Malware hidden in fake Minecraft Mods on GitHub is stealing passwords and crypto from players. Over 1,500 devices may be affected, researchers warn.

A new malware campaign has been targeting Minecraft players through fake mod downloads, according to recent findings from Check Point Research (CPR). Shared through GitHub and disguised as popular **Minecraft cheat mods**, the files carry a layered infection that can steal everything from saved passwords to cryptocurrency.

**Malware Hidden Inside Mods**

The campaign, which surfaced in March 2025, focused on active players using mods to enhance their gameplay. Mods like Oringo and Taunahi, widely known in the Minecraft cheat community, were mimicked to attract downloads. But instead of extra features, these files installed malware in three stages.

According to CPR’s **blog post**, first came a Java-based downloader. After confirming the user was running Minecraft and not a sandboxed or virtual environment, it dropped the download of a second-stage stealer which harvested login credentials and other sensitive files.

The final payload, a more advanced spyware tool, dug even deeper. It scanned for data in Discord, Steam, Telegram, web browsers and **crypto wallets.** It could also take screenshots and collect technical details from the infected machine. Data stolen through this campaign was then sent out over Discord, making the exfiltration hard to detect.

****Russian-Speaking Attacker Suspected****

Hints from the malware’s code, including Russian-language comments and UTC+3-based activity patterns, point to a Russian-speaking threat actor. The operation was linked to a group Check Point referred to as the Stargazers Ghost Network, a malware delivery system that uses a distribution-as-a-service model. The same system was **previously seen in July 2024** distributing malware through more than 3,000 fake GitHub accounts.

In the latest Minecraft scam, CPR’s research also traced the campaign across several GitHub repositories, each posing as legitimate mod tools. This helped the malware gain reach while avoiding immediate suspicion. Based on internal traffic analysis, the researchers estimate that at least 1,500 devices may have been compromised so far.

Malicious GitHub repositories (Image via CPR)

****Why Minecraft Was the Perfect Target****

Minecraft’s global popularity makes it a prime target for these kinds of attacks. With over 200 million monthly active users and more than a million modders, the game has built an extensive infrastructure of user-created content. Many players are young and may not be well-equipped to spot fake downloads, especially when they’re presented as performance boosters or cheats.

The modding community thrives on open sharing, but that openness has become a vulnerability. Attackers are betting that users won’t double-check the origin of a mod if it looks familiar.

This is why in October 2021, Minecraft was identified as **the most malware-infected game** after researchers found 44,335 compromised devices and over 300,000 malware cases targeting its players.

****What Players Should Do****

This attack is just another example of how familiar online platforms, especially those used by younger audiences, are being turned into distribution channels for malware. If you’re a Minecraft player or a parent of one, now’s a good time to check your devices and habits:

*   Stick to mods from well-known and verified platforms.
*   Make sure your antivirus and security updates are current.
*   Avoid any mod claiming to offer hacks, cheats or automation.
*   Monitor accounts linked to Discord, gaming platforms or crypto wallets for suspicious activity.

Fake Minecraft Mods on GitHub Found Stealing Player Data

It sure is a hard time to be a SOC analyst. 
Every day, they are expected to solve high-consequence problems with half the data and twice the pressure. Analysts are overwhelmed—not just by threats, but by the systems and processes in place that are meant to help them respond. Tooling is fragmented. Workflows are heavy. Context lives in five places, and alerts never slow down. What started as a

How AI-Enabled Workflow Automation Can Help SOCs Reduce Burnout

Google has revealed the various safety measures that are being incorporated into its generative artificial intelligence (AI) systems to mitigate emerging attack vectors like indirect prompt injections and improve the overall security posture for agentic AI systems.
"Unlike direct prompt injections, where an attacker directly inputs malicious commands into a prompt, indirect prompt injections

Google Adds Multi-Layered Defenses to Secure GenAI from Prompt Injection Attacks

Zyxel users beware: A critical remote code execution flaw (CVE-2023-28771) in Zyxel devices is under active exploitation by a Mirai-like botnet. GreyNoise observed a surge on June 16, targeting devices globally.

A serious security vulnerability, tracked as CVE-2023-28771, is affecting Zyxel networking devices. Security researchers at GreyNoise noticed a sudden sharp rise, and a concentrated effort by attackers to exploit this flaw on June 16th.

