
All news with #supply chain compromise tag

525 articles · page 16 of 27

Forked VSCode IDEs Expose Developers to Namespace Hijack

⚠ Forked IDEs based on Microsoft VSCode (such as Cursor, Windsurf, Google Antigravity and Trae) retain hardcoded extension recommendations that point to Microsoft's Visual Studio Marketplace. Because these forks use OpenVSX instead, several recommended publisher namespaces were unclaimed, enabling attackers to register them and publish malicious extensions. Supply-chain researchers at Koi claimed affected namespaces and uploaded inert placeholders while coordinating with the Eclipse Foundation to secure the registry.

Ledger Customers Affected by Global-e Third-Party Breach

🔒 Ledger says some customers had personal data exposed after a breach at third‑party payment processor Global‑e. The company confirmed its own network, hardware, and software were not compromised and that the leaked fields were limited to shopper names and contact information — no payment data, seed phrases, or blockchain secrets were taken. Ledger warned customers to watch for phishing attempts, never disclose their 24‑word recovery phrase, and follow any direct notifications from Global‑e for details.

Weekly Recap: IoT Botnets, Extension Supply-Chain Risk

🔒 This week's recap highlights persistent, trust‑based attacks that quietly exploited updates, extensions, sessions, and messages to scale impact across IoT, browsers, and collaboration platforms. A nine‑month RondoDox campaign leveraged React2Shell for RCE in React Server Components, while a supply‑chain compromise of Trust Wallet extensions exposed GitHub secrets and Chrome Web Store keys, enabling roughly $8.5M in crypto theft. Newly observed groups like DarkSpectre abused legitimate extensions to reach millions of users, and well‑resourced actors reused successful trust vectors rather than relying on one‑off exploits.

European Space Agency Confirms External Server Breach

🔒 The European Space Agency (ESA) has acknowledged a December server compromise affecting a small number of external, non-corporate servers that support unclassified collaborative engineering activities. The agency says it has informed relevant stakeholders, implemented measures to secure potentially affected devices and launched a forensic analysis. Reports on underground forums claim over 200GB of data was stolen, including source code, CI/CD pipelines and credentials, raising supply chain and operational concerns.

Trust Wallet Links $8.5M Crypto Theft to Shai-Hulud Attack

🔐 Trust Wallet attributes a December 24 compromise of its Chrome extension to activity tied to the Shai‑Hulud campaign after attackers added malicious JavaScript to version 2.68. The injected code harvested sensitive wallet data and enabled unauthorized transactions, resulting in roughly $8.5 million stolen from over 2,500 wallets. Exposed GitHub developer secrets revealed a Chrome Web Store API key that let the attacker publish a trojanized build. Trust Wallet revoked release APIs, had malicious domains suspended, and has begun reimbursing victims while warning of impersonation scams.

Applying the Musk Oxen Strategy to Third‑Party Risk

🛡️ Third-party risk is a growing enterprise threat underscored by recent supply-chain attacks, including the June 2024 compromise of TeamViewer by APT29. The article argues organizations often depend on hundreds or thousands of vendors with limited transparency, immature security practices, and hidden subcontractors, which makes traditional vendor assessments a weak defense. It proposes the musk oxen strategy: collective intelligence-sharing, coordinated remediation support, and joint negotiation to strengthen common weak links and reduce systemic risk.

ThreatsDay: GhostAd, macOS Supply-Chain, Proxy Botnets

🔍 The ThreatsDay bulletin opens 2026 with a cross-section of active campaigns and emerging tactics that emphasize stealth, precision, and financial motive. Highlights include the GhostAd Android adware drain, macOS supply-chain trojans tied to Open VSX extensions, a large non-KYC proxy network (IPCola), and multiple cloud and contract-exploit incidents. The roundup also details arrests, regulatory action, and evolving Magecart and click-fraud toolkits that collectively signal a shift toward low-noise, high-return operations.

GlassWorm fourth wave targets macOS trojanized wallets

🚨 The fourth wave of the GlassWorm campaign is targeting macOS developers by distributing malicious VS Code/OpenVSX extensions that deliver trojanized cryptocurrency wallet applications. The extensions embed an AES-256-CBC-encrypted payload in compiled JavaScript, execute after a 15-minute delay using AppleScript, and persist via LaunchAgents. The malware harvests developer credentials, browser and Keychain data, supports VNC and SOCKS proxying, and includes a mechanism to replace Ledger Live and Trezor Suite with trojanized versions. Users should remove the identified extensions, reset credentials, revoke tokens, and inspect or reinstall affected macOS systems.

Trust Wallet Chrome Extension Hack Drains $8.5M in Dec

🔒 Trust Wallet disclosed that a second wave of the Shai‑Hulud supply chain attack exposed developer GitHub secrets, including a Chrome Web Store API key, enabling attackers to upload a trojanized extension build directly. The malicious update (v2.68) pushed a backdoor that harvested wallet mnemonic phrases to a domain registered as metrics-trustwallet[.]com, leading to the theft of about $8.5 million from 2,520 addresses. Trust Wallet urged users to update to v2.69, launched a reimbursement claim process, and said it has implemented additional monitoring and controls to strengthen its release procedures.

Modified Shai Hulud Strain Found in npm Package Dec

🔎 Cybersecurity researchers have identified a modified strain of the Shai Hulud npm worm inside the package "@vietmoney/react-big-calendar," updated on December 28, 2025. Aikido and researcher Charlie Eriksen say the code appears obfuscated and likely derived from the original worm source rather than a simple copy. The variant changes filenames and GitHub leakage descriptors, improves error handling and OS-aware publishing, and so far shows limited spread, suggesting the payload may be in testing.

