< ciso brief />

All news with #supply chain compromise tag

416 articles · page 10 of 21

Eva Chen on Cybersecurity, AI Risks and Business Resilience

🔒 In the CEO Outlook 2026 survey, Trend Micro CEO Eva Chen describes how rapid AI adoption and expanding cloud footprints are transforming the cyberthreat landscape and elevating business risk. She flags rising ransomware, supply-chain exposures and AI-enabled attacks, and urges firms to prioritize automation, XDR and cloud security. Chen also stresses the role of channel partners and talent development in building resilience against increasingly sophisticated threats.

Target employees confirm leaked code after Git lockdown

🔒 Multiple current and former Target employees told BleepingComputer that a sample of source code and documentation published by a threat actor matches real internal systems. A screenshot of company-wide Slack shows an "accelerated" security change effective January 9, 2026, restricting access to git.target.com to Target-managed networks or VPN. The 14MB sample contains internal names like "BigRED" and "TAP" and references to Vela, Hadoop datasets, and JFrog Artifactory. The threat actor claims a full archive of ~860GB; the root cause remains under investigation.

Old Playbook, New Scale: Attackers Optimize the Basics

🔐 Attackers in 2025 are not inventing wholly new techniques but refining long‑standing ones—supply‑chain compromise, credential theft, and malware in official stores—at vastly greater scale. AI has lowered the barrier to entry, enabling small teams or individuals to publish trusted packages, automate phishing, and pivot them to malicious behavior. Gaps in permission models and slow supply‑chain mitigation let these campaigns cascade through dependencies. Defenders should prioritize fundamentals: fix permissions, harden verification, and make phishing‑resistant authentication the default.

Dutch Hacker Sentenced to Seven Years for Port Hacks

🔒 The Amsterdam Court of Appeal sentenced a 44‑year‑old Dutch national to seven years in prison for breaching IT systems at the ports of Rotterdam, Barendrecht and Antwerp to facilitate drug trafficking. The court found he gained access after employees introduced USB sticks containing malware, enabling installation of a remote access tool, data exfiltration and interception. An appeal arguing unlawful interception of Sky ECC communications was rejected, as the defence failed to substantiate procedural violations. He was acquitted on one large cocaine-import charge, but the convictions for hacking, facilitating the importation of 210 kg of cocaine, and attempted extortion were upheld.

Target's Dev Git Server Offline After Source Code Claims

🔒 Target is investigating claims that an unknown threat actor published samples of internal source code on public Gitea repositories and is advertising a larger dataset for sale. The posted sample included a SALE.MD index listing roughly 57,000 lines and an estimated archive size of ~860 GB. After BleepingComputer alerted Target, the sample repos were removed and the retailer's developer Git server at git.target.com became inaccessible externally. Commit metadata and repository structure suggest the material may have originated from private internal infrastructure.

n8n npm Packages Used in OAuth Credential Theft Campaign

🔒 Researchers found eight malicious npm packages impersonating n8n community nodes that were designed to steal developers' OAuth credentials. The packages mimicked legitimate integrations (for example, Google Ads), saved encrypted OAuth tokens to n8n's credential store, then used the instance master key at runtime to decrypt and exfiltrate tokens to attacker-controlled servers. Analysts urge disabling community nodes and auditing packages before installation.

Active Worms in Software Supply Chains: Shai-Hulud Threat

🐛 Shai‑Hulud marks a shift from passive supply‑chain tricks to an actively propagating worm that targets developer identities and CI/CD trust. Variants harvest NPM tokens and GitHub secrets, then use the stolen credentials to publish infected packages automatically, often including a dead‑man switch to erase traces. CISOs must treat pipelines and AI-assisted tooling as primary attack surfaces.

Malicious npm Packages Target n8n in Supply-Chain Attack

🔐 Endor Labs discovered malicious npm packages this week that impersonated community nodes for the n8n workflow automation platform, harvesting OAuth tokens and API keys when installed. The deceptive packages presented legitimate-looking configuration screens while executing code to decrypt credentials from n8n’s credential store and exfiltrate them to attacker-controlled C2 servers. Because n8n treats installed nodes as trusted code with full access to the workflow environment, these packages bypass typical supply-chain monitoring and can perform arbitrary network requests and host interactions. Endor recommends preferring built-in integrations, auditing package source and metadata, monitoring outbound traffic from automation hosts, and using isolated, least-privilege service accounts.

VMware ESXi zero-days likely exploited a year earlier

🔒 Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that appears to have been developed more than a year before the vulnerabilities were publicly disclosed. Huntress analysts found PDB build paths and simplified Chinese artifacts suggesting components were compiled in late 2023 and early 2024. The toolkit chains multiple ESXi flaws to escape guest VMs into the hypervisor, load an unsigned kernel driver, and deploy a persistent backdoor. Organizations are urged to apply the latest ESXi security updates and run the supplied detection rules to identify compromise.

NodeCordRAT Found in Bitcoin-Themed Malicious npm Packages

🔍 Zscaler ThreatLabz researchers uncovered three malicious npm packages that delivered a previously undocumented remote access trojan dubbed NodeCordRAT. Uploaded under the username "wenmoonx" and disguised as bitcoin libraries, the packages used a postinstall script to install the final payload. NodeCordRAT uses npm for distribution and Discord as its C2, supporting remote shell execution, screenshots, and file exfiltration including browser credentials and wallet seed phrases.

