ALL POSTS
OpenAI Revokes macOS Certificate Following Axios Supply Chain Compromise
Key Findings
- OpenAI's GitHub Actions workflow downloaded malicious Axios version 1.14.1 on March 31, compromising access to macOS app signing certificates
- North Korean hacking group UNC1069 hijacked the Axios package maintainer account and injected the WAVESHAPER.V2 backdoor into versions 1.14.1 and 0.30.4
- OpenAI found no evidence of user data theft, system compromise, or software alteration despite the certificate access
- All macOS versions of ChatGPT Desktop, Codex, Codex CLI, and A
3 days ago · 2 min read
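The practical follow-up to this incident is to confirm that nothing in your own repositories installed, or could still resolve to, the two axios releases named above. The script below is an added example, not code from the post, from OpenAI or from the Axios project; the package.json and package-lock.json documents it inspects are constructed samples embedded inline.

```python
"""Audit npm manifests and lockfiles for the compromised axios releases.

Added example; not code from the original post, from OpenAI or from the Axios
project. The version strings come from the post; the sample documents are constructed.
"""
import json
import sys
from typing import List, Tuple

# Releases the post names as carrying the WAVESHAPER.V2 backdoor.
COMPROMISED = {"axios": ("1.14.1", "0.30.4")}


def parse_version(v: str) -> Tuple[int, int, int]:
    """'major.minor.patch[-pre][+build]' -> comparable tuple; ValueError if not a dotted version."""
    core = v.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def range_admits(spec: str, version: str) -> bool:
    """Conservative matcher for common npm range forms ('*', '^', '~', '>=', exact pins).
    Specs it cannot interpret count as admitting the version so they get manual review."""
    spec = spec.strip()
    v = parse_version(version)
    if spec in ("", "*", "latest"):
        return True
    try:
        if spec.startswith("^"):
            base = parse_version(spec[1:])
            if base[0] > 0:
                return v[0] == base[0] and v >= base
            if base[1] > 0:
                return v[0] == 0 and v[1] == base[1] and v >= base
            return v == base
        if spec.startswith("~"):
            base = parse_version(spec[1:])
            return v[:2] == base[:2] and v >= base
        if spec.startswith(">="):
            return v >= parse_version(spec[2:])
        return v == parse_version(spec.lstrip("="))
    except ValueError:
        return True  # x-ranges, '||', hyphen ranges, git or URL specs


def audit_lockfile(lock: dict) -> List[str]:
    """Flag installed packages pinned to a compromised release (lockfileVersion 2/3 'packages')."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry
        name = path.split("node_modules/")[-1]  # keeps @scope/name intact
        version = meta.get("version", "")
        if version in COMPROMISED.get(name, ()):
            hits.append(f"{path}@{version}")
    return hits


def audit_manifest(pkg: dict) -> List[str]:
    """Flag ranges that a fresh install (no committed lockfile) could resolve to a bad release."""
    hits = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            for bad in COMPROMISED.get(name, ()):
                if range_admits(spec, bad):
                    hits.append(f"{field}: {name}@{spec} may resolve to {bad}")
    return hits


# Constructed samples: a floating caret range and the lockfile it produced once
# 1.14.1 was the newest 1.x release on the registry.
SAMPLE_PACKAGE_JSON = {
    "name": "demo-app",
    "dependencies": {"axios": "^1.13.0", "left-pad": "1.3.0"},
}
SAMPLE_LOCKFILE = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.13.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}


def main(argv: List[str]) -> int:
    """Usage: audit_axios.py [package.json] [package-lock.json]; defaults to the samples."""
    pkg = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_PACKAGE_JSON
    lock = json.load(open(argv[2])) if len(argv) > 2 else SAMPLE_LOCKFILE
    findings = audit_manifest(pkg) + audit_lockfile(lock)
    for finding in findings:
        print("FLAG", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The lockfile check tells you what a checkout actually installed; the manifest check is the one that matters for a workflow that runs npm install without a committed lockfile, because a caret range such as ^1.13.0 resolves to whatever the newest 1.x release is at build time, which is how a freshly published malicious version gets pulled in. The matcher deliberately errs toward flagging: anything it cannot parse is reported for a human to look at rather than silently passed.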
Lazarus Hackers Use Real US LLCs to Distribute Malware in GraphAlgo Scam
Key Findings
- North Korea-linked Lazarus Group registered a legitimate US LLC to distribute malware targeting blockchain developers
- Hackers created the fake company "Blocmerce" in Florida with a fabricated CEO and official state filings using real residential addresses
- The GraphAlgo campaign evolved from npm package distribution to hiding malware in GitHub release artifacts
- A Remote Access Trojan (RAT) is deployed after developers run test tasks, giving attackers full machine control
- Campaign
6 days ago · 2 min read
North Korean-Linked Hackers Distribute 1,700 Malicious Packages Across Multiple Package Repositories
- North Korea-linked threat actors behind the "Contagious Interview" campaign have distributed over 1,700 malicious packages across the npm, PyPI, Go, Rust, and Packagist ecosystems since January 2025
- Malicious code is hidden within legitimate-looking functions and only executes at runtime, not during installation, making detection harder
- Packages function as malware loaders delivering second-stage payloads with infostealer, RAT, and post-compromise capabilities including keylogging and remote access
- C
Apr 8 · 2 min read
$285 Million Drift Hack: Inside the Six-Month North Korean Social Engineering Campaign
Key Findings
- North Korean state-sponsored hacking group UNC4736 orchestrated a six-month social engineering campaign against Drift, culminating in the theft of $285 million on April 1, 2026
- The operation began in fall 2025 with actors posing as a quantitative trading firm, using in-person meetings at cryptocurrency conferences across multiple countries to build trust with Drift contributors
- UNC4736 is also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pis
Apr 5 · 3 min read
North Korean Cyber Espionage Campaign Exploits GitHub to Target South Korean Enterprises
Key Findings
- North Korean state-sponsored hackers are running a sophisticated spying campaign against South Korean companies dating back to 2024
- Attackers use seemingly harmless LNK shortcut files that trigger hidden PowerShell scripts to steal system data from Windows machines
- GitHub repositories are abused as command-and-control infrastructure to exfiltrate stolen information while bypassing corporate security controls
- The malware evades detection by checking for secur
Apr 4 · 3 min read
North Korean-Linked Hackers Drain $285M From Drift Protocol in Sophisticated Exploit
Key Findings
- Drift Protocol lost $285 million in a sophisticated attack attributed to North Korean-linked hackers on April 1, 2026
- Attackers used durable nonce accounts to pre-sign transactions and compromised multisig approvals to gain admin control
- The operation involved multi-week preparation with staged execution across multiple phases
- Stolen funds were rapidly drained from multiple vaults within seconds and laundered across wallets
- This marks the 18th confirmed North Kor
Apr 3 · 3 min read
North Korean Threat Actors Exploit VS Code Task Automation for StoatWaffle Malware Deployment
Key Findings
- North Korean threat actors tracked as WaterPlum are distributing StoatWaffle malware through malicious VS Code projects using the "tasks.json" auto-run feature
- The malware executes automatically when the project folder is opened in VS Code, with downloads occurring regardless of operating system
- StoatWaffle includes a credential stealer targeting browsers and a remote access trojan for command execution
- Attackers are targeting senior engineers, CTOs, and founders
Mar 23 · 3 min read
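The auto-run feature the teaser refers to is the tasks.json setting runOptions.runOn set to "folderOpen", which makes VS Code start a task when the workspace folder is opened (Workspace Trust gates this in untrusted folders). The scanner below is an added example, not code from the post or from the VS Code project; it lists such tasks in a checkout together with the command line each would run, so they can be read before the folder is trusted. The tasks.json it parses is a constructed sample.

```python
"""List VS Code tasks configured to run automatically when a folder is opened.

Added example; not code from the original post or from the VS Code project. The
field checked, tasks[].runOptions.runOn == "folderOpen", is VS Code's automatic-task
setting; the tasks.json text below is a constructed sample.
"""
import os
import re
import sys
import json
from typing import Dict, List


def strip_jsonc(text: str) -> str:
    """Make JSON-with-comments parseable: drop // and /* */ comments outside strings
    and remove trailing commas. tasks.json allows both, so json.loads alone fails."""
    out: List[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # keep the escaped char, including \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_autorun_tasks(tasks_json_text: str) -> List[Dict[str, str]]:
    """Return every task with runOn == "folderOpen" plus the command line it would run."""
    data = json.loads(strip_jsonc(tasks_json_text))
    findings = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn", "default")
        if run_on != "folderOpen":
            continue
        parts = [str(task.get("command", ""))]
        args = task.get("args", [])
        if isinstance(args, list):
            parts += [str(a) for a in args]
        findings.append({
            "label": str(task.get("label", "<unnamed>")),
            "type": str(task.get("type", "")),
            "command": " ".join(p for p in parts if p),
        })
    return findings


def scan_repo(root: str) -> Dict[str, List[Dict[str, str]]]:
    """Walk a checkout and report auto-run tasks from every .vscode/tasks.json found."""
    report: Dict[str, List[Dict[str, str]]] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8") as fh:
                hits = find_autorun_tasks(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample: a task that reads like routine setup but runs without a click.
SAMPLE_TASKS_JSON = r'''{
  // Constructed sample tasks.json, not taken from the campaign
  "version": "2.0.0",
  "tasks": [
    {
      "label": "Install dependencies",
      "type": "shell",
      "command": "node",
      "args": ["./scripts/setup.js"],
      "presentation": { "reveal": "silent" },
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "Build", "type": "shell", "command": "npm run build" }
  ]
}'''


def main(argv: List[str]) -> int:
    """Usage: scan_tasks.py [repo-root]; with no argument, scans the embedded sample."""
    report = scan_repo(argv[1]) if len(argv) > 1 else {"<sample>": find_autorun_tasks(SAMPLE_TASKS_JSON)}
    for path, hits in report.items():
        for h in hits:
            print(f"{path}: task '{h['label']}' ({h['type']}) runs on folder open: {h['command']}")
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a cloned take-home or demo project before opening the folder in VS Code. The command line is what to read: a task labelled as dependency installation can run anything, and presentation settings such as reveal: "silent" keep the terminal out of view. Workspace Trust blocks automatic tasks in Restricted Mode, so the control this complements is declining to trust repositories received through a job pitch rather than relying on the scan alone.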
North Korea-Linked UNC1069 Uses AI Lures to Attack Cryptocurrency Organizations
Key Findings
- North Korea-linked threat actor UNC1069 has been observed targeting the cryptocurrency sector to steal sensitive data
- The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported use of AI-generated video to deceive victims
- UNC1069 has a history of conducting social engineering campaigns for financial gain using fake meeting invites and posing as investors from reput
Feb 11 · 2 min read
North Korea-Linked Kimsuky APT Group Responsible for Phishing Attacks, FBI Warns
Key Findings
- The FBI warns that the North Korea-linked advanced persistent threat (APT) group Kimsuky is targeting governments, think tanks, and academic institutions with "quishing" attacks.
- Quishing is a social engineering attack that uses malicious QR codes to trick victims into visiting fake websites or downloading malware.
- Kimsuky has conducted spear-phishing campaigns using QR codes that impersonate trusted figures like foreign advisors, embassy staff, and think tank em
Jan 11 · 2 min read
Contagious Interview campaign expands with 197 npm Packages spreading new OtterCookie malware
Key Findings
- North Korea-linked actors behind the Contagious Interview campaign have uploaded 197 new malicious npm packages to distribute a new version of the OtterCookie malware.
- The Contagious Interview campaign, active since November 2023, targets software developers on Windows, Linux, and macOS, with a focus on those working in crypto and Web3.
- Attackers pose as recruiters on platforms like LinkedIn and use social engineering tactics, including fake job interviews and tr
Nov 30, 2025 · 2 min read
North Korean Hackers Weaponize JSON Services for Malware Distribution
Key Findings
- North Korean threat actors behind the Contagious Interview campaign have adopted a new tactic of using JSON storage services to host and deliver malware.
- The campaign involves approaching targets on professional networking sites under the pretext of a job assessment or project collaboration, instructing them to download a demo project hosted on platforms like GitHub, GitLab, or Bitbucket.
- In one such project, a file named "server/config/.config.env" contains a Ba
Nov 15, 2025 · 2 min read
North Korea's KONNI APT Abuses Google Find Hub to Spy and Erase Data
Key Findings
- North Korea-linked Konni APT group posed as psychological counselors and North Korean human rights activists to distribute malware disguised as stress-relief programs via the KakaoTalk messenger
- Attackers compromised victims' Google accounts and abused Google's "Find Hub" service to remotely reset Android devices in South Korea, erasing users' personal data
- This is the first known case of a state-sponsored APT group exploiting Find Hub to perform destructive remote w
Nov 12, 2025 · 2 min read
