Tag: supply-chain

42 Attack Reports | 0 Vulnerabilities

Attack reports

Malicious NPM Packages Deliver NodeCordRAT

Three malicious npm packages were discovered in November 2025, designed to deliver and install a new RAT malware family named NodeCordRAT. The packages, bitcoin-main-lib, bitcoin-lib-js, and bip40, mimicked legitimate Bitcoin-related libraries to deceive developers. NodeCordRAT uses Discord for com…
supply-chain
credential-theft
cryptocurrency
npm
2026-01-08
nodecordrat
Published: January 8, 2026
Downloadable IOCs: 0

Malicious VSCode Extension Launches Multi-Stage Attack Chain with Anivia Loader and OctoRAT

A malicious Visual Studio Code extension named 'prettier-vscode-plus' was discovered on the official VSCode Marketplace, impersonating the legitimate Prettier formatter. This extension served as the entry point for a multi-stage malware chain, starting with the Anivia loader, which decrypted and ex…
supply-chain
developers
process-hollowing
extension
multi-stage
vscode
uac-bypass
2025-12-04
remote-access-toolkit
anivia
octorat
Published: December 4, 2025
Downloadable IOCs: 8

Bootstrap script exposes PyPI to domain takeover attacks

A vulnerability in legacy Python packages could enable an attack on PyPI through a domain compromise. The issue stems from bootstrap files for a build tool that installs the 'distribute' package, which fetch and execute an installation script from a now-available domain. Affected packages include t…
supply chain
vulnerability
open-source
pypi
domain takeover
bootstrap script
2025-12-03
python packaging
Published: December 3, 2025
Linked vulnerabilities : CVE-2023-45311
Downloadable IOCs: 2

Shai-Hulud V2 Poses Risk to NPM Supply Chain

A second wave of the Shai-Hulud malware campaign, dubbed 'The Second Coming', has emerged targeting the npm ecosystem. This advanced software supply chain attack has compromised over 700 npm packages and created more than 27,000 malicious GitHub repositories. Shai-Hulud V2 introduces critical advan…
backdoor
supply chain
worm
exfiltration
credential theft
github
2025-12-03
shai-hulud v2
Published: December 3, 2025
Downloadable IOCs: 3

Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems

The Shai-hulud 2.0 campaign features an advanced malware variant that steals credentials and secrets from major cloud platforms and developer services. It automates the backdooring of NPM packages maintained by victims, enabling rapid propagation across the software supply chain. The malware target…
supply chain
cloud
credential theft
azure
npm
aws
github
shai-hulud
2025-11-27
gcp
Published: November 27, 2025
Downloadable IOCs: 6

Water APT Multi-Stage Attack Uncovered

A sophisticated multi-stage attack attributed to the Water Gamayun APT group has been analyzed. The attack begins with a compromised legitimate website redirecting to a lookalike domain, delivering a double-extension RAR payload disguised as a PDF. This payload exploits the MSC EvilTwin vulnerabili…
supply-chain
obfuscation
apt
powershell
rhadamanthys
zero-day
CVE-2025-26633
msc eviltwin
encrypthub
darkwisp
silentprism
russia-aligned
2025-11-26
Published: November 26, 2025
Linked vulnerabilities : CVE-2025-26633 (CVSS 7.0)
Downloadable IOCs: 4

Build script exposes PyPI to domain takeover attacks

ReversingLabs researchers discovered vulnerable code in legacy Python packages that could enable an attack on the Python Package Index (PyPI) via a domain compromise. The vulnerability lies in bootstrap files for a build tool that installs the Python package 'distribute' and performs other tasks. W…
python
supply chain
vulnerability
pypi
2025-11-24
packaging
legacy code
domain takeover
CVE-2023-45311
bootstrap script
Published: November 24, 2025
Linked vulnerabilities : CVE-2023-45311
Downloadable IOCs: 0

APT24 Pivot to Multi-Vector Attacks

APT24, a Chinese threat actor, has conducted a three-year cyber espionage campaign using BADAUDIO, a highly obfuscated first-stage downloader. The group has evolved from broad strategic web compromises to more sophisticated tactics, including supply chain attacks and targeted phishing. They comprom…
obfuscation
phishing
supply chain
cobalt strike
china
cobalt strike beacon
cyber espionage
2025-11-20
badaudio
strategic web compromise
Published: November 20, 2025
Downloadable IOCs: 0

