Find notable cyber news and cases, enriched with sources, timelines, and signals.

Lumma Stealer and trojanized Ninja Browser malware activity

Malware Activity
First reported
Last updated
Happening score
H score 49
1 unique sources, 1 articles

Summary

Hide ▲

A Lumma Stealer and Ninja Browser malware activity was identified in February 2026, creating a cross-platform risk to Windows and Linux browser sessions. The Windows branch uses a padded archive and an AutoIt execution chain to deliver credential theft and session-cookie harvesting. The Linux branch pushes a trojanized browser that silently installs malicious extensions and persistence mechanisms. The combined operation matters because it enables credential theft, browser-session abuse, and durable access across multiple endpoint environments.

Related Happenings

Chrome extension PUP distribution network with fake organic traffic

Malware Activity
H score18 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...

FROST browser SSD timing side channel via OPFS

Technical Analysis
H score16 First: 09.06.2026 12:50 Last: 09.06.2026 12:50 Sources 1

About this happening: **FROST** turns **browser storage timing** into a **remote SSD side channel** that can identify which **sites** a user visits and which **apps** they open. The technique runs insi...

Openew[.]app cloaked malware download portal

Malware Activity
H score26 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
H score11 First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft

Security Tool/Service
H score11 First: 09.04.2026 21:33 Last: 09.04.2026 21:33 Sources 1

About this happening: Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...

Timeline

  1. 15.02.2026 18:30 2 articles · 4mo ago

    Active Google Groups malware campaign against global organizations

    Initial Disclosure

    An active global malware campaign abused Google Groups and Google-hosted URLs to distribute Lumma Info-Stealer on Windows and a trojanized Ninja Browser on Linux. Attackers seeded technical discussion posts with organization names and industry keywords, used URL shorteners and Google Docs/Drive redirectors, and tied the activity to more than 4,000 malicious Google Groups and 3,500 Google-hosted URLs.

    Show sources