> supply chain attack monitor
Tracking software supply chain compromises across package registries, build systems, and update mechanisms. Each incident is logged with affected packages, attack vector, severity, and links to full analysis.
Target: axios | Affected: 1.14.1, 0.30.4
DPRK-linked UNC1069 compromised the axios maintainer account and published backdoored versions (1.14.1, 0.30.4) deploying the WAVESHAPER.V2 RAT. 100M+ weekly downloads; present in ~80% of cloud environments.
Target: AppArmor (kernel) | Affected: Ubuntu default AppArmor profiles
CrackArmor research disclosed a chain of AppArmor bypasses enabling container escapes from Docker and Kubernetes pods on default Ubuntu configurations.
Target: aquasecurity/trivy-action, aquasecurity/setup-trivy, trivy binary | Affected: trivy-action/setup-trivy (pinned by tag, March 19); trivy binary v0.69.4, v0.69.5, v0.69.6
TeamPCP stole a GitHub PAT via a misconfigured pull_request_target workflow and force-pushed malicious commits to 76 of 77 Trivy version tags, plus the Docker Hub/GHCR/ECR images. The TeamPCP Cloud Stealer harvested CI/CD secrets, SSH keys, cloud credentials, and Kubernetes tokens from any pipeline that ran Trivy that day.
Target: checkmarx/kics-github-action, checkmarx/ast-github-action | Affected: kics-github-action (all tags via March 23 push); ast-github-action 2.3.28
TeamPCP force-pushed malicious commits to all 35 version tags of checkmarx/kics-github-action and poisoned ast-github-action v2.3.28, continuing the same credential-harvesting campaign as the Trivy compromise.
Target: litellm | Affected: 1.82.7, 1.82.8 (last clean: 1.82.6)
TeamPCP published two backdoored LiteLLM releases (1.82.7, 1.82.8) on PyPI containing the TeamPCP Cloud Stealer, which exfiltrates SSL/SSH keys, cloud credentials, K8s configs, API keys, and shell history.
Target: telnyx | Affected: 4.87.1, 4.87.2
TeamPCP published two backdoored Telnyx Python SDK releases (4.87.1, 4.87.2) on PyPI as part of the same credential-harvesting campaign targeting developer tooling.
Target: strapi-plugin-* (36 packages) | Affected: All (version 3.6.8)
36 malicious npm packages disguised as Strapi CMS plugins deployed Redis exploits, PostgreSQL credential harvesting, and persistent C2 implants targeting production infrastructure via postinstall hooks.
Target: 1,700+ packages (debug-logfmt, pino-debug, baraka, libprettylogger, openlss/func-log, others) | Affected: Various
DPRK-linked Contagious Interview operation published 1,700+ malicious packages across five ecosystems impersonating developer tooling, delivering BeaverTail loader and InvisibleFerret backdoor for credential theft and persistent access.
Target: Smart Slider 3 Pro | Affected: 3.5.1.35 (Pro only)
Attackers compromised Nextend's update distribution infrastructure and pushed a trojanized Smart Slider 3 Pro 3.5.1.35 build containing a multi-layered RAT with rogue admin creation, remote command execution via HTTP headers, multi-point persistence, and full credential exfiltration to C2 domain wpjs1[.]com. 800K+ active installations affected.
Target: CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor 2 | Affected: All CPUID products downloaded April 9 15:00 UTC to April 10 10:00 UTC
Attackers compromised a secondary download-link API on cpuid.com and replaced installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor 2 with trojanized builds. Malicious CRYPTBASE.dll sideloaded via legitimate signed executables deploys STX RAT with in-memory execution, reverse proxy, desktop control, and infostealer capabilities. C2: welcome[.]supp0v3[.]com. 150+ confirmed victims including orgs in retail, manufacturing, telecoms, and agriculture.
Target: Context.ai (Google Workspace OAuth app) | Affected: Vercel projects with non-sensitive env vars prior to April 19, 2026
A Lumma Stealer infection at a Context.ai employee (Feb 2026) yielded session tokens for Context.ai's Google Workspace OAuth application, giving the attacker delegated access to every tenant that had installed the app. ShinyHunters pivoted through a Vercel employee's Workspace account into internal Vercel environments and read customer environment variables not marked 'sensitive'. 580 Vercel employee records leaked; data listed for sale at $2M on BreachForums. Sensitive-flagged env vars (encrypted at rest) were not accessed.
