We’ve gathered the week’s most important cybersecurity news.
- A new group hit crypto companies via fake interviews and macOS malware.
- A stealth GPU miner spread through search spam and AI chatbots.
- A vigilante hacker was booted from GitHub and GitLab after posting Microsoft zero-days.
- CrowdStrike and Google dismantled a network targeting open-source developers.
New group hit crypto firms via fake interviews and macOS malware
Researchers at Wiz uncovered a large-scale cryptocurrency theft campaign attributed to a previously unknown group, JINX-0164.
Since mid-2025, the attackers have targeted blockchain developers through fake online interviews. During the exchange, the victim was redirected to a spoofed videoconferencing site. There, under the pretext of installing a client or fixing a “technical error,” the developer was persuaded to download an infected file.
The group’s toolkit includes sophisticated malware adapted for both Intel and Apple Silicon architectures:
- AUDIOFIX. Disguised as a system audio driver. It steals passwords, SSH keys, crypto wallet data, and sessions from Discord and Telegram. The software enables lateral movement across a company’s internal network, infiltration of infrastructure, and injection of malicious code into active projects;
- MiniRAT. Previously used in a supply-chain attack. It was distributed through a trojanized version of the legitimate npm package @velora-dex/sdk, used in DeFi projects. MiniRAT allows remote command execution and loading of additional modules.
Experts note that JINX-0164’s tactics — a focus on crypto, targeting developers via fake recruiting, and the use of specific VPN services (for example, Astrill VPN) — resemble the modus operandi of North Korean groups such as BlueNoroff. However, Wiz found no direct technical overlaps in infrastructure to conclusively tie JINX-0164 to Pyongyang.
Stealth GPU miner spread via search spam and AI chatbots
As part of an ongoing cryptomining campaign, attackers are targeting high-performance graphics processing units (GPUs), according to Microsoft.
Infection occurs via malicious download pages for system utilities often installed on powerful PCs. Among them: CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, and PDFgear.
Microsoft researchers found the attack begins when users search for these tools and follow malicious links boosted in results via SEO. Some April reports indicate users also landed on malicious domains after interacting with AI assistants. In those cases, victims asking a chatbot for software download recommendations received poisoned links in generated responses.
Once a system is infected, the attacker gains persistent access by deploying the standard remote management tool ScreenConnect. The core of the malware masquerades as innocuous apps like the VLC player and sets itself to autorun. To evade defenses, the malware hides its code inside legitimate Windows system files and adds itself to antivirus exclusions.
After establishing a stealthy foothold, it downloads and launches a miner to secretly extract cryptocurrency using the victim’s GPU power. The campaign uses the gminer, lolMiner, and SRBMiner-MULTI GPU miners.
Microsoft noted the operators’ behavior stands out for its “targeting and monetization strategy built from the ground up to maximize GPU-mining revenue from each compromised device” instead of chasing scale.
Vigilante hacker kicked off GitHub and GitLab after posting Microsoft zero-days
Microsoft blocked the GitHub account of a cybersecurity researcher known as Nightmare-Eclipse and deleted his Microsoft account. GitLab then followed suit.
The dispute stemmed from financial disagreements and exploit disclosure policy. As claimed by Nightmare-Eclipse, Microsoft ignored his vulnerability reports and refused to pay MSRC bounties that can reach $250,000.
In response, the researcher began publishing discovered zero-day vulnerabilities openly and said he will release another batch on July 14, 2026.
He disclosed:
- BlueHammer. Locally elevates privileges in Windows Defender. Allows an attacker with standard user access to escalate to full SYSTEM rights;
- RedSun. Exploits a different antivirus code flaw than BlueHammer but achieves a similar outcome;
- UnDefend. A tool aimed at sabotaging Windows Defender. The exploit makes the system believe an endpoint is protected and the antivirus is functioning correctly, while effectively depriving Defender of the ability to detect malware;
- GreenPlasma. A vulnerability that grants SYSTEM privileges via the CTFMon system service responsible for alternative text input and language bars;
- MiniPlasma. A local privilege escalation exploit via the Windows cloud filter driver cldflt.sys. Successfully grants SYSTEM rights even on fully updated Windows 11 versions;
- YellowKey. A critical vulnerability in BitLocker disk encryption. With physical access, an attacker can bypass protections and open encrypted data with minimal effort, nullifying the technology’s purpose.
