China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
Built an automated npm package scanner that uses heuristic scoring + LLM analysis to flag malicious packages in real time. Ran it for 24 hours against ~2000 recent npm registry changes and found 21 malicious packages across 11 campaigns.
Four novel attack vectors documented:
LLM API MITM (T1557): makecoder@2.0.72 overwrites ~/.claude/ via postinstall, reconfigures Claude Code client to proxy all API calls through attacker server. Application-layer MITM on AI assistant conversations.
Encrypted skill distribution (T1027, T1105): skillvault@0.1.14 fetches encrypted payloads from private API, decrypts locally, installs as persistent Claude Code skills. Server-side swappable without npm update.
AI agent as RAT (T1219, T1036.005): keystonewm/tsunami-code ship functional coding assistant CLIs routing all interactions through attacker's ngrok tunnel. Exploits AI tool trust model where users grant full filesystem access voluntarily.
Redis CONFIG SET + raw disk read via postinstall (T1190, T1006): 6 fake Strapi plugins use Redis to write shell payloads to 7 directories, dd if=/dev/sda1 to extract credentials bypassing file permissions, Docker overlay traversal for container escape.
All IOCs, decoded payloads, and MITRE mappings on the site. None of the 21 packages were flagged by any public scanner at time of discovery.
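As an added illustration of the heuristic half of a scanner like the one described above (example code written for this page, not the author's tool), the block below scores a parsed package.json by its install-time lifecycle scripts; the indicator table, weights, threshold and sample manifests are all constructed for the example and modelled on the behaviours listed in the post.

```python
import json
import re

# Constructed indicator table for this example: each entry is a regex matched
# against an install-time script, its weight, and a short reason for the finding.
INDICATORS = [
    (r"\.claude[/\\]", 5, "writes into the Claude Code config directory"),
    (r"ngrok", 4, "references an ngrok tunnel endpoint"),
    (r"CONFIG\s+SET", 5, "Redis CONFIG SET used as a write primitive"),
    (r"dd\s+if=/dev/", 5, "raw block-device read"),
    (r"curl\s.*\|\s*(ba)?sh", 4, "pipes remote content into a shell"),
    (r"base64\s+(-d|--decode)", 2, "decodes an embedded payload"),
]
# npm runs these hooks automatically on install, before any user code executes.
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")


def score_manifest(manifest):
    """Return (score, findings) for a parsed package.json dict."""
    score, findings = 0, []
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        score += 1  # any install-time hook is worth a look on its own
        findings.append(f"{hook}: install-time script present")
        for pattern, weight, why in INDICATORS:
            if re.search(pattern, cmd, re.IGNORECASE):
                score += weight
                findings.append(f"{hook}: {why}")
    return score, findings


def verdict(score, threshold=5):
    """Constructed threshold: a hook plus any strong indicator is enough to flag."""
    return "suspicious" if score >= threshold else "benign"


if __name__ == "__main__":
    # Constructed sample manifests, not real packages.
    bad = {"name": "example-bad", "version": "1.0.0",
           "scripts": {"postinstall": "node setup.js && cp -r payload/ ~/.claude/"}}
    good = {"name": "example-good", "version": "1.0.0",
            "scripts": {"test": "jest", "build": "tsc"}}
    for m in (bad, good):
        s, f = score_manifest(m)
        print(json.dumps({"name": m["name"], "verdict": verdict(s), "score": s, "findings": f}))
```

The LLM-analysis stage of the post's scanner is not reproduced here; this scorer is only the cheap first pass that decides which packages deserve a closer look.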
My write-up around a research project I've been doing in my spare time around investigating the security of AWS CodeConnections. This post covers the techniques I used to hook a CodeBuild job to monitor the requests the CodeBuild bootstrapping makes before user code is run. Using this information I then also show the endpoints I found that can be used to retrieve the raw GitHub App token or BitBucket JWT App token CodeConnections uses, which tends to be very privileged in a lot of environments, granting far more access than to just the single repository where the CodeBuild job is being run.
CVE-2026-33579 is actively exploitable and hits hard.
What happened: The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover, no secondary exploit needed. CVSS 8.6 HIGH.
Why this matters right now:
The attack is trivial:
`/pair approve [request-id]`

Takes maybe 30 seconds once you know the gap exists.
What you need to do:
- `openclaw --version`. If it's anything before 2026.3.28, stop what you're doing (`npm install openclaw@2026.3.28`)
- `openclaw devices list --format json` and look for admins approved by pairing-only users
- `/pair approve` events in the last week

Let me know if you're interested, happy to share the link.

A tax system breach in Oklahoma is putting highly sensitive personal information at risk. And unfortunately, this is exactly the kind of situation scammers love to exploit.
Hackers reportedly accessed W-2 and 1099 files through Oklahoma’s online tax portal, according to state officials, exposing the kind of information that can open the door to tax fraud, identity theft, and highly targeted phishing attempts.
Before the follow-up scams start rolling in, this is the kind of moment where layered protection matters. McAfee+ Advanced includes identity monitoring and data cleanup that can help alert you if your personal information starts circulating where it shouldn’t, and Scam Detector can flag suspicious messages if scammers try to use this breach as a hook.
According to a statement by the Oklahoma Tax Commission and reported by KOCO News 5, a local ABC affiliate, suspicious activity inside the state’s Oklahoma Taxpayer Access Point system was identified in December 2025. The agency says impacted individuals have been notified directly by mail, and complimentary credit monitoring and fraud assistance are being offered.
When W-2s, 1099s, Social Security numbers, and tax-related records are exposed, scammers can use that information to:
Either way, the goal is the same: use real information to make the next scam more believable.
The breach itself is real. But what often follows is a second wave of scams pretending to help.
That’s where people can get hit twice: once by the breach, and again by the scam that follows it.
First, don’t panic. Then:
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
Scammers pretending to be federal agents are making the rounds across the country, and this one is built to make people panic fast.
Field offices, including Chicago and Houston, are warning the public about fraudsters posing as FBI agents in calls, texts, and emails. In some cases, the scammers claim you’re connected to an investigation. In others, they say you’re a victim of fraud and need to act immediately to protect yourself.
Sometimes they do not stop there. They may also pretend to be bank employees working alongside the FBI, all to make the story feel more convincing and get access to your money or personal information.

This scam plays on the same pressure tactics we’ve seen over and over again: authority, urgency, and confusion.
If someone claims to be a federal agent, many people freeze up and assume they need to cooperate immediately. That’s exactly what scammers are counting on.
The FBI has been clear about this: federal law enforcement will not ask you for money or sensitive personal information over the phone, by text, or by email.
If it feels dramatic, high-pressure, and just a little off, trust that instinct.
This is also exactly the kind of message McAfee’s Scam Detector is built to flag before you get pulled in.
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened.
Safety tips to carry into next week
The reality is, scams are getting better at looking official.
You should not have to be an expert to spot them. That’s why McAfee is here to help. We’re Safer Together.
We’ll be back next week with more scams making headlines.
The post Oklahoma Tax Breach and FBI Impersonation Scam: This Week in Scams appeared first on McAfee Blog.

Rob J., 31, an internal auditor in California, thought he was doing everything right this tax season. He filed his return as usual, even early, and expected a state refund just short of $400.
Instead, he got a letter saying the state had taken it.
The notice from the California Franchise Tax Board said his refund had been intercepted to pay a debt owed to a local community college.
There was just one problem: Rob had never attended that school.
“How could the state be taking my tax refund to pay a debt to a community college I’ve never attended?” he told us at McAfee. “I immediately knew something was wrong.”
“I started researching and came across the term ‘ghost student,’ and that’s when it clicked. Someone had used my identity to enroll in a college like they were me.”
Scams like this do not start with a suspicious text or email. They start with your data being exposed somewhere you cannot see.
That is why protection has to go beyond one moment and cover the full lifecycle of identity theft.
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened.
A ghost student scam is a form of identity theft where someone uses your stolen personal information, often your Social Security number, to enroll in a college or university under your name.
The scammer is not trying to attend school. They are trying to use your identity to access financial aid, create accounts, or generate funds tied to a real person.
In many cases, the victim has no idea anything happened until the consequences show up later, such as a tax refund being taken, a debt appearing, or a loan being opened in their name.
That is exactly what happened to Rob.
“I started researching and came across the term ‘ghost student,’ and that’s when it clicked,” he said. “Someone had used my identity to enroll in a college like they were me.”
These scams typically follow a predictable pattern, even if the victim does not see it happening in real time:
| Stage | What happens | Why it matters |
|---|---|---|
| Data exposure | Your personal information is leaked in a data breach or collected from data broker sites | Scammers get the core details they need to impersonate you |
| Identity misuse | Your information is used to apply to colleges or financial aid programs | The scam is tied to your real identity, not a fake one |
| Enrollment activity | Fake students may enroll just long enough to access funds or create accounts | This helps scammers avoid early detection |
| Financial impact | Debts, balances, or aid obligations are created in your name | You become financially responsible on paper |
| Discovery | You find out later through a notice, refund interception, or account alert | By this point, damage has already been done |
In Rob’s case, the starting point was a data breach the year before. His Social Security number had been exposed, but he had not frozen his credit.
Someone used that information to enroll at Pasadena City College. When the balance went unpaid, the state redirected his tax refund to cover it.
Once Rob realized what happened, he moved quickly. He froze his credit, set up identity monitoring, filed a police report, and began working with the college to prove he was not the student.
He says the process has been slow and frustrating.
“I’ve spent hours on the phone trying to fix this… I’m exhausted,” he said. “Despite being the victim, I am the one dealing with the consequences and trying to prove my identity to the same institution that let a fake me register.”
When he contacted campus police, he learned something else: “this has been happening to other people too.”
Ghost student scams are part of a broader shift in how identity theft works.
Instead of quick-hit fraud like a stolen credit card, scammers are using real identities to create more complex, longer-term opportunities for financial gain.
In higher education, that can include:
This trend already accounts for thousands of suspected cases across education systems and continues to grow as scammers scale their tactics.
If something like this happens, speed matters:
These steps help contain the damage, but they are reactive. The goal is to catch exposure earlier. McAfee+ Advanced can help you with freezing your credit, ongoing identity monitoring, and data removal from the dark web.
Rob has confirmed there are no federal loans in his name, but the situation is not fully resolved.
“I still feel like I’m waiting for the other shoe to drop,” he said.
That uncertainty is part of what makes identity theft so difficult. You are often reacting to something that started months or even years earlier. Rob said he currently has an outstanding police report and is in the process of getting his refund reclaimed.
Ghost student scams work because they operate quietly, using real data in systems most people are not actively watching. That is where ongoing protection matters.
McAfee+ Advanced helps close those gaps by:
Because the goal is not just to respond to identity theft, it’s to catch the signals early enough that someone cannot become a “student” in your name in the first place.
The post Why Was My Tax Refund Intercepted? The “Ghost Student” Scam Explained appeared first on McAfee Blog.