The vulnerability allows for remote code execution, which means attackers can run their own programs on vulnerable devices from a distance. This particular weakness is found in how Zyxel devices handle specific internet messages, called Internet Key Exchange (IKE) packets coming through the UDP port 500.

****The Sudden Surge and Its Reach****

While attacks targeting this Zyxel flaw had been minimal, June 16th brought a significant spike in activity. GreyNoise recorded 244 different internet addresses trying to exploit the issue within a single day.

Source: GreyNoise

These attacks are aimed at devices in various countries, with the following being the most targeted:

*   India
*   Spain
*   Germany
*   United States
*   United Kingdom

Interestingly, a review of these 244 attacking addresses showed they had not been involved in any other suspicious network activity in the two weeks leading up to this sudden burst.

****Tracing the Source****

An investigation into the attacking internet addresses revealed they were all registered under Verizon Business infrastructure and appeared to originate from the United States. However, because the attacks use UDP port 500, which allows for spoofing (faking the sender’s address), the true source might be hidden, noted GreyNoise researchers in their blog post shared with Hackread.com.

Further analysis by GreyNoise, supported by checks from VirusTotal, found signs that these attacks might be linked to variants of the Mirai botnet, a type of malicious software that takes over devices.

In response to these active threats, security experts are urging immediate action. It is advised to block all 244 identified malicious IP addresses and to check if any internet-connected Zyxel devices have the necessary security patches for CVE-2023-28771.

Device owners should also watch for any unusual activity after an exploit attempt, as this could lead to further compromise or the device being added to a botnet. Finally, it’s recommended to limit any unnecessary exposure of IKE/UDP port 500 by applying network filters.

It’s important to note that Zyxel devices have faced security challenges in the past. For instance, Hackread.com reported in June 2024, about Zyxel NAS devices being targeted by a Mirai-like botnet exploiting a different recent vulnerability (CVE-2024-29973), highlighting a recurring pattern of issues for the company’s products.

“This was added to the CISA Known Exploited vulnerabilities list on May 31, 2023, requiring agencies to have it resolved before June 21 that same year. The activity observed appears to be the Mirai botnet activity,” said Martin Jartelius, CISO at cybersecurity company Outpost24.

“As the vulnerability has been extensively targeted before, for someone to fall victim now, they would have had to obtain a vulnerable device, deploy it without updates, and expose it to the internet, even though it’s in a known vulnerable state,” explained Martin.

“One would almost say that the chain of incompetence needed to be victimized at this point is borderline impressive, but of course, it can happen. This, however, is not the vulnerability we should all wake up and worry about today. In fact, if you were worried about it, you would have fixed it years ago.”

Zyxel Devices Hit by Active Exploits Targeting CVE-2023-28771 Vulnerability

Unmanned vehicles are increasingly becoming essential weapons of war. But with a potential conflict with China looming large, Taiwan is scrambling to build a domestic drone industry from scratch.

In the span of just a few years, drones have become instrumental in warfare. Conflicts in Ukraine, Iran, Nagorno-Karabakh, Sudan, and elsewhere have shown how autonomous vehicles have become a quintessential part of modern combat.

It’s a fact that Taiwan knows all too well. The island nation, fearing imminent invasion from China, has both the need, know-how, and industry necessary to build a robust and advanced drone program.

Yet Taiwan, which has set an ambitious target of producing 180,000 drones per year by 2028, is struggling to create this industry from scratch. Last year, it produced fewer than 10,000.

“Taiwan definitely has the ability to make the best drones in the world,” says Cathy Fang, a policy analyst at the Research Institute for Democracy, Society, and Emerging Technology (DSET).

So why doesn’t it?

**Designing a Hellscape**

Fang and her colleagues published a lengthy report on June 16 that reveals just how sluggish Taiwan’s drone industry has been. According to their research, the country has produced between 8,000 and 10,000 unmanned aerial vehicles (UAVs) over the past year, with “structural challenges” standing in the way of the current rate and the ambitious goal. Their study found that Taiwan’s drone production has been stymied by “high manufacturing costs, low domestic procurement, and minimal foreign government orders.”

Fang and other DSET researchers briefed WIRED on the details of their report in their Taipei offices in May.

