Asking AI for personal advice is a bad idea, Stanford study shows AI chatbots, including ChatGPT, Claude, and Gemini, were all too willing to validate and hype up their users, a new Stanford study showed.

AI is not your friend.

Axios supply chain attack chops away at npm trust Developers using the axios package from npm may have downloaded a malicous version that drops a Remote Access Trojan

Axios? More like Axi-uh oh's.

New macOS security feature will alert users about possible ClickFix attacks Apple introduced an extra layer of protection against ClickFix attacks, only for macOS Tahoe 26.4 and later

ClickFix is a social engineering method that tricks users into infecting their own devices with malware.

Criminals are renting virtual phones to bypass bank security Not a real phone, but good enough to fool your bank. Researchers warn criminals are using virtual devices to bypass fraud checks.

Banks use mobile apps with device fingerprinting to prevent fraud, but criminals have adapted by "pre-warming" devices—adding banking apps, registering credentials, and executing small transactions to appear low-risk.

Bogus Avast website fakes virus scan, installs Venom Stealer instead A fake Avast scan tells you your PC is infected, then installs the malware that steals passwords, session data and crypto wallets.

A fake website impersonating Avast antivirus is tricking people into infecting their own computers.

Infiniti Stealer: a new macOS infostealer using ClickFix and Python/Nuitka A new macOS infostealer, NukeChain (now Infiniti Stealer), uses fake CAPTCHA pages to trick users into running malicious commands.

This malware targets Macs, stealing sensitive data by tricking users into running a command through a fake CAPTCHA page.

GlassWorm attack installs fake browser extension for surveillance It hides inside developer tools, then monitors activity and steals data, turning a single infection into a wider risk across the supply chain.

The setup seems aimed at developers with crypto assets, but its components and stolen data could also enable supply chain attacks or target other users.

Landmark verdicts put Meta’s “addiction machine” platforms on trial Courts are starting to question how platforms are built, not just what’s posted.

Courts in New Mexico and California both found the company liable for harm to children.

New FCC router ban could leave home networks less secure The FCC announced a ban on routers made outside the US, but it could backfire. Here’s the real risk, and what you can do about it.

Due to a lack of US-manufactured routers, people may keep older, less secure devices longer than usual.

Meet Khaled Mohamed: the bug hunter who found a Microsoft flaw We talked to Khaled Mohamed on going from “script kiddie” to bug bounty hunter, and the moment he uncovered a flaw in Microsoft Authenticator.

Khaled Mohamed, found the flaw in Microsoft Authenticator for both iOS and Android, where, in some cases, another app on your phone could steal or misuse your sign‑in codes.

FBI, CISA warn of Russian hackers hijacking Signal and WhatsApp accounts The FBI and CISA join European agencies in warning of a widespread, easily scalable social engineering campaign targeting messaging apps.

A Russian-linked social engineering campaign targets individual WhatsApp and Signal accounts of high intelligence value.

We also removed unnecessary Copilot integration by letting users disable it in Malwarebytes.

Scam compounds hiring "AI models" to seal the deal in deepfake video calls Forced labor doesn’t play well on camera, so scam compounds are hiring women to deepfake their faces on video calls.

The models are real people on video calls, while AI deepfake software alters their appearance to resemble a fictional character the victim is expecting to see.

FriendlyDealer mimics official app stores to push unvetted gambling apps Think you’re downloading from Google or Apple? 1,500+ fake app store sites look like the real thing, but push unvetted, cloned web-based casino apps.

We've found a large social-engineering campaign tricking people into online gambling sites by pretending to be a legitimate app.

https://bit.ly/3NX2eCe

The March Madness scam playbook Fans aren't the only ones who show up for March Madness. Here's how to spot all the different scams that turn up to major sporting events.

Don't let March Madness turn into March Sadness.

Here's how to spot common scams that pop up during major sporting events so you can avoid becoming a victim.

Advanced Flow will make Android sideloading safer Google’s new Advanced Flow aims to make sideloading safer on Android by slowing down scam-driven installs.

Google has introduced Advanced Flow to help Android users install apps from unverified developers more safely.

That “job brief” on Google Forms could infect your device Fake job offers on Google Forms are spreading PureHVNC malware that can take over your device.

We’ve identified a campaign using job interviews, project briefs, and financial documents hosted on Google Forms to distribute malware, including the PureHVNC RAT.

Could your face change what you pay? NYC wants limits on biometric tracking NYC lawmakers are pushing to rein in biometric tracking before it turns into real-world surveillance pricing and customer profiling.

Could your face determine how much you pay?

Surveillance pricing is another privacy nightmare no one asked for.

A DarkSword hangs over unpatched iPhones Researchers have identified multiple state-level attacks using DarkSword, a chain of vulnerabilities, to infect unpatched iPhones.

Are you still using an older iOS version because you're not a fan of the new Liquid Glass design?

DarkSword exploits unpatched iPhones, combining six vulnerabilities in iOS and Safari to deploy malware.

Find out more about the security threat.

Your tax forms sell for $20 on the dark web Tax season is also peak season for identity theft. Malwarebytes researchers spotted criminals trading stolen tax records on dark web forums.

Tax season is also peak season for identity theft. Criminals use stolen personal data to file fake tax returns and claim refunds before the real taxpayer does.

Here’s how the fraud works, and how to protect yourself.

Apple patches WebKit bug that could let sites access your data Apple has released a Background Security Improvement that silently fixes a WebKit vulnerability (CVE-2026-20643).

Apple released a Background Security Improvement to patch a flaw that could allow malicious websites to access your data.

Inside a network of 20,000+ fake shops A sprawling network of fake shops, all built for one purpose: to steal your payment details and personal data.

Our look inside a network of 20,000+ fake shops that steal your payment details and personal data.
www.malwarebytes.com/blog/scams/2026/03/insid...

Fake Pudgy World site steals your crypto passwords The phishing site it is not affiliated with Igloo Inc or Pudgy Penguins, but is designed to lure fans and steal their crypto passwords.

A phishing site impersonating the newly-launched Pudgy World browser game steals crypto passwords.

How searching for a VPN could mean handing over your work login details What looks like a legit VPN download could be a trap, as SEO poisoning is being used to steal corporate logins.

Don't click sponsored search results
Don't click sponsored search results
Don't click sponsored search results
Don't click sponsored search results
Don't click sponsored search results

Hacked sites deliver Vidar infostealer to Windows users We found fake “verify you are human” pages on hacked WordPress sites that trick Windows users into installing the Vidar infostealer.

Compromised websites are being used to deliver Vidar infostealer through fake CAPTCHA.

Google cracks down on Android apps abusing accessibility Malware has been abusing Android’s accessibility features for years. Google just made that a lot harder.

Malware has been abusing Android’s accessibility features for years. Google is making it harder to do in Android 17.2.

And it isn't just young people who feel this way. Many of the respondents in our research are older.

90% of people don’t trust AI with their data AI may be everywhere, but according to our privacy survey, 90% say they don’t trust it with their data, and many are pulling back.

Read more.

AI is everywhere, but trust is still missing.

Our new survey highlights a growing disconnect between AI adoption and data privacy concerns.

This skepticism isn’t new. It’s rooted in years of data breaches and lack of transparency from companies on how users' data is being collected and used.

Zombie ZIP method can fool antivirus during the first scan Researchers published about the Zombie ZIP vulnerability (or not a vulnerability, that's up for debate) that can bypass a first AV inspection.

Zombie ZIP creates a malformed zip file that can fool antivirus scans. But not Malwarebytes. 😘