Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, March 02, 2026


A popular tool turned traitor, the QuickLens Chrome extension has been purged from the Web Store after a malicious change in ownership transformed it into a cryptocurrency-stealing machine. For its 7,000 unsuspecting users, what began as a simple screen-search utility became a silent harvester of Gmail data and crypto seed phrases.

The digital "moats" of air-gapped networks have met a formidable adversary in Ruby Jumper, a new multi-stage campaign by the North Korean hacking group ScarCruft. By weaponizing removable drives to bridge the physical divide, the group uses a suite of custom tools to hop from internet-connected machines into isolated high-security environments.

A high-stakes security crisis has erupted within the AI agent ecosystem as the ClawJacked vulnerability (CVE-2026-25253) shatters the safety of locally running OpenClaw instances. Because the agent’s gateway service implicitly trusts "localhost" connections, malicious websites can use a hidden WebSocket script to brute-force passwords at lightning speed without ever triggering an alert.

Top Malware Reported in the Last 24 Hours

Another day, another malicious Chrome extension

A Chrome extension named "QuickLens - Search Screen with Google Lens" was removed from the Chrome Web Store after being compromised to distribute malware and steal cryptocurrency from users. The once-popular extension was sold to a new owner, who released a malicious update that stripped essential browser security headers, facilitating ClickFix attacks. The update also enabled the extension to connect to a command-and-control server and execute harmful scripts targeting various cryptocurrency wallets, capturing sensitive data such as seed phrases and login credentials. The malware additionally scraped personal information from Gmail, Facebook, and YouTube accounts. Following the discovery of these malicious activities, Google disabled the extension and flagged it as malware; around 7,000 users were affected.

Ruby Jumper - APT37 launches new malware campaign

North Korean hacking group APT37, also known as ScarCruft, has launched a new malware campaign named "Ruby Jumper," targeting air-gapped networks. This campaign employs removable drives to facilitate data transfer between isolated systems. Researchers from Zscaler identified five malicious tools used in this operation: RESTLEAF, SNAKEDROPPER, THUMBSBD, VIRUSTASK, and FOOTWINE. The infection begins when a victim opens a malicious Windows shortcut, which deploys a PowerShell script to extract embedded payloads while simultaneously launching a decoy document. RESTLEAF establishes communication with APT37's command-and-control infrastructure, leading to the download of further malware components. THUMBSBD collects system information and prepares data for exfiltration, while VIRUSTASK spreads the infection to new air-gapped machines. This sophisticated approach allows APT37 to bridge air gaps and maintain covert control over compromised systems.

North Korean hackers publish malicious npm packages

North Korean hackers have released 26 malicious npm packages as part of the ongoing Contagious Interview campaign, disguising them as legitimate developer tools. These packages contain functionality to extract C2 server URLs hidden within innocuous Pastebin content, utilizing steganography to encode the addresses. The malware executes upon installation, running a payload that decodes the C2 URLs and connects to infrastructure hosted on Vercel. This sophisticated approach allows the malware to target multiple operating systems, including Windows, macOS, and Linux, while extracting sensitive information such as credentials, browser data, and SSH keys.

Top Vulnerabilities Reported in the Last 24 Hours

ClawJacked vulnerability exposes OpenClaw users

A severe vulnerability known as "ClawJacked" has been identified in the AI agent OpenClaw, enabling malicious websites to gain unauthorized access to locally running instances. The flaw arises from the OpenClaw gateway service exposing a WebSocket interface to localhost, which is not restricted by browser cross-origin policies. This allows attackers to use JavaScript to silently connect and brute-force passwords without triggering alerts. The researchers demonstrated that they could achieve hundreds of password guesses per second, compromising weak passwords rapidly. Once access is obtained, attackers can register as trusted devices, allowing them to steal sensitive information, execute commands, and potentially compromise entire workstations.
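As an added, defensive example (not OpenClaw's code), the two server-side checks that close this class of hole on a localhost gateway: validating the Origin header during the WebSocket handshake, since browsers do not apply cross-origin restrictions to WebSocket connections, and throttling failed password attempts per client. The allowed origins, port and limits are assumed values.

```javascript
// Added example, not OpenClaw's code: two checks a local gateway can apply
// before accepting a WebSocket upgrade. A page on any origin may open
// ws://localhost:<port>, so the server itself must decide whether the
// Origin header is trusted and must throttle failed logins.

// Origins allowed to drive the gateway from a browser (assumed values).
const ALLOWED_ORIGINS = new Set(["http://localhost:3000", "http://127.0.0.1:3000"]);
// Accept upgrades with no Origin (native, non-browser clients) or with an
// Origin on the allowlist. Exact match, so "http://localhost.evil.example"
// and "https://localhost:3000" are both refused.
function isTrustedOrigin(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return true;
  return ALLOWED_ORIGINS.has(origin);
}

// Failed-login throttle: once MAX_FAILURES land inside WINDOW_MS, the client
// key is locked out until the oldest failure ages out of the window.
const MAX_FAILURES = 5;
const WINDOW_MS = 60_000;
const failures = new Map(); // clientKey -> timestamps of recent failures
function recentFailures(clientKey, now) {
  return (failures.get(clientKey) || []).filter((t) => now - t < WINDOW_MS);
}

function recordFailure(clientKey, now = Date.now()) {
  const list = recentFailures(clientKey, now);
  list.push(now);
  failures.set(clientKey, list);
}

function isLockedOut(clientKey, now = Date.now()) {
  return recentFailures(clientKey, now).length >= MAX_FAILURES;
}

// Gate for one upgrade request: clientKey is remote address plus Origin, so
// a locked-out web page cannot drain another client's budget.
function gateUpgrade(headers, clientKey, now = Date.now()) {
  if (!isTrustedOrigin(headers)) return { accept: false, reason: "untrusted origin" };
  if (isLockedOut(clientKey, now)) return { accept: false, reason: "too many failed logins" };
  return { accept: true, reason: "ok" };
}

// Constructed sample: an unrelated website's tab is refused outright; a local
// tab is accepted until it burns through its failed-login budget.
console.log(gateUpgrade({ origin: "https://unrelated-site.example" }, "ip|web").reason);
for (let i = 0; i < MAX_FAILURES; i++) recordFailure("ip|local", 1000 + i);
console.log(gateUpgrade({ origin: "http://localhost:3000" }, "ip|local", 1005).reason);
```

The lockout is keyed per client so that a single page cannot lock out the legitimate local app, and the Origin check happens before any password is examined.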

Critical vulnerability found in Angular SSR

A critical vulnerability, tracked as CVE-2026-27739, has been discovered in Angular Server-Side Rendering (SSR), allowing attackers to exploit Server-Side Request Forgery (SSRF) and Header Injection attacks. This flaw arises from Angular's internal URL reconstruction logic, which improperly trusts user-controlled HTTP headers like Host and X-Forwarded-* without verifying the destination domains. As a result, attackers can manipulate the application's base origin, leading to severe consequences such as credential theft, internal network probing, and data exposure. The vulnerability affects multiple versions of Angular SSR packages, making it a widespread concern for developers. Successful exploitation requires specific conditions, including the use of Angular SSR and the ability to influence HTTP headers directly.
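As an added, defensive example (not Angular's code), the origin-reconstruction step done safely: Host, X-Forwarded-Host and X-Forwarded-Proto are compared against a fixed allowlist instead of being trusted, and X-Forwarded-* is only consulted when a trusted reverse proxy is known to overwrite it. The hostnames, port and the resolveBaseOrigin helper are assumptions for the example.

```javascript
// Added example, not Angular's code: rebuilding a request's base origin
// without trusting the headers that CVE-2026-27739 abuses. Host,
// X-Forwarded-Host and X-Forwarded-Proto are checked against a fixed
// allowlist; anything else yields null and the request is refused.

// Hostnames and schemes this deployment is really served under (assumed).
const ALLOWED_HOSTS = new Set(["app.example.com", "localhost:4000"]);
const ALLOWED_PROTOS = new Set(["http", "https"]);

// First element of a possibly comma-separated header, normalised.
function firstValue(raw) {
  if (raw === undefined) return undefined;
  return String(raw).split(",")[0].trim().toLowerCase();
}

// Returns "scheme://host" for rendering absolute URLs, or null when the
// headers name a host or scheme outside the allowlist. trustProxy must be
// true only when a reverse proxy that overwrites X-Forwarded-* is in front;
// otherwise those headers are ignored, because any client can send them.
function resolveBaseOrigin(headers, { trustProxy = false, defaultProto = "http" } = {}) {
  const hostHeader = firstValue(headers["host"]);
  const host = trustProxy ? (firstValue(headers["x-forwarded-host"]) ?? hostHeader) : hostHeader;
  const proto = trustProxy ? (firstValue(headers["x-forwarded-proto"]) ?? defaultProto) : defaultProto;
  if (host === undefined || !ALLOWED_HOSTS.has(host)) return null;
  if (!ALLOWED_PROTOS.has(proto)) return null;
  return `${proto}://${host}`;
}

// Constructed requests: a legitimate one, a spoofed X-Forwarded-Host with and
// without a trusted proxy, and a Host value carrying a CRLF injection.
const legit = { host: "app.example.com" };
const spoofed = { host: "app.example.com", "x-forwarded-host": "unrelated-site.example" };
const injected = { host: "app.example.com\r\nX-Injected: 1" };
console.log(resolveBaseOrigin(legit));                         // http://app.example.com
console.log(resolveBaseOrigin(spoofed));                       // http://app.example.com
console.log(resolveBaseOrigin(spoofed, { trustProxy: true })); // null
console.log(resolveBaseOrigin(injected));                      // null
```

A null result should be answered with a 400 rather than a fallback, since a host outside the allowlist is exactly the SSRF or header-injection attempt the flaw describes.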
