All news with #supply chain compromise tag

⚠️ Google Threat Intelligence Group (GTIG) observed a supply-chain attack on 2026-03-31 where attackers introduced a malicious dependency, plain-crypto-js, into legitimate axios releases (1.14.1 and 0.30.4). The package contains an obfuscated Node.js dropper (SILKBELL) that installs the multi-platform WAVESHAPER.V2 backdoor on Windows, macOS, and Linux. GTIG attributes the activity to UNC1069 and publishes IOCs and remediation steps for affected developers and organizations.

⚠️ Hackers hijacked the npm account for Axios, a widely used JavaScript HTTP client, to publish two malicious releases on March 31, 2026. The attacker added a trojanized dependency (plain-crypto-js@^4.2.1) that runs a post-install dropper (setup.js) which fetches OS-specific RATs from a C2 server. The payloads target Windows, macOS, and Linux and include persistence and evasion techniques, while the dropper attempts to erase traces and restore a clean package.json after infection.

🔐 Researchers at Wiz report that TeamPCP has been harvesting, validating, encrypting and exfiltrating cloud credentials, SSH keys, Kubernetes configs and other development secrets from compromised supply chain components to attacker-controlled domains. The group used typosquatting on PyPI to push credential-stealing malware into packages affecting Trivy, KICS, LiteLLM and Telnyx. Wiz warns this activity appears linked to, or at least shared with, extortion-focused actors such as Lapsus$, and vendors report claims of partnerships with ransomware affiliates, raising the risk of follow-on ransomware campaigns.

🔎 Hexastrike warns of a regionally focused campaign targeting Chinese-speaking users through typosquatted sites that impersonate trusted software brands to deliver a previously undocumented remote access trojan. The malware, AtlasCross RAT, is deployed via ZIP lures that drop a trojanized Autodesk installer which loads a second-stage payload and executes in memory. Installers were signed with a stolen EV certificate tied to DUC FABULOUS CO.,LTD, and the operation is attributed to Silver Fox, affecting multiple Asian countries.

🔒 U.S. prosecutors have charged 36-year-old Jonathan Spalletta, known online as 'Cthulhon' and 'Jspalletta', with stealing more than $53 million after hacking the Uranium Finance crypto exchange twice and laundering proceeds through a cryptocurrency mixer. The indictment alleges he abused multiple smart contract coding flaws in April 2021 to drain liquidity pools and extorted a sham bug bounty. A 2025 search recovered high-value collectibles and about $31 million in cryptocurrency; Spalletta faces computer fraud and money laundering counts that carry substantial prison terms.

⚠️ The popular HTTP client Axios was compromised after attackers published poisoned npm releases that introduced a malicious dependency, plain-crypto-js@4.2.1. The injected package executes an obfuscated postinstall dropper that fetches platform-specific RAT payloads for macOS, Windows and Linux. The actor used a compromised maintainer account to push axios@1.14.1 and axios@0.30.4, bypassing CI/CD. Users who installed those releases should assume compromise and follow remediation guidance.

🔒 Cloudflare is making advanced client-side protections self-serve and offering domain-based threat intelligence free across all Client-Side Security customers. The Client-Side Security Advanced bundle brings machine learning and an LLM-backed second opinion to detect malicious JavaScript and drastically reduce false positives. It relies on browser reporting like CSP and requires only that traffic be proxied through Cloudflare, so there is zero latency impact to applications. These tools are intended to help organizations of all sizes detect skimming, supply-chain compromises, and sophisticated browser-side attacks.

⚠️A backdoored release of the Telnyx Python SDK on PyPI was used to deploy credential-stealing malware hidden inside WAV audio files. Security firms Aikido, Socket, and Endor Labs attribute the tampering to TeamPCP, which published versions 4.87.1 and 4.87.2; the latter contained a functioning payload. The malicious code executes on import from telnyx/_client.py and uses steganography to XOR-decode a WAV-hosted second stage that harvests SSH keys, cloud tokens, wallets, environment variables, and Kubernetes secrets. Developers are advised to revert to Telnyx 4.87.0 and treat any systems importing the affected releases as compromised.

🎧 TeamPCP published two malicious telnyx PyPI releases (4.87.1 and 4.87.2) on March 27, 2026 that harvest and exfiltrate credentials using audio steganography embedded in .WAV files. The trojanized code executes on import via modifications to telnyx/_client.py, targets Windows, Linux and macOS, and minimizes forensic traces through in-memory execution and encrypted HTTP exfiltration. PyPI has quarantined the project; users should downgrade to 4.87.0, rotate secrets, and audit affected environments.

⚠️ Researchers report that the threat actor TeamPCP compromised the official telnyx Python SDK on PyPI by publishing trojanized releases (4.87.1 and 4.87.2) that exfiltrate sensitive files. The payload executed at install time, stealing SSH private keys and bash history and sending them to an attacker-controlled HTTP endpoint. Socket, Endor Labs, Aikido Security and Wiz confirmed the findings and advise removing the malicious versions and rotating any exposed credentials.

