What Minneapolis activists have to teach us about organizing communities to resist ICE

Shadowserver tracks nearly 800,000 IP addresses with Telnet fingerprints amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd server.

The government wants staff to shun Silicon Valley and shift to its home-grown Visio platform instead.

The government wants staff to shun Silicon Valley and shift to its home-grown Visio platform instead.

Congress pressed for a report on Alex Pretti’s killing. CBP supplied answers to a list of questions — questions that CBP had written itself.

Researchers in China said the SpaceX decision was ‘directly triggered’ by a close call between two satellites in December.

“In my opinion ICE are the bad guys. I am not proud that the company I enjoy so much working for is part of this,” one worker wrote on Slack.

On January 23rd, 2026, security researchers discovered a dangerous npm package named ansi-universal-ui that disguised itself as a legitimate user interface component library. The deceptive package description claimed to offer a lightweight UI system for modern web applications. However, beneath this innocent facade lay G_Wagon, a highly sophisticated multi-stage information stealer designed to harvest sensitive data from victims’ computers. G_Wagon operates as a complex attack framework that downloads its own Python runtime and executes heavily obfuscated code to extract browser credentials, cryptocurrency wallet data, cloud credentials, and messaging tokens. The malware uses an embedded Windows DLL injected directly into browser processes through native NT APIs, demonstrating advanced technical capabilities. The stolen information gets exfiltrated to Appwrite storage buckets controlled by the attackers. The infection process reveals careful planning. When users installed ansi-universal-ui, a postinstall hook triggered the malicious code automatically. The dropper component fetches a Python payload from command and control servers, pipes it through stdin to avoid writing files to disk, and executes the destructive stealer in memory. Aikido analysts and researchers identified the malware after observing version iterations and tracking the attack development across multiple package releases between January 21st and January 23rd. Detection Evasion Through Continuous Evolution What makes G_Wagon particularly concerning is its rapid evolution and sophisticated evasion techniques. The attackers published ten package versions over two days, progressively refining their approach. Early versions included a simple placeholder script to test the dropper infrastructure. By version 1.3.5, they added legitimate-looking branding with detailed README files describing fictional components like a “Virtual Rendering Engine” and “ThemeProvider.” The attackers gradually enhanced obfuscation across later versions. Version 1.4.1 introduced hex-encoded command and control URLs, split into chunks to evade pattern matching. They renamed directories from python_runtime to lib_core/renderer and changed variable names from pythonCode to _texture_data, making the code resemble graphics rendering instead of malware. They also switched to piping payloads through stdin rather than creating files, leaving no forensic artifacts on disk for investigators to recover. This continuous refinement demonstrates an active threat actor learning from their implementation. They fixed bugs within eighteen minutes of discovering issues, moved between different command and control endpoints, and progressively added anti-forensics capabilities including automatic payload deletion. Organizations should immediately remove the malicious package versions 1.3.5 through 1.4.1, rotate all stored browser passwords, revoke cryptocurrency wallet extensions, and regenerate cloud provider credentials. Follow us on  Google News ,  LinkedIn , and  X  to Get More Instant Updates ,  Set CSN as a Preferred Source in  Google . The post G_Wagon npm Package Attacking Users to Exfiltrates Browser Credentials using Obfuscated Payload appeared first on Cyber Security News .

A federal agent allegedly tried to enter Google’s Cambridge campus in the fall, WIRED has learned. Now, staffers want policies that protect them from immigration officials.