Final 2025 Weekly Recap: MongoDB, Wallet, and Supply Chain

🔔 A newly disclosed MongoDB memory-exposure flaw (CVE-2025-14847, "MongoBleed") and a wave of supply-chain and update-channel compromises defined the final week of 2025. Active exploitation of MongoDB affected tens of thousands of instances worldwide while extension- and package-based attacks, including a compromised Trust Wallet Chrome extension and a malicious npm package, led to immediate thefts and account takeovers. The recap stresses rapid attacker tempo, the abuse of trusted update/support channels, and persistent impacts that can surface months or years after an initial compromise.

Korean Air Data Breach Exposes Thousands of Employees

🔓 Korean Air warned employees that personal information, including names and bank account numbers, was compromised after its former in-flight catering supplier, Korean Air Catering & Duty-Free (KC&D), notified the carrier it had been hacked. Local outlets report about 30,000 records were exfiltrated, and the Clop ransomware gang has claimed responsibility and posted the alleged data on its leak site. Korean Air reported the incident to authorities, is investigating the scope, and urged staff to remain vigilant for phishing and impersonation attempts.

Targeted npm Packages Used to Host Credential Lures

🔒 Cybersecurity researchers detailed a five-month, targeted spear-phishing campaign that published 27 malicious npm packages across six aliases to repurpose package CDNs as resilient hosting for browser‑run credential‑harvesting lures. The embedded HTML/JavaScript mimicked document‑sharing portals and Microsoft sign‑in, pre-filling victim emails and using bot/sandbox checks, honeypot fields and heavy obfuscation to evade detection. Socket links the domains to Evilginx-style AitM infrastructure and urges phishing‑resistant MFA, strict dependency verification, CDN request logging, and monitoring for suspicious post‑auth activity.

MacSync macOS Stealer Uses Signed, Notarized Swift Installer

🛡️ Researchers have uncovered a new macOS information stealer, MacSync, delivered as a code-signed and notarized Swift installer masquerading as a messaging app. The signed DMG bypasses Gatekeeper and XProtect, and the installer prompts users to right-click to run — a common social-engineering tactic. Apple has revoked the signing certificate. The dropper enforces rate limits, removes quarantine attributes, and downloads a Base64-encoded payload that resolves to the rebranded Mac.c/MacSync strain.

Outsourced Cyber Defenses: Systemic Risks and Governance

🔐 Outsourcing critical IT and cybersecurity has shifted from a cost-saving tactic to a systemic fragility driver. The article explains how single-vendor failures — highlighted by SolarWinds and MOVEit — can cascade across industries, amplified by cloud adoption, talent shortages and subcontractor opacity. It warns that AI-driven agents, regulatory fragmentation, and geopolitical exposures turn vendor compromises into national and economic security risks. Boards, CISOs and regulators must adopt trust-by-design, stress tests and AI resilience measures.

Trojanized npm WhatsApp API library steals data silently

🔐 Security researchers uncovered 'lotusbail,' a malicious npm package that impersonates the legitimate @whiskeysockets/baileys WhatsApp Web client while quietly exfiltrating messages, credentials, and contact data from developer environments. The trojanized wrapper amassed over 56,000 downloads and operated for roughly six months before Koi Security flagged its behavior. Stolen information was encrypted and layered with multiple obfuscation techniques, and the malware leveraged WhatsApp multi-device pairing to keep an attacker device linked even after the package was removed.

Malicious npm WhatsApp API 'lotusbail' Steals Accounts

🔒 Koi Security disclosed a malicious npm package, lotusbail, masquerading as a WhatsApp API and designed to intercept authentication tokens, messages, contacts and media. Uploaded in May 2025 by the account "seiren_primrose", it has been downloaded over 56,000 times and remained available at the time of reporting. The library wraps the WebSocket client and contains a hard-coded pairing code that links the attacker's device to a victim's WhatsApp account, creating a persistent backdoor even after uninstallation. It also implements anti-debugging traps to freeze execution and hinder analysis.

Malicious NPM Package Steals WhatsApp Accounts and Messages

🔒 A malicious NPM package published as lotusbail and masquerading as a WhatsApp Web API library was found to exfiltrate authentication tokens, session keys, messages, contacts and media. Researchers at Koi Security report the package wraps the legitimate WebSocket client from the Baileys project so all traffic is intercepted and recorded. The malware encrypts captured data with layered obfuscation (Unicode tricks, LZString, AES and custom RSA) and establishes persistent access by pairing the attacker’s device to victims' WhatsApp accounts. Developers should remove the package, inspect linked devices, and monitor runtime behavior for unexpected outbound connections.

CISA Flags ASUS Live Update CVE, But Attack Is Years Old

🛡️ CISA's addition of CVE-2025-59374 to the KEV catalog documents a historical ASUS Live Update supply‑chain compromise rather than a new, active campaign. The CVE formalizes the 2018–2019 'ShadowHammer' incident in which maliciously modified Live Update binaries were selectively delivered to targeted systems, and the client reached End‑of‑Support in October 2021. ASUS's December 2025 FAQ appears to be a documentation update clarifying upgrade paths to the last Live Update release (3.6.15), and CISA emphasized that KEV inclusion does not necessarily indicate ongoing exploitation. Security teams should apply context‑aware triage and ensure supported software is up to date.

ASUS Live Update CVE-2025-59374: Historical, Not New

📌 The CVE-2025-59374 record documents the 2018–2019 ShadowHammer supply‑chain compromise of ASUS Live Update, a client that reached End‑of‑Support in October 2021. The entry, now rated 9.3, formalizes a historical incident and does not indicate current active exploitation for supported devices. Security teams should verify systems are running the latest supported software but avoid treating the KEV listing as an immediate, new threat.