Target: pgserve, automagik, xinference, kube-health-tools, kube-node-health | Affected: pgserve 1.1.11-1.1.13; xinference 2.6.0-2.6.2; automagik and Namastex.ai packages (multiple recent versions); kube-health-tools, kube-node-health (all published versions)
CanisterSprawl campaign hijacked pgserve (npm, versions 1.1.11-1.1.13), automagik (Namastex.ai), xinference (PyPI 2.6.0-2.6.2), and typosquatted Kubernetes health tools. A 1,143-line postinstall payload harvests npm/PyPI tokens, cloud credentials (AWS/GCP/Azure), GitHub PATs, SSH keys, kubeconfigs, Docker configs, the Chrome password store, and MetaMask/Phantom/Solana/Ethereum/Bitcoin/Exodus/Atomic wallet data. If publish tokens are present, it re-injects the payload into every package the victim can publish and ships new patch versions, worming across ecosystems. Initial access for the Namastex.ai packages came via malicious PRs with prt-scan-{12hex} branch names that triggered secret harvesting in CI. Exfil is encrypted with RSA-4096 + AES-256 and sent to telemetry.api-monitor.com and an ICP blockchain canister.
Target: @bitwarden/cli | Affected: @bitwarden/cli 2026.4.0
Attacker pivoted from the ongoing Checkmarx/TeamPCP campaign (suspected via a trojanized Checkmarx KICS Docker image) into Bitwarden's publish-ci.yml GitHub Actions workflow and pushed a trojanized @bitwarden/cli@2026.4.0 to npm. A malicious preinstall hook (bwsetup.js -> bw1.js) harvested GitHub/npm tokens, SSH keys, .env files, shell history, cloud creds (AWS/GCP/Azure), AI coding tool tokens, and crypto wallet files (Electrum, MetaMask). The self-propagating 'Shai-Hulud: The Third Coming' worm republishes the payload into any npm packages the stolen token can publish to, and commits encrypted exfil back to the victim's own GitHub repos. AES-256-GCM exfil to audit.checkmarx[.]cx (94.154.172[.]43). 334 installs during the 93-minute window. No end-user vault data accessed.
Target: mbt, @cap-js/db-service, @cap-js/sqlite, @cap-js/postgres | Affected: mbt 1.2.48; @cap-js/db-service 2.10.1; @cap-js/sqlite 2.2.2; @cap-js/postgres 2.2.2
TeamPCP-linked 'Mini Shai-Hulud' campaign hijacked SAP's release workflow and published malicious versions of four SAP Cloud Application Programming (CAP) packages to npm. Each compromised package added a preinstall hook (setup.mjs) that downloaded the Bun JS runtime from GitHub and ran an obfuscated execution.js stealer harvesting SSH keys, npm/GitHub tokens, AWS/Azure/GCP/K8s credentials, and crypto wallets. On GitHub Actions runners, an embedded Python script reads /proc/<Runner.Worker pid>/maps and /proc/<pid>/mem to scrape isSecret values directly from runner memory, bypassing log masking. Stolen data is AES-256-GCM encrypted and exfiltrated by creating a public repo on the victim's own GitHub account with description 'A Mini Shai-Hulud has Appeared.'
Target: intercom-client | Affected: intercom-client 7.0.4, 7.0.5
Intercom's official npm SDK pushed two malicious releases (7.0.4, 7.0.5) carrying the same Mini Shai-Hulud Bun-based credential stealer used in the SAP CAP compromise. preinstall hook downloads Bun runtime, executes obfuscated execution.js to harvest dev/CI secrets, and exfiltrates AES-256-GCM-encrypted blobs to attacker-created public repos on the victim's GitHub account.
Target: lightning | Affected: lightning 2.6.2, 2.6.3
PyTorch Lightning published two malicious releases (2.6.2, 2.6.3) on PyPI carrying the same Mini Shai-Hulud Bun-based stealer (8.3M monthly / 2.1M weekly downloads). A hidden _runtime/ directory auto-executes on 'import lightning': it spawns a daemon thread that downloads Bun and runs an 11MB obfuscated router_runtime.js, harvesting SSH/cloud/CI credentials and crypto wallets, with AES-256-GCM exfil to attacker-created repos on the victim's GitHub account. Socket flagged the malicious versions 18 minutes after publication; PyPI quarantined the packages, but a Socket-opened warning issue on the Lightning-AI repo was closed within one minute by a 'pl-ghost' account posting a 'SILENCE DEVELOPER' meme, a strong signal that the project's GitHub account is itself compromised.
