<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Supply Chain Attack on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/supply-chain-attack/</link><description>Recent content in Supply Chain Attack on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Tue, 16 Jun 2026 11:39:30 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/supply-chain-attack/index.xml" rel="self" type="application/rss+xml"/><item><title>OptinMonster Supply Chain Attack Hits 1.2 Million WordPress Sites</title><link>https://hackingpassion.com/optinmonster-supply-chain-backdoor/</link><pubDate>Tue, 16 Jun 2026 11:39:30 +0200</pubDate><guid>https://hackingpassion.com/optinmonster-supply-chain-backdoor/</guid><description>&lt;p>1.2 million WordPress sites were caught in a supply chain attack last week, where the admin&amp;rsquo;s own login quietly created a secret account and planted a hidden backdoor.
It came in through plugins they trusted, OptinMonster, TrustPulse and PushEngage, and it only fired on the sites where an administrator was logged in.&lt;/p>
&lt;p>Sansec found it on 13 June 2026. The poisoned script belonged to three popular WordPress plugins: OptinMonster, TrustPulse and PushEngage, all run by the same company, Awesome Motive. These plugins do the small marketing jobs many sites rely on: popups, social-proof notifications and browser push messages. To do that, each one loads a little piece of JavaScript called an SDK from the vendor&amp;rsquo;s own content delivery network, the CDN. That SDK is the part the attacker tampered with.&lt;/p></description></item><item><title>Hackers Hijacked 400 Arch Linux AUR Packages to Install Malware</title><link>https://hackingpassion.com/atomic-arch-aur-malware/</link><pubDate>Sat, 13 Jun 2026 12:46:22 +0200</pubDate><guid>https://hackingpassion.com/atomic-arch-aur-malware/</guid><description>&lt;p>More than 400 packages in the Arch User Repository (AUR) were hijacked this week, and the attacker never broke into a single system to do it. They took over packages whose makers had walked away, then let people install the malware during a routine update they had no reason to question. 🐧&lt;/p>
&lt;p>The AUR is the place where community members write and share the recipes for installing software that is not in the official Arch repositories. Publishing there is open to the community, and Arch-based systems pull straight from it. That openness is one of the reasons people love Arch, and it is also why this played out the way it did. The official Arch repositories were never touched.&lt;/p></description></item><item><title>Google Catches the First AI Built Zero-Day and Stops a Mass Attack Before It Starts</title><link>https://hackingpassion.com/gtig-ai-zero-day/</link><pubDate>Sun, 17 May 2026 13:18:03 +0200</pubDate><guid>https://hackingpassion.com/gtig-ai-zero-day/</guid><description>&lt;p>Google caught a criminal group that used AI to find a zero-day in a popular web admin tool and had a working exploit ready for a mass attack against thousands of systems. Google has never named the tool. The attack never launched. What gave them away was a &lt;strong>CVSS severity score inside the code for a vulnerability that has never been officially rated. The AI made up a number that does not exist.&lt;/strong>&lt;/p></description></item><item><title>How TeamPCP Poisoned Six Python Packages and Breached Over 1000 Organizations in Five Weeks</title><link>https://hackingpassion.com/pypi-supply-chain-attack-xinference-teampcp/</link><pubDate>Thu, 23 Apr 2026 11:10:52 +0200</pubDate><guid>https://hackingpassion.com/pypi-supply-chain-attack-xinference-teampcp/</guid><description>&lt;p>A group of attackers has been quietly poisoning Python packages for five weeks straight. They have exfiltrated data from over &lt;strong>500,000 infected machines&lt;/strong>, hit more than &lt;strong>1,000 organizations&lt;/strong>, and confirmed victims include &lt;strong>Aqua Security&lt;/strong>, &lt;strong>Checkmarx&lt;/strong>, and government infrastructure including the &lt;strong>European Commission&amp;rsquo;s AWS environment&lt;/strong>. Yesterday they struck again.
