ALL POSTS
North Korean-Linked Hackers Distribute 1,700 Malicious Packages Across Multiple Package Repositories
North Korean-linked threat actor "Contagious Interview" has distributed over 1,700 malicious packages across npm, PyPI, Go, Rust, and Packagist ecosystems since January 2025. Malicious code is hidden within legitimate-looking functions and only executes at runtime, not during installation, making detection harder. Packages function as malware loaders delivering second-stage payloads with infostealer, RAT, and post-compromise capabilities including keylogging and remote access. C
Apr 8 · 2 min read
36 Malicious npm Packages Deploy Redis and PostgreSQL Persistent Implants
Key Findings: 36 malicious npm packages masquerading as Strapi CMS plugins uploaded by four sock puppet accounts over 13 hours. Eight distinct payload variants reveal real-time attack development against a specific target. Exploitation chain includes Redis RCE, PostgreSQL database theft, Docker container escape, and persistent C2 implants. Packages target cryptocurrency platform infrastructure with hardcoded database credentials and wallet-specific data harvesting. Postinstall scr
Apr 5 · 4 min read
UNC1069 Targets Node.js Maintainers Through Fraudulent Social Media Profiles
Key Findings: North Korean threat group UNC1069 is conducting coordinated social engineering campaigns against open source maintainers, particularly those managing Node.js and npm packages. Attackers use fake LinkedIn profiles, Slack messages, and spoofed video conferencing platforms to build rapport over weeks before delivering remote access trojans. Goal is to compromise maintainer credentials and gain write access to popular packages, allowing injection of malicious code into
Apr 4 · 3 min read
Critical Supply Chain Attack: Axios npm Account Compromised to Distribute Cross-Platform RAT Malware
Key Findings: Attackers compromised the npm account of Axios maintainer Jason Saayman and published malicious versions 1.14.1 and 0.30.4 containing a hidden RAT malware dependency. The malicious versions injected "plain-crypto-js@4.2.1" as a fake dependency that deploys cross-platform remote access trojans targeting Windows, macOS, and Linux. Both poisoned versions were published within 39 minutes on March 31, 2026, bypassing GitHub Actions CI/CD verification through compromised
Mar 31 · 3 min read
Ghost Campaign: Malicious npm Packages Target Crypto Wallets and Credentials Through Deceptive Installation Methods
Key Findings: Seven malicious npm packages tracked as "Ghost campaign" designed to steal cryptocurrency wallets and credentials. Packages use sophisticated social engineering tactics including fake installation logs and sudo password phishing. Attack chain culminates in remote access trojan capable of harvesting sensitive data and awaiting attacker commands. Activity shares overlap with GhostClaw campaign, suggesting possible connection between threat actors. Packages published un
Mar 25 · 3 min read
GlassWorm Campaign Exploits 72 VSX Extensions in Developer Supply-Chain Attack
Key Findings: GlassWorm campaign identified targeting developers through 72 malicious Open VSX extensions. Uses sophisticated supply-chain attack technique exploiting extension dependencies. Targets development environments to steal secrets and compromise systems. Employs advanced obfuscation and evasion techniques. Spans multiple platforms including Open VSX, GitHub, and npm registries. Background: The GlassWorm campaign represents an evolving threat in software supply ch
Mar 15 · 2 min read
UNC6426's Rapid Escalation: From npm Malware to AWS Admin in 72 Hours
Key Findings: UNC6426 breached a victim's cloud environment within 72 hours. Supply chain attack compromised nx npm package in August 2025. Stolen GitHub token used to gain unauthorized cloud access. Threat actor created new AWS administrator role. Exfiltrated data from S3 buckets and destroyed production environments. AI-assisted attack leveraged LLM tools for credential theft. Background: The incident originated from a supply chain vulnerability in the nx npm package di
Mar 11 · 2 min read
The Scourge of Malicious npm Packages: Exposing Threats to Crypto, CI, and API Security
Key Findings: Cybersecurity researchers have disclosed an active "Shai-Hulud-like" supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages. The malicious code embedded into the packages comes with capabilities to siphon system information, access tokens, environment secrets, and API keys from developer environments. The packages also include a weaponized GitHub Action that harvests CI/CD secrets and exfiltrates them, as well as a "McpInje
Feb 23 · 2 min read
Hackers Conceal Pulsar RAT Within PNG Images in New NPM Supply Chain Offensive
Background: The cybersecurity researchers at Veracode have discovered a new type of supply chain attack targeting the NPM ecosystem. The attack involves hiding a dangerous Pulsar Remote Access Trojan (RAT) inside seemingly innocuous PNG image files. Key Findings: Hackers used a typosquatting technique to create a malicious NPM package named "buildrunner-dev" that closely resembles a legitimate tool called "buildrunner". Once installed, the package downloads a heavily obfuscated
Feb 23 · 2 min read
Google Uncovers Global Cyber Threat: China, Iran, Russia, and North Korea Coordinated Defense Sector Attacks
Key Findings: Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have targeted the defense industrial base (DIB) sector. The adversarial targeting is centered around four key themes: striking defense entities in the Russia-Ukraine War, approaching employees and exploiting the hiring process, using edge devices/appliances for initial access, and supply chain risk from manufacturing breaches. Notable threat actors
Feb 14 · 2 min read
CodeBreach: A Regex Vulnerability Allowed AWS Console Takeovers
Key Findings: A vulnerability in the AWS Console supply chain, dubbed "CodeBreach," could have allowed attackers to seize control of critical AWS infrastructure. The flaw stemmed from a seemingly minor misconfiguration in a regular expression (regex) used to filter pull requests in AWS CodeBuild pipelines. The lack of "start ^ and end $ anchors" in the regex pattern enabled malicious actors to bypass the filter and trigger privileged builds. Wiz researchers were able to exploi
Jan 17 · 2 min read
n8n Supply Chain Attack Steals OAuth Tokens via Compromised Community Nodes
Key Findings: Threat actors uploaded 8 malicious packages on the npm registry masquerading as n8n workflow automation integrations to steal OAuth credentials. One such package, "n8n-nodes-hfgjf-irtuinvcm-lasdqewriit", mimicked a Google Ads integration and prompted users to link their advertising account to siphon the credentials. This atta
Jan 12 · 2 min read
BadAudio malware: How APT24 scaled its cyberespionage through supply chain attacks
Key Findings: China-linked APT24 group used supply-chain attacks and multiple techniques over three years to deploy the BadAudio downloader and additional malware payloads. The group shifted from broad web compromises to more advanced techniques targeting Taiwan, including repeated supply-chain attacks through a compromised marketing firm and spear-phishing attacks. BadAudio is a custom C++ first-stage downloader that pulls an AES-encrypted payload from a fixed C2 server and run
Nov 23, 2025 · 2 min read
Hackers Exploit Adspect Cloaking and Fake Crypto CAPTCHA in npm Supply Chain Attack
Key Findings: Seven npm packages published by a threat actor using the alias "dino_reborn" were found to be part of a highly coordinated malware campaign. The packages use Adspect-powered cloaking, anti-analysis JavaScript, and fake CAPTCHA interfaces to funnel unsuspecting victims toward malicious payloads while hiding their activity from security researchers. The threat actor built an entire fake website to serve security researchers while real victims are redirected through a
Nov 19, 2025 · 2 min read