Target: DAEMON Tools Lite (Windows installer) | Affected: DAEMON Tools Lite 12.5.0.2421 through 12.5.0.2434 (Windows)
Official DAEMON Tools Lite Windows installers, served from the vendor site and signed with the legitimate Disc Soft Authenticode certificate, were trojanized starting April 8, 2026. The implant was injected into the CRT init code of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe and beaconed to env-check.daemontools[.]cc (registered March 27). Kaspersky telemetry shows thousands of infection attempts across 100+ countries with ~10% on enterprise hosts. A multi-protocol second-stage backdoor (HTTP/HTTP3/UDP/TCP/WSS/QUIC/DNS, injects into notepad.exe and conhost.exe) was deployed only on ~12 hosts in government, scientific, manufacturing, and retail orgs in Russia, Belarus, and Thailand. Chinese-speaking actor suspected. Version 12.6 (released May 5) is clean.
Target: @tanstack/*, @mistralai/mistralai, mistralai (PyPI), @uipath/*, @opensearch-project/*, guardrails-ai (PyPI), @squawk/* | Affected: 42 @tanstack/* packages (84 versions, incl. @tanstack/react-router); @mistralai/mistralai (npm); mistralai==2.4.6 (PyPI); guardrails-ai==0.10.1 (PyPI); @uipath/* SDKs; @opensearch-project/* JS clients; @squawk/* (2 packages)
TeamPCP's fourth Mini Shai-Hulud wave chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork-base trust boundary, and runtime OIDC token extraction from the Runner.Worker process via /proc/<pid>/mem. The stolen OIDC token published 84 malicious versions across 42 @tanstack/* packages directly through npm's trusted-publisher endpoint, producing the first documented npm worm carrying valid SLSA Build L3 provenance attestations. 373 malicious package-versions across 169 names in total; mistralai PyPI payload included locale-aware destructive branch targeting Hebrew/Farsi environments.
Target: Hundreds of malicious gems (names not yet disclosed) | Affected: Hundreds of malicious gems (yanked); RubyGems signup endpoint disabled
Unknown attacker uploaded hundreds of malicious gems to RubyGems on May 11-12, 2026, targeting RubyGems' own engineers and staff rather than downstream Ruby developers. Packages contained cross-site scripting payloads aimed at RubyGems moderation surfaces plus exploits intended to harvest data from registry infrastructure. RubyGems (operated by Mend.io) disabled new account registration as containment. No widely-installed gem has been reported backdoored; downstream developer impact is currently low, but the campaign signals attacker interest in compromising registry-side defenders. Distinct from but contemporaneous with the BufferZoneCorp 'knot-*' sleeper-gem credential-theft campaign disclosed May 1.
Target: Nx Console VS Code extension (nrwl.angular-console) | Affected: Nx Console 18.95.0 (VS Code Marketplace only; Open VSX unaffected; fixed in 18.100.0)
A developer's leaked GitHub credentials were used to push an orphaned, unsigned commit to the official nrwl/nx repo and ship a malicious Nx Console 18.95.0 to the VS Code Marketplace (2.2M+ installs). Opening any workspace fetched a 498 KB obfuscated payload that harvested GitHub, npm, AWS, HashiCorp Vault, Kubernetes, 1Password and Claude Code secrets, exfiltrated over HTTPS / GitHub API / DNS tunneling, and dropped a persistent macOS Python backdoor using the GitHub Search API as a dead drop. Payload bundled full Sigstore/Fulcio and SLSA provenance tooling to forge cryptographically signed npm releases from stolen OIDC tokens. Second Nx-ecosystem compromise within a year after the August 2025 s1ngularity campaign.
