home.social

#cryptominer — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cryptominer, aggregated by home.social.

  1. Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

    Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...

    Pulse ID: 6a01c2363e7f67fcbed473cb
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: AlienVault
    Created: 2026-05-11 11:49:10

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault

  2. Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

    Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...

    Pulse ID: 6a01c2363e7f67fcbed473cb
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: AlienVault
    Created: 2026-05-11 11:49:10

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault

  3. Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

    Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...

    Pulse ID: 6a01c2363e7f67fcbed473cb
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: AlienVault
    Created: 2026-05-11 11:49:10

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault

  4. Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

    Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...

    Pulse ID: 6a01c2363e7f67fcbed473cb
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: AlienVault
    Created: 2026-05-11 11:49:10

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault

  5. Poisoning the well: AI supply chain attacks on Hugging Face and OpenClaw

    Threat actors are actively exploiting AI distribution platforms like Hugging Face and ClawHub to deliver malware by embedding malicious code within models, datasets, and agent extensions. Over 575 malicious skills across 13 developer accounts were identified in the OpenClaw ecosystem, targeting Windows and macOS with trojans, cryptominers, and AMOS stealer. Attackers abuse trust relationships between users and AI platforms through indirect prompt injection, where hidden instructions cause AI agents to execute malicious actions on behalf of users. Trojanized skills masquerade as legitimate tools while instructing users to execute encoded commands or install hidden malicious dependencies. On Hugging Face, repositories host payloads within multistep infection chains disguised as legitimate applications. These campaigns employ social engineering, obfuscation, encryption, in-memory execution, process injection, and persistence techniques to evade detection while establishing covert command-and-control communica...

    Pulse ID: 6a01c2363e7f67fcbed473cb
    Pulse Link: otx.alienvault.com/pulse/6a01c
    Pulse Author: AlienVault
    Created: 2026-05-11 11:49:10

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AMOS #CryptoMiner #CyberSecurity #Encryption #HuggingFace #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #Rust #SocialEngineering #SupplyChain #Trojan #Windows #bot #AlienVault

  6. PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

    PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.

    Pulse ID: 69fd0520d3687243cca2f973
    Pulse Link: otx.alienvault.com/pulse/69fd0
    Pulse Author: AlienVault
    Created: 2026-05-07 21:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CryptoMiner #CyberSecurity #Docker #Extortion #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #Redis #Spam #SupplyChain #Telegram #Troll #Worm #bot #AlienVault

  7. PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

    PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.

    Pulse ID: 69fd0520d3687243cca2f973
    Pulse Link: otx.alienvault.com/pulse/69fd0
    Pulse Author: AlienVault
    Created: 2026-05-07 21:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CryptoMiner #CyberSecurity #Docker #Extortion #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #Redis #Spam #SupplyChain #Telegram #Troll #Worm #bot #AlienVault

  8. PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

    PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.

    Pulse ID: 69fd0520d3687243cca2f973
    Pulse Link: otx.alienvault.com/pulse/69fd0
    Pulse Author: AlienVault
    Created: 2026-05-07 21:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CryptoMiner #CyberSecurity #Docker #Extortion #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #Redis #Spam #SupplyChain #Telegram #Troll #Worm #bot #AlienVault

  9. PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

    PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.

    Pulse ID: 69fd0520d3687243cca2f973
    Pulse Link: otx.alienvault.com/pulse/69fd0
    Pulse Author: AlienVault
    Created: 2026-05-07 21:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CryptoMiner #CyberSecurity #Docker #Extortion #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #Redis #Spam #SupplyChain #Telegram #Troll #Worm #bot #AlienVault

  10. PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale

    PCPJack is a sophisticated credential theft framework that propagates across exposed cloud infrastructure while systematically removing artifacts linked to TeamPCP, a threat actor behind notable 2026 supply chain compromises. The toolset harvests credentials from cloud platforms, containers, developer tools, productivity applications, and financial services, exfiltrating data through attacker-controlled infrastructure. It targets exposed Docker, Kubernetes, Redis, MongoDB, RayML services and vulnerable web applications, enabling external propagation and lateral movement. Unlike typical cloud malware, PCPJack deploys no cryptominers, focusing instead on credential theft for monetization through fraud, spam campaigns, extortion, or access resale. The framework uses modular Python scripts orchestrated by a central component, employs Common Crawl data for target selection, and utilizes Telegram for command and control communications.