Taiwan has lived under the threat of Chinese invasion for decades, but recent years have turned it into a more immediate possibility. Beijing has made clear that it intends to complete its aggressive modernization of the People’s Liberation Army by 2027; Taiwanese officials say invasion could come that early but almost certainly before Premier Xi Jinping’s current term in office ends in 2029.

While there are competing views about what form, exactly, Chinese military aggression could take, military analysts in Taiwan fear it could be a full combined arms onslaught: From air and sea at first, followed by a full land invasion.

That means Taiwan has an imperative to come up with innovative solutions to defend itself, and fast. As one American commander remarked in 2023, Taiwan’s self-defense will mean turning the Taiwan Strait into a “hellscape”—bombarding incoming Chinese ships and planes with swarms of uncrewed aerial and naval vehicles. This strategy doesn’t need to destroy the considerable Chinese navy and air force outright, but it does need to frustrate Beijing’s advances long enough for Taiwan’s allies to rally to its defense.

Taipei is already doing some of this right. In 2022, the government launched the Drone National Team, a program meant to match government and industry to scale up the nascent field. In particular, the team was dispatched to learn lessons from Ukraine, whose defensive strategy has relied heavily on small, tactical, cheap UAVs capable of carrying out multiple missions and integrating closely with ground units. Today, the country boasts a massive domestic drone industry, with Kyiv planning to buy 4.5 million small drones this year, on top of its long-range uncrewed missile program, its autonomous land vehicles, and its uncrewed naval drones.

But Ukraine also shows the disadvantage at which Taiwan finds itself. In a secret workshop in Kyiv, a Ukrainian drone maker told WIRED that he had no choice but to source his antennas and chips from China. Taiwanese chips were too expensive.

**Competing With DJI**

“We are not able to compete with DJI,” Fang says, referring to the massive Chinese drone manufacturer.

Other countries that have scaled up their drone programs recently have accepted Chinese technology in their supply chain—either as an asset or a necessary evil. But Taiwan, for obvious reasons, is leery of including any Chinese tech.

That makes drone manufacturing hard. China maintains a massive advantage in producing certain critical pieces of these UAVs—including the gimbals, optical sensors, and antennas. To buy that equipment, Taiwan needs to find allied suppliers, often at considerable cost.

Taiwan has even had difficulty leveraging its advantages. The country has an advanced battery industry, for example—but it’s heavily reliant on Chinese critical minerals. The island nation also boasts the world’s most impressive semiconductor industry: It produces 60 percent of the world’s semiconductors and 90 percent of the advanced semiconductors. But, Fang says, Taiwan does not produce any chips specifically for use on drones.

“Taiwanese drone makers are buying chips from Qualcomm and Nvidia, but those chips are not specifically for drones,” she says. “Those are communication chips, sensor chips, those are for more general use.” And even those general chips are significantly more expensive than their Chinese competitors, sometimes by a factor of 10.

“We definitely have the ability to make them,” Fang adds. “But the reason why these companies are not involved in this market is because the scale is just too small.”

It’s a catch-22: Taiwanese companies can’t increase production and reduce costs until they get more orders, but they can’t get more orders because their costs are too high.

“We need more government procurement from Taiwan itself,” Fang says. Thus far, the nation’s defense ministry has ordered fewer than 4,000 drones, although it plans to purchase tens of thousands more in the years to come. It owes to the fact, analysts say, that financing the kind of defense spending that Taiwan needs remains politically difficult. Earlier this year, opposition lawmakers in the Legislative Yuan passed a budget that slashed planned defense spending.

If Taiwan’s industry has any hope of growing by the scale the country needs, Fang says there’s a clear answer: America.

**Building an Army of Drones**

DSET has a number of recommendations, both for Taiwan and America, on how to establish this ambitious new industry. For starters, they argue, America needs to start actually supporting Taiwan’s local industry.

To date, no Taiwanese drone manufacturer has secured access to the Department of Defense’s “blue list”—its roster of trusted drone suppliers. Earning a spot on that list could mean millions or billions of dollars in orders from the Pentagon.

There has been some trade in the other direction. The US has supplied Taiwan with about 1,000 drones, mostly the smaller AeroVironment Switchblade loitering munition as well as a small number of the MQ-9 Reaper long-range drones.