Target: actions-cool/issues-helper, actions-cool/maintain-one-comment | Affected: issues-helper: all 53 tags; maintain-one-comment: 15 tags (both repos now disabled by GitHub)
An attacker with write access to the actions-cool org repointed all 53 release tags of the popular issues-helper GitHub Action (plus 15 tags of maintain-one-comment) to a single imposter commit unreachable from default-branch history. The malicious commit downloads the Bun runtime inside the Actions runner, reads decrypted secrets from Runner.Worker process memory (bypassing log masking), and exfiltrates them over HTTPS to t.m-kosche[.]com. Every tag-referenced consumer pulls the payload on its next run; only full-SHA-pinned workflows are unaffected. GitHub disabled both repos for ToS violation. The exfiltration domain overlaps with the Mini Shai-Hulud @antv npm wave, suggesting a shared actor cluster.
Target: laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, laravel-lang/actions | Affected: 233 versions across laravel-lang/lang (12.x-15.x lines), laravel-lang/attributes, laravel-lang/http-statuses, laravel-lang/actions; malicious versions removed and packages unlisted by Packagist
An attacker repointed git tags across four community Laravel-Lang Composer packages to commits in a malicious fork, backdooring 233 historical versions without ever committing to the official repos. Each poisoned version shipped src/helpers.php registered under composer.json autoload.files, so the backdoor executed on every PHP request. A stage-1 dropper fetched a second stage from flipboxstudio[.]info/payload (TLS verification disabled), staged it under <tmp>/.laravel_locale/, and ran it via exec() on Unix or a .vbs/cscript launcher on Windows. The ~5,900-line PHP stealer harvested AWS/GCP/Azure/DigitalOcean cloud keys (incl. EC2 IMDS), kubeconfig and Vault tokens, Jenkins/GitLab/GitHub Actions/ArgoCD CI/CD secrets, SSH keys, .git-credentials, 17 Chromium browsers (dropping DebugChromium.exe to bypass App-Bound Encryption), password managers, crypto wallets, and VPN configs, then exfiltrated AES/XOR-encrypted data to flipboxstudio[.]info/exfil and self-deleted. Detected by Aikido on May 22, 2026; Packagist removed the malicious versions and temporarily unlisted the packages.
Target: 5,561 GitHub repositories (incl. @tiledesk/tiledesk-server) | Affected: 5,561 public GitHub repositories with weak branch protection; payload bundled into .github/workflows files
An automated campaign named Megalodon, attributed to TeamPCP, pushed 5,718 malicious commits to 5,561 distinct GitHub repositories in a six-hour window (May 18, 11:36-17:48 UTC). Using throwaway accounts with random 8-char usernames and four forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows carrying base64-encoded bash payloads. Two variants observed: SysDiag (mass) adds a workflow triggered on every push/pull_request; Optimize-Build (targeted) replaces an existing workflow with a workflow_dispatch trigger as a dormant on-demand backdoor. Payloads harvest CI env vars, /proc environ, AWS/GCP/Azure IMDS instance-role credentials, SSH keys, Docker/Kubernetes configs, Vault and Terraform credentials, 30+ secret regex matches, the GitHub Actions OIDC token request URL and token, GITHUB_TOKEN, GitLab CI/CD tokens, and Bitbucket tokens, exfiltrating to C2 216.126.225[.]129:8443. As of May 21 the ingest server logged 575,352 stolen files and 449 GB exfiltrated. Hudson Rock traced initial access to infostealer infections: 33%+ of affected GitHub usernames matched machines in infostealer logs.
Target: 34+ packages across npm (21), PyPI (7), Crates.io (6), incl. eth-security-auditor, dev-env-bootstrapper, sui-move-build-helper | Affected: 34+ packages, 384+ versions/artifacts across npm, PyPI, Crates.io; reported to registries, some removed and others still live at time of Socket's analysis
A coordinated cross-ecosystem campaign tracked by Socket as TrapDoor seeded 34+ malicious packages across 384+ versions into npm, PyPI, and Crates.io, targeting crypto, DeFi, Solana, and AI developers. The earliest artifact was PyPI [email protected] (May 22, 2026, 20:20 UTC), with packages published in waves from a cluster of accounts. Each ecosystem uses a distinct execution path: npm postinstall hooks run a shared 1,149-line trap-core.js credential harvester that validates stolen AWS/GitHub tokens, performs SSH-based lateral movement, and uses Fernet/ECDH encryption; Crates.io build.rs scripts (executing during cargo build) XOR-encrypt local keystores with key 'cargo-build-helper-2026' and exfiltrate to GitHub Gists; PyPI packages auto-execute on import and run remote JavaScript via 'node -e'. Stolen data includes SSH keys, Sui/Solana/Aptos wallets, AWS/cloud credentials, GitHub tokens, browser profile data, and environment variables. Notable novel technique, AI-assistant injection: the campaign plants .cursorrules and CLAUDE.md files with hidden zero-width-Unicode instructions to trick AI coding assistants into running a 'security scan' that exfiltrates secrets, and the attacker opened PRs adding these files to langchain, langflow, browser-use, llama_index, MetaGPT, and OpenHands. Shared infrastructure: GitHub account ddjidd564 hosting ddjidd564.github[.]io/defi-security-best-practices/, campaign marker P-2024-001. Unrelated to the HUMAN-reported Android ad-fraud campaign of the same name.
