Injection Archives

AppWizard

April 30, 2026

LofyStealer Targets Minecraft Players via Node.js Loader and Browser Injection

Minecraft players are being targeted by a deceptive hacking tool called “Slinky,” which is actually an infostealer known as LofyStealer linked to the Brazilian cybercrime group LofyGang. The malware uses a Node.js-based loader and a C++ payload to extract sensitive browser data, disguising itself as a Minecraft hack. It primarily targets younger players who may unknowingly execute it. The malware operates through a two-stage architecture, with a 53.5 MB loader binary that injects a smaller 1.4 MB payload into browser processes, bypassing detection methods. It collects sensitive information such as cookies, passwords, and credit card details, compressing and encoding the data for exfiltration. The command-and-control (C2) infrastructure is hosted in Brazil, and the malware's design reflects advanced compilation techniques. The campaign is attributed to LofyGang, which has evolved into a more professional entity, posing severe risks to players who download cheats and cracked tools. Indicators of compromise include a specific C2 IP address and associated endpoints.

AppWizard

April 30, 2026

LofyStealer Uses Node.js Loader Against Minecraft Gamers

Cybersecurity threat hunters have discovered an active infostealer campaign targeting the gaming community, involving malware called LofyStealer (or GrabBot) that disguises itself as a Minecraft hack named “Slinky.” The attackers use the official game icon to trick young gamers into executing the malware. The Brazilian cybercrime group LofyGang has enhanced its technical capabilities, utilizing a sophisticated two-stage modular architecture. The initial stage features a 53.5 MB loader file named load.exe, which is a Node.js runtime environment that obscures malicious signatures. The loader connects to the attacker’s server and decrypts a 1.4 MB C++ payload, chromelevator.exe, which targets eight web browsers to extract sensitive information like cookies and passwords. The stolen data is compressed, encrypted, and sent to the attacker’s server. LofyGang has evolved into a Malware-as-a-Service platform, offering a web panel for operators to monitor victims and generate custom executables. The campaign highlights the increasing threats to the gaming community, with advanced evasion techniques being employed by cybercriminals. Security professionals are advised to monitor network traffic and conduct audits for suspicious activities.

Tech Optimizer

April 30, 2026

Inside the Architecture of an MCP Server for PostgreSQL

The Model Context Protocol (MCP) serves as a standard interface between large language models (LLMs) and external systems like PostgreSQL, emphasizing the importance of control over mere connectivity. An MCP server must act as a mediation and policy layer, enforcing security boundaries and ensuring that connections default to read-only. It should validate AI-generated SQL as untrusted input, encapsulate queries within transactions, and apply execution-time controls. The server must separate query generation from execution approval to manage operational costs and enforce guardrails on query types, such as limiting the number of rows returned. Token efficiency is crucial, with design considerations for compact data representation and schema introspection. In production, connection management is vital to prevent data leakage among multiple AI agents, and observability through logging executed queries and metadata is necessary for debugging and compliance. Long-running sessions require support for paginated responses to manage context effectively. Overall, the MCP server must integrate security, query safety, token efficiency, and observability into its design from the outset.

AppWizard

April 30, 2026

Minecraft Players Targeted by LofyStealer Using Node.js Loader and In-Memory Browser Injection

A new infostealer malware called LofyStealer is targeting the gaming community, particularly Minecraft players, by disguising itself as a cheat tool named “Slinky.” It employs a two-stage attack to extract sensitive information from eight major web browsers, including Chrome and Firefox, while evading detection by security software. The malware siphons off cookies, saved passwords, payment card information, and session tokens. Researchers at Zenox.ai identified LofyStealer, linking it to the Brazilian cybercrime group LofyGang, which has been active since October 2022. The malware uses social engineering tactics to appear legitimate and operates as a Malware-as-a-Service platform, offering both Free and Premium tiers to buyers. Its technical sophistication is evident in its method of in-memory browser injection, which allows it to bypass security defenses. The stolen data is compressed and sent to a command-and-control server. Users are advised to avoid downloading unofficial game mods and enable multi-factor authentication to reduce the risk of credential theft. Security teams should monitor for specific behavioral indicators related to the malware's operations.

Tech Optimizer

April 26, 2026

CanisterSprawl: pgserve Compromised on npm: Malicious Versions Harvest Credentials and Exfiltrate to a Decentralized ICP Canister

On April 21, 2026, compromised versions of pgserve (1.1.11, 1.1.12, and 1.1.13) were published on npm, containing a 1,143-line credential-harvesting script that executes during the postinstall phase of npm install. The malware functions as a supply-chain worm, reinjecting itself into other packages if it finds an npm publish token. Stolen credentials are encrypted using RSA-4096 and AES-256 and exfiltrated to a decentralized Internet Computer Protocol (ICP) canister. The last legitimate release was v1.1.10, published on April 17, 2026. The malware was detected by StepSecurity AI Package Analyst and Harden Runner, which flagged the compromised versions as Critical / Rejected and confirmed live exfiltration during analysis. The injected script performs operations such as harvesting environment variables, collecting filesystem secrets, encrypting payloads, and propagating to other npm packages and Python packages if a PyPI token is detected. The exfiltration domains have been added to a global block list.

