Put your SSH keys in your TPM chip
https://raymii.org/s/tutorials/Put_your_SSH_keys_in_your_TPM_chip.html
#HackerNews #SSH #TPM #security #keys #hardware #security
A new Mac stealer targeting $10K+ crypto wallets
A sophisticated macOS stealer called notnullOSX emerged in March 2026, developed by threat actor alh1mik (formerly 0xFFF) who returned after a 2023 exit from underground forums. This Go-written modular stealer exclusively targets macOS users with cryptocurrency holdings exceeding $10,000. Distribution occurs through ClickFix social engineering and malicious DMG files disguised as legitimate applications like WallSpace. The malware employs a modular architecture with specialized components to exfiltrate iMessage history, Apple Notes, browser credentials, Safari cookies, crypto wallet files, SSH keys, and cloud provider credentials. By social-engineering victims into granting Full Disk Access, notnullOSX bypasses macOS TCC protections without triggering permission dialogs. The stealer maintains persistent WebSocket connections to Firebase infrastructure, functioning as both an infostealer and backdoor with remote module update capabilities.
Pulse ID: 69dfa7d6ed3496f811a87d22
Pulse Link: https://otx.alienvault.com/pulse/69dfa7d6ed3496f811a87d22
Pulse Author: AlienVault
Created: 2026-04-15 14:59:34
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #Browser #Cloud #Cookies #CyberSecurity #InfoSec #InfoStealer #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #SSH #Safari #SocialEngineering #bot #cryptocurrency #AlienVault
Q1 2026 Malware Statistics Report for Linux SSH Servers
Analysis of attacks against Linux SSH servers during Q1 2026 reveals P2PInfect worm as the dominant threat, representing 70.3% of all attack sources. DDoS botnets including Mirai, XMRig, Prometei, and CoinMiner were identified as primary threats. A notable campaign involved installing V2Ray proxy tools on compromised systems, attributed to a suspected Chinese threat actor. Attackers employed SSH brute-force techniques to gain access, executed reconnaissance commands to assess system information, and deployed V2Ray for proxy node operations. The campaign targeted poorly secured SSH servers with weak credentials, emphasizing the need for strong password policies, access controls, and network monitoring to detect unusual outbound connections and proxy-related activities.
Pulse ID: 69de00c30406a5cbb6ba9eef
Pulse Link: https://otx.alienvault.com/pulse/69de00c30406a5cbb6ba9eef
Pulse Author: AlienVault
Created: 2026-04-14 08:54:27
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Chinese #CoinMiner #CyberSecurity #DDoS #DoS #ICS #InfoSec #Linux #Malware #Mirai #OTX #OpenThreatExchange #Password #Proxy #RAT #RCE #SSH #Word #Worm #bot #botnet #AlienVault
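The report above describes the attack pattern (password brute force, then post-access reconnaissance and a proxy install) and recommends access controls and monitoring. As an added example that is not part of the report, the script below runs a small sliding-window detector over constructed sshd log lines: it flags a source IP once it accumulates a threshold of failed logins inside the window, and marks the IP as likely compromised if a password login from it later succeeds. The log lines, IPs, usernames, threshold and window are all constructed for the demo; the regex covers the classic "Failed password"/"Accepted password|publickey" syslog lines and would need extending for other sshd message forms.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (sample input, not from the report).
# 203.0.113.7 fails five times in a few seconds and then logs in with a password;
# 198.51.100.4 is a user who mistyped once and then authenticated with a key.
SAMPLE_AUTH_LOG = """\
Apr 14 08:50:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 14 08:50:02 host sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Apr 14 08:50:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 51044 ssh2
Apr 14 08:50:04 host sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51050 ssh2
Apr 14 08:50:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 51061 ssh2
Apr 14 08:50:09 host sshd[2106]: Accepted password for root from 203.0.113.7 port 51077 ssh2
Apr 14 08:51:10 host sshd[2110]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Apr 14 08:51:30 host sshd[2111]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2: ED25519 SHA256:c0ffee
"""

# Matches the two classic sshd outcome lines; other message forms are not parsed.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_log(text, year=2026):
    """Return (timestamp, result, method, user, ip) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failures inside a sliding window, and mark an IP
    'compromised' if a password login from it succeeds after it was flagged."""
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the window
    alerts = {}
    for ts, result, method, user, ip in sorted(events):
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip]
                          if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold:
                entry = alerts.setdefault(ip, {"failures": 0, "users": set(), "compromised": False})
                entry["failures"] = len(recent[ip])
                entry["users"].update(u for _, u in recent[ip])
        elif result == "Accepted" and method == "password" and ip in alerts:
            alerts[ip]["compromised"] = True
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(parse_sshd_log(SAMPLE_AUTH_LOG)).items():
        print(ip, alert)
```

The "compromised" flag is the one worth paging on: a burst of failures followed by an accepted password from the same source is exactly the precursor to the reconnaissance and V2Ray deployment the report describes, and is cheap to catch before looking for the outbound proxy traffic.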
Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor
Pulse ID: 69ddc2843b479a135d03d176
Pulse Link: https://otx.alienvault.com/pulse/69ddc2843b479a135d03d176
Pulse Author: Tr1sa111
Created: 2026-04-14 04:28:52
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #DPRK #InfoSec #NPM #OTX #OpenThreatExchange #SSH #bot #Tr1sa111
Polymarket Trader Funds at Risk: DPRK npm Package Steals Wallet Keys and Installs SSH Backdoor
On April 10, 2026, a malicious npm package named sleek-pretty@1.0.0 was published, targeting developers running automated trading bots on Polymarket, a prediction market platform with $477 million in open interest. The package executes four attack chains upon import: system fingerprinting, SSH backdoor installation on Linux hosts, filesystem exfiltration, and targeted theft of Polymarket CLOB API credentials and Ethereum/Polygon wallet private keys. The payload runs at require() time without install hooks and specifically hunts SDK source files like createClobClient.ts and clob.ts. An SSH public key is written to authorized_keys for persistent access. The attacker can drain USDC balances directly using stolen L1 private keys. Attribution points to DPRK's Famous Chollima (Lazarus Group) based on TTPs matching the TraderTraitor campaign and publisher email correlation with known DPRK infrastructure.
Pulse ID: 69dd07b82c8afdcdfda7a898
Pulse Link: https://otx.alienvault.com/pulse/69dd07b82c8afdcdfda7a898
Pulse Author: AlienVault
Created: 2026-04-13 15:11:52
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #DPRK #Email #InfoSec #Lazarus #Linux #NPM #OTX #OpenThreatExchange #RAT #RCE #SSH #bot #developers #AlienVault
Tracking an OtterCookie Infostealer Campaign Across npm
Between April 6-9, 2026, multiple obfuscated malicious npm packages were identified as variants of the OtterCookie infostealer attributed to North Korean threat actors. The campaign employs a two-layer distribution strategy where benign wrapper packages clone legitimate libraries like big.js while pulling malicious dependencies containing the actual payload. Five malicious packages were identified, each containing obfuscated JavaScript files that execute via postinstall hooks. The toolchain steals credentials, files including Solana wallets and environment configurations, and exfiltrates data to Vercel-hosted C2 infrastructure. On Linux systems, it establishes persistence through SSH backdoor installation. The infrastructure overlaps with documented OtterCookie operations and connects to broader DPRK campaigns including Contagious Interview and Contagious Trader, demonstrating continued evolution in North Korean software supply chain attacks targeting developers.
Pulse ID: 69dd05a672cf30caf5d26e06
Pulse Link: https://otx.alienvault.com/pulse/69dd05a672cf30caf5d26e06
Pulse Author: AlienVault
Created: 2026-04-13 15:03:02
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#BackDoor #CyberSecurity #DPRK #InfoSec #InfoStealer #Java #JavaScript #Korea #Linux #NPM #NorthKorea #OTX #OpenThreatExchange #RAT #RCE #SSH #SupplyChain #bot #developers #AlienVault
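Both npm pulses above (sleek-pretty and the OtterCookie variants) describe the same Linux persistence step: an attacker public key is appended to authorized_keys. The script below is an added example, my own code rather than anything from the reports or the packages, that audits an authorized_keys file against an allowlist of SHA256 fingerprints computed the way `ssh-keygen -lf` prints them (base64 of the SHA-256 over the decoded key blob, padding stripped). It also checks that the key type declared on the line matches the type embedded in the blob. The key bytes, file contents and allowlist are constructed for the demo, and the key-type regex covers only a subset of OpenSSH key types.

```python
import base64
import hashlib
import re
import struct

# Subset of OpenSSH key types; options (command=..., no-pty, ...) may precede the type.
KEY_RE = re.compile(
    r"^(?:(?P<opts>.+?)\s+)?"
    r"(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)|sk-ssh-ed25519@openssh\.com)"
    r"\s+(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pub: bytes) -> str:
    """Base64 public-key blob for ssh-ed25519 (RFC 8709 layout: type string, key string)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_pub)).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: no base64 padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_type(blob_b64: str) -> str:
    """Key type embedded in the blob (first SSH string)."""
    raw = base64.b64decode(blob_b64)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode()


def audit_authorized_keys(text, allowed_fingerprints):
    """Return (line number, finding, detail) for every entry that is not an allowed key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        m = KEY_RE.match(entry)
        if not m:
            findings.append((lineno, "unparseable", entry[:40]))
            continue
        try:
            fp = fingerprint(m["b64"])
            embedded = blob_type(m["b64"])
        except Exception:
            findings.append((lineno, "malformed blob", m["type"]))
            continue
        if embedded != m["type"]:
            findings.append((lineno, f"type mismatch {m['type']} vs {embedded}", fp))
        if fp not in allowed_fingerprints:
            findings.append((lineno, "unknown key", fp))
    return findings


# Constructed demo data: these 32-byte values are placeholders, not real keys.
ALICE_PUB = bytes(range(32))
ROGUE_PUB = bytes(range(32, 64))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# alice's laptop",
    f"ssh-ed25519 {ed25519_blob(ALICE_PUB)} alice@laptop",
    f'command="/usr/bin/backup",no-pty ssh-ed25519 {ed25519_blob(ALICE_PUB)} backup-only',
    f"ssh-ed25519 {ed25519_blob(ROGUE_PUB)}",          # appended key, no comment
    f"ssh-rsa {ed25519_blob(ROGUE_PUB)} mislabelled",  # declared type does not match blob
])
ALLOWED = {fingerprint(ed25519_blob(ALICE_PUB))}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED):
        print(*finding)
```

Keying the allowlist on fingerprints rather than on comments matters here: the comment field is free text an attacker controls, while the fingerprint is what the server actually authenticates. On a real host, run this against every user's authorized_keys plus any AuthorizedKeysFile paths set in sshd_config, since a backdoor key does not have to land in ~/.ssh.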
How to install and enable an SSH server
https://negativepid.blog/how-to-install-and-enable-an-ssh-server/
#SSH #servers #linux #bash #shell #remoteAccess #tech #IT #ITadmin #computing #commandLine #prompt #negativepid
I was yesterday years old when I noticed that #bitwarden or #vaultwarden also handles #ssh keys and that I can wire all of that into the ssh-agent.
Authenticate SSH with Your TPM https://hackaday.com/2026/04/11/authenticate-ssh-with-your-tpm/
#LinuxHacks #SecurityHacks #Hardwaretoken #Ssh #Sshkeys #TPM
Ubuntu goes into suspend when keyboard, mouse and display disconnect #ssh
https://askubuntu.com/q/1565634/612
Authenticate SSH with Your TPM
https://fed.brid.gy/r/https://hackaday.com/2026/04/11/authenticate-ssh-with-your-tpm/
You moved your #SSH keys into #1Password like a responsible adult. Then ssh-copy-id said "no identities found." Then ssh-add agreed. Then an error message ended up inside authorized_keys on your server — and #SSH silently ignored it.
Imagine debugging that at 11pm.
Wrote up what's actually happening with the two competing agents on #macOS and the one-liner that fixes it.
https://www.attilagyorffy.com/blog/why-your-ssh-keys-vanish-when-1password-is-your-agent