Target: @velora-dex/sdk | Affected: 9.4.1 (pin to 9.4.0 or earlier and rotate credentials)
Version 9.4.1 of @velora-dex/sdk, the legitimate DeFi SDK for the VeloraDEX exchange, was published directly to npm with three malicious lines injected into dist/index.js while the GitHub repository was left untouched. The code decoded and executed a base64 payload on the first require()/import call, fetched a shell script from C2 at 89.36.224[.]5, dropped an architecture-specific macOS binary (Intel x86_64 and Apple Silicon arm64), and registered it as a persistent service via launchctl. The implant is MiniRAT, a Go-based macOS backdoor supporting command execution, file upload/download, directory exfiltration, and C2 agent registration. In May 2026 Wiz attributed this compromise to JINX-0164, a financially motivated actor that also deploys the AUDIOFIX Python macOS RAT via fake-recruiter social engineering and pivots from developer laptops into code distribution and CI/CD infrastructure. Documented at disclosure by SafeDep and StepSecurity.
Target: Sicoob.Sdk | Affected: Sicoob.Sdk 2.0.0-2.0.4 (~484 downloads across six listed versions); 11 related Sicoob-Cooperativa.Sicoob.* modules untrusted by association (~6,000 combined downloads)
A NuGet package posing as the official C# SDK for Sicoob (Sistema de Cooperativas de Credito do Brasil) exfiltrated banking mTLS authentication material. When an app instantiated SicoobClient with a client ID, PFX path, and PFX password, the compiled DLL (lib/net8.0/Sicoob.Sdk.dll) initialized Sentry with a hardcoded DSN, read the PFX file via File.ReadAllBytes, base64-encoded it, and sent the client ID, plaintext PFX password, and encoded certificate archive through SentrySdk.CaptureMessage, abusing a legitimate, commonly-allowlisted telemetry SaaS as its exfiltration channel. A second path captured raw boleto API responses. Two evasion features: exfiltration was gated on production mode (Sentry was only initialized when the isSandbox flag was false, so the package looked clean in test environments), and a source-to-package mismatch (the linked GitHub org Sicoob-Cooperativa hosted a clean SicoobClient.cs with no Sentry/file-read/base64 logic, a facade over the trojanized binary). Google AI Search amplified the package by surfacing it as the legitimate .NET integration. Reported by Socket (Kirill Boychenko) and blocked by NuGet. Coincided with Microsoft's disclosure of 14 typosquatted npm packages (publisher vpmdhaj, May 28) harvesting AWS/Vault/npm/CI-CD secrets via preinstall hooks.
Target: codexui-android (npm); Android apps gptos.intelligence.assistant, codex.app | Affected: codexui-android >= 0.1.82 (exfiltration introduced; first release v0.1.72 ~2026-04-10)
codexui-android, a functional npm package advertised as a remote web UI for OpenAI Codex (29K+ weekly downloads), was trojanized to read ~/.codex/auth.json on every invocation and exfiltrate the full OAuth blob (access_token, refresh_token, id_token, account ID) to sentry.anyclaw[.]store/startlog, a domain impersonating Sentry to blend with allowlisted telemetry. Not a typosquat: the GitHub repo (friuns2/codex-mobile) stayed clean and the malicious code lived only in the published npm tarball, added ~1 month after the first release to build trust. The stolen refresh_token does not expire, granting persistent silent impersonation that key rotation alone does not revoke. The same exfiltration chain shipped in two Android apps by 'BrutalStrike' (OpenClaw Codex Claude AI Agent, 50K+ downloads; Codex, 10K+ downloads): a 26MB APK that passes Play pre-publish scans, unpacks a Termux-derived Linux userland, runs Node.js under PRoot, and pulls the unpinned npm package at runtime. Disclosed by Aikido Security (Charlie Eriksen); package still live at disclosure. anyclaw[.]store was registered 2026-04-12, two days after npm v0.1.72.
