Silent Swap browser-extension crypto-theft campaign

Campaign · H score 36 · 1 unique source, 1 article

Summary

The Silent Swap campaign is replacing copied cryptocurrency wallet addresses with attacker-controlled ones, creating a risk of permanent financial loss for crypto users. It spreads through unsigned .NET and Golang installers that drop a malicious Chromium extension masquerading as Google Notes. The operation uses EtherHiding to resolve command-and-control details and hides itself by tampering with browser settings and developer-mode defenses. Telemetry shows infections are globally distributed, with the heaviest concentration in India.

Related Happenings

Silent Swap browser-extension clipboard clipper

Malware Activity
H score 36 · First: 30.06.2026 18:40 · Last: 30.06.2026 18:40 · Sources: 1

How related: The extension's end goal is to act as a clipper that intercepts and manipulates wallet addresses copied to the system clipboard, rerouting the funds to an attacker-controlled wallet.

About this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...

Edgecution malicious Microsoft Edge extension backdoor activity

Malware Activity
H score 23 · First: 24.06.2026 23:58 · Last: 24.06.2026 23:58 · Sources: 1

About this happening: The **Edgecution** malware is extending a **Microsoft Edge** browser foothold into host-level compromise by abusing **Chrome Native Messaging** and launching a **Python-based back...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score 47 · First: 17.06.2026 10:38 · Last: 17.06.2026 10:38 · Sources: 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Tsundere botnet expanding on Windows

Malware Activity
H score 23 · First: 20.11.2025 18:57 · Last: 20.11.2025 18:57 · Sources: 1

About this happening: The **Tsundere botnet** is actively expanding against **Windows users**, and its operators can make infected systems run arbitrary **JavaScript** from a **command-and-control serv...

Timeline

  1. 30.06.2026 18:40 · 2 articles

    Silent Swap browser-extension campaign replaces cryptocurrency wallet addresses

    Initial Disclosure

    McAfee Labs flagged Silent Swap, an active browser-extension campaign that uses unsigned .NET and Golang installers to deploy a malicious Chromium extension masquerading as Google Notes and replace copied wallet addresses with attacker-controlled ones. The operation uses EtherHiding to resolve command-and-control details and tampers with browser settings on Google Chrome, Microsoft Edge, Brave, Vivaldi, and Opera to persist silently. Telemetry indicates globally distributed infections, with a higher concentration in India.