top of page
ALL POSTS
Developer Laptops Emerge as Prime Target for Credential Theft in 2026, GitGuardian Reports
Key Findings Developer laptops have become the primary attack vector for supply-chain compromises, with attackers harvesting plaintext credentials to move laterally into production systems and cloud infrastructure GitGuardian launched Developer Endpoint Protection to address a critical gap where existing endpoint detection and identity tools miss secrets stored at rest on developer workstations Beta testing revealed an average of 150 secrets per developer laptop, with private
Jun 163 min read
Atomic Arch Campaign Hijacks 400+ Linux AUR Packages to Deploy Infostealer and eBPF Rootkit
Key Findings Over 400 packages in the Arch User Repository (AUR) were hijacked this week with malicious build scripts Attackers modified PKGBUILD files to inject a credential stealer written in Rust that harvests developer secrets The malware can load an eBPF rootkit when running with root privileges to hide its presence Attack targets orphaned packages with abandoned maintainers, then spoofs commit metadata to appear legitimate Malware collects browser cookies, SSH keys, Git
Jun 124 min read
Miasma Worm Supply Chain Attack Compromises 73 Microsoft GitHub Repositories
Key Findings A self-replicating worm called Miasma compromised 73 Microsoft GitHub repositories across Azure infrastructure and core .NET, Go, Java, JavaScript, and Python frameworks GitHub staff disabled affected repositories after attackers injected malicious workflows that harvested OIDC tokens and developer credentials The attack exploited AI coding tools as an automatic execution mechanism, triggering malware when developers cloned infected repos and opened them in IDEs
Jun 93 min read
PyPI Supply Chain Attack Exploits Malware Startup Hooks at Scale
Key Findings Coordinated PyPI supply chain attack compromised multiple popular open-source packages through maintainer account takeover Malware uses Python startup hooks (.pth files) to execute automatically during installation without requiring explicit package imports 448 affected artifacts identified spanning both npm and PyPI registries Threat actors dubbed the Hades cluster, part of broader Shai-Hulud and Miasma malware lineage Socket malware detection systems identified
Jun 73 min read
Critical Miasma Worm Campaign Targets Microsoft and Red Hat in Expanding Supply Chain Attack Wave
Key Findings Miasma worm infected 73 Microsoft GitHub repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations, forcing GitHub to disable access Attack represents re-compromise of previously infected "durabletask" PyPI package, suggesting threat actors maintained persistent access for over a month Miasma operates as self-replicating malware variant of Mini Shai-Hulud worm, exploiting the trust model of package registries rather than technical vulne
Jun 64 min read
Supply Chain Attack: 700+ Laravel Lang Versions Infected with RCE Backdoor
Key Findings Over 700 historical versions of laravel-lang localization packages compromised with RCE backdoors across multiple repositories Attack occurred May 22-23, 2026 with automated mass tag publishing seconds apart, indicating infrastructure-level breach Malicious code executes automatically via composer autoload.files on every PHP request in affected applications Second-stage payload deploys 17 specialized credential collectors targeting cloud keys, Kubernetes tokens,
May 233 min read
TeamPCP Claims Sale of Mistral AI Repositories During Mini Shai-Hulud Attack
Key Findings TeamPCP-linked forum account claims to be selling roughly 5GB of internal Mistral AI repositories and source code The alleged archive contains approximately 450 repositories covering training systems, inference infrastructure, and enterprise AI projects No independent verification of the authenticity of the claimed repositories has been established The sale announcement surfaced days after Mini Shai-Hulud supply chain attacks compromised hundreds of npm and PyPI
May 133 min read
Mini Shai-Hulud Worm Supply Chain Attack Compromises Hundreds of Open-Source Packages
Key Findings TeamPCP threat actor behind sprawling supply chain attack targeting npm and PyPI packages across TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI Malware deploys obfuscated JavaScript credential stealer targeting cloud providers, crypto wallets, AI tools, CI systems, and messaging apps Data exfiltrated to attacker-controlled infrastructure using Session Protocol to evade detection Malware establishes persistence in VS Code and Claude Code IDEs, survive
May 133 min read
JDownloader's Official Site Distributes Malware to Windows and Linux Users in Major Supply Chain Attack
Key Findings JDownloader's official website was compromised between May 6-7, 2026, serving malicious installers to Windows and Linux users instead of legitimate software Attackers deployed a Python-based remote access trojan (RAT) that gave them remote control over infected systems, with an 8-minute execution delay The breach was limited to the Windows "Alternative Installer" and Linux shell installer; macOS, in-app updates, and package managers remained unaffected Attackers
May 103 min read
Quasar Linux RAT (QLNX): A Fileless Implant Targeting Supply Chain with Stealth and Persistence
Key Findings Researchers discovered QLNX, a previously undocumented Linux remote access trojan targeting developers and DevOps environments The malware operates entirely from memory using memfd_create to avoid disk detection QLNX includes embedded C source code for PAM backdoors and LD_PRELOAD rootkits that dynamically compile on target systems The implant supports 58 command handlers including keylogging, credential theft, SSH lateral movement, and eBPF-based hiding Communic
May 94 min read
New Wave of DPRK Attacks Leveraging AI-Generated npm Malware, Shell Companies, and Remote Access Trojans
Key Findings North Korean threat actor Famous Chollima deployed malicious npm packages designed to steal cryptocurrency wallet credentials and source code from developers Campaign codenamed PromptMink features AI-generated malware split across multiple package layers to evade detection Malware evolved from simple JavaScript stealers to sophisticated multi-platform RATs compiled in Rust, capable of establishing SSH backdoors Attack chain leverages legitimate-looking packages a
Apr 303 min read
Bitwarden CLI Compromised in Supply Chain Attack Through Checkmarx
Key Findings Bitwarden CLI version 2026.4.0 was compromised through a malicious GitHub Action in the project's CI/CD pipeline, affecting the npm distribution mechanism The attack was part of the ongoing Checkmarx supply chain campaign, likely orchestrated by threat actor TeamPCP Malicious code in bw1.js executed a preinstall hook that stole GitHub tokens, npm credentials, SSH keys, cloud secrets, and shell history Stolen data was exfiltrated to a fake Checkmarx domain (audit.
Apr 243 min read
Supply Chain Worm Spreads Through npm Packages to Steal Developer Authentication Tokens
Key Findings Self-propagating worm dubbed CanisterSprawl detected in six npm packages, spreading via stolen developer credentials Malware executes during package installation to harvest npm tokens, SSH keys, cloud credentials, and browser data Stolen tokens enable attackers to push poisoned package versions, creating a self-replicating supply chain attack Exfiltration occurs through HTTPS webhook and ICP canister infrastructure designed to resist takedowns Campaign includes c
Apr 223 min read
Trivy Supply Chain Attack Triggers Self-Spreading CanisterWorm Across 47 npm Packages
Key Findings * TeamPCP cybercriminal group suspected behind supply chain attack * 47 npm packages compromised across multiple scopes * Self-propagating CanisterWorm uses ICP blockchain canister as command-and-control infrastructure * Attack leverages npm package postinstall hooks to execute malware * Worm can automatically spread using stolen npm authentication tokens * Decentralized C2 infrastructure makes takedown efforts difficult Background The supply chain attack targets
Mar 212 min read
bottom of page