Remote access, real cargo: cybercriminals targeting trucking and logistics

Cybercriminals are targeting trucking and logistics companies to steal cargo freight through elaborate attack chains. They compromise companies and use their access to bid on cargo shipments, which they then steal and sell. The threat actors typically deliver remote monitoring and management (RMM) …
screenconnect
phishing
social engineering
supply chain
lumma stealer
cybercrime
danabot
netsupport
stealc
simplehelp
fleetdeck
n-able
pdq connect
logistics
2025-11-03
cargo theft
logmein resolve
trucking
remote monitoring tools
Published: November 3, 2025
Downloadable IOCs: 39

Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack

A new Windows-based malware family called Airstalk has been discovered, available in PowerShell and .NET variants. It is believed to be used by a nation-state threat actor in a supply chain attack. Airstalk misuses the AirWatch API for mobile device management to establish covert command-and-contro…
supply chain
nation-state
2025-10-29
airstalk
Published: October 29, 2025
Downloadable IOCs: 6

Malicious PyPI Packages Deliver SilentSync RAT

Two malicious Python packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages, created by the same author, deliver a Remote Access Trojan (RAT) called SilentSync. The RAT is capable of remote command execution, file exfiltration, screen capturin…
rat
python
typosquatting
supply chain
data theft
remote access
pypi
data-exfiltration
supply-chain-attack
browser-data-theft
2025-09-18
silentsync
2025-09-19
python packages
Published: September 19, 2025
Downloadable IOCs: 0

"Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack

A widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem has been discovered, involving a novel self-replicating worm called "Shai-Hulud". The worm has compromised over 180 software packages, including widely used libraries. It operates by harvesting credentials,…
phishing
supply chain
worm
javascript
credential harvesting
npm
self-replicating
shai-hulud
2025-09-18
Published: September 18, 2025
Downloadable IOCs: 1

Self-replicating Shai-hulud worm spreads token stealing malware on npm

A self-replicating worm named Shai-hulud has been detected on the npm registry, spreading through compromised developer accounts and injecting malicious code into legitimate packages. The worm steals cloud service tokens, primarily targeting npm, GitHub, AWS, and GCP. It also installs Trufflehog to…
supply-chain
worm
npm
open-source
2025-09-16
self-replicating
shai-hulud
package-compromise
token-stealing
Published: September 16, 2025
Downloadable IOCs: 0

Widespread Data Theft Targets Salesforce Instances via Salesloft Drift - Hunting pulse

A widespread data theft campaign, conducted by UNC6395, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift application. The actor systematically exported large volumes of data from numerous corporate Salesforce instances, focusing on harvesti…
supply chain
data theft
credential harvesting
salesforce
2025-09-08
oauth tokens
salesloft drift
Published: September 8, 2025
Linked vulnerabilities : CVE-2025-53690
Downloadable IOCs: 8

Supply Chain Risk in Python: Termcolor and Colorama Explained

A suspicious Python package named termncolor was discovered, which imports a malicious dependency called colorinal. This multi-stage malware operation leverages DLL sideloading to decrypt payloads, establish persistence, and conduct command-and-control communication, ultimately leading to remote co…
supply-chain
python
persistence
pypi
dll-sideloading
2025-08-16
c2-communication
zulip
termncolor
colorinal
Published: August 16, 2025
Downloadable IOCs: 0

NET RFQ: Request for Quote Scammers Casting Wide Net to Steal Real Goods

This intelligence analysis examines a widespread Request for Quote (RFQ) scam that exploits Net financing options to steal high-value electronics and goods. The scammers pose as procurement agents for legitimate companies, using stolen information and lookalike domains to appear credible. They requ…
social engineering
supply chain
business email compromise
2025-07-23
rfq scam
electronics theft
net financing fraud
Published: July 23, 2025
Downloadable IOCs: 94

