All news with #supply chain compromise tag

🐛 Security teams have warned of a rapidly spreading secret-stealing worm, Shai-Hulud, that has resurfaced in the npm ecosystem and already infected hundreds of packages with tens of millions of downloads. First seen in September, attackers hijack developer accounts to publish trojanized packages that exfiltrate AWS keys and GitHub tokens to attacker-controlled repositories. Vendors including Wiz Security and Mondoo report explosive scaling—hundreds of new repos discovered every 30 minutes—and urge urgent dependency audits. Recommended mitigations include rotating credentials, disabling npm postinstall scripts in CI, enforcing MFA, pinning versions, and using tools like Safe-Chain to block malicious packages.

⚠️ Hundreds of trojanized versions of popular npm packages — including toolkits linked to Zapier, ENS Domains, PostHog and others — have been published in a renewed Shai‑Hulud supply‑chain campaign designed to steal developer and CI/CD secrets. The malware runs during pre‑install, collects credentials into files like cloud.json and environment.json, and posts encoded data to quickly created GitHub repositories. Researchers at Aikido Security, Wiz and Step Security identified obfuscated payloads in setup_bun.js and a large, heavily obfuscated bun_environment.js dropper.

⚠ Multiple security vendors report a second Sha1-Hulud campaign that has trojanized hundreds of npm packages and affected over 25,000 repositories. The attack leverages a preinstall script ("setup_bun.js") to install or locate the Bun runtime and execute a bundled payload ("bun_environment.js") that harvests credentials. The malware registers hosts as self-hosted GitHub runners named "SHA1HULUD", drops a vulnerable workflow (.github/workflows/discussion.yaml) to run arbitrary commands via repository discussions, exfiltrates secrets as artifacts, and then removes traces; when exfiltration fails it can attempt destructive wiping of the user home directory.

⚠️ Iberia has notified customers that personal data was exposed after unauthorized access to a supplier's systems, potentially including names, email addresses and Iberia Club loyalty numbers. The carrier says no login credentials or payment card details were taken and that it has implemented additional verification checks and mitigation measures. Customers are urged to watch for phishing and suspicious communications. The airline is investigating and has informed authorities.

🔔 Iberia has informed customers of a security incident after unauthorized access to a supplier's systems exposed limited customer information. The airline says affected fields may include full name, email address, and Iberia Club loyalty identification numbers, while login credentials and payment card data were not accessed. Iberia says it activated its security protocol, added verification codes for email changes, is monitoring systems, and has notified authorities as it works with the third-party vendor. Customers are urged to watch for suspicious messages and report anomalies to the airline.

⚠️ Kaspersky describes a campaign in which attackers used the AI-powered web builder Lovable to mass-generate convincing fake vendor pages that host malicious installers. Those pages distribute a custom, attacker-signed build of the legitimate remote administration tool Syncro, which installs silently and grants full remote access. Because the payload is a legitimate admin tool altered for abuse, detection is difficult and victims risk data theft and loss of cryptocurrency funds.

🔐 Salesforce disclosed unauthorized access tied to Gainsight-published apps using OAuth integrations, saying it revoked all active access and refresh tokens and temporarily removed those apps from the AppExchange while investigators continue their work. Gainsight confirmed the incident, has engaged Mandiant for forensics, and revoked related connector access across other marketplaces. Google Threat Intelligence linked the activity to actors associated with ShinyHunters, echoing prior token-abuse campaigns against Salesloft and Drift. The incident highlights supply-chain risks in SaaS OAuth integrations and reinforces urgent recommendations to audit and revoke suspicious tokens.

🛡️ APT24 has deployed a previously undocumented downloader called BADAUDIO to maintain persistent remote access in a nearly three-year campaign beginning November 2022. The highly obfuscated C++ downloader uses control-flow flattening and DLL search-order hijacking to fetch AES-encrypted payloads from hard-coded C2s; analysts observed Cobalt Strike delivered in at least one case. Operators distributed BADAUDIO via watering holes, supply-chain compromises, typosquatted CDNs and targeted phishing, employing FingerprintJS and encrypted cloud-hosted archives to selectively target victims and evade detection.

⚠️ On November 20, customer support platform provider Gainsight reported connection failures after Salesforce revoked active access for the Gainsight SFDC Connector following detection of unusual activity. Salesforce temporarily removed all Gainsight-published apps from its AppExchange, citing potential unauthorized access via the app's external connection rather than a Salesforce platform vulnerability. Gainsight also disabled integrations with HubSpot and Zendesk, and engaged Mandiant to support forensic work. A criminal collective claiming affiliation with Lapsus$/Scattered Spider said it was responsible and threatened wider data leaks and a RaaS offering.

📰The U.S. Securities and Exchange Commission has voluntarily dismissed its lawsuit against SolarWinds and CISO Timothy G. Brown, filing a joint motion to dismiss on November 20, 2025. The October 2023 complaint alleged fraud, internal control failures, and misleading disclosures tied to the late-2020 supply-chain compromise attributed to APT29. Many allegations were rejected by the SDNY in July 2024 as relying on hindsight. SolarWinds' CEO said the company emerges stronger, more secure, and better prepared.

