CLEARSHORT smart-contract stealer delivery chain

Malware Activity
First reported
Last updated
Happening score
H score 19
1 unique source, 1 article

Summary

The CLEARSHORT downloader is actively delivering Atomic (AMOS), Lumma, Rhadamanthys, and Vidar through hacked sites, putting Windows and Apple macOS users at risk. The chain matters because it hides payload delivery behind BNB Smart Chain smart contracts and compromised WordPress pages, making disruption and takedown harder. The delivery flow also uses ClickFix lures to push victims into running malicious commands.

Related Happenings

Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation

Malware Activity
First: 26.05.2026 08:19 Last: 26.05.2026 08:19 Sources 1

About this happening: The **Godzilla (BLUEBEAM)** web shell is now being used after **CVE-2026-5426** exploitation to run commands and stage **Cobalt Strike Beacon**, giving attackers a durable foothol...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

RoshniNaveenaS's account hit by network compromise

Incident
First: 29.04.2026 19:26 Last: 29.04.2026 19:26 Sources 1

About this happening: The **RoshniNaveenaS** account was **compromised**, enabling attackers to publish malicious **@cap-js** releases without provenance and putting downstream **npm** consumers at ris...

Famous Chollima PromptMink supply-chain campaign targeting Web3 developers

Campaign
First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....

UNC1069 Axios npm supply-chain campaign targeting build pipelines

Campaign
First: 01.04.2026 10:44 Last: 01.04.2026 10:44 Sources 1

About this happening: The **Axios npm supply-chain compromise** has been tied to **UNC1069**, putting **npm consumers** and downstream **build pipelines** at risk from trojanized releases. Attackers se...

Latest development: 13.04.2026 20:39

OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.

Timeline

  1. 16.10.2025 17:52 1 article · 7mo ago

    UNC5142 secondary smart-contract infrastructure funded

    Campaign Scope Update

    UNC5142 funded a parallel Secondary smart-contract infrastructure for the CLEARSHORT delivery chain on February 18, 2025, adding a tactical deployment that could support campaign surges, new lures, or operational resilience.

  2. 16.10.2025 17:52 2 articles · 7mo ago

    CLEARSHORT smart-contract stealer delivery chain disclosed

    Initial Disclosure

    UNC5142 is publicly disclosed as a financially motivated campaign that abuses compromised WordPress sites and BNB Smart Chain smart contracts via EtherHiding to distribute Atomic (AMOS), Lumma, Rhadamanthys (aka RADTHIEF), and Vidar to Windows and Apple macOS systems through the CLEARSHORT downloader and ClickFix social engineering.
