Credential-Theft on HackingPassion.com : root@HackingPassion.com-[~]

Hackers Hijacked 400 Arch Linux AUR Packages to Install Malware

Sat, 13 Jun 2026 12:46:22 +0200

More than 400 packages in the Arch User Repository (AUR) were hijacked this week, and the attacker never broke into a single system to do it. They took over packages whose makers had walked away, then let people install the malware during a routine update they had no reason to question. 🐧

The AUR is the place where community members write and share the recipes for installing software that is not in the official Arch repositories. Publishing there is open to the community, and Arch based systems pull straight from it. That openness is one of the reasons people love Arch, and it is also why this played out the way it did. The official Arch repositories were never touched.

Google API Keys Keep Working for 23 Minutes After You Delete Them

Sat, 23 May 2026 15:04:37 +0200

Google tells you the key is gone. It keeps working for 23 more minutes. When you delete a Google API key, a dialog appears that says the following: “Once deleted, it can no longer be used to make API requests.” That is the message. It is printed there by Google, presented as fact at the exact moment you think the risk is gone. It is not true.

Security researcher Joe Leon at Aikido Security spent two days testing what actually happens after a key is deleted. He created keys, deleted them, and kept firing authenticated requests at Google’s servers at three to five per second until no valid response came back. He ran ten separate trials. The shortest window before a deleted key fully stopped working was nearly eight minutes. The median was sixteen minutes. The longest was just under twenty-three minutes. During all of that time, the key was authenticating successfully on Google’s infrastructure. A deleted key. Still working.

VoidStealer Steals Chrome Master Key Using a Debugger Trick

Wed, 20 May 2026 14:26:29 +0200

Chrome keeps saved passwords locked behind one master key. VoidStealer steals that key using a tool Chrome cannot block. It does not need administrator rights, does not touch the browser’s code, and when it is done, saved passwords, open login sessions, and stored payment cards are all readable. The technique had been sitting on GitHub as open-source research for over six months. Nobody had used it in the wild until now.

PamDOORa Steals SSH Credentials on Linux by Hiding Inside PAM Where No Antivirus Looks

Sun, 10 May 2026 12:12:16 +0200

A backdoor called PamDOORa targets Linux systems through PAM and steals SSH credentials from every user who logs in. It leaves no trace in process lists, antivirus, or logs. When the security team connects via SSH to investigate, their credentials get stolen too.

When someone logs into a Linux server, the system runs PAM to check the password. PAM stands for Pluggable Authentication Modules, and it handles authentication for everything that requires a login: SSH, sudo, the login prompt. Instead of building that check into each program separately, Linux sends everything through PAM using configuration files stored in /etc/pam.d/, one file per service. The file for SSH is /etc/pam.d/sshd. It tells PAM which modules to run, in what order, and what to do when one fails.

Microsoft Edge Stores Every Saved Password in Cleartext Memory at Startup

Tue, 05 May 2026 10:56:56 +0200

Microsoft Edge loads every saved password into memory the moment the browser opens. They sit there in plain readable text for the entire session, even for sites that are never visited during that session. Microsoft’s official response: this is by design.

A security researcher who goes by @L1v1ng0ffTh3L4N decided to test every major Chromium-based browser to see how each one actually handles stored credentials while running. He went through them one by one. Edge was the only browser he found behaving this way. He took his findings to the BigBiteOfTech conference on April 29, presented them there with Palo Alto Networks Norway, and then posted a proof-of-concept video on May 4 that pulled in 5,900 responses within hours. He also put a small tool on GitHub called EdgeSavedPasswordsDumper so anyone could check this on their own machine.

Bitwarden CLI Backdoored on npm for 93 Minutes

Fri, 24 Apr 2026 11:30:31 +0200

Bitwarden’s CLI was backdoored and pushed to npm on April 22, 2026. It was live for 93 minutes. Every developer who installed it during that window has to treat their entire machine as compromised. GitHub tokens, SSH keys, AWS credentials, cloud secrets. All of it.

If you followed the Shai-Hulud story back in November 2025, this will sound familiar. That attack spread through npm and hit packages from Zapier, Postman, PostHog, and hundreds of others. 132 million monthly downloads affected. Stolen credentials dumped into public GitHub repositories for anyone to find. This new attack names itself Shai-Hulud: The Third Coming, after the giant sandworms from Frank Herbert’s Dune. The irony is that this third wave specifically targets AI tools.

How TeamPCP Poisoned Six Python Packages and Breached Over 1000 Organizations in Five Weeks

Thu, 23 Apr 2026 11:10:52 +0200

A group of attackers has been quietly poisoning Python packages for five weeks straight. They have exfiltrated data from over 500,000 infected machines, hit more than 1,000 organizations, and confirmed victims include Aqua Security, Checkmarx, and government infrastructure including the European Commission’s AWS environment. Yesterday they struck again. This time the target was Xinference, an open-source framework used by developers to run AI models locally. Versions 2.6.0, 2.6.1, and 2.6.2 were compromised and have since been pulled from PyPI. If you installed or updated Xinference in the last 24 hours without pinning your version, you need to act now.