🎶’twas the night before Christmas, and nothing looked strange, until malicious artifacts showed up in the change 🎶
in light of some recent open source malware campaigns, we’ve outlined some practical steps teams can take now - using phishing-resistant MFA, rotating and scoping tokens, reviewing third-party access, and adopting safer package publishing workflows
a little security cleanup now can help avoid unwelcome presents in the new year 🎁
read the post: https://lnkd.in/eEEngZ8v
Prevent Malware in Open Source with Phishing-Resistant MFA
More Relevant Posts
-
Good stuff from my wonderful friends over at GitHub Security Lab. I can't repeat this forcefully enough - if you're a dev, you need to be using strong, phishing-resistant MFA _everywhere_. Full stop, no excuses. Passkeys backed by biometrics or a hardware key are awesome. A regular hardware key is also a huge step above TOTP and definitely SMS. Businesses: Internally, enforce requirements for phishing-resistant MFA with your identity solution. If you have a public platform, require MFA for sensitive actions, if not carte blanche.
-
Cybersecurity researchers have revealed a cross-site scripting (XSS) vulnerability in the web-based control panel used by StealC operators—an information‑stealing malware. The flaw allowed investigators to gather valuable intelligence about one of the actors deploying the malware in real-world campaigns. https://lnkd.in/e4G8UfhU
-
🛡️ Security Bug in StealC Malware Panel Let Researchers Spy on Threat Actor Operations 📅 Mon, 19 Jan 2026 12:23:00 +0530 Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations. "By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will 🔗 Source: https://lnkd.in/gXSkKi8f #CyberSecurity #ThreatIntel #InfoSec
-
Don’t miss this insightful breakdown from Jamf Threat Labs on the evolution of MacSync Stealer malware, which now utilizes seemingly legitimate, code-signed Swift applications to deploy harmful scripts, moving away from the previous reliance on Terminal commands. This marks a clever yet perilous shift in macOS security threats: https://okt.to/AH9uCR #CyberSecurity #macOS #Jamf
-
StealC malware panel flaw gives researchers the upper hand: Cybersecurity researchers found a cross‑site scripting (XSS) vulnerability in the control panel used by operators of the StealC info‑stealer malware, allowing defenders to spy on threat actor infrastructure and sessions. https://lnkd.in/e3qCVmfd #cybernews #cybersecurity
-
Fake system crashes are now being used as an active malware delivery technique rather than a scare tactic alone. Recent ClickFix campaigns rely on highly convincing Windows Blue Screen of Death pages that pressure users into “fixing” the problem themselves by running commands provided on screen. This approach removes the need for exploits or vulnerabilities entirely. By shifting execution to the victim and abusing trusted Windows tools, infections often appear legitimate and evade many traditional endpoint defenses. The technique highlights how social engineering continues to outperform technical complexity when attackers understand user behavior. https://lnkd.in/dfh9VTf6 #CyberSecurity #Malware #ThreatIntelligence #InfoSec #SocialEngineering #WindowsSecurity
-
Don't wait for the next malware campaign to audit your security. 👀 We’ve outlined practical steps to lock down your supply chain now:
✅ Switch to phishing-resistant MFA (Passkeys/WebAuthn)
✅ Rotate and scope your tokens
✅ Review third-party access
A little security cleanup today can save you from a massive headache tomorrow. 😅 https://lnkd.in/eYrsSZMs
-
A great new year's resolution is to look at security best practices like this to see what you can do to protect your project and your users.
-
the holidays are over, the new year is here - but supply-chain risks didn’t disappear 👀 this post shares a few practical ways to lock things down, worth a read if you missed it the first time around ☺️
-
🔐 This Week in Cyber Researchers uncovered an XSS vulnerability used by StealC malware operators, revealing key details about one of the threat actors. Learn more: https://lnkd.in/gxupBAUz #Malware #CyberSecurity