top of page
ALL POSTS
PyPI Supply Chain Attack Exploits Malware Startup Hooks at Scale
Key Findings Coordinated PyPI supply chain attack compromised multiple popular open-source packages through maintainer account takeover Malware uses Python startup hooks (.pth files) to execute automatically during installation without requiring explicit package imports 448 affected artifacts identified spanning both npm and PyPI registries Threat actors dubbed the Hades cluster, part of broader Shai-Hulud and Miasma malware lineage Socket malware detection systems identified
Jun 73 min read
Critical Miasma Worm Campaign Targets Microsoft and Red Hat in Expanding Supply Chain Attack Wave
Key Findings Miasma worm infected 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations, forcing GitHub to disable access Attack represents re-compromise of previously infected "durabletask" PyPI package, suggesting threat actors maintained persistent access for over a month Miasma operates as self-replicating malware variant of Mini Shai-Hulud worm, exploiting the trust model of package registries rather than technical vulne
Jun 64 min read
Mini Shai-Hulud Worm Supply Chain Attack Compromises Hundreds of Open-Source Packages
Key Findings TeamPCP threat actor behind sprawling supply chain attack targeting npm and PyPI packages across TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI Malware deploys obfuscated JavaScript credential stealer targeting cloud providers, crypto wallets, AI tools, CI systems, and messaging apps Data exfiltrated to attacker-controlled infrastructure using Session Protocol to evade detection Malware establishes persistence in VS Code and Claude Code IDEs, survive
May 133 min read
North Korean-Linked Hackers Distribute 1,700 Malicious Packages Across Multiple Package Repositories
North Korean-linked threat actor "Contagious Interview" has distributed over 1,700 malicious packages across npm, PyPI, Go, Rust, and Packagist ecosystems since January 2025 Malicious code is hidden within legitimate-looking functions and only executes at runtime, not during installation, making detection harder Packages function as malware loaders delivering second-stage payloads with infostealer, RAT, and post-compromise capabilities including keylogging and remote access C
Apr 82 min read
Lazarus Campaign Targets npm and PyPI Ecosystems with Malicious Packages
Key Findings Cybersecurity researchers have discovered a fresh set of malicious packages across npm and the Python Package Index (PyPI) repository linked to a fake recruitment-themed campaign orchestrated by the North Korea-linked Lazarus Group. The coordinated campaign has been codenamed "graphalgo" in reference to the first package published in the npm registry, and it's assessed to be active since May 2025. The campaign includes a well-orchestrated story around a company i
Feb 132 min read
bottom of page
