Credential-stealing malware is malicious code built to collect secrets such as passwords, session tokens, API keys, SSH keys, and cloud credentials. It often runs quietly in the background, searching browser stores, environment variables, local config files, developer tooling, or memory for anything that grants access.
This matters because credentials are reusable trust. If attackers capture them, they may bypass MFA, move laterally, access source code, or impersonate services without needing to exploit a system again. In supply-chain attacks, the malware can arrive inside a dependency, package install script, or build tool and execute as soon as the software is loaded. Defenders look for unusual process behavior, unexpected network connections, secret-access patterns, and signs that exposed tokens or keys must be rotated. Treat any compromised host or build pipeline as a potential source of leaked credentials until proven otherwise.
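The detection idea in the paragraph above, a process touching several credential stores and then opening an unexpected connection, can be expressed as a small correlation rule. The following is an added example written for this page, not code from any product or project. The log format, file paths, process names, destinations and the allowlists are all constructed assumptions for illustration; the rule also produces the rotation list a responder would want once a process is flagged.

```python
"""
Added example: correlate credential-store reads with outbound connections
per process, and derive which credential types must be rotated.

Every log line, path, process name and address below is constructed for
illustration and is an assumption, not data from a real incident.
"""
from collections import defaultdict
import re

# Constructed endpoint telemetry, one event per line:
# <timestamp> pid=<pid> proc=<name> <event> <detail>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z pid=4120 proc=npm file_read /home/dev/.npmrc
2024-05-01T10:00:02Z pid=4131 proc=node file_read /home/dev/.aws/credentials
2024-05-01T10:00:02Z pid=4131 proc=node file_read /home/dev/.ssh/id_ed25519
2024-05-01T10:00:03Z pid=4131 proc=node file_read /home/dev/.config/google-chrome/Default/Login Data
2024-05-01T10:00:04Z pid=4131 proc=node net_connect 203.0.113.77:443
2024-05-01T10:00:10Z pid=4200 proc=git file_read /home/dev/.gitconfig
2024-05-01T10:00:11Z pid=4200 proc=git net_connect 192.0.2.10:443
2024-05-01T10:00:20Z pid=4300 proc=aws file_read /home/dev/.aws/credentials
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"(?P<event>file_read|net_connect) (?P<detail>.+)$"
)

# Well-known secret locations mapped to the credential type they hold (assumed list).
SECRET_STORES = [
    (re.compile(r"/\.aws/credentials$"), "AWS access keys"),
    (re.compile(r"/\.ssh/id_[a-z0-9]+$"), "SSH private key"),
    (re.compile(r"/\.npmrc$"), "npm auth token"),
    (re.compile(r"/Login Data$"), "browser saved passwords"),
    (re.compile(r"/\.docker/config\.json$"), "registry credentials"),
]

# Tools that legitimately read their own store (assumed), and known-good destinations.
EXPECTED_READERS = {
    "aws": {"AWS access keys"},
    "ssh": {"SSH private key"},
    "npm": {"npm auth token"},
}
KNOWN_DESTINATIONS = {"192.0.2.10:443"}  # e.g. the organisation's git host (constructed)


def parse(log_text):
    """Yield one dict per well-formed event; silently skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify_store(path):
    """Return the credential type stored at path, or None if it is not a known store."""
    for pattern, cred_type in SECRET_STORES:
        if pattern.search(path):
            return cred_type
    return None


def detect(log_text):
    """Flag processes that read several credential stores, or read one and then
    connect somewhere not on the allowlist. Returns one finding per flagged pid."""
    per_pid = defaultdict(lambda: {"proc": None, "creds": set(), "exfil": []})
    for ev in parse(log_text):
        state = per_pid[ev["pid"]]
        state["proc"] = ev["proc"]
        if ev["event"] == "file_read":
            cred = classify_store(ev["detail"])
            # A tool reading the store it owns is expected behaviour.
            if cred and cred not in EXPECTED_READERS.get(ev["proc"], set()):
                state["creds"].add(cred)
        elif ev["event"] == "net_connect":
            # Only connections made after a secret read count as possible exfiltration.
            if state["creds"] and ev["detail"] not in KNOWN_DESTINATIONS:
                state["exfil"].append(ev["detail"])

    findings = []
    for pid, state in per_pid.items():
        if len(state["creds"]) >= 2 or (state["creds"] and state["exfil"]):
            findings.append({
                "pid": int(pid),
                "proc": state["proc"],
                "rotate": sorted(state["creds"]),
                "destinations": state["exfil"],
            })
    return findings


def rotation_list(findings):
    """Every credential type touched by a flagged process is treated as exposed."""
    return sorted({c for f in findings for c in f["rotate"]})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"pid {f['pid']} ({f['proc']}) read {f['rotate']}; "
              f"then connected to {f['destinations']}")
    print("rotate:", rotation_list(found))
```

On the constructed sample only the `node` process is flagged: `npm` and `aws` read their own stores, and `git` reads a non-secret file before talking to the known host. The rule deliberately keys on the combination (secret read, then an unknown destination) rather than on any single read, which is what keeps ordinary developer tooling out of the alert queue.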