Jaguar Land Rover Q3 Sales Plummet After Cyber-Attack

🚗 Jaguar Land Rover is still reeling from a late‑August cyber-attack that disrupted production from September through mid-November, Tata Motors reported. Retail sales in Q3 2025 fell 25.1% year‑on‑year to 79,600 vehicles, while wholesale shipments plunged 43% to 59,200 units. Tata said the incident "significantly disrupted operations," forcing factory stoppages and ongoing distribution delays, compounded by US tariffs and model phase-outs.

Forked VSCode IDEs Expose Developers to Namespace Hijack

⚠ Forked IDEs based on Microsoft VSCode (such as Cursor, Windsurf, Google Antigravity and Trae) retain hardcoded extension recommendations that point to Microsoft's Visual Studio Marketplace. Because these forks use OpenVSX instead, several recommended publisher namespaces were unclaimed, enabling attackers to register them and publish malicious extensions. Supply-chain researchers at Koi claimed affected namespaces and uploaded inert placeholders while coordinating with the Eclipse Foundation to secure the registry.

Ledger Customers Affected by Global-e Third-Party Breach

🔒 Ledger says some customers had personal data exposed after a breach at third‑party payment processor Global‑e. The company confirmed its own network, hardware, and software were not compromised and that the leaked fields were limited to shopper names and contact information — no payment data, seed phrases, or blockchain secrets were taken. Ledger warned customers to watch for phishing attempts, never disclose their 24‑word recovery phrase, and follow any direct notifications from Global‑e for details.

Weekly Recap: IoT Botnets, Extension Supply-Chain Risk

🔒 This week's recap highlights persistent, trust‑based attacks that quietly exploited updates, extensions, sessions, and messages to scale impact across IoT, browsers, and collaboration platforms. A nine‑month RondoDox campaign leveraged React2Shell for RCE in React Server Components, while a supply‑chain compromise of Trust Wallet extensions exposed GitHub secrets and Chrome Web Store keys, enabling roughly $8.5M in crypto theft. Newly observed groups like DarkSpectre abused legitimate extensions to reach millions of users, and well‑resourced actors reused successful trust vectors rather than relying on one‑off exploits.

European Space Agency Confirms External Server Breach

🔒 The European Space Agency (ESA) has acknowledged a December server compromise affecting a small number of external, non-corporate servers that support unclassified collaborative engineering activities. The agency says it has informed relevant stakeholders, implemented measures to secure potentially affected devices and launched a forensic analysis. Reports on underground forums claim over 200GB of data was stolen, including source code, CI/CD pipelines and credentials, raising supply chain and operational concerns.

Trust Wallet Links $8.5M Crypto Theft to Shai-Hulud Attack

🔐 Trust Wallet attributes a December 24 compromise of its Chrome extension to activity tied to the Sha1‑Hulud campaign after attackers added malicious JavaScript to version 2.68. The injected code harvested sensitive wallet data and enabled unauthorized transactions, resulting in roughly $8.5 million stolen from over 2,500 wallets. Exposed GitHub developer secrets revealed a Chrome Web Store API key that let the attacker publish a trojanized build. Trust Wallet revoked release APIs, had malicious domains suspended, and has begun reimbursing victims while warning of impersonation scams.

Applying the Musk Oxen Strategy to Third‑Party Risk

🛡️ Third-party risk is a growing enterprise threat underscored by recent supply-chain attacks, including the June 2024 compromise of TeamViewer by APT29. The article argues organizations often depend on hundreds or thousands of vendors with limited transparency, immature security practices, and hidden subcontractors, which makes traditional vendor assessments a weak defense. It proposes the musk oxen strategy: collective intelligence-sharing, coordinated remediation support, and joint negotiation to strengthen common weak links and reduce systemic risk.

ThreatsDay: GhostAd, macOS Supply-Chain, Proxy Botnets

🔍 The ThreatsDay bulletin opens 2026 with a cross-section of active campaigns and emerging tactics that emphasize stealth, precision, and financial motive. Highlights include the GhostAd Android adware drain, macOS supply-chain trojans tied to Open VSX extensions, a large non-KYC proxy network (IPCola), and multiple cloud and contract-exploit incidents. The roundup also details arrests, regulatory action, and evolving Magecart and click-fraud toolkits that collectively signal a shift toward low-noise, high-return operations.

GlassWorm fourth wave targets macOS trojanized wallets

🚨 The fourth wave of the GlassWorm campaign is targeting macOS developers by distributing malicious VS Code/OpenVSX extensions that deliver trojanized cryptocurrency wallet applications. The extensions embed an AES-256-CBC-encrypted payload in compiled JavaScript, execute after a 15-minute delay using AppleScript, and persist via LaunchAgents. The malware harvests developer credentials, browser and Keychain data, supports VNC and SOCKS proxying, and includes a mechanism to replace Ledger Live and Trezor Suite with trojanized versions. Users should remove the identified extensions, reset credentials, revoke tokens, and inspect or reinstall affected macOS systems.

Trust Wallet Chrome Extension Hack Drains $8.5M in Dec

🔒 Trust Wallet disclosed that a second wave of the Shai‑Hulud supply chain attack exposed developer GitHub secrets, including a Chrome Web Store API key, enabling attackers to upload a trojanized extension build directly. The malicious update (v2.68) pushed a backdoor that harvested wallet mnemonic phrases to a domain registered as metrics-trustwallet[.]com, leading to the theft of about $8.5 million from 2,520 addresses. Trust Wallet urged users to update to v2.69, launched a reimbursement claim process, and said it has implemented additional monitoring and controls to strengthen its release procedures.