All news with #supply chain compromise tag

🔒 A compromised update for Smart Slider 3 Pro (v3.5.1.35) was delivered through the plugin’s official update channel on April 7, 2026, and remained accessible for roughly six hours before detection. Security firm Patchstack and maintainer Nextend confirmed unauthorized access to Nextend’s update infrastructure and a fully attacker-authored build was distributed. The trojanized update installs a multi-stage backdoor that provides pre-authenticated RCE, hidden administrative accounts, multi-location persistence, and automatic data exfiltration to a command-and-control domain; operators should update to v3.5.1.36 and audit affected sites. The free Smart Slider edition is not impacted.

🔒 Smart Slider 3 Pro update infrastructure was hijacked to push a malicious 3.5.1.35 release to WordPress and Joomla sites. The tampered update preserved normal slider functionality while installing multiple backdoors, creating a hidden administrator account, and exfiltrating credentials. The vendor urges immediate upgrade to 3.5.1.36 (or restoring to 3.5.1.34 or earlier) and advises treating affected sites as fully compromised.

🛡️ A concise roundup of the week's notable incidents: a resilient hybrid variant of Phorpiex combines HTTP C2 polling with a P2P protocol to survive takedowns, while a 13‑year‑old chainable flaw in Apache ActiveMQ (CVE-2026-34197) can yield stealthy RCE if left unpatched. Industry data show record cyber‑fraud losses and a spike in AI‑assisted DDoS tactics. Multiple supply‑chain and platform abuses—from trojanized developer tools to malicious PyPI packages and SaaS notification phishing—underscore the need to patch, audit, and harden AI integrations.

⚠️ TrueSec reports a malicious supply-chain compromise in the Python Package Index package litellm version 1.82.8. The published wheel contains a malicious .pth file named litellm_init.pth (34,628 bytes) that the Python interpreter executes automatically on every startup, without requiring any explicit import of the module. This behavior enables silent, persistent code execution on affected systems and increases the risk to downstream projects and production environments. The incident underscores the urgent need for SBOMs, SLSA, and SigStore adoption to harden supply-chain defenses.

🔒 Socket Security researchers say the North Korea-linked campaign known as Contagious Interview has published more than 1,700 malicious packages across npm, PyPI, Go, Rust and Packagist. The packages impersonate legitimate developer tooling and act as loaders that fetch platform-specific malware with infostealer and RAT capabilities. A Windows variant delivered through license-utils-kit behaves as a full implant, enabling command execution, keystroke logging, browser and wallet theft, file exfiltration and remote access via AnyDesk.

🔒 Drift Protocol says a coordinated, six-month operation led to a $280M+ theft after attackers built "a functioning operational presence" inside the platform and engaged contributors in person and via Telegram. The attackers reportedly hijacked Security Council administrative powers and drained assets in about 12 minutes. Drift suspects two contributors were compromised via a malicious code repository (possible VSCode/Cursor exploit) and a fake TestFlight wallet app. Blockchain firms attribute the campaign to UNC4736, linked to North Korea.

⚡ This week’s incidents include a supply-chain compromise of the popular Axios npm package by actors attributed to North Korea (UNC1069) and an actively exploited Chrome zero-day (CVE-2026-5281) in the Dawn/WebGPU component. Other notable events include active exploitation of Fortinet FortiClient EMS, a TrueConf update-integrity bypass, and an accidental large code leak from Anthropic’s Claude development. Organizations should treat developer tooling, CI/CD, and dependencies as part of the attack surface and apply patches and integrity checks promptly.

🔒 TeamPCP's March 2026 compromise of LiteLLM packages on PyPI injected infostealer malware into versions 1.82.7 and 1.82.8 that ran during installs and updates. The malware harvested plaintext SSH keys, cloud credentials (AWS, Azure, GCP), Docker configs, IDE and agent memory files, and other local secrets, exploiting transitive dependencies. PyPI removed the packages within hours, but many downstream packages would have triggered execution. Use ggshield, pre-commit hooks, and filesystem scanning to detect and contain local secrets.

🔍 Drift says the April 1, 2026 Solana exploit that stole $285 million was a months-long, targeted social-engineering operation attributed with medium confidence to DPRK-linked UNC4736. Attackers cultivated in-person trust at crypto conferences and via Telegram, seeded funds, and shared repositories and tools that embedded malicious code. Investigators suspect a weaponized Visual Studio Code project and an Apple TestFlight wallet were used to compromise contributors, and Drift is working with law enforcement and forensic partners to remediate.

⚠ SafeDep researchers disclosed 36 malicious npm packages masquerading as Strapi v3 plugins that execute payloads via the postinstall hook. Uploaded by four sockpuppet accounts over 13 hours, the packages weaponized Redis and PostgreSQL to deploy reverse shells, harvest credentials, and install a persistent implant targeting a hostname named prod-strapi. The postinstall script runs with the installing user's privileges, creating acute risk for CI/CD pipelines and containers. Users who installed any listed package are advised to assume compromise and rotate all credentials.