In addition, Nightmare-Eclipse announced the creation of a “dead man’s switch” — an automated system that will dump new exploits online if he is arrested or physically eliminated.
CrowdStrike and Google dismantled a network targeting open-source developers
In a joint operation, CrowdStrike, Shadowserver, and Google took down infrastructure used to spread malware and steal passwords from open-source software developers.
The operation targeted the hackers behind the Glassworm botnet, which for two years attacked supply chains in the open-source ecosystem.
Glassworm operators used several strategies to distribute malicious code, including:
- publishing infected extensions in developer marketplaces;
- malvertising — buying sponsored search results to trick victims into downloading malware;
- using credentials stolen in prior breaches to take over developer accounts and inject malicious code directly into their projects.
According to CrowdStrike, the hackers managed to “poison” more than 300 GitHub repositories. Specialists dismantled four command-and-control servers that relied on the Solana blockchain, the BitTorrent peer-to-peer network, Google Calendar, and virtual private servers. This severed the attackers’ access to infected machines and halted further malware delivery.
In Odessa, scammers used advanced AI to steal about 2.5 million hryvnias
Ukrainian law enforcement, together with Kazakhstan’s cyber police, exposed a large criminal organization in Odessa.
The phone scammers targeted citizens of Kazakhstan. Preliminary losses total around 2.5 million hryvnias (about $57,000 at the time of writing).
The fraudsters used advanced social engineering tools, including deepfakes and AI-generated video. Posing as law enforcement officers, bank employees, or telecom staff, they created a sense of threat. Under the pretense of “protecting the account” or avoiding fabricated criminal charges, they convinced victims to install malware on their smartphones to steal funds.
According to investigators, two Odessa residents organized the illegal network. The call centers operated like a streamlined business with their own CRM system and clear role distribution. Staff included HR managers, administrators, IT specialists, and operators of various levels.
During searches, police detained nine people and seized equipment, off-the-books accounting records, cars, and cash. The suspects face up to 12 years in prison with asset confiscation.
Carnival, the world’s largest cruise operator, confirms breach affecting 6 million customers
Carnival Corporation, the world’s largest cruise line operator, officially confirmed a large-scale data leak impacting nearly 6 million people.
The incident occurred on April 10, 2026, via a social-engineering attack: the intruders tricked an employee and gained access to corporate systems. The company then began mass notifications to affected individuals.
According to BleepingComputer, the ShinyHunters group claimed responsibility, saying they stole terabytes of corporate data.
Analysis indicates the hackers obtained databases of Holland America loyalty program members. Compromised information includes names, dates of birth, email addresses, gender, and customers’ locations.
It’s another reputational blow for Carnival: in 2020 and 2021, the company’s systems suffered successful cyberattacks that exposed passengers’ and crew members’ personal and financial data.
Also on ForkLog:
- Hacker hijacked a $15 million GUA airdrop.
- Fake Uniswap ads on Google netted scammers $400,000.
- Squid denied a $3 million contract hack.
- Socket identified an attack targeting crypto and AI developers.
- 10,000 critical vulnerabilities: Anthropic reported initial Project Glasswing results.
- StablR’s EURR and USDR stablecoins lost their pegs after a $2.8 million hack.
What to read this weekend?
The weekend is a chance not only to rewatch favorites, but to rethink them. ForkLog got a head start and explored why Johnny, the protagonist of Mike Leigh’s classic “Naked,” is not just a misanthrope with a Manchester accent, but an early prototype of a cypherpunk without the internet.