Stealthy GitHub Malware Campaign Targets Devs

A new campaign exploiting GitHub to distribute malicious Python code disguised as legitimate hacking tools has been uncovered. The operation, attributed to the group known as Banana Squad, used 67 repositories hosting trojanized files that mimicked benign open-source projects. The attackers exploit…
backdoor
python
supply chain
repositories
open-source
github
2025-06-19
trojanized files
encoding
Published: June 19, 2025
Downloadable IOCs: 2

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub

A newly identified threat actor, Water Curse, is exploiting GitHub to deliver weaponized repositories containing multistage malware. The group has been linked to at least 76 GitHub accounts, targeting cybersecurity professionals, game developers, and DevOps teams. Their malware enables data exfiltr…
supply chain
persistence
privilege escalation
data exfiltration
open-source
github
anti-debugging
2025-06-16
backdoor.js.dullrat
multistage malware
Published: June 16, 2025
Downloadable IOCs: 0

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

Interlock Ransomware has recently targeted National Defense Corporation and its subsidiaries, impacting the defense industrial base supply chain. The group's attack on AMTEC, a manufacturer of ammunition and explosives, has exposed sensitive information about global defense contractors and their su…
supply chain
data leak
double extortion
interlock ransomware
2025-05-16
defense industrial base
national security
cmmc
geopolitical influence
intellectual property
Published: May 16, 2025
Downloadable IOCs: 11

Lazarus APT updates its toolset in watering hole attacks

The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, sem…
apt
supply chain
south korea
vulnerability exploitation
watering hole
2025-04-24
copperhedge
signbt
threatneedle
agamemnon downloader
wagent
Published: April 24, 2025
Downloadable IOCs: 0

PoisonSeed Campaign Targets CRM and Bulk Email Providers in Supply Chain Spam Operation

A new threat group, dubbed PoisonSeed, is targeting enterprise organizations and individuals outside the cryptocurrency industry. The campaign focuses on phishing CRM and bulk email providers' credentials to export email lists and send bulk spam. The attackers use a cryptocurrency seed phrase poiso…
phishing
cryptocurrency
supply chain
2025-04-04
2025-04-07
crm
coinbase
bulk email
ledger
seed phrase poisoning
Published: April 7, 2025
Downloadable IOCs: 45

Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream

In January 2025, a Managed Service Provider administrator was targeted by a sophisticated phishing attack impersonating a ScreenConnect authentication alert. The attackers, affiliated with Qilin ransomware and tracked as STAC4365, used an adversary-in-the-middle technique to bypass multi-factor aut…
screenconnect
phishing
ransomware
supply chain
mfa bypass
qilin
CVE-2023-27532
2025-04-01
evilginx
stac4365
msp
Published: April 1, 2025
Downloadable IOCs: 0

Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware

A highly targeted email-based campaign was identified, focusing on aviation and satellite communications organizations in the United Arab Emirates. The campaign utilized a compromised entity to send customized malicious messages, leading to the discovery of a new backdoor named Sosano. This malware…
backdoor
supply-chain
apt
targeted
2025-03-04
satellite
sosano
Published: March 4, 2025
Downloadable IOCs: 0

Targeted activity UAC-0212 against developers and suppliers of automation and process control solutions

In 2024-2025, UAC-0212, a subcluster of UAC-0002 (Sandworm), launched targeted cyberattacks against Ukrainian critical infrastructure and related industries. The actor employed new tactics, exploiting CVE-2024-38213 to deliver malware through PDF documents. Tools like SECONDBEST, EMPIREPAST, SPARK,…
sandworm
supply chain
CVE-2024-38213
2025-02-26
crookbag
Published: February 26, 2025
Linked vulnerabilities : CVE-2024-38213 (CVSS 6.5)
Downloadable IOCs: 112

Unpacking the BADBOX Botnet

The BADBOX botnet, a newly discovered threat, targets Android devices, including high-end models like Yandex 4K QLED TVs. Over 190,000 infected devices have been observed, with malware often pre-installed from the factory or further down the supply chain. Using Censys, a suspicious SSL/TLS certific…
android
supply chain
iot
botnet
badbox
firmware
2025-02-05
censys
ssh host key
ssl/tls certificate
Published: February 5, 2025
Downloadable IOCs: 19