This time the target was &lt;strong>Xinference&lt;/strong>, an open-source framework used by developers to run AI models locally. Versions &lt;strong>2.6.0&lt;/strong>, &lt;strong>2.6.1&lt;/strong>, and &lt;strong>2.6.2&lt;/strong> were compromised and have since been pulled from PyPI. If you installed or updated Xinference in the last 24 hours without pinning your version, you need to act now.&lt;/p></description></item><item><title>Hackers Are Hijacking NGINX Servers Without Installing Malware</title><link>https://hackingpassion.com/nginx-hijacking-no-malware/</link><pubDate>Thu, 05 Feb 2026 13:58:06 +0100</pubDate><guid>https://hackingpassion.com/nginx-hijacking-no-malware/</guid><description>&lt;p>Hackers are hijacking NGINX web servers and rerouting live traffic through their own infrastructure. No malware installed, no vulnerability exploited. Just a few lines changed in a configuration file, and every visitor&amp;rsquo;s data flows through attacker-controlled servers without anyone noticing. 🧐&lt;/p>
&lt;p>NGINX is the most popular web server on the planet. It powers over 5 million websites and handles roughly one in three web connections worldwide. Banks, governments, and universities all depend on it. And right now, a campaign is silently turning these servers into traffic relays.&lt;/p></description></item><item><title>How eScan Antivirus Delivered Malware Instead of Protection</title><link>https://hackingpassion.com/escan-antivirus-breach-2026-technical-analysis/</link><pubDate>Tue, 03 Feb 2026 14:07:00 +0100</pubDate><guid>https://hackingpassion.com/escan-antivirus-breach-2026-technical-analysis/</guid><description>&lt;p>eScan antivirus got hacked. Again. Same company, same update infrastructure exploited, two years apart. This time: hundreds of machines infected in a 2-hour window.&lt;/p>
&lt;p>New findings dropped this week. Researchers confirmed the scope of the damage across South Asia. The vendor is now threatening legal action against the security firm that reported it. Two weeks after the attack, we now have the full picture of what went wrong.&lt;/p>
&lt;p>On January 20, 2026, eScan pushed a software update to customers. Nothing unusual, antivirus products update all the time. Except this update contained malware. It came through the official update channel, carried what looked like a legitimate digital signature, and installed itself with full system privileges. That is exactly how antivirus software is supposed to work, which made it the perfect delivery mechanism.&lt;/p></description></item><item><title>Notepad++ Supply Chain Attack Full Story</title><link>https://hackingpassion.com/notepad-plus-plus-supply-chain-attack/</link><pubDate>Mon, 02 Feb 2026 17:41:03 +0100</pubDate><guid>https://hackingpassion.com/notepad-plus-plus-supply-chain-attack/</guid><description>&lt;p>Notepad++ delivered malware for six months. From June to December 2025, the update system was compromised. Millions of people use this software. Some of them clicked update and got spyware instead of a patch. Here is what we now know. 🧐&lt;/p>
&lt;p>The attackers did not hack Notepad++ itself; they went after the hosting provider instead. On February 2, 2026, developer Don Ho published the full disclosure of what happened. The website notepad-plus-plus.org sat on a shared hosting server, which means it shared space and resources with other customers on the same machine. Once the attackers broke into that server, they could see all the traffic flowing through it and intercept whatever they wanted.&lt;/p></description></item><item><title>Three Names in Four Days and 1,800 Servers Leaking Credentials</title><link>https://hackingpassion.com/openclaw-moltbot-clawdbot-security-nightmare/</link><pubDate>Sat, 31 Jan 2026 13:45:01 +0100</pubDate><guid>https://hackingpassion.com/openclaw-moltbot-clawdbot-security-nightmare/</guid><description>&lt;p>Three names in four days! This AI assistant was Clawdbot, then Moltbot, and now OpenClaw. 1,800 exposed instances leaking API keys, passwords, and private messages. 💀 100,000 GitHub stars. Viral faster than almost any project in GitHub history.&lt;/p>
