Supply Chain

Attackers compromised 700+ versions of Laravel-Lang PHP packages via tag poisoning, deploying a sophisticated stealer targeting cloud credentials, crypto wallets, and browser data. Packagist pulled affected versions.

Leaked Shai-Hulud malware source code fuels new npm supply chain attack. Four malicious packages steal credentials and deploy DDoS bot with TCP/UDP flood capabilities.

Grafana Labs confirms hackers stole source code through a GitHub token that slipped through rotation after the TanStack supply chain compromise. The company refused to pay the ransom demand.

Attackers published malicious Nx Console 18.95.0 to VS Code Marketplace, stealing developer credentials via triple-channel exfiltration and Sigstore-signed npm package poisoning.

SHub Reaper macOS infostealer bypasses Tahoe 26.4 defenses using applescript:// URLs, spoofs Apple, Google, and Microsoft to steal credentials and backdoor systems.

RubyGems suspended new account registration after attackers uploaded over 500 malicious packages in a coordinated spam attack targeting the Ruby package ecosystem.

Nitrogen ransomware gang claims 8TB of data including Apple, Nvidia, and Intel files from Foxconn's Wisconsin and Texas facilities. Fourth major ransomware incident for the electronics giant.

TeamPCP compromised 84 versions across 42 TanStack packages on May 11 using GitHub Actions cache poisoning. The malware steals CI/CD credentials and includes a wiper that triggers on token revocation.

Five NuGet packages typosquatting popular Chinese .NET libraries have racked up 65,000 downloads while stealing browser credentials, crypto wallets, and SSH keys from developer machines.

Security researchers disclosed 12 sandbox escape vulnerabilities in vm2, including three with CVSS 10.0 scores. The popular JavaScript isolation library can no longer be trusted to contain untrusted code.

Three malicious versions of the xinference AI inference library were uploaded to PyPI, targeting cloud credentials and SSH keys from 680K+ users. TeamPCP claims a copycat is responsible.

Attackers compromised elementary-data version 0.23.3 on PyPI, pushing malicious code to 1.1 million monthly users. The infection extended to Docker images via automated workflows.

Four official SAP CAP ecosystem packages compromised on April 29, harvesting developer credentials, cloud secrets, and CI/CD tokens through malicious preinstall scripts.

TeamPCP threat actors backdoored versions 2.6.2 and 2.6.3 of the popular AI framework, harvesting SSH keys, cloud credentials, and GitHub tokens from millions of developers.

Compromised Google Workspace OAuth app 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj breached Vercel, exposing API keys and source code. Hackers demand $2M; audit Workspace apps and rotate credentials.

Critical code injection vulnerability (GHSA-xq3m-2v4x-88gg, CVSS 9.9) in protobuf.js allows arbitrary JavaScript execution via malicious schemas. Patch now.

Multiple campaigns distribute NWHStealer infostealer through counterfeit Proton VPN installers, gaming modifications, and YouTube-promoted downloads. Targets browser data and 25+ crypto wallets.

Google warns of UNC6783 threat actor using Okta and Zendesk phishing to breach BPO providers, stealing 13M Adobe support tickets and bug bounty data. FIDO2 keys recommended.

ShinyHunters compromised SaaS analytics provider Anodot, using stolen authentication tokens to access and exfiltrate data from dozens of Snowflake customers.

Contagious Interview campaign escalates with trojanized developer tools across five ecosystems. Packages impersonate logging utilities and steal credentials.

Coordinated npm supply chain attack deploys 36 malicious packages masquerading as Strapi CMS plugins. Attackers target cryptocurrency platforms with Redis exploitation, credential harvesting, and persistent backdoors.

Threat actors weaponized Anthropic's accidental source code leak to distribute Vidar malware through trojanized GitHub repos. Here's how the attack works.

Operation TrueChaos exploited CVE-2026-3502 in TrueConf video conferencing to deploy Havoc malware across Southeast Asian government networks.

Attackers are posting thousands of fake Visual Studio Code vulnerability alerts in GitHub Discussions, using fabricated CVEs and urgent language to trick developers into downloading malware.

Stolen CI credentials from Trivy breach enabled TeamPCP to compromise Checkmarx KICS GitHub Actions, poisoning all 35 version tags with credential-stealing malware in four-hour window.

Malicious LiteLLM versions 1.82.7 and 1.82.8 deployed credential harvester, Kubernetes lateral movement tools, and persistent backdoor. Package sees 3 million daily downloads.

TeamPCP's supply chain attack expands with a Kubernetes wiper that detects Iranian systems via timezone and locale, wiping clusters while backdooring everyone else.

TeamPCP threat actors hijacked Aqua Security's Trivy vulnerability scanner, compromising 75 GitHub Action tags and spreading credential-stealing malware to 47 npm packages via blockchain C2.

Attackers compromised AppsFlyer's domain registrar to inject crypto-stealing JavaScript into their Web SDK. The malware swaps wallet addresses for Bitcoin, Ethereum, Solana, and more.

Researchers discovered five packages on crates.io masquerading as time utilities while exfiltrating developer credentials and API keys to attacker infrastructure.

Ericsson's U.S. subsidiary confirms data theft affecting employees and customers after attackers compromised a service provider. SSNs, medical info, and financial details exposed.

Security researchers uncover 26 malicious npm packages using steganography to hide command infrastructure in computer science essays. Famous Chollima cluster targets developers with RAT.

Microsoft uncovers developer-targeting campaign using fake coding assessments to deliver JavaScript backdoors through VS Code automation triggers and Vercel-hosted payloads.

Check Point found CVE-2025-59536 and CVE-2026-21852 in Anthropic's Claude Code. Opening a cloned repo could execute code and leak API credentials.

CVE-2026-27941 (CVSS 9.9) lets attackers execute code via pull requests to OpenLIT, stealing GITHUB_TOKEN and cloud secrets. Patch to 1.37.1 now.

VIQ Solutions confirms sensitive Australian court data including domestic violence and national security cases accessed by unauthorized Indian subcontractor e24 Technologies.

North Korea's Lazarus Group targets blockchain developers with fake recruitment campaign distributing RAT malware through 36 poisoned npm and PyPI packages.

Flickr discloses a data breach through a third-party email provider vulnerability that exposed names, emails, and IP addresses for up to 35 million users.

Rapid7 attributes the six-month Notepad++ supply chain compromise to Chinese APT Lotus Blossom, revealing a custom Chrysalis backdoor and three distinct infection chains.

Security researchers uncover ClawHavoc campaign distributing Atomic Stealer through fake cryptocurrency and productivity tools on ClawHub marketplace.

Violet Typhoon compromised the text editor's hosting provider to redirect updates to malicious servers targeting telecom and financial firms.

Two AI coding assistants on Microsoft's marketplace steal source code and credentials in real-time. Extensions use hidden iframes and analytics SDKs to profile developers.

The European Commission's revised Cybersecurity Act expands ENISA's powers and creates a framework to restrict high-risk technology suppliers.

DragonForce and other actors exploiting CVE-2024-57727 to compromise utility billing providers and their downstream customers.

SafePay ransomware group allegedly stole 3.5TB from the $48B IT distributor. Employee SSNs, passports, and performance reviews exposed.