Targeted supply chain attack against Chrome browser extensions

In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API ke…
phishing
supply chain
credentials
browser extensions
2025-01-22
data harvesting
Published: January 22, 2025
Downloadable IOCs: 80

Supply chain of Korean VPN service compromised

ESET researchers have uncovered a supply-chain attack against a South Korean VPN provider by a previously unknown China-aligned APT group named PlushDaemon. The attackers replaced the legitimate VPN installer with a malicious version that deployed their SlowStepper backdoor, a feature-rich implant …
backdoor
supply-chain
apt
espionage
china
south korea
vpn
2025-01-22
slowstepper
Published: January 22, 2025
Downloadable IOCs: 0

North Korean group targets nuclear-related organization with new malware

The Lazarus group has evolved its infection chain by targeting employees of a nuclear-related organization with a combination of new and old malware. The attack involved delivering malicious archive files containing trojanized VNC utilities and various malware strains including Ranid Downloader, MI…
supply chain
modular malware
2024-12-19
lpeclient
wordpress c2
cookietime
deathnote campaign
rollmid
servicechanger
ranid downloader
charamel loader
nuclear
trojanized vnc
mistpen
cookieplus
Published: December 19, 2024
Linked vulnerabilities : CVE-2019-0859, CVE-2019-0797
Downloadable IOCs: 1

BADBOX Botnet Is Back

The BADBOX botnet, previously thought to be contained, has resurfaced with increased scope and sophistication. Recent findings reveal over 192,000 infected devices, including high-end Yandex 4K QLED Smart TVs and Hisense smartphones, expanding beyond the initially targeted off-brand Android devices…
malware
android
supply chain
botnet
proxy
ad fraud
triada
2024-12-17
badbox
firmware
smart tv
Published: December 17, 2024
Downloadable IOCs: 22

An NPM and PyPI Malicious Campaign Targeting Windows Users

Datadog Security Research has uncovered an ongoing supply chain attack targeting both npm and PyPi package repositories, tracked as MUT-8694. This campaign uses malicious packages to deliver infostealer malware to Windows users, leveraging legitimate services like GitHub and repl.it for payload hos…
supply-chain
typosquatting
infostealer
npm
pypi
2024-11-26
roblox
Published: November 26, 2024
Downloadable IOCs: 11

Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack

Unit 42 researchers identified a North Korean IT worker activity cluster, CL-STA-0237, involved in phishing attacks using malware-infected video conference apps. The cluster likely operates from Laos and exploited a U.S.-based SMB IT services company to apply for other jobs, securing a position at …
phishing
north korea
supply chain
beavertail
contagious interview
invisibleferret
wagemole
2024-11-15
insider threat
fake it workers
Published: November 15, 2024
Downloadable IOCs: 6

Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware

A sophisticated supply chain attack has been discovered targeting the NPM ecosystem. The malicious package 'jest-fet-mock' impersonates popular testing utilities and uses Ethereum smart contracts for command-and-control operations. This cross-platform malware affects Windows, Linux, and macOS, exec…
supply-chain
typosquatting
c2
npm
multi-platform
2024-11-05
blockchain
development-tools
smart-contract
ethereum
jest-fet-mock
Published: November 5, 2024
Downloadable IOCs: 4

Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack

A sophisticated malware campaign targeting cryptocurrency enthusiasts has been uncovered, utilizing multiple attack vectors including a malicious Python package on PyPI and deceptive GitHub repositories. The multi-stage malware, disguised as cryptocurrency trading tools, aims to steal sensitive dat…
supply-chain
cryptocurrency
data-theft
social-engineering
pypi
github
2024-11-04
multi-stage
gui
cryptoaitools
Published: November 4, 2024
Downloadable IOCs: 2

BORN Group Supply Chain Breach: In-Depth Analysis of Jenkins Exploitation

This analysis examines a substantial supply chain assault on the IT service provider BORN Group. The cybercriminal Intelbroker leveraged a vulnerability (CVE-2024-23897) to breach BORN Group's infrastructure, leading to the exfiltration of sensitive information from various clients. Furthermore, In…
supply chain
github
2024-08-23
Published: August 23, 2024
Linked vulnerabilities : CVE-2024-23897
Downloadable IOCs: 5