The US has also been shipping some novel technology to Taiwan, including access to its Replicator Initiative: an autonomous drone swarm capability designed to find and destroy targets at sea.

But, DSET argues, some of these capabilities have been more a product of what the US thinks Taiwan needs. Washington could be more effective if it developed partnerships with Taiwanese industry, DSET contends, and make longer-term decisions about what Taipei needs for its self-defense. Finally, DSET writes, Washington should drop its tariffs—on Taiwanese UAVs, at the very least.

Taiwan itself has even more work to do. DSET recommends establishing a more detailed roadmap for what capabilities it wants and needs and how it intends to get there. While plenty of focus will be on the small, first-person-view drones—the kind increasingly ubiquitous in conflicts worldwide—Taiwan will need to expand into other kinds of technology.

While Taipei has identified a wide range of capabilities it hopes to acquire, DSET found it has been mostly procuring smaller surveillance drones.

Both Russia and Iran have recently shown how long-range uncrewed vehicles can be made at scale and significantly cheaper than traditional missiles. Perhaps more importantly, the DSET report argues, Taiwan needs to be able to plug into American needs and procurement programs—and America prioritizes longer-range systems.

The preponderance of these drones has also heightened the need for defenses, particularly around electronic warfare. Taipei is investing in anti-drone systems, Fang says, but it remains an “emerging concept.” (A defense analyst told WIRED that Taiwan is simply “not prepared to fight in a complex electromagnetic environment.”)

One of the weak points in China’s invasion will be its landing crafts. Beijing has been feverishly building a fleet of barges that would be able to transport troops and tanks across the Taiwan Strait. Taiwan has been developing domestically made submarines with the hope of sinking those barges before they arrive—that capability would be augmented significantly by autonomous or uncrewed submersibles.

Ukraine has pioneered its own models of semiautonomous uncrewed naval vehicles, which have successfully sunk Russian warships and damaged the Kerch Bridge in Crimea.

As Western nations get ambitious about how to mass-produce cost-effective and high-impact defense strategies, many are looking toward uncrewed vehicles as a silver bullet. But, as Taiwan shows, this is all easier said than done.

If Taiwan gets this wrong, DSET argues, “Taiwan risks falling into a gray zone of limited interoperability and unscalable production.” Meanwhile, “the US risks failing to develop trusted regional manufacturing capacity at the speed required to compete with China's drone diplomacy and defense exports.”

It may seem like an insurmountable challenge, especially for a nation facing an existential threat from a much bigger neighbor. But, as Fang points out, Ukraine was in the same situation. “Ukraine? They didn’t even imagine that kind of capacity three years ago,” she says. But a “sense of survival” kicked in, and Kyiv stood up the world’s most impressive indigenous drone manufacturing industry.

Taipei “is, right now, in low mode,” Fang says. “Because we are still not at war. But I don't want to underestimate our capacity, even though we are in a peacetime.”

Taiwan Is Rushing to Make Its Own Drones Before It's Too Late

Not every risk looks like an attack. Some problems start as small glitches, strange logs, or quiet delays that don’t seem urgent—until they are. What if your environment is already being tested, just not in ways you expected?
Some of the most dangerous moves are hidden in plain sight. It’s worth asking: what patterns are we missing, and what signals are we ignoring because they don’t match old

⚡ Weekly Recap: Chrome 0-Day, 7.3 Tbps DDoS, MFA Bypass Tricks, Banking Trojan and More

Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!

June 23, 2025 - Russian hackers have convinced targets to share their app passwords in very sophisticated and targeted social engineering attacks.

June 19, 2025 - Researchers have uncovered 30 exposed data sets containing over 16 billion login credentials which were likely harvested by infostealers.

June 19, 2025 - Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.

June 18, 2025 - Several Instagram ads have been found impersonating banks, including the usage of deepfake videos to defraud consumers.

June 18, 2025 - These five communication channels are favored by scammers to try and trick victims at least once a week—if not more.

 A week in security (June 15 &#8211; June 21) 

In scan.rs in spytrap-adb before 0.3.5, matches for known stalkerware are not rendered in the interactive user interface.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-5p2p-6g2c-hf7m: spytrap-adb Omission of Security-relevant Information

The US concentrated its attack on Fordow, an enrichment plant built hundreds of feet underground. Aerial photos give important clues about what damage the “bunker-buster” bombs may have caused.