🔒 The year 2025 saw an unprecedented surge of supply-chain compromises that targeted ecosystems across repositories, package registries, CI/CD workflows, and service providers. Incidents ranged from the US$1.5 billion Bybit Safe{Wallet} heist to self-propagating worms like Shai-Hulud and GlassWorm infecting npm and VS Code extensions. Attackers employed stolen tokens, typosquatting, phishing and malicious CI workflows to plant backdoors, steal secrets, and drain crypto, prompting urgent calls for stronger vendor controls, code audits, and incident response readiness.

🛡️ Rising geopolitical tensions have made cyber operations a central instrument of statecraft, forcing European organizations to rethink digital architectures and trust assumptions. The article reviews state-linked campaigns from the mid-2000s through 2025, the evolution of hacktivism into state‑aligned actors, and the persistence of cyber extortion ecosystems. It highlights trends—identity- and edge-focused attacks, supply-chain and appliance compromises—and recommends prevention, detection, incident response, and public‑private coordination, including tabletop rehearsals and recovery drills.

🔒 Millions of CI/CD pipelines were exposed after the threat actor TeamPCP injected malicious code into widely used tools — Trivy, Checkmarx workflows, and LiteLLM packages — enabling credential theft and persistent backdoors. The compromised artifacts were live only briefly but likely executed broadly, exfiltrating cloud keys, SSH credentials and cryptocurrency wallets. Immediate steps include pinning dependencies to exact SHAs, rotating secrets, hunting for traffic to typosquatted domains, and restoring affected systems from verified backups.

🔍 Cybersecurity researchers report a new GlassWorm evolution that delivers a multi-stage data theft framework and a remote access trojan (RAT) which force-installs a malicious Google Chrome extension masquerading as Google Docs Offline. The campaign gains initial access via rogue packages on npm, PyPI, GitHub and Open VSX, and resolves C2 addresses using Solana memos and public Google Calendar dead drops. A .NET component performs hardware wallet phishing when Ledger or Trezor devices are connected, while a WebSocket RAT harvests browser data, executes arbitrary JavaScript, and supports HVNC and SOCKS modules. Developers are urged to verify publishers and use scanning tools such as AFINE's glassworm-hunter.

🔐 A supply-chain compromise of Trivy has escalated into an extortion campaign linked to Lapsus$, with Mandiant reporting over 1,000 impacted enterprise SaaS environments and the potential for many more. Initial access by cloud-native actor TeamPCP led to stolen credentials that were used to backdoor packages and extend control to projects such as LiteLLM. Security firms Wiz and Socket describe malicious Docker and npm artifacts, a self-replicating worm, and manipulated CI/CD tags, while Aqua Security and partners work to rotate credentials and contain the incident.

📦 The widely used Python package LiteLLM on PyPI was found to contain credential-stealing malware in versions 1.82.7 and 1.82.8, uploaded on 24 March 2026. Security researchers report the malicious code harvested SSH keys, cloud credentials, Kubernetes secrets, database credentials, TLS keys and cryptocurrency wallets, then encrypted and exfiltrated the data to attacker infrastructure and installed persistent backdoors. Endor Labs and JFrog analysis showed the later variant executed whenever any Python process started, enabling silent background operation; version 1.82.6 is the last known clean release and organizations are urged to rotate secrets and audit systems for compromise.

⚠️ PyPI warned developers after two malicious releases of the Python LLM middleware LiteLLM were briefly posted, potentially exposing any credentials accessible to the package environment. Sonatype and Wiz analyses describe a three-stage, obfuscated payload that harvested environment variables, cloud and CI/CD credentials, SSH keys, and other sensitive artifacts, encrypting stolen data before exfiltration. PyPI linked the uploads to an exploited Trivy dependency in the ongoing TeamPCP supply-chain campaign and urged users to revoke or rotate secrets that may have been exposed.

🔒 Microsoft provides operational guidance to detect, investigate, and mitigate the March 19, 2026 supply-chain compromise that weaponized the Trivy vulnerability scanner and related GitHub Actions. The campaign, attributed to TeamPCP, used prior access to force-push tag changes and publish a trojanized Trivy binary (v0.69.4), enabling credential theft while preserving legitimate scan output. The guidance describes observable telemetry, hunting queries, and immediate remediation steps including safe versions, action pinning, and secrets protections.

🔒 The LiteLLM PyPI package was compromised by the TeamPCP group, which pushed malicious releases (1.82.7 and 1.82.8) that execute a hidden payload on import. Version 1.82.8 also installed a litellm_init.pth so the code runs at Python interpreter startup. The payload deploys a credential stealer, establishes persistence, and exfiltrates encrypted archives to attacker infrastructure. Users should immediately check installations and rotate secrets.

⚠️ Security researchers report that TeamPCP published backdoored litellm packages (v1.82.7 and v1.82.8) to PyPI on March 24, 2026, likely leveraging a Trivy compromise in the project's CI/CD. The malicious wheels included a three-stage payload: a credential harvester, a Kubernetes lateral-movement toolkit, and a persistent systemd backdoor executed at import or interpreter startup. Vendors removed the tainted releases and urge immediate audits, isolation of affected hosts, credential rotation, and inspection of Kubernetes clusters for rogue pods and persistence.