    Pulse ID: 69fd0520d3687243cca2f973
    Pulse Link: otx.alienvault.com/pulse/69fd0
    Pulse Author: AlienVault
    Created: 2026-05-07 21:33:20

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CryptoMiner #CyberSecurity #Docker #Extortion #InfoSec #Malware #OTX #OpenThreatExchange #Python #RAT #Redis #Spam #SupplyChain #Telegram #Troll #Worm #bot #AlienVault

  11. Untangling a Linux Incident With an OpenAI Twist (Part 2)

    A Linux endpoint was simultaneously compromised by at least two distinct threat actors while the developer user relied on OpenAI's Codex AI agent for security remediation. Actor A deployed a cryptominer mining Monero to a private pool. Actor B installed a multi-revenue botnet including XMRig mining, residential proxy services, and bandwidth-selling components with eight different persistence mechanisms. Actor C, potentially affiliated with Actor B, executed mass data exfiltration of 15 categories including SSH keys, cloud credentials, and API tokens. The threat actors exploited CVE-2025-55182 (React2Shell) affecting Next.js and React applications. While Codex identified some threats, it lacked contextual awareness and privileged access needed for comprehensive incident response, creating additional noise that complicated SOC investigation. The endpoint was ultimately secured through managed EDR telemetry and expert SOC analysis.

    Pulse ID: 69e95245cf3877ded3870cff
    Pulse Link: otx.alienvault.com/pulse/69e95
    Pulse Author: AlienVault
    Created: 2026-04-22 22:57:09

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #OTX #OpenThreatExchange #Proxy #RAT #SMS #SSH #bot #botnet #AlienVault

  12. Untangling a Linux Incident With an OpenAI Twist

    A technology sector organization experienced a multi-actor compromise on a Linux endpoint where cryptominers were deployed and credential harvesting occurred. The incident became complex when the legitimate user attempted to troubleshoot suspected malicious activity using OpenAI's Codex AI agent while threat actors remained active on the system. The EDR agent was installed mid-compromise, limiting historical visibility. Codex-generated commands created investigative challenges as they mimicked attacker techniques, triggering security detections and complicating the distinction between legitimate troubleshooting and malicious activity. While Codex helped terminate some malicious processes, it failed to provide complete remediation, allowing threat actors to continue exfiltrating credentials, tokens, and cloud metadata through multiple persistence mechanisms.

    Pulse ID: 69e2417e5e4fdd5f16c75dbe
    Pulse Link: otx.alienvault.com/pulse/69e24
    Pulse Author: AlienVault
    Created: 2026-04-17 14:19:42

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CredentialHarvesting #CryptoMiner #CyberSecurity #EDR #Endpoint #InfoSec #Linux #Mimic #OTX #OpenThreatExchange #RAT #SMS #bot #AlienVault

  13. Watch out as new .NET AOT malware hides its code as a black box, making detection far harder while delivering Rhadamanthys infostealer and crypto miner.

    Read: hackread.com/net-aot-malware-c

    #CyberSecurity #Rhadamanthys #InfoStealer #CryptoMiner

  14. I had a chance last week to chat with Benjamin Read of #Wiz. Last month, Read and other members of his team published a deep dive into the #React2Shell
    (CVE-2025-55182) vulnerability, and I was curious to see what has been hitting my honeypot, so I took a closer look.

    This is doing some weird stuff, friends.

    As is normally the case with exploits targeting internet-facing devices, once the exploit becomes known, it ends up in the automated scanners used by threat actors and security researchers. What I've seen over the past week is a combination of both.

    In just a few hours of operation, I identified a small number of source IP addresses exploiting React2Shell by pointing the vulnerable system at URLs hosting BASH scripts. These scripts are really familiar to anyone who routinely looks at honeypot data - they contain a series of commands that pull down and execute malicious payloads.

    And as I've seen in the past, some of these payloads use racially inflammatory language in their malware. It's weird and gross, but unfortunately, really common.

    But while most of these payloads were "the usual suspects" - remote shells, cryptocurrency miners - there was one payload that stuck out.

    It's an exploit file, based on this proof-of-concept [github.com/iotwar/FIVEM-POC/bl] designed to DDoS a modded server running "FiveM," a popular version of the game Grand Theft Auto V.

    Let that one sink in: among the earliest adopters of a brand new exploit are...people trying to mess with other people's online game servers.

