< ciso
brief />
Tag Banner

All news with #supply chain compromise tag

576 articles · page 7 of 29

Weekly Cyber Recap: Attackers Shift to Long-Term Occupation

🚨This week’s telemetry shows attackers moving from quick breaches to persistent occupation across SaaS, CI/CD and hosting panels. CVE-2026-41940 in cPanel/WHM and the Linux Copy Fail bug (CVE-2026-31431) are being actively exploited alongside supply-chain compromises that weaponize developer pipelines. Social engineering — including vishing that bypasses MFA — and AI-assisted phishing kits are scaling attacks. Prioritize urgent CVEs, rotate pipeline credentials, and treat sessions and routine pipeline runs as potentially hostile.
read more →

Poisoned Ruby Gems and Go Modules Target Developers

🔒 A new supply chain campaign used sleeper Ruby gems and Go modules published by BufferZoneCorp to deploy post-install payloads that harvest credentials and establish persistence. The malicious Ruby packages exfiltrated environment variables, SSH keys, AWS secrets, .npmrc/.netrc files and developer configuration during install. The Go modules tampered with GitHub Actions by installing fake go wrappers, intercepting builds, and adding a hard-coded SSH key to ~/.ssh/authorized_keys. Users should remove affected packages, rotate exposed credentials, and inspect systems and CI runners for unauthorized SSH entries and outbound connections.
read more →

PyTorch Lightning PyPI Compromise Pushes Malicious Releases

⚠️ A supply chain attack delivered two malicious PyPI releases of PyTorch Lightning (versions 2.6.2 and 2.6.3) published on April 30, 2026; the packages execute automatically on import to harvest credentials. The malicious build hides a _runtime directory with a downloader that fetches the Bun JavaScript runtime and runs an obfuscated 11MB payload that validates GitHub tokens against the api.github[.]com/user endpoint and injects worm-like commits across writable branches. The threat also tampers with local npm packages by adding postinstall hooks, incrementing patch versions, repacking .tgz files, and enabling accidental republishing back to npm. PyPI has quarantined the project; maintainers are investigating, and users should block the affected releases, downgrade to 2.6.1, and rotate any exposed credentials.
read more →

ThreatsDay: SMS blaster busts and supply‑chain shocks

🔍 This ThreatsDay bulletin highlights a week of converging risks: Canadian authorities dismantled an SMS blaster operation that spoofed cellular towers, while a malicious npm brandsquat (published as tanstack) exfiltrated local .env files during install. Researchers also flagged networks of browser extensions legally selling browsing and viewing data, the first documented abuse of the Komari admin agent in intrusions, and mass exposure of RDP/VNC servers—underscoring the importance of basic hygiene, credential rotation, and coordinated defensive response.
read more →

EtherRAT Campaign Spoofs Admin Tools via GitHub SEO

🛡️ Atos Threat Research Center disclosed in March 2026 a resilient campaign delivering a JavaScript RAT named EtherRAT via SEO-poisoned GitHub facades. The adversary places benign-looking README storefronts that link to hidden repositories hosting malicious MSI installers impersonating common administrative tools used by admins, DevOps, and security analysts. Payloads download Node.js at runtime and use an Ethereum smart contract queried through public RPC endpoints to resolve live C2 addresses, enabling rapid operator-driven server rotation and evasion of classic takedown techniques. Atos provides IoCs, technical analysis, and mitigation advice including blocking public ETH RPC access and enforcing verified tool provenance.
read more →

Supply Chain npm Attack Targets SAP Developer Tools

🔒 A supply-chain campaign dubbed "mini Shai-Hulud" infected SAP-related npm packages in late April, inserting install-time malware that harvested developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials across AWS, Azure, GCP and Kubernetes. Researchers identified affected packages including mbt@1.2.48 and several @cap-js modules. The malicious releases were later replaced with safe versions.
read more →

