Malicious npm package 'lotusbail' steals WhatsApp credentials and messages
Summary
A malicious npm package named 'lotusbail' has been discovered which poses as a legitimate WhatsApp Web API library. The package steals WhatsApp authentication tokens and session keys, intercepts messages, and exfiltrates contact lists and media files. It has been available for at least six months and has over 56,000 downloads. The package also links the attacker's device to the victim's WhatsApp account, granting persistent access even after the package is removed. Researchers recommend checking for rogue linked devices and monitoring runtime behavior for unexpected outbound connections. The package was uploaded by a user named 'seiren_primrose' in May 2025 and has been downloaded 711 times in the last week. It uses a malicious WebSocket wrapper to capture credentials and chats, and the stolen data is transmitted to an attacker-controlled URL in encrypted form. The package also uses a hard-coded pairing code to hijack the device linking process and enters an infinite loop trap when debugging tools are detected.
Timeline
- 22.12.2025 18:08 (2 articles): Malicious npm package 'lotusbail' steals WhatsApp credentials and messages
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
Information Snippets
- The malicious package 'lotusbail' is a fork of the popular WhiskeySockets Baileys project.
  First reported: 22.12.2025 18:08 (2 sources, 2 articles)
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The package has been available on npm for at least six months and has accumulated over 56,000 downloads.
  First reported: 22.12.2025 18:08 (2 sources, 2 articles)
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The package steals WhatsApp authentication tokens and session keys, intercepts messages, and exfiltrates contact lists and media files.
  First reported: 22.12.2025 18:08 (2 sources, 2 articles)
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The captured information is encrypted with a custom RSA implementation and multiple layers of obfuscation.
  First reported: 22.12.2025 18:08 (1 source, 1 article)
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
- The package links the attacker's device to the victim's WhatsApp account, granting persistent access.
  First reported: 22.12.2025 18:08 (2 sources, 2 articles)
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The package uses 27 infinite loop traps to make debugging and analysis harder.
  First reported: 22.12.2025 18:08 (2 sources, 2 articles)
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- Developers are recommended to remove the package and check for rogue linked devices.
  First reported: 22.12.2025 18:08 (2 sources, 2 articles)
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- Researchers emphasize the importance of monitoring runtime behavior for unexpected outbound connections.
  First reported: 22.12.2025 18:08 (2 sources, 2 articles)
  Sources:
  - Malicious npm package steals WhatsApp accounts and messages — www.bleepingcomputer.com — 22.12.2025 18:08
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The package was uploaded by a user named 'seiren_primrose' in May 2025.
  First reported: 22.12.2025 18:28 (1 source, 1 article)
  Sources:
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The package has been downloaded 711 times in the last week.
  First reported: 22.12.2025 18:28 (1 source, 1 article)
  Sources:
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The package uses a malicious WebSocket wrapper to capture credentials and chats.
  First reported: 22.12.2025 18:28 (1 source, 1 article)
  Sources:
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The stolen data is transmitted to an attacker-controlled URL in encrypted form.
  First reported: 22.12.2025 18:28 (1 source, 1 article)
  Sources:
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The package uses a hard-coded pairing code to hijack the device linking process.
  First reported: 22.12.2025 18:28 (1 source, 1 article)
  Sources:
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
- The package enters an infinite loop trap when debugging tools are detected.
  First reported: 22.12.2025 18:28 (1 source, 1 article)
  Sources:
  - Fake WhatsApp API Package on npm Steals Messages, Contacts, and Login Tokens — thehackernews.com — 22.12.2025 18:28
Similar Happenings
Malicious npm Packages Redirecting Users to Crypto Sites
A malware campaign involving seven npm packages has been identified, operated by the threat actor dino_reborn. The packages use cloaking tools, anti-analysis controls, and fake crypto-exchange CAPTCHAs to redirect victims to malicious URLs. The packages were taken down following security requests. The campaign employed detailed device fingerprinting and dynamic redirects through the Adspect API. The malware disabled user interactions and detected security researcher tools, displaying a white page to researchers while redirecting victims to malicious sites. The packages involved are signals-embed, dsidospsodlks, applicationooks21, application-phskck, integrator-filescrypt2025, integrator-2829, and integrator-2830.
SORVEPOTEL, Maverick, and Eternidade Stealer Malware Campaigns Target Brazilian Banks via WhatsApp
A self-spreading malware named SORVEPOTEL targets Brazilian users via WhatsApp. The malware spreads through phishing messages containing malicious ZIP files, primarily affecting Windows systems. The campaign is designed for rapid propagation rather than data theft or ransomware. The malware exploits the trust in WhatsApp to spread across contacts and groups, leading to account bans for excessive spam. The majority of infections are concentrated in Brazil, impacting various sectors including government, public service, and technology. The malware uses a Windows shortcut (LNK) file to execute a PowerShell script, which retrieves the main payload and establishes persistence on the infected system. It also communicates with a command-and-control (C2) server for further instructions. New findings reveal that SORVEPOTEL is linked to a banking malware called Maverick, which targets Brazilian banks and monitors active browser window tabs for URLs matching financial institutions. The malware uses IMAP connections to terra.com[.]br email accounts using hardcoded email credentials to retrieve commands and implements a sophisticated remote control mechanism that allows the adversary to pause, resume, and monitor the WhatsApp propagation in real-time. A newly identified banking Trojan known as Eternidade Stealer has been observed pushing Brazil’s cybercrime ecosystem into a more aggressive phase, with attackers using WhatsApp as both an entry point and a propagation tool. The malware combines a WhatsApp-propagating worm, a Delphi-based stealer, and an MSI dropper to harvest financial data, system details, and contact lists. The campaign leverages a combination of social engineering and WhatsApp hijacking to distribute the trojan, using an obfuscated Visual Basic Script to drop a batch script that delivers two payloads: a Python script for WhatsApp Web-based dissemination and an MSI installer for Eternidade Stealer. 
The malware harvests a victim's entire contact list, filters out groups, business contacts, and broadcast lists, and sends a malicious attachment to all contacts. The MSI installer drops several payloads, including an AutoIt script that checks if the compromised system is based in Brazil by inspecting the operating system language. The script scans running processes and registry keys to ascertain the presence of installed security products and profiles the machine, sending details to a C2 server. The malware injects the Eternidade Stealer payload into 'svchost.exe' using process hollowing. Eternidade Stealer continuously scans active windows and running processes for strings related to banking portals, payment services, and cryptocurrency exchanges and wallets. The malware uses a terra.com[.]br email address to fetch C2 details, mirroring a tactic recently adopted by Water Saci. The campaign's backend was traced to two panels, one for managing the Redirector System and another login panel, used to monitor infected hosts. The threat actor Water Saci is using a sophisticated, highly layered infection chain that uses HTML Application (HTA) files and PDFs to propagate a worm that deploys a banking trojan via WhatsApp in attacks targeting users in Brazil. The latest wave is characterized by the attackers shifting from PowerShell to a Python-based variant that spreads the malware in a worm-like manner over WhatsApp Web. The PDF lure instructs victims to update Adobe Reader by clicking on an embedded link. Users who receive HTA files are deceived into executing a Visual Basic Script immediately upon opening, which then runs PowerShell commands to fetch next-stage payloads from a remote server, an MSI installer for the trojan and a Python script that's responsible for spreading the malware via WhatsApp Web. The MSI installer serves as a conduit for delivering the banking trojan using an AutoIt script. 
The script also runs checks to ensure that only one instance of the trojan is running at any given point of time. The script verifies the presence of a marker file named "executed.dat." If it does not exist, the script creates the file and notifies an attacker-controlled server ("manoelimoveiscaioba[.]com"). The script analyzes the user's Google Chrome browsing history to search visits to banking websites, specifically a hard-coded list comprising Santander, Banco do Brasil, Caixa Econômica Federal, Sicredi, and Bradesco. The script then proceeds to another critical reconnaissance step that involves checking for installed antivirus and security software, as well as harvesting detailed system metadata. The main functionality of the malware is to monitor open windows and extract their window titles to compare them against a list of banks, payment platforms, exchanges, and cryptocurrency wallets. If any of these windows contain keywords related to targeted entities, the script looks for a TDA file dropped by the installer and decrypts and injects it into a hollowed "svchost.exe" process, following which the loader searches for an additional DMP file containing the banking trojan. The banking trojan deployed is not Maverick, but rather a malware that exhibits structural and behavioral continuity with Casbaneiro. The trojan carries out "aggressive" anti-virtualization checks to sidestep analysis and detection, and gathers host information through Windows Management Instrumentation (WMI) queries. The trojan makes Registry modifications to set up persistence and establishes contact with a C2 server ("serverseistemasatu[.]com") to send the collected details and receive backdoor commands that grant remote control over the infected system. The trojan forcibly terminates several browsers to force victims to reopen banking sites under "attacker-controlled conditions." 
The second aspect of the campaign is the use of a Python script, an enhanced version of its PowerShell predecessor, to enable malware delivery to every contact via WhatsApp Web sessions using the Selenium browser automation tool. There is "compelling" evidence to suggest that Water Saci may have used a large language model (LLM) or code-translation tool to port their propagation script from PowerShell to Python, given the functional similarities between the two versions and the inclusion of emojis in console outputs. The development comes as Brazilian banking users are also being targeted by a previously undocumented Android malware dubbed RelayNFC that's designed to carry out Near-Field Communication (NFC) relay attacks and siphon contactless payment data. RelayNFC implements a full real-time APDU relay channel, allowing attackers to complete transactions as though the victim's card were physically present. The malware is built using React Native and Hermes bytecode, which complicates static analysis and helps evade detection. Primarily spread via phishing, the attack makes use of decoy Portuguese-language sites (e.g., "maisseguraca[.]site") to trick users into installing the malware under the pretext of securing their payment cards. The end goal of the campaign is to capture the victim's card details and relay them to attackers, who can then perform fraudulent transactions using the stolen data. The cybersecurity company said its investigation also uncovered a separate phishing site ("test.ikotech[.]online") that distributes an APK file with a partial implementation of Host Card Emulation (HCE), indicating that the threat actors are experimenting with different NFC relay techniques.
Supply Chain Attack Targets npm Packages with Over 2.6 Billion Weekly Downloads
A supply chain attack involving multiple npm packages with over 2.6 billion weekly downloads has been discovered. The attack, which began in April 2025, involved the injection of malicious code into npm packages after compromising a maintainer's account via a phishing attack. The malicious code targets cryptocurrency wallets, including Atomic and Exodus, and redirects transactions to addresses controlled by threat actors. The attack has now expanded to include additional maintainers and packages, further broadening its impact. The malicious packages were removed within two hours of the attack, and the injected code targeted browser environments, hooking Ethereum and Solana signing requests. The attack was discovered and mitigated quickly, preventing more severe security incidents. The attack follows a series of similar incidents targeting JavaScript libraries, emphasizing the ongoing threat to the npm ecosystem and the broader supply chain. The compromised packages include popular ones such as ansi-regex, ansi-styles, chalk, debug, and others, collectively attracting over 2 billion weekly downloads. The malicious code operates by intercepting network traffic and application APIs, targeting various cryptocurrencies including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. At least 18 popular JavaScript code packages were compromised, collectively downloaded more than two billion times each week. The attack was narrowly focused on stealing cryptocurrency but highlights the potential for more disruptive malware outbreaks. The incident underscores the vulnerability of widely-used code maintained by a small number of developers and the need for stronger authentication measures.
Malicious nx Packages Exfiltrate Credentials in 's1ngularity' Supply Chain Attack
The Shai-Hulud worm, a self-replicating malware, has compromised at least 187 npm packages, affecting multiple maintainers. The attack uses a self-propagating mechanism to infect other packages by the same maintainer, modifying package.json, injecting a bundle.js script, repacking the archive, and republishing it. The malware uses TruffleHog to search the host for tokens and cloud credentials, creating unauthorized GitHub Actions workflows within repositories and exfiltrating sensitive data to a hardcoded webhook endpoint. The attack is named 'Shai-Hulud' after the shai-hulud.yaml workflow files used by the malware and follows the 's1ngularity' attack, potentially orchestrated by the same attackers. The attack unfolded in three phases, impacting 2,180 accounts and 7,200 repositories. The first phase, between August 26 and 27, directly impacted 1,700 users, leaking over 2,000 unique secrets and exposing 20,000 files. The second phase, between August 28 and 29, compromised an additional 480 accounts, mostly organizations, and exposed 6,700 private repositories. The third phase, beginning on August 31, targeted a single victim organization, publishing an additional 500 private repositories. The attackers used AI-powered CLI tools like Claude, Q, and Gemini to dynamically scan for high-value secrets, tuning the prompts for better success. A second wave of attacks, dubbed Sha1-Hulud, has compromised hundreds of npm packages. This new campaign introduces a variant that executes malicious code during the preinstall phase, increasing potential exposure in build and runtime environments. The attackers add a preinstall script (setup_bun.js) in the package.json file, which installs or locates the Bun runtime and runs a bundled malicious script (bun_environment.js). The malicious payload registers the infected machine as a self-hosted runner named SHA1HULUD and adds a workflow called .github/workflows/discussion.yaml. 
The malware downloads and runs TruffleHog to scan the local machine, stealing sensitive information such as NPM Tokens, AWS/GCP/Azure credentials, and environment variables. Wiz researchers identified over 25,000 affected repositories across about 350 unique users, with 1,000 new repositories being added consistently every 30 minutes in the last couple of hours. The second wave is more aggressive, with the malware attempting to destroy the victim's entire home directory if it fails to authenticate or establish persistence. The wiper-like functionality is triggered only if the malware cannot authenticate to GitHub, create a GitHub repository, fetch a GitHub token, or find an npm token. Organizations are urged to scan all endpoints for impacted packages, remove compromised versions, rotate all credentials, and audit repositories for persistence mechanisms. The new Shai-Hulud worm targets popular projects like Zapier and PostHog. The new version can infect up to 100 npm packages, compared to 20 in the previous version. The malware has an unusual structure, split into two files to evade detection. The first file checks for and installs a non-standard 'bun' JavaScript runtime, while the second file is a massive malicious source file that publishes stolen data to .json files in a randomly named GitHub repository. The size and structure of the file confuse AI analysis tools, causing inconsistent analysis results. The worm is scaling rapidly, with 1000 new repositories discovered every 30 minutes. The worm poses a significant risk to the software industry and end users, potentially leading to data breaches, ransomware footholds, and a loss of trust in the npm ecosystem. The second wave of the Shai-Hulud supply chain attack has spilled over to the Maven ecosystem after compromising more than 830 packages in the npm registry. 
A Maven Central package named org.mvnpm:posthog-node:4.18.1 was identified to embed the same two components associated with Sha1-Hulud: the 'setup_bun.js' loader and the main payload 'bun_environment.js'. The Maven Central package is not published by PostHog itself but is generated via an automated mvnpm process that rebuilds npm packages as Maven artifacts. The 'second coming' of the supply chain incident has targeted developers globally to steal sensitive data like API keys, cloud credentials, and npm and GitHub tokens. The latest iteration of the attack is more stealthy, aggressive, scalable, and destructive. The attack allows threat actors to gain unauthorized access to npm maintainer accounts and publish trojanized versions of their packages. When unsuspecting developers download and run these libraries, the embedded malicious code backdoors their own machines and scans for secrets and exfiltrates them to GitHub repositories using the stolen tokens. The attack accomplishes this by injecting two rogue workflows, one of which registers the victim machine as a self-hosted runner and enables arbitrary command execution whenever a GitHub Discussion is opened. A second workflow is designed to systematically harvest all secrets. Over 28,000 repositories have been affected by the incident. This version significantly enhances stealth by utilizing the Bun runtime to hide its core logic and increases its potential scale by raising the infection cap from 20 to 100 packages. It also uses a new evasion technique, exfiltrating stolen data to randomly named public GitHub repositories instead of a single, hard-coded one. The attacks illustrate how trivial it is for attackers to take advantage of trusted software distribution pathways to push malicious versions at scale and compromise thousands of downstream developers. 
The self-replication nature of the malware means a single infected account is enough to amplify the blast radius of the attack and turn it into a widespread outbreak in a short span of time. Further analysis by Aikido has uncovered that the threat actors exploited vulnerabilities, specifically focusing on CI misconfigurations in pull_request_target and workflow_run workflows, in existing GitHub Actions workflows to pull off the attack. The vulnerability used the risky pull_request_target trigger in a way that allowed code supplied by any new pull request to be executed during the CI run. A single misconfiguration can turn a repository into a patient zero for a fast-spreading attack, giving an adversary the ability to push malicious code through automated pipelines you rely on every day. It's assessed that the activity is the continuation of a broader set of attacks targeting the ecosystem that commenced with the August 2025 S1ngularity campaign impacting several Nx packages on npm. As a new and significantly more aggressive wave of npm supply chain malware, Shai-Hulud 2 combines stealthy execution, credential breadth, and fallback destructive behavior, making it one of the most impactful supply chain attacks of the year. This malware shows how a single compromise in a popular library can cascade into thousands of downstream applications by trojanizing legitimate packages during installation. Data compiled by GitGuardian, OX Security, and Wiz shows that the campaign has leaked hundreds of GitHub access tokens and credentials associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. More than 5,000 files were uploaded to GitHub with the exfiltrated secrets. GitGuardian's analysis of 4,645 GitHub repositories has identified 11,858 unique secrets, out of which 2,298 remained valid and publicly exposed as of November 24, 2025. 
Users are advised to rotate all tokens and keys, audit all dependencies, remove compromised versions, reinstall clean packages, and harden developer and CI/CD environments with least-privilege access, secret scanning, and automated policy enforcement. Sha1-Hulud is another reminder that the modern software supply chain is still way too easy to break. A single compromised maintainer and a malicious install script is all it takes to ripple through thousands of downstream projects in a matter of hours. The techniques attackers are using are constantly evolving. Most of these attacks don't rely on zero-days. They exploit the gaps in how open source software is published, packaged, and pulled into production systems. The only real defense is changing the way software gets built and consumed. The Shai-Hulud worm dynamically installs Bun during package installation to evade traditional defenses tuned specifically to observe Node.js behavior. GitGuardian's analysis revealed a total of 294,842 secret occurrences, which correspond to 33,185 unique secrets. Of these, 3,760 were valid as of November 27, 2025. The stolen secrets included GitHub access tokens, Slack webhook URLs, GitHub OAuth tokens, AWS IAM keys, OpenAI Project API keys, Slack bot tokens, Claude API keys, Google API Keys, and GitLab tokens. Trigger.dev suffered credential theft and unauthorized access to its GitHub organization due to the Shai-Hulud worm. The Python Package Index (PyPI) repository was not impacted by the supply chain incident. The second Shai-Hulud attack last week exposed around 400,000 raw secrets after infecting hundreds of packages in the NPM registry and publishing stolen data in 30,000 GitHub repositories. Although just about 10,000 of the exposed secrets were verified as valid by the open-source TruffleHog scanning tool, researchers at cloud security platform Wiz say that more than 60% of the leaked NPM tokens were still valid as of December 1st. 
The Shai-Hulud threat emerged in mid-September, compromising 187 NPM packages with a self-propagating payload that identified account tokens using TruffleHog, injected a malicious script into the packages, and automatically published them on the platform. In the second attack, the malware impacted over 800 packages (counting all infected versions of a package) and included a destructive mechanism that wiped the victim’s home directory if certain conditions were met. The malware used TruffleHog without the 'only-verified' flag, meaning that the 400,000 exposed secrets match a known format and may not be valid or usable anymore. Analysis of 24,000 environment.json files showed that roughly half of them were unique, with 23% corresponding to developer machines, and the rest coming from CI/CD runners and similar infrastructure. Most of the infected machines, 87% of them, are Linux systems, while most infections (76%) were on containers. Regarding the CI/CD platform distribution, GitHub Actions led by far, followed by Jenkins, GitLab CI, and AWS CodeBuild. The top package was @postman/[email protected], followed by @asyncapi/[email protected]. These two packages together accounted for more than 60% of all the infections. Wiz believes that the perpetrators behind Shai-Hulud will continue to refine and evolve their techniques, and predicts that more attack waves will emerge in the near future, potentially leveraging the massive credential trove harvested so far.
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
The ClickFix malware campaign has evolved to include multi-OS support and video tutorials that guide victims through the self-infection process. The campaign, which uses fake Cloudflare CAPTCHA pages and malicious PowerShell scripts, has been observed deploying various payloads, including information stealers and backdoors.

The FileFix attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr.d0x, uses the address bar in File Explorer to execute malicious commands. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated. The StealC malware targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar. The attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC. The attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts. The FileFix attack is more likely to be detected by security products because the payload is executed by the victim's web browser. The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact.

The MetaStealer attack, a variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware.

Recently, threat actors have been abusing the decades-old Finger protocol to retrieve and execute remote commands on Windows devices. The Finger protocol is used to deliver commands that create a random-named path, download a zip archive disguised as a PDF, and extract a Python malware package. The Python program is executed using pythonw.exe __init__.py, and a callback is made to the attacker's server to confirm execution. A related batch file indicates that the Python package is an infostealer. Another campaign uses the Finger protocol to retrieve and run commands that look for malware research tools and exit if found. If no malware analysis tools are found, the commands download a zip archive disguised as PDF files and extract the NetSupport Manager RAT package. The commands configure a scheduled task to launch the remote access malware when the user logs in. The Finger protocol abuse appears to be carried out by a single threat actor conducting ClickFix attacks.

A new EVALUSION ClickFix campaign has been discovered, delivering Amatera Stealer and NetSupport RAT. Amatera Stealer, an evolution of ACR Stealer, is available under a malware-as-a-service (MaaS) model and targets crypto-wallets, browsers, messaging applications, FTP clients, and email services. It employs advanced evasion techniques such as WoW64 SysCalls and is packed using PureCrypter. The stealer is injected into the MSBuild.exe process to harvest sensitive data and contact an external server to execute a PowerShell command to fetch and run NetSupport RAT.

The campaign also involves phishing attacks using various malware families and phishing kits named Cephas and Tycoon 2FA. Tycoon 2FA is a phishing kit that bypasses multi-factor authentication (MFA) and authentication apps by intercepting usernames, passwords, session cookies, and MFA flows in real time. It has been used in over 64,000 attacks this year, primarily targeting Microsoft 365 and Gmail. Tycoon 2FA includes anti-detection layers and can lead to total session takeover, allowing attackers to move laterally into various enterprise systems. Legacy MFA methods are vulnerable to Tycoon 2FA, and phishing-proof MFA solutions like Token Ring and Token BioStick are recommended to prevent such attacks.

A new operation embedding StealC V2 inside Blender project files has been observed targeting victims for at least six months. The attackers placed manipulated .blend files on platforms such as CGTrader, where users downloaded them as routine 3D assets. When opened with Blender's Auto Run feature enabled, the files executed concealed Python scripts that launched a multistage infection. The infection chain began with a tampered Rig_Ui.py script embedded inside the .blend file. This script fetched a loader from a remote workers.dev domain, which then downloaded a PowerShell stage and two ZIP archives containing Python-based stealers. Once extracted into the Windows temp directory, the malware created LNK files to secure persistence, then used Pyramid C2 channels to retrieve encrypted payloads. StealC V2, promoted on underground forums since April 2025, has rapidly expanded its feature set. It now targets more than 23 browsers, over 100 plugins, more than 15 desktop wallets, and a range of messaging, VPN and mail clients. Its pricing, from $200 per month to $800 for 6 months, has made it accessible to low-tier cybercriminals seeking ready-to-use tools.

ClickFix attack variants have been observed using a realistic-looking Windows Update animation in a full-screen browser page to trick users into executing malicious commands. The new ClickFix variants drop the LummaC2 and Rhadamanthys information stealers. The attack uses steganography to encode the final malware payload inside an image. The process involves multiple stages that use PowerShell code and a .NET assembly (the Stego Loader) responsible for reconstructing the final payload, which is embedded inside a PNG file in encrypted form. The shellcode holding the infostealer samples is packed using the Donut tool. The Rhadamanthys variant that used the Windows Update lure was first spotted by researchers back in October, before Operation Endgame took down parts of its infrastructure on November 13.

A new campaign codenamed JackFix leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising. The JackFix campaign displays highly convincing fake Windows update screens in an attempt to get the victim to run malicious code. The attack heavily leans on obfuscation to conceal ClickFix-related code and blocks users from escaping the full-screen alert by disabling the Escape, F11, F5 and F12 keys. The initial command executed is an MSHTA payload that's launched using the legitimate mshta.exe binary, which contains JavaScript designed to run a PowerShell command to retrieve another PowerShell script from a remote server. The PowerShell script attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for command-and-control (C2) addresses and paths where the payloads are staged. The PowerShell script serves up to eight different payloads, including Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey, and other unspecified loaders and RATs. The threat actor often changes the URI used to host the first mshta.exe stage and has been observed moving from hosting the second stage on the domain securitysettings.live to xoiiasdpsdoasdpojas.com, although both point to the same IP address 141.98.80.175.

An initial access broker tracked as Storm-0249 is abusing endpoint detection and response solutions and trusted Microsoft Windows utilities to load malware and establish communication and persistence in preparation for ransomware attacks. The threat actor has moved beyond mass phishing and adopted stealthier, more advanced methods that prove effective and difficult for defenders to counter. In one attack analyzed by researchers at cybersecurity company ReliaQuest, Storm-0249 leveraged the SentinelOne EDR components to hide malicious activity. The attack started with ClickFix social engineering that tricked users into pasting and executing curl commands in the Windows Run dialog to download a malicious MSI package with SYSTEM privileges. A malicious PowerShell script is also fetched from a spoofed Microsoft domain and piped straight into memory, never touching the disk and thus evading antivirus detection. The MSI file drops a malicious DLL (SentinelAgentCore.dll), which is placed strategically alongside the pre-existing, legitimate SentinelAgentWorker.exe that is already installed as part of the victim's SentinelOne EDR. Next, the attacker loads the DLL using the signed SentinelAgentWorker (DLL sideloading), executing the file within the trusted, privileged EDR process and obtaining stealthy persistence that survives operating system updates. Once the attacker gains access, they use the SentinelOne component to collect system identifiers through legitimate Windows utilities like reg.exe and findstr.exe, and to funnel encrypted HTTPS command-and-control (C2) traffic. The compromised systems are profiled using 'MachineGuid,' a unique hardware-based identifier that ransomware groups like LockBit and ALPHV use to bind encryption keys to specific victims. The abuse of trusted, signed EDR processes bypasses nearly all traditional monitoring. The researchers recommend that system administrators rely on behavior-based detection that identifies trusted processes loading unsigned DLLs from non-standard paths. Furthermore, it is helpful to set stricter controls for curl, PowerShell, and LoLBin execution.

A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without needing the victim's password or having to bypass multi-factor authentication (MFA). ConsentFix tricks victims into completing the Azure CLI OAuth flow and steals the resulting authorization code, which is exchanged for full account access. The attack starts with victims landing on a compromised, legitimate website that ranks high in Google Search results. Victims are shown a fake Cloudflare Turnstile CAPTCHA widget that asks for a valid business email address, filtering out bots and non-targets. Victims are instructed to click a 'Sign in' button that opens a legitimate Microsoft URL in a new tab, leading to an Azure login page. The attack completes when victims paste the URL containing the Azure CLI OAuth authorization code into the malicious page, granting attackers access to the Microsoft account via Azure CLI. The attack triggers only once per victim IP address, preventing repeated phishing attempts on the same IP. Defenders are advised to monitor for unusual Azure CLI login activity, such as logins from new IP addresses, and to check for legacy Graph scopes used by attackers to evade detection.
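Two of the defensive recommendations above lend themselves to concrete detection logic: the Storm-0249 advice to flag trusted processes loading unsigned DLLs or DLLs from non-standard paths, and the ConsentFix advice to watch Azure CLI sign-ins from previously unseen IP addresses and for use of the legacy Graph API. The following is an added example written for this page, not code from the researchers cited here; it runs two such rules over constructed Sysmon-style image-load events and Entra-style sign-in records. The trusted-process and standard-DLL directory lists, the sample file paths, the `resource` field name, the per-user baseline of known IPs, and the mapping of "legacy Graph" to the `graph.windows.net` audience are assumptions for the demo; the Azure CLI app id is the well-known first-party value and should be verified against your own tenant's sign-in logs.

```python
"""Two behaviour-based checks from the reports above, run over constructed sample events.

Rule 1 (Storm-0249): a trusted vendor/EDR process loading an unsigned DLL, or a DLL
from a non-standard path.  Rule 2 (ConsentFix): Azure CLI sign-ins from an IP never
seen for that user, or requesting a token for the legacy Azure AD Graph resource.
"""

# Well-known first-party app id of the Azure CLI (assumption: confirm in your tenant's logs).
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
LEGACY_GRAPH_HOST = "graph.windows.net"   # Azure AD Graph, the legacy API surface

# Directory lists are assumptions for this demo; tune them to the estate being monitored.
STANDARD_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
TRUSTED_PROCESS_DIRS = (r"C:\Program Files\SentinelOne", r"C:\Windows\System32")


def _under(path: str, roots) -> bool:
    """Case-insensitive 'path lies inside one of roots' test for Windows paths."""
    p = path.lower()
    return any(p.startswith(r.lower().rstrip("\\") + "\\") for r in roots)


def suspicious_image_loads(events):
    """Sysmon Event ID 7 style records (Image, ImageLoaded, Signed) -> list of alerts."""
    alerts = []
    for ev in events:
        if not _under(ev["Image"], TRUSTED_PROCESS_DIRS):
            continue  # this rule only scopes trusted processes; others are handled elsewhere
        reasons = []
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned DLL")
        if not _under(ev["ImageLoaded"], STANDARD_DLL_DIRS + TRUSTED_PROCESS_DIRS):
            reasons.append("DLL loaded from non-standard path")
        if reasons:
            alerts.append({"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons})
    return alerts


def suspicious_cli_signins(signins, known_ips):
    """Entra sign-in style records -> alerts for Azure CLI logins matching the ConsentFix pattern."""
    alerts = []
    for s in signins:
        if s.get("appId") != AZURE_CLI_APP_ID and s.get("appDisplayName") != "Microsoft Azure CLI":
            continue
        reasons = []
        if s["ipAddress"] not in known_ips.get(s["userPrincipalName"], set()):
            reasons.append("Azure CLI sign-in from IP never seen for this user")
        if LEGACY_GRAPH_HOST in s.get("resource", "").lower():   # 'resource' field is assumed
            reasons.append("token requested for legacy Azure AD Graph")
        if reasons:
            alerts.append({"user": s["userPrincipalName"], "ip": s["ipAddress"], "reasons": reasons})
    return alerts


# Constructed sample telemetry (paths and addresses are placeholders, not real observations).
IMAGE_LOAD_EVENTS = [
    {"Image": r"C:\Program Files\SentinelOne\SentinelAgentWorker.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},          # benign
    {"Image": r"C:\Program Files\SentinelOne\SentinelAgentWorker.exe",
     "ImageLoaded": r"C:\Program Files\SentinelOne\SentinelAgentCore.dll", "Signed": "false"},  # sideload
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\update.dll", "Signed": "false"},           # both reasons
    {"Image": r"C:\Users\alice\AppData\Local\Programs\editor\editor.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Programs\editor\plugin.dll", "Signed": "false"},  # out of scope
]

KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}}   # per-user baseline built from prior sign-ins

SIGNINS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "appId": AZURE_CLI_APP_ID, "ipAddress": "203.0.113.10", "resource": "https://graph.microsoft.com"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Azure CLI",
     "appId": AZURE_CLI_APP_ID, "ipAddress": "198.51.100.77", "resource": "https://graph.windows.net"},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 SharePoint Online",
     "appId": "00000000-0000-0000-0000-000000000000", "ipAddress": "198.51.100.77",
     "resource": "https://graph.microsoft.com"},
]


def run_image_load_check():
    return suspicious_image_loads(IMAGE_LOAD_EVENTS)


def run_signin_check():
    return suspicious_cli_signins(SIGNINS, KNOWN_IPS)


if __name__ == "__main__":
    for a in run_image_load_check() + run_signin_check():
        print(a)
```

Note that the sideloaded DLL in the sample sits in the vendor's own directory, exactly as the report describes, so the path check alone would not catch it; the signature check is what fires. The sign-in rule deliberately ignores non-CLI apps so that a user's ordinary Office logins from a new IP do not drown the Azure CLI signal the report tells defenders to watch.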