When the United States bombed Iran in the early hours of Sunday local time, it targeted three facilities central to the country’s nuclear ambitions: the Fordow uranium enrichment plant, the Natanz nuclear facility, and the Isfahan nuclear technology center. Newly released satellite images show the impact of the attack—at least, what can be seen on the ground.

The brunt of the bombing focused on Fordow, where US forces dropped a dozen GBU-57 massive ordnance penetrators as part of its “Midnight Hammer” operation. These 30,000-pound “bunker-buster” bombs are designed to penetrate as deep as 200 feet into the earth before detonating. The Fordow complex is approximately 260 feet underground.

That gap accounts for some of the uncertainty over exactly how much damage the Fordow site sustained. President Donald Trump shared a post on his Truth Social platform following the attack that declared “Fordow is gone,” and later said in a televised address that “Iran’s key nuclear enrichment facilities have been completely and totally obliterated.” His own military, however, was slightly more circumspect about the outcome in a Sunday morning briefing. “It would be way too early for me to comment on what may or may not still be there,” said general Dan Caine, chairman of the Joint Chiefs of Staff.

Satellite imagery can inherently only tell you so much about a structure that is situated so far below the surface of the earth. But before and after imagery is the best publicly available information about the bombing’s impact.

A satellite image from before the US bombing of Fordow.

Photo: MAXAR Technologies/Handout via Reuters

A satellite image from after the US bombing of Fordow.

Photo: MAXAR Technologies/Handout via Reuters

“What we see are six craters, two clusters of three, where there were 12 massive ordnance penetrators dropped,” says Jeffrey Lewis, director of the East Asia Nonproliferation Program at the Middlebury Institute's James Martin Center for Nonproliferation Studies. “The idea is you hit the same spot over and over again to kind of dig down.”

The specific locations of those craters matter as well, says Joseph Rodgers, deputy director and fellow at the Center for Strategic and International Studies’ Project on Nuclear Issues. While the entrance tunnels to the Fordow complex appear not to have been targeted, US bombs fell on what are likely ventilation shafts, based on satellite images of early construction at the site.

“The reason that you’d want to target a ventilation shaft is that it’s a more direct route to the core components of the underground facility,” says Rodgers.

That direct route is especially important given how deep underground Fordow was built. The US military relies on “basically a computer model” of the facility, says Lewis, which tells them “how much pressure it could take before it would severely damage everything inside and maybe even collapse the facility.” By bombarding specific targeted areas with multiple munitions, the US didn’t need bombs capable of penetrating the full 260 feet to cause substantial damage.

“They’re probably not trying to get all the way into the facility. They’re probably just trying to get close enough to it and crush it with a shockwave,” Lewis says. “If you send a big enough shockwave through that facility, it’s going to kill people, break stuff, damage the integrity of it.”

A closer satellite view shows the impact craters and a nearby support structure.

Photo: MAXAR Technologies/Handout via Reuters

It’s also notable what US bombs didn’t hit. The oblong white building in satellite images of Fordow is likely key support infrastructure for the facility, potentially providing everything from air-conditioning to backup power generation. “The US didn’t even bother targeting it. That clearly indicates to me that they weren’t trying to temporarily shut down the facility,” Rodgers says. “We targeted these apparent ventilation shafts so that we could structurally destroy or do as much damage as we could rather than temporarily try to shut down Fordow.”

Once a long-held secret, Fordow's existence was first officially acknowledged by the Iranian government in 2009. The facility is believed to be capable of enriching uranium to 60 percent. From there, experts say, it can relatively quickly be further enriched to 90 percent, the level needed for constructing nuclear weapons.

The US bombing came more than a week after Israel launched a series of attacks on Iran with the stated goal of stopping Tehran’s nuclear program. Israel lacks munitions capable of reaching deeply buried facilities like Fordow, which appears to be why the US entered the fray.

It is currently unclear how impactful this weekend’s bombing campaign will be on Iran’s long-term nuclear ambitions. Lewis says the strike was “tactically brilliant, but strategically incomplete,” because Iranians still have nuclear material that can be enriched to weapons-grade levels. “They still have underground facilities where they could do that, and they still have the ability to produce centrifuge components, so they can still make the centrifuges for the facilities.”

