A new type of crypto scam is using Obsidian plugins to spread malware.

New Obsidian Plugin Attack Targets Crypto and Finance Users

Elastic Security Labs has uncovered a novel social engineering campaign targeting users in crypto and finance. Attackers are using the Obsidian note-taking app's community plugin feature to spread malware that can take control of victims' devices.


The attackers run highly targeted social engineering through LinkedIn and Telegram, impersonating venture capital firms. They establish business context around financial services—especially crypto liquidity solutions—to trick victims into opening attacker-controlled cloud-hosted vaults in Obsidian and enabling community plugin sync. Malicious plugins then execute the attack chain silently. The campaign works on both Windows and macOS, deploying a previously undocumented remote access trojan called PHANTOMPULSE. The malware uses on-chain transaction data from at least three different blockchain networks for decentralized command and control.
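A defender-side check for the vector described above, as an added example that is not from Elastic Security Labs or the original article: it lists the community plugins stored inside a vault folder, whether the vault's `.obsidian/community-plugins.json` enables them, and a SHA-256 of each `main.js`. The marker strings, function names and the sample vault are assumptions constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Heuristic strings (chosen for this example) showing a plugin can start
# processes; legitimate plugins can match too, so treat hits as "review".
MARKERS = ("child_process", "execSync", "spawn(", "powershell", "osascript")


def audit_vault(vault: Path) -> list:
    """Return one record per community plugin stored inside the vault."""
    cfg = vault / ".obsidian"
    try:
        enabled = set(json.loads((cfg / "community-plugins.json").read_text("utf-8")))
    except (OSError, ValueError, TypeError):
        enabled = set()  # list missing or malformed: report plugins as disabled
    plugins = cfg / "plugins"
    dirs = sorted(p for p in plugins.iterdir() if p.is_dir()) if plugins.is_dir() else []
    records = []
    for d in dirs:
        try:
            plugin_id = str(json.loads((d / "manifest.json").read_text("utf-8"))["id"])
        except (OSError, ValueError, KeyError, TypeError):
            plugin_id = d.name  # no usable manifest: fall back to folder name
        code = (d / "main.js").read_bytes() if (d / "main.js").is_file() else b""
        records.append({
            "plugin": plugin_id,
            "enabled": plugin_id in enabled or d.name in enabled,
            "sha256": hashlib.sha256(code).hexdigest() if code else None,
            "markers": [m for m in MARKERS if m.encode() in code],
        })
    return records


def build_sample_vault(root: Path) -> Path:
    """Constructed test data: a vault that ships one enabled plugin."""
    plugin = root / "shared-vault" / ".obsidian" / "plugins" / "sample-sync"
    plugin.mkdir(parents=True)
    (plugin / "manifest.json").write_text(json.dumps({"id": "sample-sync"}))
    (plugin / "main.js").write_text('const cp = require("child_process");')
    (plugin.parent.parent / "community-plugins.json").write_text('["sample-sync"]')
    return root / "shared-vault"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in audit_vault(build_sample_vault(Path(tmp))):
            print(rec)
```

Point `audit_vault` at a vault folder received from someone else before opening it in Obsidian; any plugin folder in a vault you did not build yourself deserves review whether or not a marker matches.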
