{"id":94279,"date":"2026-02-14T07:00:00","date_gmt":"2026-02-14T04:00:00","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=94279"},"modified":"2026-02-14T07:01:45","modified_gmt":"2026-02-14T04:01:45","slug":"dydx-developer-accounts-breached-malicious-ai-chrome-extensions-and-other-cybersecurity-news","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/dydx-developer-accounts-breached-malicious-ai-chrome-extensions-and-other-cybersecurity-news\/","title":{"rendered":"dYdX developer accounts breached, malicious AI Chrome extensions and other cybersecurity news"},"content":{"rendered":"<p>A roundup of the week\u2019s most important cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>Hackers breached accounts of developers at the dYdX crypto exchange.<\/li>\n<li>North Korean hackers used new macOS malware to steal cryptocurrency.<\/li>\n<li>Malicious AI-themed Chrome extensions were installed by 300,000 users.<\/li>\n<li>Connecticut residents were charged with stealing $3m.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">Hackers breached developer accounts at the dYdX crypto exchange<\/h2>\n<p>Attackers compromised accounts of developers at the decentralised crypto exchange dYdX and injected malware into official software packages (npm and PyPI). Researchers at Socket <a href=\"https:\/\/socket.dev\/blog\/malicious-dydx-packages-published-to-npm-and-pypi\">discovered<\/a> the breach.<\/p>\n<p>The npm and PyPI packages are used by programmers to work with the exchange\u2019s protocols, including creating wallets and executing trades. As billions of dollars flow through dYdX, the threat was severe.<\/p>\n<p>The target was wallet seed phrases. Once a developer interacted with an infected library, the malware copied access keys and sent them to the attackers\u2019 server. 
The culprits used website addresses that looked almost identical to the exchange\u2019s official domains.<\/p>\n<p>For developers using the Python version, matters were worse: a remote-access trojan was installed. Running in the background every ten seconds, it allowed the attackers to execute arbitrary code on the victim\u2019s machine, enabling the theft of cryptocurrency, passwords and personal files, and monitoring of user activity.<\/p>\n<p>Socket\u2019s specialists noted the intruders understood the system\u2019s internals, hiding malicious code deep within legitimate, automatically executed files.<\/p>\n<p>After the alert, the exchange confirmed the breach and urged anyone who downloaded updates in January 2026 to isolate affected computers immediately and move funds to new, secure wallets.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">1\/ IMPORTANT SECURITY ANNOUNCEMENT \u2014 READ IF YOU HAVE USED VERSIONS OF DYDX-V4 CLIENTS HOSTED ON PyPI or NPM.<\/p>\n<p>\u2014 dYdX (@dYdX) <a href=\"https:\/\/twitter.com\/dYdX\/status\/2016690036536721727?ref_src=twsrc%5Etfw\">January 29, 2026<\/a><\/p><\/blockquote>\n<h2 class=\"wp-block-heading\">North Korean hackers used new macOS malware to steal cryptocurrencies<\/h2>\n<p>North Korean hackers are running personalised campaigns, using AI-generated videos to deliver malware to crypto users, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/unc1069-targets-cryptocurrency-ai-social-engineering\">reported<\/a> Mandiant experts.<\/p>\n<p>The goal is financial gain, indicated by the toolset used in an attack on an unnamed fintech firm. 
According to Mandiant, researchers found seven distinct macOS malware families and attributed them to the group UNC1069, tracked since 2018.<\/p>\n<p>The victim was contacted via Telegram from a compromised account of a cryptocurrency company executive. After establishing trust, the hackers sent a Calendly link that redirected to a fake Zoom conference page hosted on attacker infrastructure.<\/p>\n<p>According to the victim, the hackers showed a deepfake video of the crypto firm\u2019s CEO. During the call, the attacker feigned audio issues and, under that pretext, instructed the victim how to \u201cfix the errors\u201d by running commands that kicked off an infection chain for both Windows and macOS.<\/p>\n<p>The hackers then sequentially deployed seven malware families:<\/p>\n<ul class=\"wp-block-list\">\n<li>WAVESHAPER \u2014 a backdoor running as a background service, collecting system information and loading subsequent modules;<\/li>\n<li>HYPERCALL \u2014 a loader that downloads malicious dynamic libraries and injects them directly into memory;<\/li>\n<li>HIDDENCALL \u2014 a backdoor granting direct keyboard access, command execution and file operations;<\/li>\n<li>SILENCELIFT \u2014 a minimalist backdoor that relays screen-lock status to the attackers\u2019 server and can intercept Telegram messages given root privileges;<\/li>\n<li>DEEPBREATH \u2014 a data-theft tool that bypasses macOS protections and steals Keychain contents, browser data, Telegram data and Apple Notes;<\/li>\n<li>SUGARLOADER \u2014 a loader using an encrypted configuration to fetch next-stage payloads;<\/li>\n<li>CHROMEPUSH \u2014 a browser data-mining tool masquerading as the \u201cGoogle Docs Offline\u201d extension, intercepting keystrokes and cookies and taking screenshots.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"939\" 
