> supply chain attack monitor
Tracking software supply chain compromises across package registries, build systems, and update mechanisms. Each incident is logged with affected packages, attack vector, severity, and links to full analysis.
axios 1.14.1, 0.30.4
DPRK-linked UNC1069 compromised the axios maintainer account and published backdoored versions (1.14.1, 0.30.4) deploying the WAVESHAPER.V2 RAT. 100M+ weekly downloads, ~80% cloud environment exposure.
AppArmor (kernel) Ubuntu default AppArmor profiles
CrackArmor research disclosed a chain of AppArmor bypasses enabling container escapes from Docker and Kubernetes pods on default Ubuntu configurations.
aquasecurity/trivy-action, aquasecurity/setup-trivy, trivy binary trivy-action/setup-trivy (pinned by tag, March 19); trivy binary v0.69.4, v0.69.5, v0.69.6
TeamPCP stole a GitHub PAT via misconfigured pull_request_target workflow and force-pushed malicious commits to 76/77 Trivy version tags plus Docker Hub/GHCR/ECR. TeamPCP Cloud Stealer harvested CI/CD secrets, SSH keys, cloud creds, and K8s tokens from any pipeline that ran Trivy that day.
checkmarx/kics-github-action, checkmarx/ast-github-action kics-github-action (all tags via March 23 push); ast-github-action 2.3.28
TeamPCP force-pushed malicious commits to all 35 version tags of checkmarx/kics-github-action and poisoned ast-github-action v2.3.28, continuing the same credential-harvesting campaign as the Trivy compromise.
litellm 1.82.7, 1.82.8 (last clean: 1.82.6)
TeamPCP published two backdoored LiteLLM releases (1.82.7, 1.82.8) on PyPI containing the TeamPCP Cloud Stealer, which exfiltrates SSL/SSH keys, cloud credentials, K8s configs, API keys, and shell history.
telnyx 4.87.1, 4.87.2
TeamPCP published two backdoored Telnyx Python SDK releases (4.87.1, 4.87.2) on PyPI as part of the same credential-harvesting campaign targeting developer tooling.
strapi-plugin-* (36 packages) All (version 3.6.8)
36 malicious npm packages disguised as Strapi CMS plugins deployed Redis exploits, PostgreSQL credential harvesting, and persistent C2 implants targeting production infrastructure via postinstall hooks.
1,700+ packages (debug-logfmt, pino-debug, baraka, libprettylogger, openlss/func-log, others) Various
DPRK-linked Contagious Interview operation published 1,700+ malicious packages across five ecosystems impersonating developer tooling, delivering BeaverTail loader and InvisibleFerret backdoor for credential theft and persistent access.
Smart Slider 3 Pro 3.5.1.35 (Pro only)
Attackers compromised Nextend's update distribution infrastructure and pushed a trojanized Smart Slider 3 Pro 3.5.1.35 build containing a multi-layered RAT with rogue admin creation, remote command execution via HTTP headers, multi-point persistence, and full credential exfiltration to C2 domain wpjs1[.]com. 800K+ active installations affected.
CPU-Z, HWMonitor, HWMonitor Pro, PerfMonitor 2 All CPUID products downloaded April 9 15:00 UTC – April 10 10:00 UTC
Attackers compromised a secondary download-link API on cpuid.com and replaced installers for CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor 2 with trojanized builds. Malicious CRYPTBASE.dll sideloaded via legitimate signed executables deploys STX RAT with in-memory execution, reverse proxy, desktop control, and infostealer capabilities. C2: welcome[.]supp0v3[.]com. 150+ confirmed victims including orgs in retail, manufacturing, telecoms, and agriculture.
Context.ai (Google Workspace OAuth app) Vercel projects with non-sensitive env vars prior to April 19, 2026
A Lumma Stealer infection at a Context.ai employee (Feb 2026) yielded session tokens for Context.ai's Google Workspace OAuth application, giving the attacker delegated access to every tenant that had installed the app. ShinyHunters pivoted through a Vercel employee's Workspace account into internal Vercel environments and read customer environment variables not marked 'sensitive'. 580 Vercel employee records leaked; data listed for sale at $2M on BreachForums. Sensitive-flagged env vars (encrypted at rest) were not accessed.
pgserve, automagik, xinference, kube-health-tools, kube-node-health pgserve 1.1.11–1.1.13; xinference 2.6.0–2.6.2; automagik and Namastex.ai packages (multiple recent versions); kube-health-tools, kube-node-health (all published versions)
CanisterSprawl campaign hijacked pgserve (npm, versions 1.1.11–1.1.13), automagik (Namastex.ai), xinference (PyPI 2.6.0–2.6.2), and typosquatted Kubernetes health tools. 1,143-line postinstall payload harvests npm/PyPI tokens, cloud credentials (AWS/GCP/Azure), GitHub PATs, SSH keys, kubeconfigs, Docker configs, Chrome password store, and MetaMask/Phantom/Solana/Ethereum/Bitcoin/Exodus/Atomic wallet data. If publish tokens are present, re-injects payload into every package the victim can publish and ships new patch versions, worming across ecosystems. Initial access for Namastex.ai packages via malicious PRs with prt-scan-{12hex} branch names triggering secret harvest in CI. Exfil encrypted with RSA-4096 + AES-256 to telemetry.api-monitor.com and an ICP blockchain canister.