Further complicating the assessment of the Fordow damage is that satellite images from earlier last week show a significant amount of activity at the site, including more than a dozen trucks going to and from it. “I think there were some defense operations going on,” says Rodgers. “They probably brought those dump trucks in to try to seal off the tunnel entrances, to help protect against attacks.” There’s also the possibility that Iran was able to move nuclear material out of the facility before the attack, limiting the bombing’s usefulness.

Ultimately, Iran’s nuclear program has likely “been damaged,” Lewis says. “It has not been eliminated.”

What Satellite Images Reveal About the US Bombing of Iran's Nuclear Sites

Scammers used Inferno Drainer to steal $43,000 in crypto from 110 CoinMarketCap users through a fake wallet prompt embedded in the site’s front-end.

A coordinated crypto theft operation targeting CoinMarketCap users has been exposed after leaked images surfaced from a Telegram channel known as TheCommsLeaks. The attack used a convincing wallet connection prompt embedded in CoinMarketCap’s own interface, tricking users into handing over access to their wallets. The result? more than $43,000 worth of crypto funds drained in hours.

According to Tammy H, a Senior Threat Intelligence Researcher and Certified Dark Web Investigator at Flare.io, a Canada-based cybercrime intelligence firm, the attack was carried out using Inferno Drainer, a known wallet-draining toolkit that’s been linked to previous campaigns.

****A Pop-Up with a Price****

The method was simple but effective. Users visiting CoinMarketCap were presented with a prompt asking them to “Verify Your Wallet” to access features. It looked identical to legitimate pop-ups seen on the platform, giving users no reason to doubt it. However, once connected, wallets were quietly emptied of whatever assets they held.

Video credit: apoorv.eth on X (Twitter)

A source cited in the leak claimed the prompt appeared across nearly every page on the site. “Make it where it appears on every page,” read one message. “Most people have coins pinned… the second they render the site.”

The attacker seemed focused on increasing visibility and maximizing wallet connections. Some reports suggest that even the connect button began malfunctioning due to being rendered too many times.

****Inside the Leak****

As per Tommy H’s analysis, the Telegram channel TheCommsLeaks began sharing details around 7:30 PM local time on June 20. The messages included screenshots showing a live dashboard used by the attacker. These visuals displayed wallet connections, token transfers and total values drained in real time.

Early numbers showed 67 successful hits and over 1,300 wallet connections. The payout was already past $21,000 within the first wave. By the time the campaign ended, the final haul had climbed to $43,266, drained from 110 victims.

Tokens siphoned off included SOL, XRP, EVT, and smaller coins like PENGU and SHDW. One transaction involving $1,769 in XRP was linked to a wallet visible on BscScan, offering public confirmation of the theft.

However, the researcher noted that not every attempt succeeded. Logs from the attacker’s toolkit also showed multiple failed drains, typically due to wallets holding unsupported tokens or negligible balances.

Attackers on Telegram

****What Happened on CoinMarketCap?****

After growing speculation over whether the attack came from a spoofed domain, CoinMarketCap addressed the issue directly. In a statement published on X, the company said a doodle image displayed on their homepage had triggered malicious code through an embedded API call. This vulnerability caused the unauthorized wallet prompt to appear for some users.

The company confirmed that its security team responded immediately after detecting the issue. The malicious content was removed, and internal systems were patched to prevent further abuse.

“All systems are now fully operational, and CoinMarketCap is safe and secure for all users,” the company stated, adding that it continues to monitor the situation and provide support.

This incident goes on to show how small interface changes, even those involving something as harmless as a homepage doodle, can be leveraged for large-scale damage. While the use of a legitimate platform’s own environment to deploy malicious prompts is extremely concerning, it reflects how easily trust in familiar interfaces can be misused.

In a separate incident reported by Hackread just last week, scammers exploited search ads to trick users into calling fake support numbers shown on real websites like Apple and PayPal. Though technically unrelated, both cases show how attackers rely on user assumptions about what’s safe to interact with online.

For now, users are advised to avoid connecting wallets directly through pop-ups and verify any prompt against the platform’s official guidance. If something looks familiar, that doesn’t always mean it’s safe.

Latest News