SAP npm Packages Compromised in Credential-Stealing Attack

🔒 Multiple official SAP npm packages were recently compromised in a supply-chain operation that installs a malicious preinstall script during package installation. The script downloads the Bun runtime and executes an obfuscated payload that harvests a wide range of secrets — including npm and GitHub tokens, SSH keys, cloud credentials, Kubernetes configs, and CI/CD environment variables — and exfiltrates them to public GitHub repositories. Researchers attribute the campaign with medium confidence to TeamPCP and warn it includes self-propagation logic to modify other packages using stolen credentials.
read more →

Supply-Chain Attack Targets SAP-Related npm Packages

⚠️ Researchers have uncovered a supply-chain campaign dubbed the "mini Shai-Hulud" that poisoned multiple SAP-related npm packages to install credential-stealing malware during installation. The malicious releases added a preinstall hook that fetched and executed a platform-specific Bun binary, harvesting local credentials, GitHub and npm tokens, CI secrets, and cloud credentials. Analysts from Aikido Security, SafeDep, Socket, StepSecurity and Wiz advise rotating tokens, inspecting workflows, and upgrading to patched releases.
read more →

DPRK Supply-Chain Campaign Uses AI-Inserted npm Malware

🛡️ Researchers identified an AI-assisted supply-chain campaign that injected malicious code into npm packages — notably @validate-sdk/v2 — after a dependency was introduced by Anthropic's Claude Opus LLM. ReversingLabs named the operation PromptMink and attributed it to DPRK-aligned actor Famous Chollima (aka Shifty Corsair). The tainted packages siphon crypto credentials and secrets through layered transitive dependencies and have evolved into multi-platform RATs and information stealers.
read more →

AI-Assisted Malicious npm Dependency Steals Crypto

🔍 Researchers at ReversingLabs uncovered a malicious npm dependency, @validate-sdk/v2, that exfiltrated secrets and enabled attackers to access cryptocurrency wallets after being added to an autonomous trading agent in February 2026. The commit is reported to have been co-authored by Claude Opus, and attribution points to the North Korean state-sponsored group Famous Chollima. The campaign, tracked as PromptMink, used a two-layer package strategy—public-facing Web3 utilities to attract users while secondary dependencies delivered evolving malware that scanned environment files, collected system information, compressed project data, and installed SSH keys for persistence across Linux and Windows environments.
read more →

Fake VS Code Extensions Linked to GlassWorm Surge Escalation

🛡️ Security researchers at Socket uncovered 73 additional fraudulent Open VSX extensions impersonating trusted developer tools; many now include benign code to evade scanners and later fetch a GlassWorm loader. The extensions act as thin loaders, sometimes bundling native binaries, and connect to newly created repositories to download malicious updates. Of the 73, small subsets were activated in staged waves; Socket notified the Eclipse Foundation, and most have been removed.
read more →

Vimeo Confirms Customer Data Exposed After Anodot Breach

🔒 Vimeo says an unauthorized actor accessed certain user and customer data following the breach at Anodot. Initial findings indicate the impacted databases primarily contained technical data, video titles and metadata, and, in some cases, customer email addresses. Vimeo confirmed that uploaded video content, account credentials, and payment card information were not exposed, and that platform operations were unaffected. The company has disabled Anodot credentials, removed the integration, and engaged third-party security experts and law enforcement to investigate.
read more →

LofyGang Returns Targeting Minecraft with LofyStealer

🛡️ A Brazil-based cybercrime group known as LofyGang has resurfaced after more than three years, deploying a new infostealer called LofyStealer (aka GrabBot) that specifically targets Minecraft players. The malware is disguised as a game cheat called 'Slinky' and uses a JavaScript loader to drop and execute chromelevator.exe in memory to harvest browser data. It captures cookies, passwords, tokens, payment cards and IBANs across multiple browsers and exfiltrates them to a C2 at 24.152.36[.]241. ZenoX highlights a strategic shift to a malware-as-a-service model with free and premium tiers and warns that attackers are increasingly abusing GitHub, SEO-poisoned lures and other trusted platforms to distribute malicious payloads.
read more →

