TL;DR
ModHeader browser extension (numerous installs) pulled by Google and Microsoft after hidden tracking collector discovered. CrashStealer macOS malware uses Apple-signed certificates to evade detection. CISA warns of active exploitation in Joomla extensions enabling remote code execution.
Executive Summary
- Google and Microsoft removed ModHeader extension from their stores following discovery of dormant browsing-history collector affecting 1.6 million users.
- CrashStealer, a new macOS information stealer, impersonates Apple's crash reporter and uses notarized code to bypass Gatekeeper security checks.
- CISA reports active exploitation of remote code execution vulnerabilities in Joomla iCagenda and Balbooa Forms extensions via arbitrary file uploads.
- Jscrambler npm package backdoored with infostealer malware, downloaded approximately 1,500 times before discovery.
- German retailer Lidl disclosed breach at a service provider affecting customers in Germany, Belgium, and Netherlands.
Top Threats Today
1. ModHeader Extension Silently Tracking 1.6 Million Users
Severity: HIGH Affected: Technology
Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version [1]. The collector was dormant, kept inactive by an empty allow-list, indicating the developer maintained the capability without active deployment [1]. This incident demonstrates how widely-installed, ostensibly benign browser extensions can embed surveillance infrastructure undetected.
Sources:[1] The Hacker News
Recommended Action
- Audit installed browser extensions and remove ModHeader if present
- Review browser extension permissions and remove those requesting excessive data access
- Monitor for suspicious browsing-history or keystroke collection in network logs
- Consider browser extension management policies to whitelist approved tools only
2. CrashStealer macOS Malware Bypasses Gatekeeper with Apple-Signed Code
Severity: HIGH Affected: Technology
Cybersecurity researchers have identified CrashStealer, a new macOS information stealer that masquerades as Apple's crash-reporting tool to harvest credentials, keychain data, and cryptocurrency wallet information [1][2]. Unlike prior information stealers built on AppleScript or Objective-C wrappers, CrashStealer uses a notarized dropper to pass Gatekeeper checks, allowing it to execute ⚠ with minimal user friction [1]. The malware's use of Apple-signed certificates represents an escalation in evasion technique sophistication targeting macOS users. ⚠
Sources:[1] The Hacker News[2] BleepingComputer
Recommended Action
- Verify any Apple crash-reporting dialogs and disable automatic reporting if unnecessary
- Monitor for unexpected keychain access or credential-stealing behavior in system logs
- Apply latest macOS security updates and enable Gatekeeper enforcement
- Educate users to scrutinize system dialogs requesting credentials or authentication
3. CISA Warns of Active Joomla Extension Exploitation
Severity: HIGH Affected: Technology
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are actively exploiting remote code execution vulnerabilities in the iCagenda and Balbooa Forms extensions for Joomla to achieve code execution through arbitrary file uploads [1]. Active exploitation indicates these flaws are being weaponized in real-world attacks against deployed Joomla installations.
Sources:[1] BleepingComputer
Recommended Action
- Immediately audit Joomla installations for iCagenda and Balbooa Forms extensions
- Disable or uninstall affected extensions if not critical to operations
- Apply patches from Joomla or extension developers if available
- Review file upload functionality and restrict upload paths to non-executable directories
- Monitor access logs for suspicious file upload requests targeting extension paths
4. Jscrambler npm Package Compromised with Infostealer
Severity: HIGH Affected: Technology
The Jscrambler client-side web security company disclosed that a threat actor published a malicious version of its npm package that has been downloaded approximately 1,500 times [1]. The backdoored package includes infostealer malware, representing a supply-chain attack on developers who rely on this security-focused tool. While the download volume is relatively modest compared to mainstream npm packages, the targeting of a security tool introduces risk to downstream applications.
Sources:[1] BleepingComputer
Recommended Action
- Check npm audit logs and dependency lockfiles for Jscrambler package installs
- If installed, rotate all credentials and secrets that may have been exposed
- Rebuild and redeploy affected applications using only verified, clean package versions
- Review npm package source code and maintainers for critical dependencies
- Implement npm package integrity checks and signing verification in CI/CD pipelines
5. Lidl Data Breach Affects Customers Across Three European Countries
Severity: HIGH Affected: Retail
German discount supermarket chain Lidl notified customers in Germany, Belgium, and the Netherlands that attackers stole personal information in a breach at a service provider [1]. The breach scope and specific data compromised remain under investigation.
Sources:[1] BleepingComputer
Recommended Action
- Affected customers should monitor accounts for unauthorized transactions or identity theft
- Change passwords for Lidl online accounts and any linked payment methods
- File fraud alerts with relevant credit bureaus if financial data was compromised
- Organizations: audit third-party service provider access and data handling controls
Ongoing Threats
- Supply-chain and npm attacks: Jscrambler backdoor follows earlier npm supply-chain campaigns targeting JavaScript developers.
- macOS malware evolution: CrashStealer adds to macOS threats targeting credential and wallet theft.
Today's Action Checklist
- ☐ URGENT: Audit Joomla extensions (iCagenda, Balbooa Forms) and disable if unpatched; verify file upload restrictions
- ☐ Remove ModHeader extension from user browsers and review other installed extensions for suspicious permissions
- ☐ Check npm dependencies for Jscrambler package; if present, rotate secrets and redeploy clean builds
- ☐ macOS administrators: review system logs for CrashStealer impersonation indicators and educate users on crash-report dialogs
- ☐ Affected Lidl customers: monitor accounts and enable fraud alerts; organizations review third-party data access