Find notable cyber news and cases, enriched with sources, timelines, and signals.

SeasonalInvite eCard phishing campaign targeting Windows and macOS users

Campaign
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

The SeasonalInvite phishing campaign has been active for six months, tricking Windows and macOS users into installing legitimate RMM software through fake eCards. The operation used 959 domains and a traffic distribution system (TDS) to route victims to a BlueMountain impersonation page that auto-downloaded an installer. The campaign matters because the installers were commercially signed and therefore could pass normal security checks while still enabling attacker-controlled remote access.

Related Happenings

CrashStealer meeting-PIN delivery campaign

Campaign
H score35 First: 13.07.2026 22:04 Last: 13.07.2026 22:04 Sources 1

About this happening: The **CrashStealer** campaign is delivering a **signed, Apple-notarized installer** from a **fake software site** gated by a **meeting PIN**, narrowing infection opportunities to...

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

JINX-0164 cryptocurrency recruitment-lure campaign

Campaign
H score39 First: 28.05.2026 10:54 Last: 28.05.2026 10:54 Sources 1

About this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...

UNC1069 open-source maintainer social-engineering campaign

Campaign
H score38 First: 04.04.2026 23:30 Last: 04.04.2026 23:30 Sources 1

About this happening: UNC1069's **coordinated social-engineering campaign** against **Node.js and npm maintainers** has widened, with multiple developers reporting the same lure pattern and the potenti...

Latest development: 06.04.2026 23:55

Security researcher Taylor Monahan and Socket reported that members of the open source software community, including Socket engineers and CEO Feross Aboukhadijeh, were targeted by the same slow-burn LinkedIn, Slack, and Microsoft Teams social engineering playbook used against Axios maintainer Jason Saayman, indicating the campaign was wider than a single Axios compromise.

Timeline

  1. 15.07.2026 18:00 2 articles · 1h ago

    SeasonalInvite eCard phishing campaign targeting Windows and macOS users

    Initial Disclosure

    Early activity used **tax** and **Social Security** lures, then rotated to **Valentine's**, **Easter**, and spring invitation themes. Victims who reached the fake greeting-card page were funneled through a **TDS** to an installer that matched their operating system.

    Show sources