All news with #supply chain compromise tag

⚠️ A maintainer of widely used npm packages was phished, allowing attackers to publish malicious updates to 20 modules that together exceed two billion weekly downloads. Researchers from Aikido Security and Socket found the injected payload hooks browser APIs (window.fetch, XMLHttpRequest, window.ethereum.request) to intercept and rewrite cryptocurrency transactions. The malware substitutes recipient addresses by computing Levenshtein distance to closely match intended wallets, putting end users and developers who connect wallets at risk. The incident highlights the persistent supply-chain threat to package ecosystems.

🔐 Akido researchers found that at least 18 widely used JavaScript packages on NPM were briefly modified after a maintainer was phished, impacting libraries downloaded collectively more than two billion times weekly. The injected code acted as a stealthy browser interceptor, capturing and rewriting cryptocurrency wallet interactions and payment destinations to attacker-controlled accounts. The changes were rapidly removed, but experts warn the same vector could deliver far more disruptive supply-chain malware if not addressed. Security specialists urge mandatory phish-resistant 2FA and stronger commit attestation for high-impact packages.

🚨 A GitHub supply chain campaign dubbed GhostAction has exposed 3,325 secrets across multiple package ecosystems and repositories. GitGuardian says attackers abused compromised maintainer accounts to insert malicious GitHub Actions workflows that trigger on push or manual dispatch, read repository secrets, and exfiltrate them via HTTP POST to an external domain. Compromised credentials include PyPI, npm, DockerHub, Cloudflare, AWS keys and database credentials; vendors were notified and many repositories reverted the changes.

🚨 Attackers phished and hijacked a package maintainer's account via a fake support domain, then updated index.js files in multiple npm packages to inject a browser-based interceptor. The malicious code targets web clients, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash transactions and replacing wallet destinations to redirect funds. Affected packages collectively account for over 2.6 billion weekly downloads, making this a substantial supply-chain compromise. Investigation and remediation are ongoing.

🔒 Salesloft says attackers first breached its GitHub account in March, enabling the theft of Drift OAuth tokens later abused to access customer systems. The stolen tokens were used in widespread Salesforce data-theft operations disclosed in August, affecting multiple enterprise customers. Salesloft engaged Mandiant, rotated credentials, isolated Drift infrastructure, and restored integrations after validating containment.

🔒 Salesloft says the breach tied to its Drift application began after a threat actor compromised its GitHub account. Google-owned Mandiant traced the actor, tracked as UNC6395, accessing the account from March through June 2025 and downloading repository content, adding a guest user and establishing workflows. Attackers then accessed Drift's AWS environment and obtained OAuth tokens used to reach customer data via integrations, prompting Salesloft to isolate Drift infrastructure and take the application offline on September 5, 2025. Salesloft recommends revoking API keys for third-party apps integrated with Drift, and Salesforce has restored most Salesloft integrations while keeping Drift disabled pending further remediation.

🔒 Wealthsimple has confirmed a supply-chain related data breach that exposed information for roughly 30,000 customers after software from a third-party vendor was compromised on August 30. The leaked data reportedly included contact details, government-issued IDs, Social Insurance Numbers, dates of birth, IP addresses and account numbers. Wealthsimple says passwords were not accessed, no client accounts were compromised and no funds were stolen. The firm says it contained the intrusion within hours, notified regulators and is offering affected customers two years of free credit monitoring, dark-web monitoring, identity theft protection and a dedicated support team.

🔍GitGuardian disclosed a GitHub Actions supply chain campaign named GhostAction that exfiltrated 3,325 secrets from 327 users across 817 repositories before being contained on September 5. Attackers injected malicious workflow files to harvest CI/CD tokens (including PYPI_API_TOKEN) and sent them via HTTP POST to an actor-controlled endpoint. GitGuardian coordinated with maintainers and registries to revert commits, set impacted packages to read-only, and notify vendors.

🔒 Salesloft has moved to take Drift offline after a supply‑chain compromise that resulted in the mass theft of OAuth tokens and unauthorized access to Salesforce data. Multiple large vendors — including Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, and Tenable — confirmed impact, and activity is attributed to clusters tracked as UNC6395 and GRUB1. The incident underscores how fragile integrations can be and the importance of token hygiene, rapid revocation, and enhanced monitoring to contain downstream exposure.

🔒 GitGuardian uncovered a widespread supply-chain campaign it named GhostAction after detecting suspicious activity in a FastUUID GitHub repository. A compromised maintainer pushed a malicious GitHub Actions workflow that harvested secrets, initially capturing a PyPI token, and further investigation revealed hundreds of similar commits across multiple repositories. In total 3,325 secrets were exfiltrated from 817 repositories belonging to 327 users, with DockerHub credentials, GitHub tokens and npm tokens among the most common. GitGuardian notified platform security teams and many affected projects have begun reverting malicious changes while investigations continue.

