< ciso
brief />
Tag Banner

All news with #supply chain compromise tag

576 articles

Microsoft at Black Hat USA 2026: Defending Trust

🔒 At Black Hat USA 2026, Microsoft Security highlights how threat actors exploit trusted systems—software, developer workflows, identities, and AI—to scale attacks. Sessions and briefings across August 4–6 focus on supply chain compromises, AI security, and practical defense strategies. Visit booth #2144 for demonstrations, expert-led services, and community events including a reception on August 5.
read more →

Weekly roundup: emerging cyber threats and takedowns

🛡️ This week’s roundup highlights a wave of opportunistic attacks where familiar software and weak defaults are abused to escalate damage quickly. Reports include malicious NuGet packages that deliver spyware via game cheats, trojanized installers distributing sophisticated RATs, and a fast-spreading Rust ransomware incident that encrypted a network within 24 hours. Additional items cover actively exploited CVEs added to CISA’s KEV, guidance for coordinated vulnerability disclosure, large-scale fraud and money‑laundering disruptions in Europe, evasive Windows bind-link techniques, fake GitHub repos spreading an infostealer, and misuse of Chrome Sync for covert surveillance.
read more →

PhantomEnigma Abuses Brazilian Government Sites

🛡️ ANY.RUN uncovered an active PhantomEnigma campaign that hijacked over 20 Brazilian government websites to deliver malware. The operation used authenticated emails, compromised mailboxes, and trusted .gov.br hosts to redirect victims to malicious installers and a modular index.js backdoor. Researchers linked hundreds of sandbox sessions to reveal the campaign’s infrastructure, delivery chains, and detection guidance.
read more →

Malicious Python Packages and Supply Chain Risks

🐍 This report examines how the convenience and popularity of Python have attracted supply chain abuse, showing how malicious packages can execute code during installation and persist via .pth files or sitecustomize hooks. It outlines the installation layers (hosting, installation, environment), distribution formats (sdist, wheel), and common abuse techniques, emphasizing the rapid impact of compromised packages on development and enterprise assets.
read more →

148 npm Packages Masked as Student Proxies Abused

🔍 JFrog researchers found 148 npm packages posing as student web proxies that converted visitors' browsers into a DDoS botnet for roughly two weeks in May. The packages hosted a proxy UI but loaded a mutable remote script and a WebSocket flood generator, allowing attackers to run volumetric and control-plane attacks from unsuspecting users' tabs. Many packages have since been removed, but remnants and mutable loaders remain active, so network and build mitigations are advised.
read more →

Jscrambler npm package compromised with infostealer

🛡️ Jscrambler disclosed that a threat actor published malicious npm releases (8.14, 8.16, 8.17, 8.20) containing an info-stealer executed via the preinstall hook. The tampered package was live for two hours, downloaded 1,479 times, and affected four dependent packages that were deprecated and replaced. Jscrambler revoked compromised publishing credentials and urged users to rotate secrets and update to the safe release.
read more →

Ghostcommit attack hides prompt injection in images

🛡️ Researchers demonstrated "Ghostcommit," a proof-of-concept attack that hides malicious instructions inside a PNG referenced by an AGENTS.md so AI code-reviewing agents read images, open .env files, and exfiltrate secrets as integer constants. The pull request appears benign to text-based reviewers and default configs often exclude images from review, letting the change merge without human oversight. In tests, several coding agents followed the image pointer and emitted the repository's .env as a tuple of integers, while some agent harnesses refused. The ASSET Research Group published code, disclosed vendors, and built a multimodal GitHub app that inspects images, code shape, and conventions to block the exploit in trials.
read more →

Injective Labs SDK compromise exposes wallet keys

🔐 Unknown actors compromised the Injective Labs SDK repository and published a malicious npm package, @injectivelabs/sdk-ts@1.20.21, to exfiltrate cryptocurrency private keys and mnemonic phrases. The backdoored release, deployed on July 8, 2026, was embedded with fake telemetry that captured sensitive wallet data and transmitted it to an external server. The attacker pushed identical poisoned versions across 17 additional @injectivelabs-scoped packages to reach transitive users. A clean update (1.20.23) is now available and users are urged to rotate any exposed keys and check dependencies.
read more →

Exposed server reveals mass WordPress backdoor campaign

🔍 Researchers found a cybercrime crew's unsecured server containing tools, logs, and target lists that revealed a large-scale webshell access brokerage dubbed WP-SHELLSTORM. The exposed files showed automated scanners exploiting known WordPress and Joomla plugin flaws, notably the Breeze caching and Joomla JCE bugs, and included lists naming over 1.4 million domains. Two security teams analyzed the leaked repository and measured confirmed compromises in the thousands, while also tracing earlier credential-stealing activity against corporate Nacos instances. The leak underscores how public exploits and poor operator hygiene enabled mass compromise at scale.
read more →

Injective SDK npm package used to steal wallet keys

🔒 Security researchers discovered that the @injectivelabs/sdk-ts npm package (v1.20.21) was published with malicious code to capture cryptocurrency wallet private keys and mnemonic seed phrases. The compromise stemmed from a hijacked GitHub contributor account with suspicious commits appearing on June 8; the legitimate owner quickly reverted changes and released a clean 1.20.23. The malware activated when wallet-generation or import functions were called and exfiltrated secrets via HTTP POST to a public Injective Labs endpoint, and the tainted package had hundreds of dependent packages and thousands of downloads.
read more →

