The Puush server was breached and a fake, malware-infected program update was put in place. This means that anyone updating to version r94 of the software is infected.
The malware tries to grab passwords from infected systems, and was noticed after users complained on Twitter that the latest update had been flagged up by BitDefender. As a precautionary measure, the update server has been taken offline, and a clean update has been made available as a standalone download.
Puush is quick to point out that only the Windows version of the app is affected; the iOS and OS X apps remain clean. It is not yet clear what happens to passwords that have been collected, as tests have not shown them to be sent to another computer.
The malware may be collecting locally stored passwords, but the company has yet to confirm that these have been transmitted back to a remote location.