🔒 Investment in AI data centers is accelerating globally, creating not only rising energy demand and emissions but also an expanded surface of cyber threats. AI facilities rely on GPUs, ASICs and FPGAs, which introduce side-channel, memory-level and GPU-resident malware risks that differ from traditional CPU-focused threats. Organizations should require operators to implement supply-chain vetting, physical shielding (for example, Faraday cages), continuous model auditing and stronger personnel controls to reduce model exfiltration, poisoning and foreign infiltration.

🔒 A backdoored NPM package published from the Nx repository delivered a post-install credential stealer named telemetry.js, which targeted Linux and macOS systems for GitHub and npm tokens, SSH keys, .env files and crypto wallets. The malware exfiltrated harvested secrets to public repositories named s1ngularity-repository. Attackers unusually used AI CLI tools (Claude, Q, Gemini) to run tuned LLM prompts for better credential harvesting. Nx and GitHub removed the packages, revoked tokens, and implemented 2FA, tokenless publishing and manual PR approvals.

🔑 Researchers found four malicious npm packages impersonating Flashbots and common cryptographic utilities to harvest Ethereum wallet credentials. Uploaded by user "flashbotts" between September 2023 and August 19, 2025, the libraries exfiltrate private keys and mnemonic seed phrases to a Telegram bot and transmit environment data via Mailtrap SMTP. One package also redirects unsigned transactions to an attacker-controlled wallet.

🔒 Wealthsimple disclosed a data breach detected on August 30 after attackers accessed a trusted third-party software package. The company said less than 1% of customers had personal information exposed, including contact details, government IDs, account numbers, IP addresses, Social Insurance Numbers, and dates of birth. Wealthsimple stated no funds or passwords were taken; impacted customers are being offered two years of complimentary credit and identity protection and were advised to enable two-factor authentication and remain alert for phishing.

🔒 Palo Alto Networks, Zscaler and Cloudflare disclosed a supply-chain breach traced to the Salesloft Drift integration with Salesforce. The compromise exposed business contact information, account/contact/case/opportunity records and, in some instances, OAuth tokens and plaintext support-case content; attachments and files were reportedly not affected. Palo Alto's Unit 42 observed active searches of exfiltrated data and deletion of queries consistent with anti-forensics. Vendors are advising immediate token revocation, credential rotation and comprehensive review of Salesforce logs and SOQL query history.

⚠️ ReversingLabs researchers uncovered a supply chain campaign that used Ethereum smart contracts to conceal URLs for malware delivered via rogue GitHub repositories and npm packages. The packages colortoolsv2 and mimelib2 were intentionally minimal and designed to be pulled as dependencies from fraudulent repositories posing as cryptocurrency trading bots. Attackers inflated commit histories with sockpuppet accounts and automated pushes to appear legitimate, then used on-chain storage to hide secondary payload locations and evade URL-scanning defenses.

🔒 Cybersecurity researchers discovered two malicious npm packages that use Ethereum smart contracts to hide commands and deliver downloader malware to compromised systems. The packages — colortoolsv2 (7 downloads) and mimelib2 (1 download) — were uploaded in July 2025 and removed from the registry. The campaign leveraged a network of GitHub repositories posing as crypto trading tools and is linked to a distribution-as-service operation called Stargazers Ghost Network. Developers are urged to scrutinize packages and maintainers beyond surface metrics before adopting libraries.

🛡️A new campaign used malicious npm packages to hide command-and-control URLs inside Ethereum smart contracts, evading typical static detection. ReversingLabs researcher Karlo Zanki uncovered packages colortoolsv2 and mimelib2 that delivered second-stage payloads via blockchain-held URLs. The threat also included fake GitHub projects, such as solana-trading-bot-v2, built to appear legitimate. Developers are urged to vet dependencies and maintainers beyond superficial metrics.

🔒 Salesloft said it will temporarily take its Drift chatbot service offline after a supply-chain compromise led to the mass theft of OAuth and refresh tokens tied to the Drift AI chat agent. The outage is intended to allow a comprehensive security review and build additional resiliency; Drift chatbot functionality and access will be unavailable during the process. Salesloft is working with cybersecurity partners Mandiant and Coalition while investigators, including Google Threat Intelligence Group, attribute the campaign to UNC6395 and report that more than 700 organizations may be affected.

🔒 Three major vendors—Palo Alto Networks, Zscaler, and Cloudflare disclosed a supply‑chain breach tied to the Salesloft Drift Salesforce integration that exposed OAuth tokens and customer CRM data. The incident reportedly involved mass exfiltration from Account, Contact, Case and Opportunity records and included business contact data and some plaintext case notes. Vendors recommend rotating credentials, revoking unused OAuth tokens, auditing Salesforce Event Monitoring and reviewing SOQL query logs and connected-app activity for signs of abuse.