Checkmarx Confirms LAPSUS$ Leak of Stolen GitHub Data

🔒 Checkmarx confirmed that the LAPSUS$ group published data taken from its private GitHub repository after a March 23 supply-chain compromise tied to the Trivy incident. Investigators say credentials harvested from that earlier intrusion enabled repository access and the insertion of malicious code. On April 22 attackers published malicious Docker images and VSCode/Open VSX extensions for Checkmarx’s KICS scanner that collected credentials, keys, tokens, and config files. Checkmarx states the 96GB leak originated from its GitHub, contains no customer data, and is under forensic review while the repository remains locked.
read more →

GlassWorm Returns via 73 OpenVSX Sleeper Extensions

🚨 A new wave of the GlassWorm campaign is targeting the OpenVSX ecosystem with 73 'sleeper' extensions that upload as benign clones of legitimate listings and later deliver malicious payloads via updates. Socket researchers say six extensions have already been activated to install malware, while the other packages are considered suspicious or dormant. The attackers use thin loaders that fetch secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript to retrieve and install payloads at runtime. Developers who installed any listed extensions should rotate all secrets and clean their development environments.
read more →

Popular PyPI package hacked to push secrets-stealer

🚨 Malicious release v0.23.3 of the elementary-data PyPI package was published after an attacker exploited a GitHub Actions script-injection flaw in the project's workflow. The tainted package and its Docker image silently installed an elementary.pth-based loader that exfiltrated SSH keys, cloud credentials, developer tokens and cryptocurrency wallets. A clean v0.23.4 was released, but users who pulled the compromised artifacts must rotate secrets and remediate affected environments.
read more →

Checkmarx Confirms GitHub Repo Data Posted on Dark Web

🔒 Checkmarx has confirmed that data tied to its GitHub repository was posted on the dark web after a March 23 supply chain attack. The company says the repository is maintained separately from its customer production environment and that no customer data is stored there; a forensic investigation to verify the nature and scope of the posted material is ongoing. Access to the affected repository has been locked down, and Checkmarx says it will notify customers and relevant parties if customer information is implicated.
read more →

73 Fake VS Code Extensions Linked to GlassWorm Campaign

🔍 Cybersecurity researchers have flagged 73 cloned Microsoft Visual Studio Code extensions on the Open VSX repository tied to the persistent GlassWorm campaign. Six packages are confirmed malicious, while the remainder behave as sleeper implants that build trust until a subsequent update delivers a secondary payload hosted on GitHub. The extensions act as innocuous loaders that retrieve a VSIX payload and install it into all detected IDEs using --install-extension, enabling data theft, remote access trojans, and a rogue Chromium extension. Socket is tracking this activity as GlassWorm v2, with more than 320 artifacts identified since December 21, 2025.
read more →

Shai-Hulud Worm Elevates npm Supply-Chain Risk Globally

🔒 Unit 42 describes a fundamental shift in the npm threat landscape following the September 2025 Shai‑Hulud worm and subsequent 2026 incidents. Adversaries now harvest npm and GitHub tokens to persist inside CI/CD pipelines, deploy dormant multi‑stage payloads, and automatically republish backdoored packages. The report attributes a broad, coordinated campaign to TeamPCP, documents propagation via Docker Hub, GitHub Actions and VS Code extensions, and recommends mitigations such as credential rotation, egress filtering, and dependency pinning.
read more →

Chinese National Posed as US Researcher to Get NASA Tech

🛰️ The NASA Office of Inspector General (OIG) says a Chinese national, identified in a 2024 indictment as Song Wu, posed as U.S. researchers to obtain sensitive aerospace modeling software and source code from NASA employees, universities, and private firms. The campaign ran from January 2017 through December 2021 and also targeted multiple U.S. government agencies. Song faces wire fraud and aggravated identity theft charges and remains at large.
read more →