Target: @redhat-cloud-services/* (chrome, frontend-components, host-inventory-client, rbac-client, types, hcc-*-mcp, +25 more) | Affected: 31 versions across ~30 @redhat-cloud-services packages (e.g. types 3.6.1, host-inventory-client 5.0.3, frontend-components 7.7.2, rbac-client 9.0.3, chrome 2.3.1, notifications-client 6.1.4); ~117K combined weekly downloads
Mini Shai-Hulud 'Miasma: The Spreading Blight' wave hijacked the @redhat-cloud-services npm scope via a compromised Red Hat employee GitHub account that pushed malicious orphan commits, then published 31 backdoored versions through GitHub Actions OIDC from RedHatInsights/javascript-clients. Each package runs a ~4.2MB preinstall loader (ROT-21 outer layer + two AES-128-GCM blobs) that fetches Bun v1.3.13 and executes a credential stealer harvesting GitHub/npm tokens, AWS/GCP/Azure/Vault/Kubernetes creds, SSH/GPG keys, Docker/CircleCI and password-manager material, reading /proc/<pid>/mem on the Runner.Worker process to lift masked GitHub Actions secrets. New GCP/Azure identity collectors and per-infection unique encryption. Self-propagates via npm OIDC trusted publishing with a bypass_2fa parameter; exfiltrates to api.anthropic[.]com/v1/api (camouflage, not an Anthropic compromise) and GitHub dead-drop repos described 'Miasma: The Spreading Blight'. Installs kitty-monitor persistence plus a destructive gh-token-monitor dead-man switch (deletes home/Documents if a stolen token is revoked while the host is live) and Claude Code SessionStart / VS Code folderOpen hooks. Isolate hosts and runners before revoking tokens.
Target: weavedb-sdk, wao, aonote, zkjson, arnext, roidjs, cwao, +29 more (all from npm account asteroiddao) | Affected: 36 packages incl. [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] (full IoC list in JFrog writeup)
JFrog dissected IronWorm, a Rust-built self-replicating npm supply-chain worm in the Shai-Hulud lineage, caught in the Arweave/WeaveDB ecosystem. A 976KB Linux ELF ships in a tools/setup dir and runs from a preinstall hook before dependency resolution. The binary is UPX-packed (UPX! magic overwritten to defeat signature detection) and Rust-compiled with per-call-site string encryption. It sweeps 86 environment variables (cloud, DB, SCM/registry tokens, CI/CD, Vault, Kubernetes, plus 14 AI/ML keys incl. Anthropic/OpenAI/Gemini/Mistral/xAI) and 20+ credential files (~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.claude/.credentials.json, ~/.codex/auth.json, ~/Cursor/auth.json). A dedicated module injects a JS hook into the Exodus desktop wallet (weakening Electron webSecurity/sandbox/contextIsolation/nodeIntegration) to capture password + seed mnemonic; a Kubernetes module dumps reachable Secrets and logs into Vault with the pod service-account token. Self-propagates via npm Trusted Publishing OIDC (requests OIDC token, exchanges at /-/npm/v1/oidc/token/exchange/package/<pkg> for a package-scoped token, publishes trojanized release) and back-commits to GitHub under forged identities (claude for binary droppers; dependabot/renovate/github-actions for a secrets-exfil Actions workflow using toJSON(secrets) + upload-artifact, no external C2). Commit timestamps copied from each repo's last real commit; 57 backdated commits across 9 orgs. Stealth via an embedded eBPF kernel rootkit: hides PIDs from /proc, auto-hides watchlist processes on execve, SIGKILLs ptrace attempts, filters /proc/net/tcp and netlink. C2 is plain HTTP over a Tor circuit beaconing to /api/agent (upload secrets / drop file / remote shell). OpSec failures aided analysis: .BTF.ext debug metadata left in the eBPF object exposed 214 source lines, and a hardcoded BIP-39 skip-list entry leaked the operator's own wallet (0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6). 