Persistent npm Campaign Shipping Trojanized jQuery

The report describes a persistent supply chain attack involving the distribution of a trojanized version of jQuery through various platforms like npm and GitHub. The malicious jQuery variant, containing a modified 'end' function, exfiltrates website form data by sending it to remote URLs controlled…
malware
supply chain
exfiltration
npm
github
2024-07-10
Published: July 10, 2024
Downloadable IOCs: 67

Exposing Attack Operations Utilizing PyPI Against Windows, Linux and macOS Platforms

The report details the APT-C-26 (Lazarus) group's recent attack campaign utilizing malicious Python packages hosted on the PyPI repository to deliver payloads targeting multiple platforms including Windows, Linux, and macOS. It analyzes the attack flow, delivery methods, and malware components invo…
malware
apt
supply chain
lazarus
2024-07-08
pypi
comebacker
cross-platform
Published: July 8, 2024
Downloadable IOCs: 28

Supply Chain Compromise Leads to Trojanized Installers

Rapid7 discovered that installers for Notezilla, RecentX, and Copywhiz hosted on conceptworld[.]com were trojanized to execute information-stealing malware. The malware can steal browser credentials, crypto wallet info, clipboard data, and keystrokes, as well as download additional payloads. Rapid7…
supply-chain
2024-07-01
notezilla
copywhiz
recentx
Published: July 1, 2024
Downloadable IOCs: 27

Polyfill supply chain attack hits 100K+ sites

A malicious Chinese entity acquired control over the popular Polyfill JS open-source project and has been injecting malware into over 100,000 websites that embed the polyfill.io content delivery network. The malware redirects mobile users to a fraudulent sports betting site hosted on a domain imper…
malvertising
supply chain
2024-06-27
polyfill.js
redirection
Published: June 27, 2024
Downloadable IOCs: 7

Malicious npm package targets AWS users

ReversingLabs' researchers discovered a malicious package named legacyreact-aws-s3-typescript on the npm repository. It mimicked a popular legitimate package, react-aws-s3-typescript, designed to facilitate file uploads to Amazon S3 Buckets. Initially, the package appeared benign, but a later versi…
backdoor
supply-chain
2024-06-27
npm
aws
Published: June 27, 2024
Downloadable IOCs: 3

Uncovering Espionage Operations

This comprehensive analysis delves into the intricate tactics employed by a suspected China-nexus cyber espionage actor, UNC3886. The report unveils the group's sophisticated exploitation of zero-day vulnerabilities and their deployment of rootkits like REPTILE and MEDUSA for persistent system acce…
espionage
rootkit
supply chain
zero-day
2024-06-24
CVE-2022-42475
CVE-2023-20867
CVE-2023-34048
CVE-2022-41328
CVE-2022-22948
virtualsphere
Published: June 24, 2024
Linked vulnerabilities : CVE-2023-20867, CVE-2022-41328, CVE-2022-22948, CVE-2023-34048, CVE-2022-42475
Downloadable IOCs: 39

Fake Advanced IP Scanner Installer Delivers Dangerous Backdoor

Security researchers discovered a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. The compromised installer was distributed through a typo-squatted domain and appeared in search results for the legitimate software. When executed, the installer inject…
backdoor
supply-chain
typosquatting
2024-06-06
cobaltstrike
malicious-installer
Published: June 6, 2024
Downloadable IOCs: 11

CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack

Rapid7 discovered that version 8.3.7 of the JAVS Viewer software from Justice AV Solutions contained a backdoor installer allowing attackers to gain remote control over affected systems. The malicious installer included a binary named fffmpeg.exe which executed obfuscated PowerShell scripts and fac…
backdoor
supply chain
CVE-2024-4978
2024-05-24
credential harvesting
installer
stealc infostealer
software
gatedoor/rustdoor
Published: May 24, 2024
Linked vulnerabilities : CVE-2024-4978 (CVSS 8.4)
Downloadable IOCs: 10
Click here to see more Attack Reports