AppWizard

April 21, 2026

Xbox PC Project Might Have Solved How To Fix Hundreds Of ‘Broken’ Windows Games

The Xbox Collection Tracker project on GitHub addresses connectivity issues faced by Windows 8-era games in the Xbox PC app due to the transition from XBL2.0 to XBL3.0 token formats. Microsoft has deprecated the old XBL2.0-formatted XSTS tokens, causing many older titles like Microsoft Mahjong, Minesweeper, Hydro Thunder Hurricane, and others to encounter sign-in errors and lose access to features tied to Xbox Live identity. The project aims to create a compatibility layer that allows these games to connect to Xbox servers using the modern XBL3.0 format without needing extensive modifications. Developers are advocating for a server-side translation layer to restore the functionality of these classic games while acknowledging potential security concerns.

AppWizard

April 9, 2026

Google updates best AI models for coding Android apps, Gemini & GPT 5.4 at the top

The "Android Bench," Google's benchmark for evaluating AI models in Android app development, has been updated, with OpenAI's GPT 5.4 and GPT 5.3 Codex now sharing the top ranking with Gemini. The benchmark evaluates models based on criteria such as compatibility with Jetpack Compose, use of Coroutines and Flows, and integration with Room and Hilt. The latest rankings are as follows: 1. GPT 5.4: 72.4% 2. Gemini 3.1 Pro Preview: 72.4% 3. GPT 5.3-Codex: 67.7% 4. Claude Opus 4.6: 66.6% 5. GPT-5.2 Codex: 62.5% 6. Claude Opus 4.5: 61.9% 7. Gemini 3 Pro Preview: 60.4% 8. Claude Sonnet 4.6: 58.4% 9. Claude Sonnet 4.5: 54.2% 10. Gemini 3 Flash Preview: 42% 11. Gemini 2.5 Flash: 16.1% The rankings have not changed since the initial assessment in late February, and the latest models were evaluated in mid-March. The findings should be interpreted cautiously, as real-world performance may vary based on specific workflows and project requirements.

Winsage

April 5, 2026

“These mods completely changed how I use Windows 11”: As I walk through the 7 Windhawk tweaks that transformed my desktop, I’m surprised by which ones made the biggest difference

Windows 11 allows users to customize background images, themes, accent colors, and the Start menu and Taskbar. However, for more significant changes, Windhawk offers a modular approach to modify the operating system without risky file modifications. To install Windhawk on Windows 11, users can use the Windows Package Manager (winget) by running the command: winget install --id RamenSoftware.Windhawk. Notable mods available for Windhawk include: - Windows 11 Taskbar Styler: Provides control over the Taskbar's visual elements with three levels of customization. - Taskbar on Top for Windows 11: Allows users to reposition the Taskbar to the top of the screen. - Taskbar Height and Icon Size: Enables adjustments to the Taskbar's height and icon size without affecting DPI scaling. - Windows 11 Start Menu Styler: Offers complete customization of the Start menu's appearance using themes and custom XAML/CSS. - Windows 11 File Explorer Styler: Allows control over the File Explorer interface by injecting custom XAML styles. - Windows 11 Notification Center Styler: Modifies the layout, transparency, and aesthetics of the Notification Center and Quick Settings. Windhawk uses dynamic code injection to implement changes without altering system files, minimizing risks associated with traditional modifications.

Winsage

April 5, 2026

Claude Cowork and Claude Code Can Now Control Your Windows Desktop

On April 3, 2026, Anthropic expanded Claude’s desktop control feature to Windows for Pro and Max subscribers, allowing users to operate applications, navigate web pages, and manage files on their PCs without prior configuration. The feature is in research preview and includes a Dispatch companion for task assignment from mobile devices. Claude uses a structured tool hierarchy for task execution, prioritizing connectors like Slack and Google Calendar, and engages in direct desktop control only when necessary. Users must opt in to activate the feature, which integrates with existing software without requiring API keys. The technology is partly derived from Anthropic’s acquisition of Vercept AI, which specializes in AI-driven computer control. Security concerns have arisen due to vulnerabilities demonstrated shortly after the launch, prompting Anthropic to implement safeguards while acknowledging the feature's potential errors. Users can stop Claude's operations, but the company admits it cannot disable the technology remotely once tasks have started. Competitors like Microsoft and Google are also exploring similar desktop-level AI automation capabilities.

Winsage

March 31, 2026

Speechify Launches with On-Device Voice AI for 1B+ Windows Users Worldwide

Speechify has launched a Windows application featuring real-time text-to-speech and speech-to-text functionality, allowing for both cloud-based and on-device processing. On-device processing ensures user voice data remains secure on the machine. The application utilizes the Windows ML stack and platform APIs to operate across x64 and Arm64 architectures, leveraging Qualcomm’s Snapdragon technology for enhanced performance. The ONNX Runtime's QNN execution provider facilitates real-time transcription on Snapdragon laptops, enabling a split encoder-decoder architecture that optimizes processing. The application includes features like system-wide shortcuts, auto-pasting of transcribed text, OCR functionality, and secure data handling through Windows DPAPI. The Speechify Windows application is available for x64 and Arm64 devices via the Microsoft Store.