LastPass and Bitwarden fake-breach phishing campaign
Campaign
Summary
An ongoing phishing campaign is impersonating LastPass and Bitwarden to push users toward a fake desktop password-manager app, creating a risk of PC hijacking and data theft. The lure uses fabricated breach alerts to increase urgency and steer recipients to a malicious download path. The activity started over the Columbus Day holiday weekend and appears designed to blend social engineering with remote-access tooling.
Related Happenings
OAuth device-code phishing campaign targeting SaaS accounts
Campaign
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
A **device code phishing** campaign now includes **EvilTokens**, a **phishing-as-a-service** kit sold on **Telegram** that uses the **OAuth 2.0 device authorization flow** to hija...
TikTok for Business phishing campaign using Turnstile and reverse proxy
Campaign
First: 26.03.2026 16:09
Last: 26.03.2026 16:09
Sources 1
About this happening:
A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...
Compromised legitimate WordPress websites used to infect visitors with infostealer malware campaign expands across multiple victims
Campaign
First: 11.03.2026 16:45
Last: 11.03.2026 16:45
Sources 1
About this happening:
A **global ClickFix campaign** is abusing compromised **WordPress** sites to push **infostealer malware** to visitors, putting credentials and financial data at risk. The operatio...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
LastPass users phishing campaign using fake support threads
Campaign
First: 04.03.2026 22:44
Last: 04.03.2026 22:44
Sources 1
About this happening:
A **phishing campaign** is targeting **LastPass users** with fake account-access alerts, putting **vault credentials** at risk. The lure uses spoofed support threads and urgent li...
Timeline
- 15.10.2025 22:22 · 2 articles · 7mo ago
Fake LastPass and Bitwarden breach alerts
Initial Disclosure
An ongoing phishing campaign targets LastPass and Bitwarden users with fake emails claiming the password managers were hacked and urging recipients to download a supposedly more secure desktop app. The downloaded binary installs Syncro MSP tooling, which the threat actors use to deploy ScreenConnect for remote access. Cloudflare is blocking the fraudulent landing pages as phishing attempts.
Sources:
- Fake LastPass, Bitwarden breach alerts lead to PC hijacks — www.bleepingcomputer.com — 15.10.2025 22:22