🛡️ A BlueVoyant survey finds 97% of organizations were negatively impacted by a supply chain breach, up sharply from 81% in 2024. The State of Supply Chain Defense: Annual Global Insights Report 2025, published 20 November, shows many firms are maturing TPRM programs and shifting oversight into cyber or IT teams. Despite increased maturity, respondents report persistent issues such as lack of executive buy-in, compliance-first approaches, limited integration with enterprise risk frameworks, and a trend of adding vendors faster than they add visibility or remediation capacity.

🔒 SecurityScorecard's STRIKE team warns that Operation “WrtHug” has already compromised thousands of ASUS WRT routers worldwide by chaining six primarily legacy vulnerabilities to gain elevated privileges and persistence. The campaign abuses the ASUS AiCloud service and OS injection flaws, deploying a common self-signed TLS certificate with a 100-year expiry. SecurityScorecard notes geographic clustering, with up to 50% of victims in Taiwan, and assesses a likely China-affiliated ORB-style operation.

🔒 ESET researchers disclosed a Go-based network backdoor dubbed EdgeStepper, used by the China-aligned actor PlushDaemon to reroute DNS queries and enable adversary-in-the-middle (AitM) attacks. EdgeStepper forces update-related DNS lookups to attacker-controlled nodes, delivering a malicious DLL that stages additional components. The chain targets update mechanisms for Chinese applications including Sogou Pinyin and ultimately fetches the SlowStepper backdoor to exfiltrate data.

🛡️ ESET researchers describe how the China-aligned actor PlushDaemon uses a previously undocumented network implant called EdgeStepper to perform adversary-in-the-middle hijacks of software update flows. EdgeStepper, a Go-based MIPS32 implant, redirects DNS traffic to malicious resolvers that reply with IPs of attacker-controlled hijacking nodes, causing legitimate updaters to fetch counterfeit components such as LittleDaemon. The analysis details the implant's AES-CBC encrypted configuration (notably using the GoFrame default key), iptables redirection of UDP/53 to a local port, and the downloader chain (LittleDaemon and DaemonicLogistics) that stages and deploys the SlowStepper backdoor on Windows hosts.

🛡️ Researchers from the Socket Threat Research Team uncovered a new npm malware campaign operated by threat actor dino_reborn, distributed across seven packages that executed immediately and fingerprinted visitors. The packages used Adspect proxying and cloaking to distinguish researchers from victims, delivering branded fake CAPTCHAs and dynamic redirects to malicious crypto sites. Anti-analysis measures disabled developer tools and user interactions to hinder inspection.

⚠️Seven npm packages published under the developer name 'dino_reborn' were found leveraging the cloud-based Adspect service to distinguish researchers from potential victims and redirect targeted users to cryptocurrency scam pages. Socket's analysis shows six packages include a ~39 KB cloaking script that fingerprints visitors, employs anti-analysis controls, and forwards data to an actor-controlled proxy and the Adspect API. Targets are redirected to deceptive Ethereum and Solana-branded CAPTCHA pages, while likely researchers are shown a benign Offlido-style decoy.

🔒 This week's recap highlights a surge in quiet, high-impact attacks that abused trusted software and platform features to evade detection. Researchers observed active exploitation of Fortinet FortiWeb (CVE-2025-64446) to create administrative accounts, prompting CISA to add it to the KEV list. Law enforcement disrupted major malware infrastructure while supply-chain and AI-assisted campaigns targeted package registries and cloud services. The guidance is clear: scan aggressively, patch rapidly, and assume features can be repurposed as attack vectors.

🔎 The Contagious Interview campaign is delivering trojanized coding tests that fetch heavily obfuscated JavaScript from public JSON-storage services such as JSON Keeper, JSONSilo, and npoint.io. When executed in a Node.js test run the payloads decode and install the BeaverTail infostealer and then stage the InvisibleFerret RAT. NVISO Labs warns attackers are abusing developer trust and legitimate platforms and recommends sandboxing, auditing config files, and blocking suspicious outbound requests.

🔒 Jaguar Land Rover reported a £485m ($639m) Q2 loss after a September ransomware attack that halted production at its three UK plants for weeks. The company said the incident generated £196m ($258m) in cyber-related costs, contributing to a 24% year‑on‑year revenue decline to £4.9bn ($6.5bn). JLR set up a loan-backed financing scheme for suppliers and secured government loan guarantees, and confirmed production has now resumed.

🔍 Amazon Inspector researchers identified and reported over 150,000 npm packages tied to a coordinated tea.xyz token farming campaign that automatically generated and published packages to harvest blockchain rewards. The team combined rule-based detection with AI and worked directly with the Open Source Security Foundation (OpenSSF) to assign MAL‑IDs and submit packages for removal. The campaign caused registry pollution and reveals a new reward-driven supply chain abuse vector that can obscure legitimate software and consume infrastructure resources.