Rootkit's process/socket hiding relies on a BPF helper restricted under kernel lockdown, where hidden artifacts reappear. Account ocrybit logged ~4,500 private contributions that month, so real scope likely exceeds the public footprint. Largely scrubbed post-disclosure; cleanup incomplete.
Target: 400+ AUR packages (incl. ~20 hijacked orphaned packages); malicious npm package atomic-lockfile | Affected: 400+ AUR packages (list and IoCs in Whanos report); atomic-lockfile (npm)
Over 400 Arch User Repository packages were compromised via two parallel vectors: a new maintainer spoofing a trusted publisher pushed infected packages (IFIN), and at least 20 orphaned AUR packages were adopted with PKGBUILDs modified to add post-install scripts (Sonatype). Both vectors invoke npm to install the malicious atomic-lockfile package, which drops a Linux ELF payload ('deps'), a credential stealer with an optional root-only eBPF rootkit that hides processes, files, and network interfaces. It targets GitHub/npm credentials, SSH artifacts, HashiCorp Vault tokens, Docker/Podman configs, VPN material, shell histories, browser cookies, and Slack/Teams/Discord/Telegram data, with archive + HTTP upload exfil. Full reinstall recommended on compromised hosts.
Target: @mastra/* (core, memory, server, deployer, pg, mcp, libsql, evals, datadog, rag, deployer-vercel, redis, schema-compat, +130 more); malicious dep easy-day-js | Affected: easy-day-js@1.11.22 (malicious; 1.11.21 clean decoy); ~144 @mastra packages incl. @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected], @mastra/[email protected]
An attacker hijacked the former-contributor npm account 'ehindero' (scope access never revoked) and ran an automated ~88-minute campaign republishing ~144 @mastra/* AI-framework packages, each with easy-day-js added as a production dependency. easy-day-js is a dayjs typosquat: a clean decoy (1.11.21, published 2026-06-16 07:05 UTC by 'sergey2016', copying the dayjs author iamkun / homepage / repo / keywords / 1.11.x lineage) was pinned via ^1.11.21, so fresh installs resolved to the malicious 1.11.22 (published 2026-06-17 01:01 UTC). That version's postinstall runs an obfuscated ~4.5KB setup.cjs that disables TLS verification (NODE_TLS_REJECT_UNAUTHORIZED=0), fetches a second stage from https://23.254.164[.]92:8000/update/49890878, launches it detached (node <tmp>.js 23.254.164[.]123:443) so it survives install completion, then self-deletes. Stage two is a cross-platform infostealer: browser history + data from 160+ crypto-wallet extensions, Windows/macOS/Linux persistence, exfil to 23.254.164[.]123, and C2 polling for additional modules. @mastra/core alone sees ~918K weekly downloads; the packages routinely run in CI runners and AI services holding ANTHROPIC_API_KEY/OPENAI_API_KEY/AWS/GitHub/npm secrets, and the payload fires at install time before any import. Mastra generated SLSA provenance on CI publishes but did not require it, so a plain personal token published unsigned versions; npm audit signatures or mandatory attestations would have rejected the wave. Removing the first-stage package does not kill the detached stage-two process or its persistence: treat any host that installed affected versions as compromised, roll back, and rotate all reachable credentials. Snyk/Orca link the tradecraft to Sapphire Sleet (BlueNoroff, DPRK); primary analyses stop at crypto-stealing RAT.
Target: google-cloud-aiplatform (Vertex AI SDK for Python) | Affected: google-cloud-aiplatform <= 1.143.x (tested vulnerable: 1.139.0, 1.140.0); partial fix 1.144.0; full fix 1.148.0
Unit 42 'Pickle in the Middle': the Vertex AI Python SDK generated a predictable staging-bucket name (project ID + region) and verified existence but not ownership. An attacker with only the victim's project ID could pre-create the bucket, intercept the model upload, swap in a malicious pickle/joblib artifact, and gain cross-tenant RCE in Google's serving infrastructure plus a metadata-server OAuth token reaching other tenant artifacts. No in-the-wild exploitation observed.
