Browser Security: npm Malware, SocGholish, Ducktail, Darcula Threats

This newsletter is AI-generated and may occasionally hallucinate 😊

Self-Spreading npm Malware Targets Developers via Discord and Private Packages

  • A new self-spreading npm malware, dubbed 'BiBi', infects development machines by modifying `~/.bashrc` or `~/.zshrc` to exfiltrate environment variables and credentials to Discord webhooks.
  • The malware propagates by automatically publishing malicious versions of any npm packages a compromised developer has access to, leveraging the developer's stolen npm token.
  • Developers are advised to inspect their `package.json` for suspicious `postinstall` scripts that include 'bi.js' and to remove any malicious packages to prevent further compromise.
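As an added illustration (not code from Help Net Security or from the malware write-up), a small Python audit script that applies the advice in the last bullet: it walks a checkout for package.json files whose npm install hooks reference bi.js, and checks the user's ~/.bashrc and ~/.zshrc for lines that talk to a Discord webhook. The bi.js name comes from the item above; the webhook host pattern, the set of hooks scanned and the sample inputs are assumptions.

```python
import json
import re
from pathlib import Path

# npm lifecycle hooks that run automatically on install; the report names postinstall,
# the other three are scanned as well (assumption: the same trick could use any of them).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPECT_SCRIPT = re.compile(r"\bbi\.js\b")
# Discord's documented webhook endpoint; the report says stolen data goes there.
WEBHOOK_URL = re.compile(r"https?://discord(?:app)?\.com/api/webhooks/\S+")


def scan_package_json(text):
    """Return findings for one package.json body given as a string."""
    try:
        data = json.loads(text)
    except ValueError:
        return ["package.json is not valid JSON"]
    scripts = data.get("scripts") if isinstance(data, dict) else None
    if not isinstance(scripts, dict):
        return []
    return [
        f"{hook} hook runs bi.js: {scripts[hook]!r}"
        for hook in LIFECYCLE_HOOKS
        if isinstance(scripts.get(hook), str) and SUSPECT_SCRIPT.search(scripts[hook])
    ]


def scan_shell_rc(text):
    """Return the lines of a shell rc file that reference a Discord webhook."""
    return [line.strip() for line in text.splitlines() if WEBHOOK_URL.search(line)]


def scan_tree(root):
    """Scan every package.json under root (node_modules included) plus the rc files."""
    report = {}
    for pj in Path(root).rglob("package.json"):
        hits = scan_package_json(pj.read_text(errors="replace"))
        if hits:
            report[str(pj)] = hits
    for rc in (Path.home() / ".bashrc", Path.home() / ".zshrc"):
        if rc.is_file():
            hits = scan_shell_rc(rc.read_text(errors="replace"))
            if hits:
                report[str(rc)] = hits
    return report


if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, *("  - " + h for h in hits), sep="\n")
```

Run it from the root of a project (or of your npm cache) after an incident; an empty report only means these two indicators were not found, not that the machine is clean.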

Source: Help Net Security | Date: March 01, 2026

FakeUpdates/SocGholish Campaign Utilizes New Evasion Tactics for Malware Delivery

  • The SocGholish malware campaign, also known as FakeUpdates, has adopted new techniques to bypass existing security solutions and enhance the delivery of various malware strains.
  • These evasion tactics let threat actors compromise systems more effectively; the campaigns typically begin with browser-based social engineering that prompts the victim to install a fake software update.
  • Users are strongly advised to exercise extreme caution when encountering software update prompts, especially those originating from browser pop-ups, and to only download updates from official vendor websites.

Source: Security Affairs | Date: February 28, 2026

New Ducktail Info-Stealer Variant Focuses on Facebook Business Accounts

  • A new variant of the Ducktail info-stealer malware is actively targeting Facebook Business accounts, with the primary objective of stealing credentials and other sensitive data.
  • The malware specifically focuses on compromising business assets, including advertising accounts and associated pages, by exfiltrating browser-stored cookies and session tokens.
  • Victims are typically lured through social engineering into downloading malicious files, which then steal the browser-stored session data used to access the targeted accounts.

Source: Security Affairs | Date: February 27, 2026

Darcula Phishing-as-a-Service Platform Enables Sophisticated Campaigns

  • A newly identified, highly evasive phishing-as-a-service (PaaS) platform named 'Darcula' is being actively utilized by threat actors to launch sophisticated phishing campaigns.
  • Darcula provides a comprehensive toolkit for cybercriminals, enabling them to craft highly convincing phishing pages designed to bypass conventional security detection mechanisms.
  • The platform is being leveraged to target a broad spectrum of organizations, emphasizing the critical need for users to remain vigilant against expertly designed email and browser-based phishing attempts.

Source: Security Affairs | Date: February 27, 2026

References

  1. Week in review: Self-spreading npm malware hits developers, Cisco SD-WAN 0-day exploited since 2023 - Help Net Security
  2. SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 86 - Security Affairs
  3. Security Affairs newsletter Round 565 by Pierluigi Paganini – INTERNATIONAL EDITION - Security Affairs