Fake Paysafe, Skrill SDKs on npm and PyPI steal creds

🔒 Malicious packages impersonating Paysafe, Skrill, and Neteller SDKs were published to npm and PyPI, delivering credential-stealing malware to developers and applications. Socket discovered 17 packages that expose expected APIs but return fake success responses while searching for and exfiltrating secrets such as API keys, tokens, and AWS credentials. Developers who installed these packages are urged to rotate secrets, inspect dependency trees and CI logs, and block the malicious package names at registry proxies.
read more →

GitHub Actions attack pattern that eludes CI scanners

🛡️ In June 2026, Novee Security disclosed "Cordyceps," a CI/CD composition weakness across thousands of high-impact repositories that flagged 654 and confirmed 300+ exploitable cases. The issue stems from how GitHub Actions events like pull_request_target and workflow_run execute with elevated privileges and can be tricked into running attacker-controlled content. Each workflow file appears valid, so SAST/DAST tools miss the cross-file composition that enables command, code injection and cross-workflow privilege escalation. Vendors have patched, but the broader governance gap—exacerbated by AI-generated workflows—remains and requires stricter trust boundaries and provenance controls.
read more →

North Korean campaign publishes malicious packages

🛡️ Researchers observed North Korea–linked actors behind the Contagious Interview campaign publish 108 unique malicious packages and extensions across npm, Packagist, Go, and Chrome under an operation dubbed PolinRider. The releases include obfuscated JavaScript loaders that append code to common project config files and leverage VS Code task auto-run behavior to execute payloads. Attackers appear to acquire or retain registry and maintainer access via repository compromises, domain takeovers, or malicious dependencies. The campaign has been active since at least 2023 and continues to deliver RATs and stealers through multi-stage blockchain-backed payload delivery.
read more →

Industrialized ransomware through criminal collaboration

🔐 Sophos reports a new collaboration between the Vect ransomware group and TeamPCP, a supply-chain credential theft gang linked to The Com collective. The partnership combines TeamPCP’s large-scale credential harvesting from developer toolchains with Vect’s ransomware-as-a-service operations, raising the risk that compromised accounts could be escalated into ransomware incidents. Sophos and the FBI have both issued warnings and detailed associated malware and tactics, urging organizations to harden developer and supply-chain security.
read more →

PamStealer macOS stealer uses fake Maccy sites

🛡️ Cybersecurity researchers have identified PamStealer, a macOS information stealer distributed as a compiled AppleScript masquerading as the open-source clipboard manager Maccy. The dropper fetches a Rust-based Mach-O stealer that harvests browsers, wallet extensions, iCloud Keychain, and clipboard data, then exfiltrates it to attacker infrastructure. The malware also coerces victims into entering their system password and validates it via PAM before capturing it.
read more →

Phantom Squatting: LLMs Enabling Web Domain Attacks

🛡️ Unit 42 found that large language models (LLMs) commonly hallucinate plausible web domains for real brands, and adversaries are registering these nonexistent domains to intercept AI-generated traffic. This phenomenon, called phantom squatting, poses a supply chain risk and was observed across multiple sectors. Researchers predicted adversary registrations 18–51 days in advance and discovered over 13,229 malicious URLs plus ~250,000 unregistered hallucinated domains.
read more →

Counterfeit USBs Infected JGSDF Networks Nearly Year

🔍 Leaked documents reveal that counterfeit USB flash drives carrying malware entered Japan's Ground Self-Defense Force (JGSDF) networks after being distributed during 2024 earthquake relief operations. The malicious drives, traced to sellers in China and priced below market rates, were discovered in February 2025 and found on over 50 computers, nearly half handling classified data. Investigators linked the malware to a strain previously associated with a China-linked hacking group, while authorities maintain the infection showed only self-replication behavior.
read more →

Suspected Russian Involvement in JLR Cyberattack

🛡️ Security experts have reacted to a New York Times report linking Russian hackers to the Jaguar Land Rover breach, which reportedly cost the British economy £1.9bn. Microsoft flagged the activity, and specialists pointed to the lack of a ransom demand, timing before a vehicle rollout, and novel ransomware as indicators of state involvement. Former JLR security leaders and industry analysts suggest the attack resembled sabotage more than typical cybercrime.
read more →

Hijacked npm and Go packages deploy cross‑platform stealer

🛡️ Cybersecurity researchers discovered two malicious npm packages and a cluster of Go packages that deploy a Python-based information stealer targeting Windows, Linux, and macOS. The attack hides execution in a VS Code task that runs when a project folder is opened and retrieves encrypted JavaScript from blockchain transaction data to configure a socket.io backdoor. The campaign uses a disguised font file to deliver multi-stage payloads and ultimately installs a Python infostealer that exfiltrates credentials, wallets, and developer artifacts.
read more →

AI Adoption Is Accelerating Risks for SMEs

🔒 Small and mid-sized businesses are rapidly adopting AI, often ahead of large enterprises, and this pace is outstripping their ability to govern associated cyber risks. Shadow AI—employees using public tools without oversight—exposes customer data, financial records, and intellectual property, while attackers increasingly exploit these weaker links in supply chains. The author urges owners and CFOs to map AI use, restrict sensitive data, treat AI access like hires, and engage advisors who can secure AI adoption effectively.
read more →