src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-972f9acc0b51aa6a-6220020319196755-1024x939.png\" alt=\"image\" class=\"wp-image-275153\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-972f9acc0b51aa6a-6220020319196755-1024x939.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-972f9acc0b51aa6a-6220020319196755-300x275.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-972f9acc0b51aa6a-6220020319196755-768x704.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-972f9acc0b51aa6a-6220020319196755-1536x1408.png 1536w, https:\/\/forklog.com\/wp-content\/uploads\/img-972f9acc0b51aa6a-6220020319196755.png 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Attack chain. Source: Mandiant.<\/figcaption><\/figure>\n<p>Mandiant noted that SILENCELIFT, DEEPBREATH and CHROMEPUSH are entirely new toolsets for the group. Researchers called it \u201cunusual\u201d to see such a volume of malware deployed on a single host against a single individual.<\/p>\n<p>This suggests a highly tailored operation aimed at extracting the maximum data for two purposes: stealing cryptocurrency and preparing future campaigns by stealing the victim\u2019s identity and contacts.<\/p>\n<h2 class=\"wp-block-heading\">AI Chrome extensions with malware installed by 300,000 users<\/h2>\n<p>Thirty malicious AI-themed Chrome extensions were installed by more than 260,000 users, <a href=\"https:\/\/layerxsecurity.com\/blog\/aiframe-fake-ai-assistant-extensions-targeting-260000-chrome-users-via-injected-iframes\/\">reported<\/a> researchers at the LayerX browser security platform.<\/p>\n<p>The campaign masquerades as AI assistants to steal credentials, email contents and information about visited pages.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"601\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-2f812602844520d4-6220020329772854-1024x601.png\" 
alt=\"image\" class=\"wp-image-275154\" srcset=\"https:\/\/forklog.com\/wp-content\/uploads\/img-2f812602844520d4-6220020329772854-1024x601.png 1024w, https:\/\/forklog.com\/wp-content\/uploads\/img-2f812602844520d4-6220020329772854-300x176.png 300w, https:\/\/forklog.com\/wp-content\/uploads\/img-2f812602844520d4-6220020329772854-768x451.png 768w, https:\/\/forklog.com\/wp-content\/uploads\/img-2f812602844520d4-6220020329772854.png 1414w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Source: LayerX.<\/figcaption><\/figure>\n<p>All analysed extensions appear to be part of a single fraud network, communicating with infrastructure under one domain.<\/p>\n<p>Researchers said the most popular was Gemini AI Sidebar (80,000 users), which has been removed from the store. However, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/fake-ai-chrome-extensions-with-300k-users-steal-credentials-emails\/\">BleepingComputer<\/a> found that other extensions with thousands of installs remain in Google\u2019s repository:<\/p>\n<ul class=\"wp-block-list\">\n<li>AI Sidebar \u2014 70,000 users;<\/li>\n<li>AI Assistant \u2014 60,000 users;<\/li>\n<li>ChatGPT Translate \u2014 30,000 users;<\/li>\n<li>AI GPT \u2014 20,000 users;<\/li>\n<li>ChatGPT \u2014 20,000 users;<\/li>\n<li>Google Gemini \u2014 10,000 users.<\/li>\n<\/ul>\n<p>All 30 extensions share the same internal structure, JavaScript logic and requested permissions. They contain no AI functionality in their code; instead, they load content from a remote domain.<\/p>\n<p>Worse, developers can change an extension\u2019s behaviour at any time on the server side without releasing an update, sidestepping Google\u2019s moderator rechecks.<\/p>\n<p>In the background, the extensions exfiltrate the contents of visited pages, including sensitive authentication pages:<\/p>\n<ul class=\"wp-block-list\">\n<li>Gmail surveillance. Fifteen extensions target Google Mail data. 
A script reads email text directly in the browser and can intercept even drafts;<\/li>\n<li>data leakage. When using features such as \u201ccompose with AI\u201d, the email text is sent to the attackers\u2019 third-party servers, leaving Gmail\u2019s protected boundary;<\/li>\n<li>eavesdropping. The software also has a speech-recognition function that can be activated remotely. Depending on permissions, it can record the user\u2019s conversations.<\/li>\n<\/ul>\n<p>BleepingComputer asked Google for comment, but the company had not responded by publication time. Experts recommended checking LayerX\u2019s indicators of compromise, removing the extension immediately and changing passwords.<\/p>\n<h2 class=\"wp-block-heading\">Connecticut residents charged with stealing $3m\u00a0<\/h2>\n<p>Two Connecticut residents were charged with fraud involving gambling platforms and stolen personal data, the US Department of Justice <a href=\"https:\/\/www.justice.gov\/usao-ct\/pr\/glastonbury-men-charged-using-thousands-stolen-identities-defraud-fanduel-and-other\">reported<\/a>.<\/p>\n<p>According to the indictment, from April 2021 to 2026 the accomplices stole $3m using personal data from roughly 3,000 victims.<\/p>\n<p>The scheme worked as follows:<\/p>\n<ul class=\"wp-block-list\">\n<li>buying data. They purchased personal information for thousands of people on darknet markets and via the Telegram messenger;<\/li>\n<li>account creation. Using the data, they opened thousands of fake accounts on platforms such as FanDuel, DraftKings and BetMGM;<\/li>\n<li>verification. The defendants subscribed to background-check services (TruthFinder, BeenVerified) to answer knowledge-based authentication questions during account verification;<\/li>\n<li>automation. 