Target: Klue 'Battlecards' SaaS integration (customer OAuth tokens for Salesforce, HubSpot, SharePoint, Slack, Zoom, Gong, Chorus, Clari, Google Drive) | Affected: Not version-bound: affected Klue customers whose third-party OAuth tokens (esp. Salesforce) were held by Klue's integration infrastructure. Self-disclosed victims: Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity (list still growing)
Market-intelligence vendor Klue disclosed (CEO Jason Smith) that on 2026-06-12 it found unauthorized activity in part of its integration infrastructure. Initial access was via a compromised legacy/dormant credential tied to an integration service, left over from a prototype integration Klue had abandoned and never decommissioned. The attacker pivoted into Klue's integration infra and pushed a malicious code update that harvested the OAuth tokens customers had granted to connect Klue to Salesforce and other platforms. Holding valid tokens (no exploit, no MFA to defeat), the actor minted OAuth tokens and ran Python scripts against the Salesforce REST API for hours (ReliaQuest observed ~1,000 API queries in a single 15-minute window in at least one tenant), bulk-exfiltrating CRM data: business contacts, sales comms, pricing/quotes, account records, competitive-intel material. Salesforce disabled the Klue Battlecards app integration (~2026-06-11). Klue revoked affected credentials/tokens, removed unauthorized code, disabled impacted integrations, engaged CrowdStrike, and notified law enforcement; it says content stored directly in the Klue platform was not impacted. Extortion group 'Icarus' (claims active since ~2026-04-28) publicly claimed the attack on its leak site and sent 48-hour extortion demands via Session messaging. Same blast-radius pattern as the 2025 Salesloft/Drift Salesforce OAuth supply-chain wave. Mitigation: audit/revoke unused Salesforce Connected Apps OAuth tokens, rotate Klue integration tokens, review Salesforce login history/event monitoring for bulk REST reads from unfamiliar IPs, scope tokens to least privilege, and decommission dormant credentials/tokens from abandoned integrations.
Target: OptinMonster, TrustPulse, PushEngage (Awesome Motive WordPress plugin front-end SDKs) | Affected: Not version-bound: any site running OptinMonster, TrustPulse, or PushEngage that loaded the tampered CDN SDK while a WordPress administrator was logged in (exposure window ~2026-06-12 to 2026-06-14). OptinMonster alone has 1.2M+ installs.
Attackers compromised Awesome Motive's CDN and appended malicious JavaScript to the front-end SDKs of three WordPress plugins: OptinMonster (1.2M+ installs), TrustPulse, and PushEngage. Initial access: a known vulnerability in the UpdraftPlus plugin on OptinMonster's separate marketing website yielded the CDN API key, which the attacker used to edit minified SDK files at the CDN edge (a.omappapi.com / a.opmnstr.com / a.optnmstr.com / a.trstplse.com /app/js/api.min.js and clientcdn.pushengage.com/sdks/pushengage-web-sdk.js). The plugins themselves were never modified and no update was pushed, so fully-patched sites were still served the payload. The client-side code runs only in a logged-in admin's browser: it passes anti-analysis checks, harvests a valid REST nonce, and uses the admin's own session to create rogue administrators (fixed 'developer_api1' / [email protected] plus randomized 'dev_xxxxxx') via REST (POST /wp-json/wp/v2/users), the user-new.php form, AJAX, and a hidden iframe. It then uploads a self-hiding backdoor plugin (disguised as 'Content Delivery Helper' v2.7.1 or 'Database Optimizer' v2.9.4) exposing a web shell ('WPM File Manager & Shell') via ?developer_api1_fm running system() and a developer_api1_eval PHP-eval endpoint. Exfil is XOR-encrypted (key jX9kM2nP4qR6sT8v) and beaconed to C2 tidio.cc (84.201.6.54, Ultahost AS214036), a domain impersonating Tidio registered 2026-04-28. Sansec discovered it; Patchstack blocked 271 rogue-admin attempts across 13 sites from 81 residential IPs in 36 hours. Because requests carry the admin's legitimate cookies and nonce, they are nearly indistinguishable from real admin activity.
Mitigation: delete developer_api1/dev_xxxxxx admins, inspect wp-content/plugins on disk (backdoor hides from the UI) for content-delivery-helper/database-optimizer, grep for developer_api1_fm / developer_api1_eval / the XOR key, run a server-side scan, rotate admin passwords + API keys + DB creds + wp-config salts, and block tidio.cc at DNS/network.