T1589.001Credentials
33%
“dispatch the legitimate publishing pipeline against it – without ever touching the master branch or opening a pull request, " the company said. the developers urged users who installed 0. 23. 3, or pulled and ran its docker image, to assume compromise and rotate any credentials. …”

Summary

The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online. Security is always a moving target. Millions of servers are currently sitting online without any passwords, and