⚠️ The maintainers of Axios report a targeted social engineering attack that allowed threat actors to publish malicious npm releases (1.14.1 and 0.30.4) which added a dependency, plain-crypto-js, that deployed a remote access trojan across macOS, Windows, and Linux. The tainted packages were available for roughly three hours before removal; any systems that installed them should be treated as compromised and have credentials and keys rotated. Google links the operation to North Korea‑aligned UNC1069, while researchers say the same playbook targeted multiple high‑impact Node.js maintainers. Axios maintainers have wiped affected hosts, reset credentials, and are adding safeguards to reduce future supply chain risk.

🔒 Recent weeks have seen multiple high-profile supply chain compromises, including malicious modifications to Axios and repository hijacks by TeamPCP that impacted tools such as Trivy. These incidents highlight how widely used libraries can rapidly propagate risk and complicate inventory and remediation efforts. The report emphasizes securing identity and CI/CD pipelines, maintaining accurate software inventories, prioritizing rapid patching, and reinforcing fundamentals like segmentation, robust logging, and multi-factor authentication to limit impact and lateral movement.

🔐 Cisco Talos is investigating a March 31, 2026 supply chain attack that briefly replaced the official Axios npm package with two malicious releases (v1.14.1 and v0.30.4). The tainted packages were available for about three hours, and Talos strongly advises rolling back to known safe versions (v1.14.0 or v0.30.3) and auditing any systems that installed them. The injected runtime dependency executes at post-install and fetches platform-specific RAT payloads for Linux, MacOS, and Windows.

🔒 CERT‑EU traced the Europa.eu data theft to a supply‑chain compromise of Trivy, the open‑source vulnerability scanner, which exposed an AWS API key and led to the theft of approximately 350 GB of web data (91.7 GB compressed). The actor, publicly linked to TeamPCP, exploited a GitHub Actions misconfiguration (CVE-2026-33634) to force CI/CD pipelines to pull credential‑stealing malware via manipulated Trivy tags. Stolen material was later passed to ShinyHunters. CERT‑EU urges updating to safe Trivy releases, rotating cloud credentials, auditing CI/CD usage, and binding GitHub Actions to immutable SHA‑1 hashes.

🔒 The maintainer of Axios confirmed a supply chain compromise caused by a targeted social engineering campaign attributed to North Korean actors tracked as UNC1069. Attackers impersonated a legitimate company's founder, lured the maintainer into a branded Slack workspace and a fraudulent Teams call, then deployed a RAT to steal npm credentials. Two malicious releases (1.14.1 and 0.30.4) carried the WAVESHAPER.V2 implant.

🔐 CERT-EU attributed a cloud compromise of the European Commission to TeamPCP, saying attackers used a compromised AWS API key allegedly stolen in a Trivy supply‑chain incident to access the Commission’s cloud and harvest secrets. The intruders used TruffleHog to locate additional credentials, attached a new access key to an existing user to evade detection, and carried out reconnaissance before exfiltrating data. The stolen dataset was later posted by ShinyHunters as a 90GB archive (≈340GB uncompressed), and CERT-EU confirmed the theft includes tens of thousands of files with personal information. CERT-EU reported no websites were defaced and found no evidence of lateral movement between Commission AWS accounts.

⚠️ Threat actors are exploiting the recent Claude Code source-code leak to distribute the Vidar infostealer via fake GitHub repositories. Anthropic accidentally exposed a 59.8 MB JavaScript source map on March 31 that revealed 513,000 lines of TypeScript across 1,906 files, and copies rapidly proliferated on GitHub. Zscaler found a malicious repo optimized for search that lures users to download a 7‑Zip archive containing a Rust dropper, ClaudeCode_x64.exe, which deploys Vidar and the GhostSocks proxy. The archive is updated frequently and may carry additional payloads.

🔒 The Drift Protocol lost approximately $280 million after an attacker obtained administrative control of its Security Council by leveraging durable nonce accounts and pre-signed transactions to delay execution and strike at a chosen time. Drift stresses that no programs or smart contracts were exploited and no seed phrases were compromised. Protocol functions are largely frozen while the team coordinates with security firms, exchanges, and law enforcement.

🔒 The Executive Branch has determined that foreign-made consumer routers create a supply-chain vulnerability and pose a severe cybersecurity risk that could disrupt U.S. critical infrastructure and harm U.S. persons. Any new router manufactured outside the United States must receive FCC approval before it can be imported, marketed, or sold; approval requires disclosure of foreign investors or influence and a plan to shift manufacturing to the U.S. Certain devices may be exempted by the Department of Defense or DHS, though neither agency has listed exceptions yet. Existing home routers do not need to be discarded, and market impacts may favor companies able to produce domestically, such as Starlink, while vendors like Netgear—which manufactures abroad—face new compliance and cost pressures.

⚠️ Check Point researchers report attackers exploited a TrueConf zero-day (CVE-2026-3502) to replace legitimate updates with malicious executables delivered from compromised on-premises servers. The vulnerability stems from a missing integrity check in the update mechanism and affected versions 8.1.0 through 8.5.2; TrueConf released a patch in 8.5.3 (March 2026). The campaign, tracked as TrueChaos, targeted government entities in Southeast Asia and likely leveraged Havoc C2, DLL sideloading, and a UAC bypass.