&lt;p>OpenClaw is an open-source AI personal assistant. Mac Minis sold out worldwide because people wanted dedicated machines to run it. Cloudflare stock jumped 14-20% from all the traffic. Two million visitors in a single week.&lt;/p></description></item><item><title>Snap Store Domain Hijacking Lets Attackers Push Malware Through Trusted Linux Apps</title><link>https://hackingpassion.com/snap-store-domain-hijacking/</link><pubDate>Fri, 23 Jan 2026 13:49:36 +0100</pubDate><guid>https://hackingpassion.com/snap-store-domain-hijacking/</guid><description>&lt;p>Attackers found a way to hijack legitimate apps in the Snap Store. 7000 packages. Millions of Linux users. One victim already lost 9 Bitcoin. That was $490,000. 🧐&lt;/p>
&lt;p>The Snap Store is the official app store for Ubuntu and other Linux distributions, run by Canonical. When developers publish apps, they sign up with an email on their own domain. Something like &lt;a href="mailto:dev@mycoolproject.tech" rel="">dev@mycoolproject.tech&lt;/a>. But domains expire. People forget to renew, move on to other things, and that domain goes back on the market for anyone to grab.&lt;/p></description></item><item><title>Two Missing Characters Nearly Compromised the AWS Supply Chain</title><link>https://hackingpassion.com/aws-supply-chain-vulnerability/</link><pubDate>Sat, 17 Jan 2026 13:49:16 +0100</pubDate><guid>https://hackingpassion.com/aws-supply-chain-vulnerability/</guid><description>&lt;p>Netflix. Twitch. iCloud. The servers of the CIA and NSA. 30% of all cloud infrastructure worldwide runs on Amazon Web Services. Two missing characters in a regex filter nearly compromised all of it. 😬&lt;/p>
&lt;p>A &lt;code>^&lt;/code> at the start and a &lt;code>$&lt;/code> at the end. That&amp;rsquo;s what was missing from a security filter, and that&amp;rsquo;s all it would have taken for attackers to inject malicious code into the AWS JavaScript SDK.&lt;/p></description></item><item><title>European Space Agency Hacked: 200GB Stolen in 7 Days, Data Sold on FBI Honeypot</title><link>https://hackingpassion.com/esa-breach-200gb-data-stolen/</link><pubDate>Mon, 05 Jan 2026 15:31:00 +0100</pubDate><guid>https://hackingpassion.com/esa-breach-200gb-data-stolen/</guid><description>&lt;p>€7.68 billion budget. 3,000 staff. A brand new Cyber Security Operations Centre opened. A hacker spent 7 days inside their systems downloading 200GB of data. Data for sale on FBI honeypot 😏 On December 18, a hacker using the alias &amp;ldquo;888&amp;rdquo; got into ESA servers. JIRA project management. Bitbucket code repositories. Internal documentation systems. For seven days, nobody noticed.&lt;/p>
&lt;p>On December 26, screenshots appeared on BreachForums. On December 30, ESA finally confirmed the breach.&lt;/p></description></item><item><title>Malicious npm Package Stole WhatsApp Messages for 6 Months: 56,000 Downloads</title><link>https://hackingpassion.com/lotusbail-npm-whatsapp-credential-theft/</link><pubDate>Wed, 24 Dec 2025 14:06:00 +0100</pubDate><guid>https://hackingpassion.com/lotusbail-npm-whatsapp-credential-theft/</guid><description>&lt;p>56,000 downloads. 6 months online. A WhatsApp library on npm was stealing credentials, messages, and contacts. Nobody noticed. 🤔 The package is called &amp;ldquo;lotusbail&amp;rdquo; and it looks like a legitimate fork of the popular WhatsApp API library @whiskeysockets/baileys.&lt;/p>
&lt;p>Same functionality. Works perfectly. Send messages, receive messages, handle media. Everything you&amp;rsquo;d expect.&lt;/p>
&lt;p>Except it does something extra.&lt;/p>
&lt;p>→ Your WhatsApp authentication tokens
→ Every message you send and receive
→ Your complete contact list with phone numbers
→ All media files and documents
→ Session keys for persistent access&lt;/p></description></item></channel></rss>