    I've long said that exploits like these are the canaries in the datacenter coal mine. After all, if an attacker can force your server to run a cryptominer (or a game DDoS tool), they can force it to run far more malicious code.

    I guess someone, or a group of someones, just want to ruin everyone's good time, no matter how or what form that takes. And they'll do it in the most offensive way possible.

    Anyway, patch your servers, please, if only to stick it to these people who want to be the reason we can't have nice things.

    #PoC #exploit #CVE_2025_55182 #DDoS #FiveM #REACT #Bash #cryptominer #malware

  15. I had a chance last week to chat with Benjamin Read of #Wiz. Last month, Read and other members of his team published a deep dive into the #React2Shell
    (CVE-2025-55182) vulnerability, and I was curious to see what has been hitting my honeypot, so I took a closer look.

    This is doing some weird stuff, friends.

    As is normally the case with exploits targeting internet-facing devices, once the exploit becomes known, it ends up in the automated scanners used by threat actors and security researchers. What I've seen over the past week is a combination of both.

    In just a few hours of operation, I identified a small number of source IP addresses exploiting React2Shell by pointing the vulnerable system at URLs hosting BASH scripts. These scripts are really familiar to anyone who routinely looks at honeypot data - they contain a series of commands that pull down and execute malicious payloads.

    And as I've seen in the past, some of these payloads use racially inflammatory language in their malware. It's weird and gross, but unfortunately, really common.

    But while most of these payloads were "the usual suspects" - remote shells, cryptocurrency miners - there was one payload that stuck out.

    It's an exploit file, based on this proof-of-concept [github.com/iotwar/FIVEM-POC/bl] designed to DDoS a modded server running "FiveM," a popular version of the game Grand Theft Auto V.

    Let that one sink in: among the earliest adopters of a brand new exploit are...people trying to mess with other people's online game servers.

    I've long said that exploits like these are the canaries in the datacenter coal mine. After all, if an attacker can force your server to run a cryptominer (or a game DDoS tool), they can force it to run far more malicious code.

    I guess someone, or a group of someones, just want to ruin everyone's good time, no matter how or what form that takes. And they'll do it in the most offensive way possible.

    Anyway, patch your servers, please, if only to stick it to these people who want to be the reason we can't have nice things.

    #PoC #exploit #CVE_2025_55182 #DDoS #FiveM #REACT #Bash #cryptominer #malware

  16. Dormant Bitcoin Whale With $442M Awakens for First Time in 14 Years Amid Quantum Fears - 14-year-old wallet moves $16.6M in BTC as analyst weigh security concerns and shifting on... - coindesk.com/markets/2025/10/2 #cryptominer #markets #bitcoin #news

  17. Finally completed my rebuild of my #Grafana #prometheus #vps stack.

    The old one was hosed in a 3 month battle with a #cryptominer
    It was #docker but they kept fucking the Prometheus container.

    I rebuild everything from scratch. The panels are integrated into a single JSON file, rather than in libraries.

    The stack is now #podman. Rootless execution.
    But I couldn't get it to get #cadvisor to feed it.
    So I got a dodgy scraper script.
    But even with nice, it loads the low tier VPS to 14%

    #selfhosting

  18. Cybercriminals are blackmailing YouTubers with fake copyright claims! 😱 They're threatening creators into distributing malware disguised as download links. A trojanized program installs a cryptominer. ⚠️ Be careful what you download! More info: techradar.com/pro/security/you #cybersecurity #malware #youtube #cryptominer #newz

  19. Part 3 of my #cryptominer infection saga.

    Being too lazy to secure my infected #prometheus container, I was looking for another way to combat it.
    Killing it did now work because it's CnC was bringing it up in under a minute.

    My "fix" is inspired if I say so myself.
    Is to run a cronjob to set nice setting to the lowest possible
    (nice -n 19 xmrig)
    This makes the #xmrig crapto miner at the least possible CPU priority.

    See if you can see on my attached performance chart, when it kicks in
    😁
    #infosec

  20. Part 3 of my #cryptominer infection saga.

    Being too lazy to secure my infected #prometheus container, I was looking for another way to combat it.
    Killing it did now work because it's CnC was bringing it up in under a minute.

    My "fix" is inspired if I say so myself.
    Is to run a cronjob to set nice setting to the lowest possible
    (nice -n 19 xmrig)
    This makes the #xmrig crapto miner at the least possible CPU priority.

    See if you can see on my attached performance chart, when it kicks in
    😁
    #infosec