@bitwarden/cli @bitwarden/cli 2026.4.0
Attacker pivoted from the ongoing Checkmarx/TeamPCP campaign (suspected via a trojanized Checkmarx KICS Docker image) into Bitwarden's publish-ci.yml GitHub Actions workflow and pushed a trojanized @bitwarden/cli@2026.4.0 to npm. Malicious preinstall hook (bwsetup.js -> bw1.js) harvested GitHub/npm tokens, SSH keys, .env, shell history, cloud creds (AWS/GCP/Azure), AI coding tool tokens, and crypto wallet files (Electrum, MetaMask). Self-propagating 'Shai-Hulud: The Third Coming' worm republishes the payload into any npm packages the stolen token can publish to, and commits encrypted exfil back to the victim's own GitHub repos. AES-256-GCM exfil to audit.checkmarx[.]cx (94.154.172[.]43). 334 installs during the 93-minute window. No end-user vault data accessed.
mbt, @cap-js/db-service, @cap-js/sqlite, @cap-js/postgres mbt 1.2.48; @cap-js/db-service 2.10.1; @cap-js/sqlite 2.2.2; @cap-js/postgres 2.2.2
TeamPCP-linked 'Mini Shai-Hulud' campaign hijacked SAP's release workflow and published malicious versions of four SAP Cloud Application Programming (CAP) packages to npm. Each compromised package added a preinstall hook (setup.mjs) that downloaded the Bun JS runtime from GitHub and ran an obfuscated execution.js stealer harvesting SSH keys, npm/GitHub tokens, AWS/Azure/GCP/K8s credentials, and crypto wallets. On GitHub Actions runners, an embedded Python script reads /proc/<Runner.Worker pid>/maps and /proc/<pid>/mem to scrape isSecret values directly from runner memory, bypassing log masking. Stolen data is AES-256-GCM encrypted and exfiltrated by creating a public repo on the victim's own GitHub account with description 'A Mini Shai-Hulud has Appeared.'
intercom-client intercom-client 7.0.4, 7.0.5
Intercom's official npm SDK pushed two malicious releases (7.0.4, 7.0.5) carrying the same Mini Shai-Hulud Bun-based credential stealer used in the SAP CAP compromise. preinstall hook downloads Bun runtime, executes obfuscated execution.js to harvest dev/CI secrets, and exfiltrates AES-256-GCM-encrypted blobs to attacker-created public repos on the victim's GitHub account.
lightning lightning 2.6.2, 2.6.3
PyTorch Lightning published two malicious releases (2.6.2, 2.6.3) on PyPI carrying the same Mini Shai-Hulud Bun-based stealer (8.3M monthly / 2.1M weekly downloads). Hidden _runtime/ directory auto-executes on 'import lightning': spawns a daemon thread that downloads Bun and runs an 11MB obfuscated router_runtime.js, harvesting SSH/cloud/CI credentials and crypto wallets, AES-256-GCM exfil to attacker-created repos on victim's GitHub account. Socket flagged the malicious versions 18 minutes after publication; PyPI quarantined the packages but a Socket-opened warning issue on the Lightning-AI repo was closed within one minute by a 'pl-ghost' account posting a 'SILENCE DEVELOPER' meme, a strong signal the project's GitHub account is itself compromised.
DAEMON Tools Lite (Windows installer) DAEMON Tools Lite 12.5.0.2421 through 12.5.0.2434 (Windows)
Official DAEMON Tools Lite Windows installers, served from the vendor site and signed with the legitimate Disc Soft Authenticode certificate, were trojanized starting April 8, 2026. The implant was injected into the CRT init code of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe and beaconed to env-check.daemontools[.]cc (registered March 27). Kaspersky telemetry shows thousands of infection attempts across 100+ countries with ~10% on enterprise hosts. A multi-protocol second-stage backdoor (HTTP/HTTP3/UDP/TCP/WSS/QUIC/DNS, injects into notepad.exe and conhost.exe) was deployed only on ~12 hosts in government, scientific, manufacturing, and retail orgs in Russia, Belarus, and Thailand. Chinese-speaking actor suspected. Version 12.6 (released May 5) is clean.
@tanstack/*, @mistralai/mistralai, mistralai (PyPI), @uipath/*, @opensearch-project/*, guardrails-ai (PyPI), @squawk/* 42 @tanstack/* packages (84 versions, incl. @tanstack/react-router); @mistralai/mistralai (npm); mistralai==2.4.6 (PyPI); guardrails-ai==0.10.1 (PyPI); @uipath/* SDKs; @opensearch-project/* JS clients; @squawk/* (2 packages)
TeamPCP's fourth Mini Shai-Hulud wave chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork-base trust boundary, and runtime OIDC token extraction from the Runner.Worker process via /proc/<pid>/mem. The stolen OIDC token published 84 malicious versions across 42 @tanstack/* packages directly through npm's trusted-publisher endpoint, producing the first documented npm worm carrying valid SLSA Build L3 provenance attestations. 373 malicious package-versions across 169 names in total; mistralai PyPI payload included locale-aware destructive branch targeting Hebrew/Farsi environments.
Hundreds of malicious gems (names not yet disclosed) Hundreds of malicious gems (yanked); RubyGems signup endpoint disabled
Unknown attacker uploaded hundreds of malicious gems to RubyGems on May 11-12, 2026, targeting RubyGems' own engineers and staff rather than downstream Ruby developers. Packages contained cross-site scripting payloads aimed at RubyGems moderation surfaces plus exploits intended to harvest data from registry infrastructure. RubyGems (operated by Mend.io) disabled new account registration as containment. No widely-installed gem has been reported backdoored; downstream developer impact is currently low, but the campaign signals attacker interest in compromising registry-side defenders. Distinct from but contemporaneous with the BufferZoneCorp 'knot-*' sleeper-gem credential-theft campaign disclosed May 1.