One suspect kept a spreadsheet containing victims\u2019 names, dates of birth, addresses, emails and Social Security numbers.<\/li>\n<\/ul>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em>\u201cI was just browsing a list of Social Security numbers and using reverse phone lookup in the Scam Shield app\u201d<\/em>, wrote defendant Amitoy Kapur in a text message to accomplice Siddharth Lillani.<\/p>\n<\/blockquote>\n<p>When details matched, the perpetrator created an account. In some cases, it was possible to proceed without additional checks by BeenVerified.<\/p>\n<p>The aim was to obtain promotional bonuses that bookmakers offer on the first deposit or bet. If such a bet won, the defendants moved the funds to virtual prepaid cards and then to their personal accounts.<\/p>\n<h2 class=\"wp-block-heading\">Microsoft patched remote code execution in Windows 11 Notepad<\/h2>\n<p>Microsoft <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-20841\">fixed<\/a> a critical vulnerability in Notepad for Windows 11 that let attackers launch local or remote programs. They needed only to trick a user into clicking a specially crafted Markdown link, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/windows-11-notepad-flaw-let-files-execute-silently-via-markdown-links\/\">BleepingComputer<\/a> reported.<\/p>\n<p>With Windows 11, Microsoft dropped WordPad and modernised Notepad, rewriting it from scratch and adding Markdown support. That allowed users to format text and insert clickable links directly in .md files.<\/p>\n<p>According to media reports, the problem lay in improper handling of special elements in commands. A hacker could create a Markdown file with malicious links using protocols such as file:\/\/ (path to an executable) or ms-appinstaller:\/\/ (app installation).<\/p>\n<p>When opened in early Notepad versions (including 11.2510) in Markdown mode, the text appeared as a link. 
Pressing it with Ctrl+click caused the software to launch the specified file or protocol automatically. The chief risk was that code executed in the user\u2019s security context with the same privileges, and Windows did not display its standard warning about launching a potentially dangerous file.<\/p>\n<p>Security researchers found it was even possible to link to files on remote network resources. After the patch, clicking any other link triggers a warning dialog in Notepad.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Mass delistings <a href=\"https:\/\/forklog.com\/en\/news\/mass-delistings-bolster-moneros-monopoly-in-the-darknet\">strengthened the monopoly<\/a> of Monero on the dark web.<\/li>\n<li>The $1m contest winner from X was <a href=\"https:\/\/forklog.com\/en\/news\/x-contest-winner-suspected-of-serial-rug-pulls\">suspected<\/a> of multiple rug pulls.<\/li>\n<li>Eight years in prison and payment of $7.5m: a court <a href=\"https:\/\/forklog.com\/en\/news\/former-safemoon-ceo-sentenced-to-eight-years-and-7-5-million-fine\">sentenced<\/a> SafeMoon\u2019s former head.<\/li>\n<li>Experts <a href=\"https:\/\/forklog.com\/en\/news\/experts-critique-russias-new-cryptocurrency-seizure-rules\">assessed<\/a> Russia\u2019s rules for seizing cryptocurrencies.<\/li>\n<li>The FTX founder <a href=\"https:\/\/forklog.com\/en\/news\/ftx-founder-accuses-biden-administration-of-political-persecution\">accused<\/a> Joe Biden\u2019s administration of political persecution.<\/li>\n<li>In South Korea, authorities <a href=\"https:\/\/forklog.com\/en\/news\/south-korea-launches-investigation-into-bithumb-following-bitcoin-giveaway\">opened an investigation<\/a> into Bithumb after a bitcoin \u201cgiveaway\u201d.<\/li>\n<li>Tether <a href=\"https:\/\/forklog.com\/en\/news\/tether-freezes-544-million-in-illicit-funds-at-turkeys-request\">froze<\/a> $544m in illicit funds at Turkey\u2019s request.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read this 
weekend?<\/h2>\n<p>In a new ForkLog piece, together with the Mixer.Money bitcoin-mixer team, we examine the consequences of data leaks and how to minimise risks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A roundup of the week\u2019s most important cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":94280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"The week's key cybersecurity developments, from dYdX to malicious AI Chrome add-ons.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-94279","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"210","promo_type":"1","layout_type":"1","short_excerpt":"The week's key cybersecurity developments, from dYdX to malicious AI Chrome 
add-ons.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/94279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=94279"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/94279\/revisions"}],"predecessor-version":[{"id":94281,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/94279\/revisions\/94281"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/94280"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=94279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=94279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=94279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}